{
  "schema_version": "core-reviewed-term-ai-handoff-v1",
  "version": "core-reviewed-term-ai-handoff-v1",
  "contract_status": "preview",
  "distribution": "per_term_read_only_ai_handoff",
  "no_write_operations": true,
  "canonical": {
    "url": "https://core.yogoq.com/en-US/core/access-review",
    "slug": "access-review",
    "locale": "en-US"
  },
  "summary": {
    "schema_version": "core-reviewed-term-summary-v1",
    "term_id": "74d45ca9-b4f3-52b4-a250-b7c2f6e53719",
    "canonical_slug": "access-review",
    "canonical_url": "https://core.yogoq.com/en-US/core/access-review",
    "locale": "en-US",
    "display_name": "Access Review",
    "english_name": null,
    "abbreviation": null,
    "short_definition": "An access review is a recurring check that verifies whether users, service accounts, roles, and privileged permissions still match business need. It turns access control from a one-time approval into an auditable operat…",
    "quality": "reviewed",
    "publication_status": "published_reviewed",
    "version": "core-reviewed-term-summary-v1",
    "last_reviewed_at": "2026-06-01T00:00:00.000Z",
    "sources_count": 3,
    "limitations_key": "core-trust-policy-v1-2026-06-22"
  },
  "content": {
    "definition": {
      "key": "definition",
      "title": "一言でいうと",
      "text": "An access review is a recurring check that verifies whether users, service accounts, roles, and privileged permissions still match business need. It turns access control from a one-time approval into an auditable operating loop.",
      "items": []
    },
    "formula": {
      "key": "formula",
      "title": "計算の考え方",
      "text": "Access review is not a financial formula, but the operating quality can be measured. Use coverage, exception age, revocation speed, and stale-access rate to judge whether the review changed risk. Review coverage | reviewed access assignments / in-scope access assignments | Shows whether the review reached the intended population Revocation completion | revoked or corrected assignments / assignments marked for removal | Shows whether decisions became system changes Stale-access rate | access with no valid owner, user, or business need / in-scope access | Indicates residual risk after the review",
      "items": [
        "Review coverage | reviewed access assignments / in-scope access assignments | Shows whether the review reached the intended population",
        "Revocation completion | revoked or corrected assignments / assignments marked for removal | Shows whether decisions became system changes",
        "Stale-access rate | access with no valid owner, user, or business need / in-scope access | Indicates residual risk after the review"
      ]
    },
    "boundary": {
      "key": "boundary",
      "title": "含めるもの / 含めないもの",
      "text": "The value of an access review depends on a clear boundary. Without a boundary, reviewers may approve too broadly and miss the highest-risk permissions. Include | Human users, service accounts, admin roles, shared accounts, production access, finance systems, customer data systems | These can create material security or compliance risk Exclude | Access already removed, test-only accounts outside the production boundary, roles covered by a separate review | Avoid double counting while preserving evidence Define explicitly | Emergency access, break-glass accounts, contractor access, dormant users, group inheritance, service principals | These are common places where hidden access survives",
      "items": [
        "Include | Human users, service accounts, admin roles, shared accounts, production access, finance systems, customer data systems | These can create material security or compliance risk",
        "Exclude | Access already removed, test-only accounts outside the production boundary, roles covered by a separate review | Avoid double counting while preserving evidence",
        "Define explicitly | Emergency access, break-glass accounts, contractor access, dormant users, group inheritance, service principals | These are common places where hidden access survives"
      ]
    },
    "usage": [
      {
        "key": "meaning",
        "title": "意味",
        "text": "Access review, also called access certification in some governance programs, is the process of comparing current access assignments with role, job, system, data, and risk requirements. The reviewer confirms, changes, or removes access and records evidence. A good access review does not simply ask managers to click approve. It defines the in-scope systems, privileged roles, dormant accounts, exception owners, review frequency, evidence retention, and escalation rules so unnecessary access is actually removed.",
        "items": []
      },
      {
        "key": "usage",
        "title": "役立つ場面",
        "text": "Reduces identity and access risk by removing permissions that no longer match business need. Creates audit evidence that access was reviewed, exceptions were owned, and removals were completed. Improves role design by showing which permissions are repeatedly over-granted or repeatedly removed.",
        "items": [
          "Reduces identity and access risk by removing permissions that no longer match business need.",
          "Creates audit evidence that access was reviewed, exceptions were owned, and removals were completed.",
          "Improves role design by showing which permissions are repeatedly over-granted or repeatedly removed."
        ]
      },
      {
        "key": "usage",
        "title": "使い方のポイント",
        "text": null,
        "items": [
          "Access review is a control loop: scope, review, decision, remediation, evidence, and follow-up.",
          "The review is weak if removals are not executed in the actual system.",
          "Privileged access needs shorter cadence and stronger reviewer evidence than low-risk access.",
          "Good role and identity data make reviews faster and reduce rubber-stamp approvals.",
          "Review exceptions need owners, expiration dates, and escalation paths."
        ]
      },
      {
        "key": "drivers",
        "title": "何が数字を動かすか",
        "text": "Access-review workload and risk move when the organization, systems, permissions model, and identity data change. Role quality | Clear roles and least-privilege policies reduce ambiguous reviewer decisions Identity data quality | Accurate manager, department, employment status, and owner fields reduce false approvals Privilege concentration | Admin and production access usually need shorter review cycles and stronger evidence Change volume | Hiring, transfers, contractors, M&A, and system migrations create new access drift",
        "items": [
          "Role quality | Clear roles and least-privilege policies reduce ambiguous reviewer decisions",
          "Identity data quality | Accurate manager, department, employment status, and owner fields reduce false approvals",
          "Privilege concentration | Admin and production access usually need shorter review cycles and stronger evidence",
          "Change volume | Hiring, transfers, contractors, M&A, and system migrations create new access drift"
        ]
      }
    ],
    "misunderstandings": [
      {
        "key": "misunderstandings",
        "title": "判断するときの注意点",
        "text": "Do not treat access review as proof that access is safe. It is one control that must connect to provisioning, deprovisioning, monitoring, and incident response. A manager approval without context is not strong evidence. Dormant accounts, shared accounts, and service accounts need special handling because normal manager review can miss them. If the source system cannot prove remediation, the review should stay open.",
        "items": [
          "A manager approval without context is not strong evidence.",
          "Dormant accounts, shared accounts, and service accounts need special handling because normal manager review can miss them.",
          "If the source system cannot prove remediation, the review should stay open."
        ]
      },
      {
        "key": "misunderstandings",
        "title": "よくある誤解 / 落とし穴",
        "text": null,
        "items": [
          "Access review is not just a compliance form. It should remove or reduce access when business need is missing.",
          "Reviewer approval is not enough when the reviewer cannot see role meaning, usage, or risk.",
          "Annual review alone is usually too slow for privileged access, high-change teams, and sensitive data."
        ]
      }
    ],
    "examples": [
      {
        "key": "examples",
        "title": "最小例",
        "text": "A finance system review includes 480 access assignments. The team finds 38 assignments owned by transferred employees, 12 dormant accounts, and 9 users with approval rights they no longer need. The controller approves 421 assignments, removes 42, downgrades 11, and grants 6 temporary exceptions with expiration dates. The review is not closed until the identity system and the finance application both show the removals and downgrades.",
        "items": []
      }
    ],
    "comparisons": [
      {
        "key": "comparisons",
        "title": "似ている言葉との違い",
        "text": "Access review | Periodic verification of current access | Best for finding and removing access drift Access request | Approval before access is granted | Best for initial authorization Access monitoring | Continuous observation of access use | Best for detecting suspicious activity Least privilege | Design principle that limits access | Best for setting the target state",
        "items": [
          "Access review | Periodic verification of current access | Best for finding and removing access drift",
          "Access request | Approval before access is granted | Best for initial authorization",
          "Access monitoring | Continuous observation of access use | Best for detecting suspicious activity",
          "Least privilege | Design principle that limits access | Best for setting the target state"
        ]
      },
      {
        "key": "related_metrics",
        "title": "一緒に見る指標",
        "text": "Read access review with identity, risk, and remediation signals. Provisioning SLA | Time to grant approved access | Shows whether access changes are controlled Deprovisioning SLA | Time to remove terminated or transferred access | Reduces stale-access exposure Privileged access count | Users or accounts with elevated roles | Indicates blast radius Exception age | Days an exception remains open | Shows whether risk acceptance is controlled",
        "items": [
          "Provisioning SLA | Time to grant approved access | Shows whether access changes are controlled",
          "Deprovisioning SLA | Time to remove terminated or transferred access | Reduces stale-access exposure",
          "Privileged access count | Users or accounts with elevated roles | Indicates blast radius",
          "Exception age | Days an exception remains open | Shows whether risk acceptance is controlled"
        ]
      }
    ],
    "faq": [
      {
        "question": "Is access review the same as access approval?",
        "answer": "No. Access approval happens before access is granted. Access review checks whether existing access is still justified."
      },
      {
        "question": "Who should review access?",
        "answer": "The reviewer should understand the business need and the risk of the permission. For privileged access, include system owners or security owners, not only people managers."
      },
      {
        "question": "What is the most common failure?",
        "answer": "The most common failure is approving access without enough context or failing to complete the removals that the review identified."
      }
    ]
  },
  "sources": {
    "source_refs": [
      "concept:access-review:en-US",
      "concept:access-review:ja-JP",
      "core-tier-a-basic-standalone:concept:access-review"
    ],
    "visible_sources": [
      {
        "label": "NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations",
        "url": "https://csrc.nist.gov/Pubs/sp/800/53/r5/upd1/Final",
        "kind": "tier_s"
      },
      {
        "label": "NIST SP 800-53 Rev. 5 PDF",
        "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf",
        "kind": "tier_s"
      },
      {
        "label": "NIST Cybersecurity Framework",
        "url": "https://www.nist.gov/cyberframework",
        "kind": "tier_s"
      }
    ]
  },
  "related_terms": [
    {
      "topic_id": "207ac568-a2ad-5562-a34e-9342f14ba585",
      "canonical_slug": "risk",
      "canonical_url": "https://core.yogoq.com/en-US/core/risk",
      "title": "Risk",
      "relation_type": "used_together"
    }
  ],
  "quality": {
    "quality": "reviewed",
    "publication_status": "published_reviewed",
    "source_count": 3,
    "last_reviewed_at": "2026-06-01T00:00:00.000Z",
    "trust_policy_version": "core-trust-policy-v1-2026-06-22"
  },
  "limitations": {
    "policy_version": "core-trust-policy-v1-2026-06-22",
    "professional_advice_boundary": "reference_only_not_professional_advice",
    "text": "This page is reference information for research and learning. For accounting, legal, finance, health, security, or other individual decisions, confirm against primary sources or qualified professionals.",
    "items": [
      "Public pages support general understanding and practical context; they are not professional advice for individual cases.",
      "Fast-changing information such as regulations, accounting standards, prices, product specs, and legal requirements should be checked against primary sources before final decisions.",
      "Even when AI-assisted drafting or audit is used, publication relies on quality gates and human-readable evidence."
    ]
  }
}
