Access reviews

Reviews that close. Evidence that exports.

Review campaigns scoped to what matters. Reviewers see only what's theirs. Completion is tracked centrally. Decisions trigger revocations through the same provisioning engine that granted access. Exportable artifacts for the audit cycle. No more "we sent the spreadsheet in February" theater.

Campaign lifecycle

A campaign, start to finish.

  1. Scope.

    Choose the population — users, resources, entitlements — and the cadence. Plan before you launch: dry-run the policy against a grant, preview the reviewer load to estimate how assignments fall across reviewers, and simulate the remediation blast radius. The campaign owner gets a single dashboard of what's in scope and where the campaign stands.

  2. Reviewer assignment.

    Reviewers receive a scoped queue — only the access they're responsible for attesting to. When a primary reviewer can't be resolved — a missing manager, an empty group, an inactive user — routing falls back to configured fallbacks, then to admins or owners, so work doesn't stall in an empty inbox. And the access subject can't review their own grant.

  3. Decisions.

    Reviewer acts on each item: keep or revoke. Revocations produce provisioning operations through the standard pipeline — the same per-step journal, retry semantics, and audit trail as any other change. When a revoke would be undone immediately — access that policy, a workflow, or a schedule would just re-grant — the remediation is held until an admin records how the source was addressed, so the evidence doesn't read "revoked" for access that's still live.

  4. Close-out.

    The owner sees a status and outcome breakdown — items decided, kept, revoked, and how many still need remediation. Export produces a campaign artifact: scope, per-item decisions with the reviewer on record, and the provisioning operations that followed.

Accountability by design

Why campaigns actually close.

Completion is a product of UX and accountability. Reviewers see only what's theirs — no 400-row spreadsheet, no context-switching across tools. Overdue work chases itself: due-soon and overdue reminders fire on their own, and high-risk items escalate — reassigned through the fallback chain or routed to admins, depending on configuration — when a reviewer doesn't act, so no owner is hand-working a spreadsheet of stragglers. And because revocations flow through the same provisioning engine that handled the original grant, "decided to revoke" becomes "actually revoked" — with evidence — instead of a ticket lingering in someone else's queue.

Artifact, not reconstruction

Evidence that exports.

Every campaign produces an exportable artifact — scope, per-item decisions with the reviewer on record, and the provisioning operations triggered. It's generated server-side, one evidence packet per item, each record carrying its own content hash, so re-exports of the same decision are byte-identical and verifiable. The artifact lands alongside the rest of the audit evidence: the execution journal, the versioned state per assignment, the approval provenance. When the auditor asks what changed and why, the answer is a record, not a reconstruction.

Bring a real attestation cycle.

Early access is open. Show us a cadence you've struggled to complete and we'll walk through how Owlie runs it.