Least privilege
Standing access shouldn't stay standing.
Timed access for high-risk resources. Drift handling for when reality diverges from intent. Access reviews that actually close. Revocation that runs through the same provisioning pipeline as the original grant. Least privilege as an operating posture, not a project.
Timed access with self-cert → expiry → revoke
Expiring access row with a self-cert prompt, followed by the execution journal showing the revocation step.
Four mechanics. One pipeline.
-
Timed access.
High-risk resources expire by default. Self-cert prompts ask the user to extend — or the access revokes automatically. A policy decision, not a calendar reminder.
-
Drift handling.
Sync observes what's actually granted downstream. When reality diverges from intent, policy decides: adopt, flag, preserve, or revoke. Drift becomes a signal.
-
Access reviews.
Certification campaigns with reviewer accountability and exportable evidence. Decisions to revoke flow through the provisioning pipeline, not into someone's inbox.
-
Accountable revocation.
Every revocation is a versioned provisioning operation with a step-by-step journal. "Revoked" means actually revoked, with evidence.
What least privilege usually looks like.
Most teams implement least privilege by mandate and hope. Set a policy. Manually audit once a quarter. Send a spreadsheet to managers. Chase completions. Resolve by email. The access decisions happen; the actual revocations mostly don't.
Owlie closes the loop. Reviews trigger revocations. Drift triggers policy. Timed access expires on its own. Less ceremony. More access actually removed.
One grant, one expiry, one journal.
A sensitive resource — production database write access — is configured with 5-hour timed access and a Function-backed approval policy. An engineer needs it for an outage. Requests it. The Function checks their on-call schedule and auto-approves. Access is granted.
Four hours in, the engineer gets a self-cert prompt: "still need this?" Extends. At expiry, Owlie revokes. Sync verifies the revocation happened downstream. Evidence lives in the execution journal. No one has to remember to clean up.
Timed access + self-cert + revoke journal
The full lifecycle — request, approval, grant, self-cert extension, revoke — with each step recorded in the execution journal.
Keep reading.
- Security persona.
The Security-framed view of the same mechanics.
- Access reviews.
Certification campaigns, reviewer accountability, exportable evidence.
- Provisioning.
Intent-based, versioned. The pipeline that every grant and revoke runs through.
- Governance model.
Drift handling, adopt/flag/preserve/revoke policies, sync semantics.
Least privilege, without the ceremony.
Early access is open. Bring a real high-risk resource and we'll show you Owlie expiring it on a timer, through the same pipeline as any other grant.