Why architecture matters here
IAM review fails when it's manual, quarterly-only, or ignores unused access. Architecture matters because analytics + drift detection + auto-revoke shift the work from human to automation.
The architecture: every piece explained
The top strip is inputs. Role catalog. Usage analytics — last used + call counts. Drift detection — policy expanded. Certification — quarterly attest.
The middle row is action. Access recert per user. Break-glass audit. Auto revoke unused > TTL. Delegate approvers at scale.
The lower rows are ops. Governance council. Metrics — sprawl + coverage. Ops — compliance mapping + reporting.
End-to-end flow
End-to-end: quarterly kick-off. Usage analytics identifies 30% of roles unused in 90 days; auto-revoke queued. Drift detection surfaces 5 roles with expanded policies; owners recertify or trim. Certification workflow reaches all users; delegates approve on behalf of managers. Metrics show coverage 98%.