How Manual Are SOC 2 Access Reviews Really? An Honest Look in 2026

The dirty secret of compliance automation: access reviews remain stubbornly manual. What automation actually delivers, what doesn't, and how to make the quarterly work bearable.

“Anyone else surprised how manual SOC 2 access reviews still are?” Yes — and after years of platform marketing promising automation, the disappointment is understandable. Quarterly access reviews are SOC 2’s most common manual control, and they stay manual for a structural reason.

The promise vs. the reality of access review automation

The pitch is “continuous access monitoring.” The reality is that deciding whether a specific person should still have a specific permission is a judgment call only their manager can make. Automation can surface the list; it can’t make the decision. Per user, a manual review runs 5–15 minutes; with mature IGA automation it drops toward 30 seconds — but the decision still needs a human owner.

What Vanta, Drata, Sprinto actually automate

They pull user lists from your identity provider and connected apps, flag obvious problems (no MFA, orphaned accounts, dormant access), and give you a structured interface to run the review and capture sign-off. That’s genuinely useful — it eliminates the spreadsheet assembly. It does not eliminate the decision.

What’s still manual (and why)

The keep/revoke decision, the manager sign-off, the follow-through on revocations, and the edge cases (contractors, service accounts, shared tools) remain manual. About 25% of mid-market teams miss their quarterly review target dates — not because the tooling is missing but because the human routing and follow-up aren’t operationalized.

The IGA tools that promise true automation

SailPoint, Saviynt, and Okta IGA do automate large parts of access governance — provisioning workflows, certification campaigns, policy-based access. They cost $30K–$200K+/year and assume a dedicated identity owner. For most mid-market companies that’s out of reach and overkill; the platform’s access-review feature plus discipline is the right tier.

A working manual cadence that doesn’t burn out the team

Put the four quarterly review dates on the calendar a year ahead. One week before each, generate the lists from your platform. Route per-system lists to owning managers with a 5-day deadline. Track revocations to closure within SLA. Capture every sign-off with a date. Treat it as a recurring operation, not a fire drill. This is exactly the kind of work that lives in the compliance automation gap.

Where Attri Edge fits

Running the quarterly access-review cycle — generation, routing, follow-up, evidence — is part of every retainer. The diagnostic shows where your current cadence will fail an auditor before the auditor does.

Frequently asked questions

What's the minimum quarterly access review process?

Pull the current access list per system, route each system's list to the owning manager, have them confirm or revoke line by line, capture their sign-off with a date, and remediate revocations within an SLA. Retain the signed list as evidence. That's the auditable minimum.

Can we use Vanta's access review feature?

Yes, and you should — it pulls user lists and structures the review. But it still requires a human to make the keep/revoke decision per user and an owner to sign off. The platform organizes the review; it doesn't perform it.

Is IGA worth $30K+ for our scale?

Usually not below ~150 employees. True IAM/IGA automation (SailPoint, Saviynt, Okta IGA) runs $30K–$200K+/year. For most mid-market teams a disciplined quarterly process plus the platform's access-review feature is the right cost/benefit.

How do auditors test access review controls?

They sample quarters, check that reviews happened on time, that an appropriate owner signed off, and that revocations were actioned within your stated SLA. Missing or late reviews are among the most common Type 2 exceptions.

What happens if we miss a quarterly review?

It becomes a likely audit exception for that period. Document why, remediate immediately, and tighten the calendar. Auditors are more forgiving of a documented one-off with corrective action than of a silent gap.

How do we handle terminated employees mid-quarter?

Access revocation on termination is a separate, faster control (typically same-day to 48 hours) and must not wait for the quarterly review. The quarterly review is a backstop, not the primary deprovisioning mechanism.