
Phase 2 · PAM, IGA, JIT, and Zero Trust · Lesson 3 of 3

Design an Access Review and JIT Workflow

Exercise · 25 min · +20 pts


You are the GRC Engineer at a 500-person SaaS company. The CISO has asked you to design two things: a formal access review program that satisfies SOC 2 and ISO 27001 requirements, and a JIT access workflow that eliminates standing privileged access. The company has never had a structured access review process — managers occasionally check access informally, but there is no documented program, no consistent cadence, and no evidence trail.

Your design needs to be specific enough that the IT and security teams can implement it, and rigorous enough that an auditor reviewing it will see a mature, defensible program.

What makes a strong design?

A strong access review and JIT design answers every operational question: Who reviews what? How often? What happens when access is not certified? How do users request privileged access? Who approves it? How long does it last? What happens in an emergency? Auditors do not want to see vague principles — they want to see a program they can test.

Exercise · ~30 min

Translate this audit finding into a technical remediation plan

SOC 2 Type II + ISO 27001 Finding

Access Review and JIT Workflow Design

ID: IGA-JIT-2026-001

Criterion: CC6.2 — Access Reviews / A.9.2.5 — Review of User Access Rights

Severity: N/A — Design Exercise

Design an access review program and JIT access workflow for a growing SaaS company.

Auditor Notes

The company has 500 employees across engineering, sales, customer success, and G&A. They use Okta as their IdP, AWS for infrastructure, GitHub for source code, Salesforce for CRM, and Slack. Engineering has AWS console access. Three engineers have production database access. The CISO wants quarterly access reviews and JIT for all privileged access.
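As an added illustration (not part of the lesson or of UprootSecurity's materials), the following Python models the operational rules the design questions above ask for, applied to the scenario's privileged estate (AWS admin, production database, GitHub org ownership): a quarterly certification campaign that revokes anything the resource owner has not certified by the deadline and records every decision as evidence, and a JIT grant that requires a second-person approver and a capped TTL, with a short-lived break-glass path that skips approval but is flagged for post-incident review. The resource names, the 8-hour and 1-hour limits, and the 14-day grace period are assumed values chosen for the example, not figures from the lesson.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of the scenario's privileged entitlements; the hour limits are assumed policy.
PRIVILEGED = {"aws:AdministratorAccess", "db:prod-readwrite", "github:org-owner"}
MAX_JIT_HOURS, BREAK_GLASS_HOURS = 8, 1

@dataclass
class Entitlement:
    user: str
    resource: str
    owner: str              # the resource owner certifies, never the user themself
    certified: bool = False

def run_review(entitlements, campaign_start, now, grace_days=14):
    """Quarterly certification: uncertified access is revoked once the grace period ends."""
    deadline = campaign_start + timedelta(days=grace_days)
    evidence = {}           # (user, resource) -> (decision, reviewer, timestamp): the audit trail
    for e in entitlements:
        if e.certified:
            decision = "certified"
        elif now >= deadline:
            decision = "revoked-uncertified"
        else:
            decision = "pending"
        evidence[(e.user, e.resource)] = (decision, e.owner, now.isoformat())
    return evidence

@dataclass
class JitGrant:
    user: str
    resource: str
    approver: Optional[str]  # None only on the break-glass path
    granted_at: datetime
    ttl: timedelta
    break_glass: bool = False
    def is_active(self, now):
        return now < self.granted_at + self.ttl

def request_jit(user, resource, approver, now, hours=4, break_glass=False):
    """Time-bounded privileged grant; break-glass skips approval but is short and flagged for review."""
    if resource not in PRIVILEGED:
        raise ValueError(f"{resource} is not privileged; JIT does not apply")
    if break_glass:
        return JitGrant(user, resource, None, now, timedelta(hours=BREAK_GLASS_HOURS), True)
    if approver is None or approver == user:
        raise PermissionError("approver must be someone other than the requester")
    if hours > MAX_JIT_HOURS:
        raise ValueError(f"JIT TTL capped at {MAX_JIT_HOURS}h")
    return JitGrant(user, resource, approver, now, timedelta(hours=hours))
```

The evidence dictionary is what an auditor tests against CC6.2 / A.9.2.5: one dated decision per entitlement, attributed to a named reviewer.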

Write your remediation plan in YAML below. Fill in every field — replace all placeholder comments.
