BG Beter Geregeld ICT
Access reviews · 2 min leestijd · 27 January 2026

Reviewing service accounts — the invisible majority

Alongside real employees, you have service accounts: API integrations, scheduled jobs, automation. Often there are more of these than human users. Who owns them, and how do you review them?

Service accounts are non-human identities: the Zapier integration, the GitHub Actions bot, the nightly backup runner. They live long, often carry broad permissions, and are rarely reviewed.

\n \n

Take stock of them

\n
    \n
  • All M365/Entra app registrations: what do they do, and who created them?
    • \n
  • GitHub deploy keys and app installations.
    • \n
  • API users in your CRM, accounting software, and customer portal.
    • \n
  • Database users outside your main user table.
    • \n
  • CI/CD credentials.
    • \n
\n\n

For each service account, record

\n
    \n
  • A human owner (name, and who takes over when they leave).
    • \n
  • Purpose / what the account does.
    • \n
  • Scope / permissions.
    • \n
  • Where credentials are stored.
    • \n
  • An expiry date (ideally) or next review date.
    • \n
\n\n

Review cadence

\n

At least annually, ideally every six months. For each item: still needed? Permissions still minimal? Credentials rotated recently?

\n\n

When an owner leaves

\n

Every service account must be handed to a new human owner — otherwise it quietly dies during offboarding and no one notices what depended on it. See vault handover.

Onderwerpen

#access-review #automation #service-accounts

Volledige gids: Revisiones de acceso periódicas: proceso, frecuencia y evidencia

Dit artikel is onderdeel van onze uitgebreide Access reviews-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Access reviews

Periodic access reviews: process, frequency, and audit evidence

An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.

2 min
Access reviews

Reviewing the Global Admin role: the highest-risk category

If there is one category where review discipline is absolutely critical, it's Global Admin and equivalent roles. Here is the dedicated procedure that sits on top of your standard access review.

2 min
Access reviews

Dealing with "former employees" in your review — the cleanup round

Your first review turns up 8 accounts belonging to people who left years ago. That's not a problem — that's progress. Here's how to handle it without it turning into a blame session.

2 min
Access reviews

Access review scope: what's in, what's out?

Not every user, not every system needs to be included in every review. Here's how to define your scope so it stays manageable — and defensible in an audit.

2 min
Access reviews

Bulk decisions in access reviews: faster without being careless

80% of the rows in a review are routine. You want to handle those in a single click. How do you do that without accidentally missing a critical row?

2 min
Access reviews

Evidence for access reviews: what to keep and where

A review without evidence is, as far as an auditor is concerned, a review that never happened. Here's what to retain, in what format, and for how long.

2 min
← Alle artikelen in "Access reviews"