Skip to content

Review Lifecycle

Overview

When an access grant's decay score crosses a configurable threshold, Verity generates a review — a structured decision workflow that routes evidence to the right person, tracks response time against SLAs, and executes the outcome safely.

Reviews are the human decision point in the access-decay pipeline. Verity does not blindly revoke access; it provides evidence and asks the people closest to the resource to make an informed decision.

stateDiagram-v2
    [*] --> PENDING : Score threshold crossed
    PENDING --> IN_REVIEW : Reviewer opens packet
    IN_REVIEW --> DECIDED : Reviewer submits decision
    DECIDED --> EXECUTED : Remediation completes
    EXECUTED --> [*]

    IN_REVIEW --> ESCALATED : SLA breached
    ESCALATED --> IN_REVIEW : Escalation assignee opens
    PENDING --> ESCALATED : No response after reminder

    DECIDED --> FAILED : Remediation error
    FAILED --> DECIDED : Retry / manual fix

What Triggers a Review?

Reviews are created through three mechanisms:

Score Threshold (Automatic)

The primary trigger. When a grant's decay score crosses the configured threshold (default: 50), the Review Generator creates a review automatically.

Hysteresis

To prevent review churn when a score oscillates around the threshold, Verity applies a hysteresis band of ±5 points. A review is triggered when the score crosses above 55, and a new review is suppressed until the score drops below 45 and rises again.

Scheduled Campaign

Organisations that require periodic certification (e.g., SOX compliance) can configure scheduled campaigns that generate reviews for all grants matching a filter — regardless of decay score.

Scheduled campaigns complement continuous scoring; they ensure 100 % coverage even for grants that Verity's model has not yet flagged.

Manual Request

Any authorised user can request a review of a specific grant, identity, or resource through the API or dashboard. This is useful for:

  • Investigating a specific user during an incident
  • Reviewing all access to a resource before decommissioning
  • Ad-hoc audits requested by compliance

The Evidence Package

Every review includes an evidence package — a self-contained bundle of data that gives the reviewer everything they need to make an informed decision without having to investigate independently.

Evidence Item Description
Decay Score Current score with full factor breakdown (recency, trend, org, peer, review, sensitivity)
Score History 90-day trend chart showing how the score has changed
Last Access Timestamp and description of the most recent meaningful access event
Usage Summary Access frequency over 30 / 60 / 90 day windows
Peer Comparison How this user's access pattern compares to peers in the same role/team
Org Context Recent role changes, department transfers, manager changes
Resource Info Resource name, type, sensitivity classification, owner
Review History Previous review outcomes and decisions for this grant
Risk Context Risk level, SLA deadline, escalation status

Reviewers Make Better Decisions With Context

In traditional access reviews, a manager sees a row in a spreadsheet: "User X — Permission Y — Approve / Deny." With no context, the rational choice is to approve and avoid the risk of breaking something.

Verity's evidence package inverts this: the reviewer sees that the user hasn't accessed the resource in 94 days, has changed departments, and is an outlier compared to peers. The rational choice becomes revoke.

Review Routing

Reviews must reach the person with the best context to make the decision. Verity uses a three-tier routing model:

graph TD
    RG["Review Generated"]

    RG --> T1{"Resource owner<br/>defined?"}
    T1 -->|Yes| RO["Route to<br/>Resource Owner"]
    T1 -->|No| T2{"Team lead<br/>identifiable?"}
    T2 -->|Yes| TL["Route to<br/>Team Lead"]
    T2 -->|No| SEC["Route to<br/>Security Team"]

    RO --> SLA["SLA Timer Starts"]
    TL --> SLA
    SEC --> SLA

    SLA --> T3{"Response within<br/>reminder window?"}
    T3 -->|Yes| DECIDE["Reviewer Decides"]
    T3 -->|No| REM["Send Reminder"]
    REM --> T4{"Response within<br/>escalation window?"}
    T4 -->|Yes| DECIDE
    T4 -->|No| ESC["Escalate to<br/>Next Tier"]
    ESC --> SLA

    style RG fill:#536dfe,color:#fff,stroke:none
    style RO fill:#448aff,color:#fff,stroke:none
    style TL fill:#448aff,color:#fff,stroke:none
    style SEC fill:#448aff,color:#fff,stroke:none
    style DECIDE fill:#4caf50,color:#fff,stroke:none
    style ESC fill:#f44336,color:#fff,stroke:none

Tier 1: Resource Owner

The person or team listed as the owner of the target resource. This is typically populated from the upstream system's metadata (e.g., the repository owner in GitHub, the resource group owner in Azure).

Tier 2: Team Lead

If no resource owner is defined, the review routes to the team lead of the user whose access is under review.

Tier 3: Security Team

The fallback. If neither a resource owner nor a team lead can be identified — or if escalation is triggered — the review routes to the configured security team.

SLA Tracking

Every review is backed by a Temporal workflow that enforces time-bound SLAs:

Phase CRITICAL HIGH MEDIUM LOW
Reminder 12 h 48 h 7 d 30 d
Escalation 24 h 96 h 15 d 60 d
Max Review Time 48 h 7 d 30 d 90 d

What Happens at Max Review Time?

If a review reaches its maximum review time without a decision:

  1. The review is marked as ESCALATED and assigned to the security team.
  2. A compliance event is logged to ClickHouse.
  3. If configured, an automatic suspend action can be triggered (disabled by default).

Temporal Workflow

sequenceDiagram
    participant RG as Review Generator
    participant TW as Temporal Workflow
    participant RV as Reviewer
    participant NT as Notifications
    participant RM as Remediation

    RG->>TW: StartWorkflow(review_packet)
    TW->>NT: SendNotification(reviewer, packet)
    TW->>TW: Timer: reminder_window

    alt Reviewer responds before reminder
        RV->>TW: SubmitDecision(approve/revoke/reduce)
        TW->>RM: ExecuteDecision(action)
    else Reminder fires
        TW->>NT: SendReminder(reviewer)
        TW->>TW: Timer: escalation_window
        alt Reviewer responds
            RV->>TW: SubmitDecision(decision)
            TW->>RM: ExecuteDecision(action)
        else Escalation fires
            TW->>NT: Escalate(security_team)
            TW->>TW: Timer: max_review_time
        end
    end

Decision Options

Reviewers choose from four actions:

Decision Effect When to Use
Approve Access is kept. Score receives a review credit (f_review → 0.0). You have confirmed the user still needs this access.
Revoke Access is removed via the connector. The user no longer needs this access.
Reduce Access is downgraded (e.g., write → read, admin → member). The user needs some access, but less than they have.
Delegate Review is reassigned to a different person. You are not the right person to make this decision.

Reduce Is Powerful

The Reduce action lets reviewers find a middle ground. Instead of a binary keep-or-revoke, they can downgrade access to the minimum required level. This is especially useful for shared service accounts with broad permissions.

Review States

Every review transitions through a well-defined state machine:

State Description Transitions To
PENDING Review created, awaiting reviewer. IN_REVIEW, ESCALATED
IN_REVIEW Reviewer has opened the evidence package. DECIDED, ESCALATED
ESCALATED SLA breached, escalated to next tier. IN_REVIEW
DECIDED Reviewer has submitted a decision. EXECUTED, FAILED
EXECUTED Remediation action completed successfully. (terminal)
FAILED Remediation action failed. DECIDED (retry)

Bulk Reviews

Large organisations may have thousands of reviews generated simultaneously — for example, after onboarding a new connector or running a scheduled campaign. Review fatigue is a real risk.

Verity mitigates this with smart batching:

Grouping

Reviews are grouped by:

  1. Reviewer — A single person sees all their reviews in one batch.
  2. Resource — Reviews for the same resource are grouped together.
  3. Risk level — CRITICAL reviews surface first.

Bulk Actions

Reviewers can apply a decision to multiple reviews simultaneously:

  • "Revoke all access for users who haven't logged in for 180+ days."
  • "Approve all access for users in the same team who are still active."

Fatigue Detection

Verity monitors reviewer behaviour for signs of rubber-stamping:

Signal Response
Reviewer approves > 20 reviews in < 5 minutes Warning banner displayed
Reviewer approves > 95 % of reviews in a campaign Flagged for compliance team review
Average decision time < 10 seconds Decisions marked as "fast-tracked" in audit log

Fatigue Signals Are Advisory

Fatigue signals do not block reviewers. They are logged for compliance visibility and can optionally trigger a notification to the security team.

Next Steps

  • Remediation Pipeline

    See how review decisions are executed safely.

    Remediation Pipeline

  • Scoring Model

    Understand the six factors that produce the score reviewers see.

    Scoring Model