Episode 32 — Overview – Why vulnerability management is continuous
Welcome to Episode 32, Control 5 — Evidence, Metrics, and Recertification, where we examine how identity and account management prove their effectiveness through verifiable records and measurable outcomes. In prior episodes, we covered how accounts are created, governed, and retired. Now we turn to validation—showing that these processes actually work in daily practice. Evidence demonstrates that controls are functioning, metrics reveal where improvement is needed, and recertification ensures that access remains justified over time. This episode explains what auditors look for, how to collect proof efficiently, and how to use that data to maintain a culture of continuous accountability.
Reviewers look for evidence that is both authentic and relevant. The strongest proof directly connects an account to its owner, its approval, and its current status. Raw exports from identity management systems, signed-off approval tickets, and time-stamped configuration reports all demonstrate operational reality. Reviewers prefer system-generated outputs over manually created documents because they are less prone to tampering. They also look for traceability—each item of evidence should show the data source, time of extraction, and the system that produced it. Together, these attributes create a chain of trust that confirms identity governance is not just theoretical but actively maintained.
Exports with timestamps and unique identifiers are the backbone of account evidence. Standard exports include lists of active users, administrative accounts, service accounts, and recent deactivations. Each export must include columns for usernames, account type, last login date, and assigned owner. Timestamps verify that reports were generated within the review period, while unique record identifiers allow cross-referencing with tickets or logs. Ideally, these exports are automated, pulled from authoritative directories on a recurring schedule. This automation prevents manual errors and ensures consistency across audits. Keeping these exports archived for at least one full audit cycle supports future comparisons and trend analysis.
Screenshots complement raw data by providing human-readable proof of configurations and ownership. They should display the system interface showing account details—owner name, status (active or disabled), and last authentication date. Screenshots can verify specific controls, such as multifactor enforcement or session timeout settings. When captured, each image should include a visible timestamp and the environment identifier, such as “production” or “development.” Annotated screenshots can highlight relevant fields for reviewers but must never obscure original data. Organized image sets make visual confirmation faster and prevent confusion during evidence walkthroughs.
Ticketing systems hold another vital source of truth: the decision history behind each account. Ticket links or IDs show how provisioning and deprovisioning requests were approved, by whom, and when. For new accounts, the ticket record ties back to HR onboarding events; for changes, it documents business justification. Linking these tickets to account records allows auditors to trace every identity event from request to resolution. Closed tickets showing proper approvals are among the clearest indicators of compliance maturity. When systems integrate, ticket numbers can even appear automatically in account metadata, simplifying future audits.
Dormant account discovery logs show how the organization detects and handles inactivity. These reports capture accounts unused for a defined period—commonly ninety days—and record actions taken, such as disabling or removing them. Log exports should include the detection date, responsible analyst, and resolution notes. Automated alerts for dormant accounts provide continuous protection by ensuring that forgotten credentials do not linger indefinitely. For audit readiness, keep a historical record of both detections and follow-up actions, demonstrating that the process runs regularly and that findings lead to real changes.
Temporary access records demonstrate control over short-lived privileges. Each record should identify the user, scope of access, start and end dates, and authorizing manager. Systems should automatically revoke these permissions once the expiration time passes. Evidence might include reports from privileged access management tools or logs of expired credentials. Reviewers often check whether expired temporary accounts remain active; showing that they are automatically disabled reflects a well-managed environment. Tracking these records also enables trend analysis—frequent emergency access requests may signal underlying process gaps worth correcting.
Recertification schedules and role assignments confirm that access reviews occur systematically. A clear schedule should identify when each system’s access will be revalidated—quarterly, semiannually, or annually—and who is responsible for leading that review. Role assignments define which managers, system owners, or compliance officers certify access for their teams. Evidence includes calendar schedules, completed attestations, or exported certification results. Automated governance platforms can track completion percentages and send reminders to late reviewers. Regular recertification ensures that dormant, duplicate, or outdated privileges are removed before they pose risk.
Sampling approaches explain how reviewers test account populations without checking every record. Sampling criteria must be risk-based and statistically sound—for instance, selecting a subset of high-risk systems, administrative accounts, and random user accounts across departments. Documentation should describe why the chosen sample size and scope provide reasonable assurance. Population notes clarify the total number of accounts, systems covered, and excluded cases. Transparent sampling demonstrates fairness and accuracy in audit testing, assuring reviewers that conclusions about control effectiveness are well founded.
An exceptions registry documents any deviations from policy, including extended access, missing documentation, or delayed deprovisioning. Each entry should include an exception ID, description, impacted accounts, reason, compensating control, approval authority, and expiration date. Regular reviews of this registry confirm that exceptions remain temporary and controlled. Evidence of expired exceptions being closed proves active oversight. This transparency shows maturity: even when controls cannot be applied immediately, the organization tracks, explains, and limits deviations to protect its environment.
Metrics quantify account management performance and highlight long-term trends in access hygiene. Useful metrics include average time to disable terminated users, percentage of accounts covered by recertification, number of active versus dormant accounts, and ratio of exceptions to total accounts. Tracking these indicators over time helps identify systemic weaknesses—such as recurring delays in access removal or rising exception counts—and guides process improvements. Metrics also provide leadership with tangible progress markers, transforming identity governance from a compliance obligation into a continuous improvement cycle.
Dashboards communicate these metrics to different audiences. For leaders, dashboards summarize high-level indicators: compliance percentages, review completion rates, and open exceptions. For operators, they provide granular views—specific accounts pending review, systems with overdue recertifications, and tickets awaiting closure. Dashboards should update automatically, pulling data directly from identity systems and ticketing tools. Regular reporting cadence—weekly for operations, monthly for management—keeps attention focused and ensures that gaps are addressed promptly rather than discovered during external audits.
Common findings in account governance reviews include inactive accounts left enabled, missing ownership assignments, outdated baseline documentation, or incomplete recertification logs. Quick corrections involve enabling automatic disablement rules, updating ownership fields, or reconciling accounts through identity connectors. Teams should log corrective actions to demonstrate responsiveness. Over time, analyzing recurring findings reveals root causes such as unclear roles or insufficient automation. Addressing these patterns turns reactive fixes into lasting improvements, strengthening overall security posture and audit readiness.
Narratives and contextual explanations help reviewers interpret evidence correctly. Each evidence package should include a short narrative describing how the control works, where the data came from, and what results indicate. For example, explaining that an access review covered ninety-five percent of users and why five percent remain under remediation clarifies intent and transparency. Narratives convert raw data into understanding, showing auditors that the organization not only follows procedures but also monitors their effectiveness and acknowledges areas for growth.
Evidence, metrics, and recertification together confirm that account management is both functional and maturing. They prove that access remains current, justified, and accountable through objective data and transparent governance. The readiness checklist at the end of this cycle should verify that exports are current, recertification is complete, exceptions are tracked, and dashboards reflect true system states. With these foundations in place, organizations demonstrate control, foresight, and a living commitment to identity integrity—core indicators of a strong and sustainable security program.
