#329 - Discovering Effective User Access Reviews with Stephen Washington

Feb 3, 2025

Stephen Washington, Head of IAM at Discover Financial, brings decades of identity and access management experience. He discusses why user access reviews matter, lifecycle and service account cleanup, and how AI, identity data lakes, and policy shifts can make certifications less painful. Conversation also touches on IGA evolution and practical steps to get auditors and teams aligned.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Access Reviews Provide Auditable Decision Trails

User access reviews serve as both detective and corrective controls that provide a named decision trail for auditors and regulators.
Stephen explains they work well for small/mid companies but at scale can become checkbox exercises when reviewers rubber-stamp due to volume.

INSIGHT

Fix Lifecycle To Reduce Recertification Noise

Poor lifecycle management drives the need for frequent access certifications because standing permissions accumulate without removal.
Stephen proposes time-limited access plus orchestration (IDP checks and re-provision on-demand) to avoid permanent standing permissions and reduce certification noise.

ADVICE

Triage Certifications With AI To Cut Volume

Use AI/ML to triage certification items so reviewers see a focused subset of high-risk entitlements first.
Stephen describes narrowing thousands to a few dozen by analyzing last-use, peer patterns, and privilege indicators before human review.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of the Identity at the Center podcast, hosts Jeff and Jim discuss the vital role of user access reviews, device identity, and the evolving landscape of Identity Access Management (IAM) with guest Stephen Washington, Head of IAM at Discover Financial. The conversation delves into regulatory compliance, the use of AI in IAM, and practical steps for improving user access certifications. They also explore the importance of managing service accounts, innovations in IGA, and the role of identity in modern cybersecurity frameworks. The episode wraps up on a lighter note with a chat about fitness challenges like Tough Mudder and personal cheese preferences for grilled cheese sandwiches.

Chapters

00:00 Introduction to Regulatory Compliance in Financial Services 01:54 Welcome to the Identity at the Center Podcast 02:07 Exploring Device Identity 03:19 The Role of Identity in Modern Security 06:44 Engaging with the IAM Community 10:31 Upcoming Conferences and Events 13:58 Interview with Stephen Washington 25:36 The Importance of User Access Reviews 33:55 Backend Changes in IGA Systems 35:04 The Concept of Identity Data Lake 36:37 AI and Identity Fatigue 37:22 Importance of Identity Hygiene 38:32 Challenges with Access Reviews 39:42 Regulatory Compliance and Policy Changes 41:06 Advice for Practitioners on Access Reviews 45:47 NYDFS and User Access Reviews 47:41 The Role of NIST Cybersecurity Framework 52:35 Training Auditors and Policy-Based Access Control 57:38 Fitness and Stress Relief 01:05:38 Grilled Cheese and Final Thoughts

Connect with Stephen: https://www.linkedin.com/in/stephen-washington-jr-5569b57/

Gartner IAM Summit - Code IDAC425 saves 425€: https://www.gartner.com/en/conferences/emea/identity-access-management-uk

European Identity and Cloud Conference 2025 - Use code idac25mko for 25% off: https://www.kuppingercole.com/events/eic2025?ref=partneridac

Identiverse 2025 - Use code IDV25-IDAC25 for 25% off: https://identiverse.com/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com