Compyl
Solution · User Access Reviews

Access reviews aren’t a spreadsheet you email once a year; they’re live certification campaigns, mapped to your controls.

Most teams run access reviews in spreadsheets: slow, error-prone, and stale the day they’re done. Compyl pulls access straight from your identity systems, routes one-click approve or revoke decisions to the right managers, turns every revocation into a tracked task, and maps the outcome to the controls it satisfies, so reviews are fast, accurate, and audit-ready.

One platform
125+ integrations
Audit-ready evidence
[Product screenshot: Q2 User Access Review campaign for Okta (recurring, quarterly; reviewer M. Patel; due in 5 days), 68% certified with 41 of 60 reviewed. Sample decisions: J. Rivera, Okta Admin, approve; S. Kim, Finance R/W, excessive, revoke (excessive permissions, revocation task auto-created); A. Lee, AWS IAM read-only, approve; T. Vo, Okta Admin, 90d idle, flag. Mapped to controls SOC 2 CC6.2 and ISO A.5.18; every decision recorded as audit-ready evidence. Access certified: 248 entitlements, 18 revoked, 96% on time.]

What are user access reviews?

User access reviews, also called access certifications, are formal checks of who has access to which systems and whether that access is still appropriate for their role. Compyl runs them as live certification campaigns: access is pulled straight from your identity providers, each entitlement is routed to the right manager for a one-click approve or revoke, every revocation becomes a tracked remediation task, and the outcome is mapped to the controls it satisfies, so reviews are fast, accurate, and produce audit-ready evidence instead of a stale spreadsheet.

The problem

Spreadsheet access reviews are slow, rubber-stamped, and stale

When reviews live in spreadsheets emailed to managers, the data is out of date, the decisions lack context, and there’s no evidence trail when the auditor asks.

Manual, error-prone & late

Exporting access from every system into a spreadsheet is tedious, and the result is out of date the moment it’s done; reviews slip and deadlines get missed.

Rubber-stamped without context

Managers approve long lists without seeing role, risk, or last login, so overprovisioned and orphaned access sails right through.

No evidence when audit comes

Disconnected from your controls, a finished review leaves no clear trail of who had access, when it was reviewed, and what was done.

How it works

From a spreadsheet scramble to a continuous certification cycle

Compyl turns access reviews into an always-on cycle: access pulled, campaigns scheduled, decisions routed, and outcomes mapped to your controls automatically.

01

Capture access

Pull user access automatically from Okta, Entra, Google, and more.

02

Schedule campaign

Run recurring or ad hoc reviews by system, role, or risk level.

03

Assign reviewers

Route each entitlement to the manager who owns the decision.

04

Certify

Approve or revoke in one click; comment and tag for input.

05

Remediate & map

Auto-create revocation tasks and map outcomes to your controls.

Centralize access data

Pull access straight from the systems of record

Exporting entitlements from every system by hand is where reviews go wrong. Compyl connects to your identity providers and pulls access automatically, and lets you upload anything that isn’t integrated, so every user and entitlement is in one place and nobody is overlooked.

  • Pull access from Okta, Microsoft Entra, Google Directory & JumpCloud
  • Upload files from non-integrated systems so no user is missed
  • One unified view of every user, system, role, and last login
  • Orphaned and overprovisioned accounts surface automatically

Unified Access Data (4 sources, pulled from Okta, Entra, Google, JumpCloud)

USER | SYSTEM | ROLE | LAST LOGIN
J. Rivera | Okta | Admin | 2d ago
S. Kim | Finance App | R/W | 1d ago
A. Lee | AWS IAM | Read-only | 5d ago
T. Vo | Okta | Admin | Orphaned 94d

Orphaned and overprovisioned access surfaces automatically

Automated review campaigns

Schedule it once; the right reviewer gets the right list

Compyl schedules recurring or ad hoc campaigns, assigns each entitlement to the manager who owns it, and tracks every reviewer’s progress with due dates and reminders, so accountability is clear and nothing stalls.

  • Recurring (quarterly, annual) or ad hoc campaigns by role or risk
  • Each entitlement routed to the manager accountable for it
  • Live progress, due dates, and reminders per reviewer
  • One view of campaigns planned, in progress, and complete

Review Campaigns (8 active)
Q2 User Access Review · Recurring · Quarterly · Due in 5 days · Auto-assigned to 3 reviewers
Reviewer progress: M. Patel 24/30, J. Lee 12/20, R. Diaz 10/10 ✓
All campaigns: Planned 2, In progress 1, Completed 5
Schedule once · reviewers assigned and tracked automatically

Remediate & prove

Every revoke becomes a task, and audit-ready evidence

When a reviewer declines access, Compyl creates and assigns the revocation task automatically, tracks it to closure, and maps the whole review to the controls it satisfies, so closing a gap and proving compliance happen in the same motion.

  • Decline access, add comments, and tag colleagues for input
  • Revocation and change tasks created and assigned automatically
  • Every review outcome mapped to the controls it satisfies
  • One trail of who had access, when reviewed, and what was done

Remediation & Evidence
Declined access: S. Kim · Finance App · R/W · Excessive permissions · flagged by reviewer · Declined
Revocation task #UAR-118 created · Assigned to IT · due in 3 days
Satisfies controls: SOC 2 · CC6.2, ISO 27001 · A.5.18, PCI DSS · Req 7.2
One certification → a revocation task and evidence across every framework

Why Compyl is different

Built by CISOs as an end-to-end GRC platform, not a standalone access tool

A spreadsheet or identity tool runs reviews in a silo. Compyl runs them inside your whole program, so every certification is also evidence. It shows up in five ways.

01

GRC that adapts to complexity

No-code configuration of dashboards, workflows, fields, and reports for every team, without an engineering ticket.

02

End-to-end, built to flex and scale

Governance, risk, compliance, and third-party risk as one connected source of truth, with no ceiling as your program matures.

03

No black box, all your data

125+ proprietary, in-house integrations ingest your full dataset and surface risks single-system checks miss.

04

Automation and AI that augments your team

Agentic AI and 1,500+ blueprints automate evidence and busywork, with humans in the loop on every decision that matters.

05

Quantified risk in financial terms

FAIR models and Monte Carlo simulations put risk in dollars, so the board decides on business impact, not heat-map colors. New in 26.2.

Framework coverage

One control library, mapped to every framework it satisfies

Compyl cross-maps controls so a single piece of evidence can satisfy requirements across multiple frameworks at once.

One-click
Approve or revoke on every entitlement
Recurring
Scheduled & ad hoc certification campaigns
125+
Integrations incl. Okta, Entra & Google
Audit-ready
Outcomes mapped to SOC 2, ISO & PCI controls
Recognized by users on G2

Rated a leader by the teams who use it

G2 High Performer, Mid-Market
G2 Momentum Leader
G2 Fastest Implementation, Go-Live Time
G2 Best Support, Quality of Support
G2 Best Meets Requirements, Mid-Market
FAQ

User access review questions, answered

User access reviews (also called access certifications) are formal checks of who has access to which systems and whether that access is still appropriate for their role. They’re required by SOC 2, ISO 27001, PCI DSS, and NIST, and they catch overprovisioned, orphaned, and inappropriate access before it becomes a breach.

Compyl pulls access from your identity providers (Okta, Microsoft Entra, Google Directory, JumpCloud), schedules recurring or ad hoc campaigns, routes each entitlement to the right reviewer for a one-click approve or revoke, and auto-creates remediation tasks for anything declined. Every outcome maps to the controls it satisfies.

A spreadsheet is stale the day it’s filled in, and a standalone identity tool is disconnected from your compliance program. Compyl runs reviews inside your GRC platform, so every certification outcome becomes audit-ready evidence: who had access, when it was reviewed, and what action was taken.

Yes. Compyl runs scheduled recurring campaigns (quarterly, semi-annual, or annual), plus ad hoc reviews triggered by role changes or system risk level, with automatic reviewer assignment, due dates, reminders, and a live dashboard of what’s planned, in progress, and complete.

When a reviewer declines access, Compyl automatically creates and assigns a revocation or change task to the right team, tracks it to closure, and records the outcome, so overprovisioned and orphaned access is closed fast, with a documented trail.

Access reviews are required by SOC 2 (CC6.x), ISO 27001 (A.5.18), PCI DSS 4.0 (Req 7), NIST CSF and NIST 800-53 (AC family), and more. Compyl maps each review to the controls it satisfies, so a single campaign produces evidence across every framework it touches.

GRC YOUR WAY

Stop running access reviews in spreadsheets

See how Compyl pulls access from your identity systems, routes one-click certifications, and maps every outcome to your controls: audit-ready, on schedule.
