Glenn Bakker 29/06/2026 7 min read

Group auditing in bulk: how to manage hundreds of groups without drowning in the process

You know your access rights need to be in order. So does your auditor. But between "knowing" and "being able to prove it" lies a gap that is, in practice, bigger than most organizations expect.

Group auditing places the responsibility for access control with the people who know the content, and makes that control demonstrable, repeatable and scalable.

Auditing is the foundation of IAM

Identity and Access Management (IAM) revolves around one fundamental question: who has access to what, and is that still justified?

But answering that question is not a one-time exercise. People change roles, leave the organization, or receive temporary elevated permissions that are subsequently forgotten and never revoked. Without periodic review, the gap between reality and the intended authorization policy grows quietly but steadily.

This phenomenon, known as rights creep, is one of the most common and underestimated risks in access management. An employee moves from Finance to Sales. She receives new access rights for her new role. But her access to the financial systems? That stays in place. A year later, she still holds permissions on systems she has not used in a long time and should never have kept.

It happens in virtually every organization. Not through negligence, but simply because access management becomes complex and opaque as organizations grow.

For organizations working with frameworks such as ISO 27001, BIO 2, GDPR or NIS2, this is not an abstract risk. It is precisely what regulators look for: can you demonstrate that you have control over who has access to which systems? And not just internally, but also to external auditors.

Why decentralized management is the logical choice

The people who best know who needs access to what are not the central IT department. They are the team leaders, department heads and group managers themselves.

Decentralized access management starts from that premise: organize users into groups, a department, a project team, a functional role, and place responsibility for membership and access rights with the manager of that group. That person knows the content, knows the people, and can assess whether someone still has the right access.

That is not just more logical. It also scales better. And it delivers exactly the accountability that auditors want to see: an authorized person demonstrably reviewing access on a regular basis.

Group auditing: accountability close to the source

A group audit is a structured review process in which a group manager goes through the members of their group, assesses access rights and records the findings. During an audit, the group manager can:

  • Confirm membership and roles: is it still correct who is in the group, and does everyone have the right role?
  • Revoke access: members who no longer need access are removed with a single click
  • Adjust roles: a group manager can demote someone to a regular member, or immediately designate a new member as manager
  • Record notes: both a general comment on the audit and specific notes per individual member can be recorded in the audit log (this is an optional action, not a mandatory part of the audit)

The result is an immutable audit trail: proof that an authorized person at a specific point in time actually reviewed the access rights. Exactly what auditors want to see.


[Figure: Group auditing]

[Figure: Nested groups and audits]

Auditing groups in bulk: moving through the process without getting stuck

Group auditing has been significantly improved. Where an audit previously had to be carried out group by group, the process is now designed as a smooth, continuous workflow.

After completing a group audit, the option to proceed directly to the next group requiring an audit appears immediately. This allows you to work sequentially through your audit list, without constantly returning to an overview page, without unnecessary context switches, without manually keeping track of where you left off.

For organizations with dozens or hundreds of groups, or with nested group structures where one group contains other groups beneath it, this represents a significant time saving. The quarterly audit cycle transforms from a daunting task into a manageable, repeatable routine.

Compliance without the headache

Group auditing offers more than administrative time savings. It supports compliance in a number of concrete ways:

  • Enforcing periodic obligations: groups can be configured with fixed audit months. Group managers automatically receive a notification and are required to review access rights on time. Auditing becomes not a good intention, but an enforceable process.
  • Four-eyes principle: for sensitive groups, you can require that a completed audit be approved by a second group manager or designated reviewer before the changes are finalized.
  • Accountability with a stated reason: for actions involving sensitive access, users and managers can be required to provide an explicit reason. That reason is recorded in the audit log and is immediately available for reports, which is indispensable for certifications such as ISO 27001.
  • Real-time authorization matrix and Audit Dashboard: where gathering evidence for a certification is normally a time-consuming and error-prone process, all data is immediately available in a clear overview. An external auditor can independently review the evidence, or receive a complete export of all access activity within minutes.
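To make the audit steps and compliance controls above concrete, here is an added illustrative model (not KeyHub's code) of a group audit: every change needs an explicit reason, four-eyes approval keeps changes pending until a reviewer other than the auditor completes the audit, and every step is appended to a hash-chained log so later alteration or deletion of an entry is detectable. Group, member and reviewer names are constructed, and a shared log lets two groups be audited one after the other.

```python
import hashlib, json
from datetime import datetime, timezone

def record(log, group, action, actor, member=None, reason=None):
    """Append an entry whose hash covers its content plus the previous hash."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "group": group, "action": action,
             "actor": actor, "member": member, "reason": reason,
             "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)

def verify_chain(log):
    """Recompute every hash and link; False if an entry was altered or removed."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True

class GroupAudit:
    """Illustrative model of one group's audit: every change needs a reason; with
    four_eyes the changes stay pending until a reviewer other than the auditor signs off."""
    def __init__(self, group, members, auditor, four_eyes=False, log=None):
        self.group, self.members, self.auditor = group, dict(members), auditor
        self.four_eyes, self.pending, self.finalized = four_eyes, [], False
        self.log = [] if log is None else log  # shared, append-only audit trail
        record(self.log, group, "audit_started", auditor)
    def change(self, member, role, reason):  # role None = revoke; "member"/"manager" = re-role
        action = "revoke" if role is None else "role:" + role
        if not reason:
            raise ValueError("an explicit reason is required for access changes")
        if member not in self.members:
            raise KeyError(member)
        record(self.log, self.group, action, self.auditor, member, reason)
        self.pending.append((member, role))
        if not self.four_eyes:
            self._apply()
    def _apply(self):
        self.members.update(dict(self.pending))  # new roles; None marks a revoke
        self.members = {m: r for m, r in self.members.items() if r is not None}
        self.pending.clear()
    def complete(self, reviewer=None, note=None):
        if self.four_eyes and reviewer in (None, self.auditor):
            raise PermissionError("four-eyes: a distinct second reviewer must approve")
        record(self.log, self.group, "audit_completed", reviewer or self.auditor, reason=note)
        self._apply()
        self.finalized = True
```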


Access in your organization: who is in control?

Rights creep does not stop by itself. Employees keep changing roles, projects start and end, systems expand. Without a structural audit process, the gap between access policy and reality grows quietly but surely.

KeyHub places control where it belongs: with the people who know the content, equipped with the tools to act quickly and demonstrably. With group auditing and the ability to move seamlessly from one group to the next, the quarterly audit cycle is no longer a mountain to climb, but a manageable routine you can prove.

Want to know more about how group auditing works or how to configure it? Our documentation covers all configuration options. Would you like to discuss the right setup for your organization? Get in touch.

Glenn Bakker

Software Engineer