Who has access to your critical systems right now? Not last quarter. Not as of the last certification review. Right now, at this moment.
Most enterprises cannot answer that question with confidence. That is not a failure of effort. Most run joiner-mover-leaver workflows and regular certification cycles. The gap sits between the policy you enforce and the access your users actually hold. Policy definition typically lags behind system integration and process automation.
That gap has a name. It is access debt, and it grows a little every day. This is a policy gap. It is the result of automating process without access policy definition and continuous enforcement. Closing it starts with treating it as a structural problem, not an operational one.
Access debt is the accumulated distance between least privilege, the access your role actually requires, and the access you actually hold. Certification reviews only sample that distance periodically. A continuous identity architecture closes it by delegating policy definition and reconciling identity state against access policy in real time. That reconciliation reaches across every connected system, down to the live session.
Access debt is the accumulation of entitlements over time in the absence of continuous governance and access policy enforcement. Users collect access as they change roles, join projects, and cover for colleagues. Little of it is ever removed.
Like technical debt, access debt is invisible until the day it becomes expensive. It accrues quietly. It surfaces later as audit findings, failed certifications, and exposure no one intended to carry.
Access debt is the predictable output of scale, not negligence. A steady flow of ungoverned identity events, coupled with stale access policy, produces it. No single decision causes it.
Consider three common patterns. An employee changes roles, and new access is granted while old access is never removed. A contractor account is disabled at the end of an engagement, then reused and re-enabled months later with its former entitlements intact. A migration leaves shadow accounts behind in a system that was only half decommissioned.
None of this is negligence. It is what scale does to access when no governing system reconciles it. Docusign describes its own starting point in these terms: manual operations, with dozens of teams handling joiner and leaver events over email. That approach does not scale without adding headcount. Multiply it across thousands of users and tens of thousands of permissions, and the debt compounds.
Access certification is necessary, but it does not close access debt. The reason is structural, not operational. Certification reviews a snapshot, and the snapshot is out of date the moment it is taken.
Walk the timeline. The data pulled for review is often weeks old before a reviewer sees it. Reviewers take more days to respond. Deprovisioning lands months after the event that triggered the need for it. In a quarterly cycle, you never operate on current state. You operate on a reconciled history.
The table below contrasts periodic certification with continuous governance across the dimensions that matter.
|
Dimension |
Periodic certification |
Continuous governance |
|
Data freshness |
Snapshot, often weeks old |
Real-time reconciliation |
|
Trigger |
Calendar cycle |
Identity event |
|
Deprovisioning |
Days to months after the event |
Automated at the event |
|
Between cycles |
No active coverage |
Continuous coverage |
|
Live sessions |
Not addressed |
Session review possible |
|
Audit evidence |
Point-in-time attestation |
Continuous record |
If your answer to access debt is a better review cadence, you are treating a structural gap as a scheduling problem.
Closing access debt does not mean running more certification campaigns. It means evolving access policy and changing how identity data flows. The identity platform becomes the authoritative, real-time source for who receives access and who still holds it.
Two examples show the difference. Define a role in the identity governance platform, and a permission change to that policy propagates across its associated users and systems at once. When an out-of-band change appears in a downstream system, automated discovery detects it. The platform checks it against access policy and revokes it if required.
Three conditions make this work:
Architecture matters here. Security has to work as a robust ecosystem, not a siloed toolset. Bravura Security Fabric delivers on this model with automated discovery, policy enforcement, and remediation. Those capabilities extend across Bravura Identity for identity governance, Bravura Privilege for privileged credential management, and Bravura Pass for enterprise password management.
Proof should confirm a model, not carry it. Docusign runs continuous governance at production scale, and the results show what the model produces.
Docusign supports about 6,800 employees across systems that include Workday, Microsoft Entra ID, Active Directory, and Salesforce, plus applications such as Tableau, Oracle, and Slack. The company expanded its identity program with Bravura Identity and Bravura Pass to unify identity data and act on it.
The numbers show the shift from manual work to governed automation. Peter Muller reports Docusign is on pace for more than 1.2 million identity operations, with about 87% of knowledge worker access granted automatically and upwards of 93% for Developer resources. The rest flows through standard requests and approvals, which is where approval belongs.
Peter Muller, Principal Security Architect for Identity at Docusign, frames the goal this way: “Compliance and audit artifacts are useful byproducts of good governance.” Governance comes first. The audit evidence follows from it.
Docusign found a gap that most SaaS-heavy enterprises share. Offboarded users were disabled in the directory and the identity provider, yet stayed signed in to downstream cloud applications. Disabling an account does not always end the sessions it left open. Session logout is not applied consistently across identity providers and SaaS tools, and coverage varies by application.
Working with Bravura Security, Docusign extended governance into the session layer for the systems that matter most. That includes its identity provider, collaboration suite, and key SaaS applications. For platforms that grant tokens to other applications, the team revokes those tokens too, so a user loses access across connected tools at once. Deactivating an account does not end its live sessions. Who has access right now includes who is signed in right now.
Here is a test you can run without any new tooling. Picture someone leaving your organization today, effective immediately. Now time how fast each account tied to that person is confirmed closed, not merely submitted for closure.
Name the systems as you go: Active Directory, Microsoft Entra ID, Salesforce, your cloud applications, VPN, and each privileged account. Then run the harder version of the test. Confirm that each live session is ended, not just that each account is disabled. That is the answer an attacker cares about.
Docusign's own security architect closes his talk with the same test. If someone leaves today, can you say with confidence they have lost access across the tools they used, or are you relying on session timeouts to catch up? In a regulated environment, you want a real answer.
If the honest answer is measured in days, you have access debt.
This model is not universal, and it is worth being honest about the limits. Small environments with only a few connected systems may not justify continuous reconciliation. Some legacy applications without APIs may require manual steps, because there is nothing to automate against. The model also depends on clean, authoritative HR data. Poor source data produces fast, confident, and wrong decisions.
Session-level governance carries its own limit. Coverage is selective by application support, by design. Docusign applies it to the systems that matter most, because not every application exposes session or token controls. Termination is also not instant everywhere. Some systems acknowledge the request before the sessions actually end, so you account for that lag rather than assume it.
See how continuous governance closes access debt in practice. Read the Docusign customer story for the full picture: over 1.2 million identity operations in 2025, 87% of access automated, and session-level offboarding across critical SaaS. When you are ready to size your own exposure, request an identity access assessment.