“Anyone else surprised how manual SOC 2 access reviews still are?” Yes, and after years of platform marketing promising automation, the disappointment is understandable. Quarterly access reviews are SOC 2’s most common manual control, and they stay manual for a structural reason.

The promise vs. the reality of access review automation

The pitch is “continuous access monitoring.” The reality is that deciding whether a specific person should still have a specific permission is a judgment call only their manager can make. Automation can surface the list; it can’t make the decision. Per user, a manual review runs 5–15 minutes; with mature IGA automation it drops toward 30 seconds, but the decision still needs a human owner.

What Vanta, Drata, Sprinto actually automate

They pull user lists from your identity provider and connected apps, flag obvious problems (no MFA, orphaned accounts, dormant access) and give you a structured interface to run the review and capture sign-off. That’s genuinely useful, it eliminates the spreadsheet assembly. It does not eliminate the decision.

What’s still manual (and why)

The keep/revoke decision, the manager sign-off, the follow-through on revocations and the edge cases (contractors, service accounts, shared tools) remain manual. About 25% of mid-market teams miss their quarterly review target dates, not because the tooling is missing but because the human routing and follow-up aren’t operationalized.

The IGA tools that promise true automation

SailPoint, Saviynt and Okta IGA do automate large parts of access governance, provisioning workflows, certification campaigns, policy-based access. They cost $30K–$200K+/year and assume a dedicated identity owner. For most mid-market companies that’s out of reach and overkill; the platform’s access-review feature plus discipline is the right tier.

A working manual cadence that doesn’t burn out the team

Put the four quarterly review dates on the calendar a year ahead. One week before each, generate the lists from your platform. Route per-system lists to owning managers with a 5-day deadline. Track revocations to closure within SLA. Capture every sign-off with a date. Treat it as a recurring operation, not a fire drill. This is exactly the kind of work that lives in the compliance automation gap.

Where AttriEdge fits

Running the quarterly access-review cycle, generation, routing, follow-up, evidence, is part of every retainer. The diagnostic shows where your current cadence will fail an auditor before the auditor does.

If this stays stuck

Then the blocker is structural, not a missing file.

A stall that outlasts a tactical fix usually means the India entity cannot prove a control the buyer needs, and no single artifact will fix it. That is what the 48-hour diagnostic is built to find and map.

Book the $999 diagnostic →

Chain of custody. Drafted by H. Attri · Filed June 14, 2026 · One specimen of the evidence discipline AttriEdge operates for clients.