Cutting Access Risk by 67%
without the Security Jargon
Designing access governance for a global fintech so managers could own access decisions without needing a security degree.

What success looks like
67%
reduction in stale access to cardholder data after the first quarterly review cycle.
4X faster
onboarding for new hires: from 5-day access chaos to same-day provisioning
100%
audit evidence coverage, with zero manual spreadsheet exports, for the first time.
The UX Gap
What a manager actually sees when they try to approve access.
Here's the core UX problem. Existing tools were built by security engineers, for security engineers. Non-technical managers are handed that same interface and asked to make a risk-based decision with it.
"What is schema_admin? Is that bad? I'll just approve it so James isn't blocked."
What Existing Tools Show vs What AccessIQ Shows
What existing tools show a manager

What AccessIQ shows instead

Research
What I found when I looked at existing tools
I looked at 12 platforms in this space, the big enterprise names and newer challengers. Every single one showed managers raw technical data and asked them to make a judgment call.
None of them explained what the data meant. None suggested what the manager should do. None were designed for someone without a security background.
The Three Gaps
Gap 01
Language
Raw permissions, no translation
Managers see "scope:write:export" with no explanation of what it does or whether it's safe to approve.
Gap 02
Decision Support
No guidance, just data
Platforms show risk flags but never say what to do. Managers decide blind, every time.
Gap 03
Fintech Context
No templates for regulated roles
No platform ships ready-made bundles for roles like "EU Cards Analyst." Built from scratch, every time.
The gap wasn't in the technology. It was in who the technology was talking to.
The People
Who's actually involved
This isn't a technology problem. It's a people problem.
Manager
Know well
Their team, their goals, who needs what to do their job.
Don't know
"scope:write:export" — what any permission string means.
Employee
Need
Quick access to tools so they can start work without waiting days.
Instead
They request everything upfront to avoid going back and asking again.
Security Team
Responsible for
Proving to auditors that only the right people can access sensitive data.
Stuck with
Managers who approve everything and spreadsheets they stitch together manually.
The problem isn't that managers are careless. It's that the tools they're given speak a language they were never taught.
North Star
Can a non-technical manager make a confident decision in under 60 seconds?
The screens and the thinking behind each one
One question drove every screen.
Manager Dashboard
The Problem
Managers had no visibility into their team's access health. They only found out something was wrong when security escalated it, or an auditor did.
The Design Decision
Most tools answer "how bad is it?" This one answers "what do I do right now?" Five KPIs replace the Slack messages, emails, and spreadsheet tabs managers were juggling every morning.

Research insight
91% of managers had no consolidated view of their team's access health. The KPIs weren't pulled from a compliance checklist; they came from what managers were already trying to track themselves.
Conflict Detection
The Problem
When a conflict was flagged (two permissions that policy says one person should not hold together), tools showed a red badge and nothing else. Managers had no idea what it meant, so they approved it anyway and moved on.
The Design Decision
The consequence of approving comes before the buttons. Always. Showing the real-world risk in plain English, not just a colour, is what makes managers actually stop and think.

Research insight
Managers approved conflicts in other tools because warnings were visual noise with no meaning. Replacing the red badge with a one-line consequence was the change that turned ignored alerts into actual decisions.
Approvals Queue
The Problem
80–120 requests a month, shown as a flat list. Everything looked equally urgent, so managers rubber-stamped them just to clear their inbox.
The Design Decision
The queue is triaged before the manager sees it. Four counters tell the shape of the work up front, including what needs human judgment, what AI handles, and what's blocked.

Research insight
Approval fatigue is a leading cause of over-provisioning in high-volume IAM environments. When everything looks the same priority, risky requests slip through alongside routine ones.
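How the three gaps and the two screens above fit together in code, as an added example that is not AccessIQ's code: a permission catalogue that supplies the plain-English translation (Gap 01), separation-of-duties rules whose consequence text is what the manager reads before the buttons (Conflict Detection), the peer-share figure that the catalogue later shows employees, and a triage that buckets the queue before anyone sees it (Approvals Queue). The catalogue entries, rules, names, requests and peer counts are constructed sample data, and the triage rules are an assumption standing in for whatever the product's own logic does; the permission strings are the ones quoted on this page.

```python
from dataclasses import dataclass

# Constructed catalogue (not the product's): raw permission -> (plain-English meaning, risk tier).
CATALOGUE = {
    "scope:read:reports": ("view monthly reports", "low"),
    "scope:read:cards": ("view cardholder data (masked)", "medium"),
    "scope:write:export": ("export customer records as files", "high"),
    "schema_admin": ("change database structure and grant others access", "high"),
    "payments:initiate": ("create outgoing payments", "high"),
    "payments:approve": ("approve outgoing payments", "high"),
}

# Constructed separation-of-duties rules: holding every permission in the set is a
# conflict, and the text is the consequence the manager reads before the buttons.
SOD_RULES = [
    (frozenset({"payments:initiate", "payments:approve"}),
     "could create and approve their own payments with no second pair of eyes"),
    (frozenset({"scope:read:cards", "scope:write:export"}),
     "could export cardholder data out of the company"),
]


@dataclass(frozen=True)
class Request:
    request_id: str
    user: str
    permission: str
    current_access: frozenset   # what the user already holds
    justification: str = ""


def translate(permission):
    """Gap 01: turn a raw permission string into what it lets a person do."""
    meaning, risk = CATALOGUE.get(permission, ("unknown permission, not in the catalogue", "unknown"))
    return {"permission": permission, "meaning": meaning, "risk": risk}


def conflicts_for(current_access, permission):
    """Consequence text for each SoD rule the new grant would complete.
    Evaluates current access plus the request, so the toxic pair is caught
    whichever half is requested second. Conflicts already present that the
    request does not touch belong to the access review, not to this decision."""
    combined = set(current_access) | {permission}
    return [text for rule, text in SOD_RULES if permission in rule and rule <= combined]


def evaluate(req, peers_with_access=0, team_size=1):
    """Gap 02: the decision-support card a manager sees instead of raw data."""
    card = translate(req.permission)
    card["request_id"] = req.request_id
    card["conflicts"] = conflicts_for(req.current_access, req.permission)
    card["peer_share"] = peers_with_access / team_size if team_size else 0.0
    card["headline"] = (f"{req.user} {card['conflicts'][0]}" if card["conflicts"]
                        else f"{req.user} would be able to {card['meaning']} ({card['risk']} risk)")
    return card


def triage(requests, peer_stats):
    """Bucket the queue before the manager sees it (assumed rules, not the product's):
    blocked  = completes an SoD conflict, or the permission is not in the catalogue;
    auto     = low risk, justified, and at least half the team already holds it;
    judgment = everything else, the part that needs a human."""
    buckets = {"blocked": [], "auto": [], "judgment": []}
    for req in requests:
        holders, team = peer_stats.get(req.permission, (0, 1))
        card = evaluate(req, holders, team)
        if card["conflicts"] or card["risk"] == "unknown":
            buckets["blocked"].append(card)
        elif card["risk"] == "low" and req.justification.strip() and card["peer_share"] >= 0.5:
            buckets["auto"].append(card)
        else:
            buckets["judgment"].append(card)
    return buckets


# Constructed sample queue and peer statistics: permission -> (holders in team, team size).
SAMPLE_QUEUE = [
    Request("R-1", "james", "schema_admin", frozenset({"scope:read:reports"}), "Need to run migrations"),
    Request("R-2", "priya", "payments:approve", frozenset({"payments:initiate"}), "Covering for Sam"),
    Request("R-3", "lee", "scope:read:reports", frozenset(), "Monthly reporting"),
    Request("R-4", "ana", "scope:read:reports", frozenset(), ""),
    Request("R-5", "tom", "legacy:thing", frozenset(), "Old script needs it"),
]
PEER_STATS = {"scope:read:reports": (7, 8), "schema_admin": (1, 8)}


def triage_sample():
    """Run the triage over the constructed queue."""
    return triage(SAMPLE_QUEUE, PEER_STATS)


if __name__ == "__main__":
    for bucket, cards in triage_sample().items():
        print(bucket, [c["headline"] for c in cards])
```

The one design choice worth noting is in conflicts_for: it checks the union of existing and requested access, not the request in isolation, so a manager who approved "payments:initiate" last month still sees the consequence when "payments:approve" arrives today. James's schema_admin request lands in the judgment bucket rather than auto precisely because the risk tier, not the request volume, decides what a human has to read.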
AI Recommendation
The Problem
Managers received a permission string and two buttons: no context, no suggestion, no risk signal. With nothing to go on, 91% approved everything to avoid blocking their team.
The Design Decision
The AI recommendation leads, with its confidence score (97% in the screen shown) and plain-English reasoning, before any buttons appear. Managers confirm a recommendation rather than interpreting raw data, and the manager remains the one who approves.


Research insight
Adding the confidence score and plain-English reasoning was the single change that lifted AI suggestion adoption from 22% to 61% in testing.
Access Catalogue
The Problem
Employees had no way to see what tools existed or what they did. They messaged their manager, who guessed what to grant, so requests came in broad to avoid asking twice.
The Design Decision
One place. Every tool described in plain English: what you can do, what you can't, and how many peers in your role already have it.

Research insight
Showing peer data directly reduced over-broad requests. When employees saw colleagues only had read-only access, they stopped asking for admin, cutting review volume downstream.
Extend Access
The Problem
Employees had no self-service way to manage access. Everything went through the manager via Slack, and expired access was only discovered when they got locked out.
The Design Decision
Two decisions only: how long, and why. Current access is shown upfront so employees know what they already have before submitting a new request.


Research insight
The expiry warning inside the modal let employees extend access in under 60 seconds, eliminating the emergency Slack messages managers got every time someone was locked out.
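Added example, not AccessIQ's code: time-boxed grants, the expiry warning shown inside the extend-access flow, and the quarterly stale-access review that the 67% headline figure comes from, including the evidence row per decision that replaces the security team's spreadsheet. The dates, grants, names and the three policy numbers (extension cap, warning window, stale threshold) are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

MAX_EXTENSION_DAYS = 90   # assumed policy: longest single extension an employee can request
WARN_BEFORE_DAYS = 14     # assumed: show the expiry warning inside this window
STALE_AFTER_DAYS = 30     # assumed: unused this long at review time counts as stale


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    granted: date
    expires: date
    last_used: Optional[date] = None
    justification: str = ""


def expiry_status(grant, today):
    """'expired', 'expiring' (inside the warning window) or 'active'."""
    days_left = (grant.expires - today).days
    if days_left < 0:
        return "expired"
    if days_left <= WARN_BEFORE_DAYS:
        return "expiring"
    return "active"


def expiring_soon(grants, today):
    """What the modal warns about: grants that will lapse within the window."""
    return [g for g in grants if expiry_status(g, today) == "expiring"]


def extend(grant, days, why, today):
    """The two decisions from the extend-access modal: how long, and why."""
    if not why.strip():
        raise ValueError("a reason is required; it becomes the audit record")
    if not 1 <= days <= MAX_EXTENSION_DAYS:
        raise ValueError(f"extension must be between 1 and {MAX_EXTENSION_DAYS} days")
    # Extend from the current expiry while the grant is still valid, otherwise
    # from today, so a lapsed grant cannot be quietly backfilled over the gap.
    base = grant.expires if expiry_status(grant, today) != "expired" else today
    return replace(grant, expires=base + timedelta(days=days), justification=why)


def review_cycle(grants, today):
    """Quarterly review: keep or revoke each grant and emit one evidence row per decision."""
    keep, revoke, evidence = [], [], []
    for g in grants:
        idle_days = (today - (g.last_used or g.granted)).days
        if expiry_status(g, today) == "expired":
            reason = f"expired on {g.expires}"
        elif idle_days > STALE_AFTER_DAYS:
            reason = f"unused for {idle_days} days"
        else:
            reason = ""
        (revoke if reason else keep).append((g, reason))
        evidence.append({
            "user": g.user, "permission": g.permission,
            "decision": "revoke" if reason else "keep",
            "reason": reason or "in use within the review window",
            "reviewed_on": today.isoformat(),
        })
    return {"keep": keep, "revoke": revoke, "evidence": evidence}


# Constructed review date and grants; the permission strings are the ones on this page.
TODAY = date(2024, 4, 1)
SAMPLE_GRANTS = [
    Grant("james", "scope:read:cards", date(2024, 1, 2), date(2024, 4, 10), last_used=date(2024, 3, 30)),
    Grant("priya", "scope:write:export", date(2023, 12, 1), date(2024, 3, 1), last_used=date(2024, 1, 15)),
    Grant("lee", "scope:read:reports", date(2024, 2, 1), date(2024, 8, 1), last_used=date(2024, 2, 3)),
    Grant("ana", "scope:read:reports", date(2024, 3, 15), date(2024, 9, 15)),
]

if __name__ == "__main__":
    for g in expiring_soon(SAMPLE_GRANTS, TODAY):
        print(f"warn {g.user}: {g.permission} expires {g.expires}")
    for row in review_cycle(SAMPLE_GRANTS, TODAY)["evidence"]:
        print(row)
```

Two details matter for the security team rather than the employee. A lapsed grant is extended from today, never from its old expiry, so nobody can paper over the period it was dead; and the evidence list is produced by the same function that makes the keep/revoke decision, which is what lets the auditor's question be answered without a second, hand-built spreadsheet.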
Request Access
The Problem
Requesting access meant messaging your manager, waiting, explaining, and hoping they approved the right thing. No standard process, no record, no way to track it.
The Design Decision
Two questions. What you'll get is shown before you ask, so there are no surprises after approval. The justification field creates the audit trail automatically; no separate process is needed.


Research insight
The "Why do you need this?" field turns a rubber-stamp approval into a documented decision. When managers see the reason, they make better calls. When auditors ask, the answer is already there.