The continued need for an identity (user) to have access to an asset is not validated when identity (user) repositories are reviewed
Context and Guidance: The objective of a user access review is to assess the appropriateness of the access that has been provisioned to identities (users). It also involves checking whether any access to assets (such as networks, systems, and applications) is commensurate with each identity's role and duties within the function.
Access reviews should follow the principle of least privilege, and the access validation they perform should go beyond a basic check of whether the individual associated with an identity (user) is still employed by the function.
For example, if the review only checks whether the user is still active within the organisation, and not whether there is a continued need for the access, that would indicate that this Anti-Pattern is "Present".
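The difference between the two kinds of review, as an added example that is not part of the original guidance: the first function performs only the employment check, the second validates each grant against the identity's current role. The user names, roles, entitlements, role baseline and the time-limited exception register are constructed assumptions; the exception handling goes slightly beyond the text above.

```python
from datetime import date

# Constructed sample data; all names and fields are hypothetical.
HR_ACTIVE = {"alice": "finance-analyst", "bob": "helpdesk"}  # active user -> current role
ROLE_BASELINE = {  # access each role needs for its duties
    "finance-analyst": {"erp:read", "erp:post-journal"},
    "helpdesk": {"ticketing:agent"},
}
GRANTS = [  # identity repository export: (user, entitlement)
    ("alice", "erp:read"), ("alice", "erp:post-journal"),
    ("bob", "ticketing:agent"),
    ("bob", "erp:post-journal"),    # left over from a previous role
    ("bob", "vpn:admin"),           # covered by an exception that has lapsed
    ("carol", "erp:read"),          # leaver whose account was never removed
]
EXCEPTIONS = {("bob", "vpn:admin"): date(2024, 1, 31)}  # approved until this date

def employment_only_review(grants, hr_active):
    """Basic check: flags access only when the user is no longer employed."""
    return [(u, e, "user not active") for u, e in grants if u not in hr_active]

def continued_need_review(grants, hr_active, baseline, exceptions, today):
    """Least-privilege check: every grant must be needed by the current role
    or covered by an exception that has not expired."""
    findings = []
    for user, ent in grants:
        if user not in hr_active:
            findings.append((user, ent, "user not active"))
            continue
        if ent in baseline.get(hr_active[user], set()):
            continue  # access is commensurate with role and duties
        expiry = exceptions.get((user, ent))
        if expiry is None:
            findings.append((user, ent, "not required by current role"))
        elif expiry < today:
            findings.append((user, ent, "exception expired"))
    return findings

if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed review date
    for row in continued_need_review(GRANTS, HR_ACTIVE, ROLE_BASELINE, EXCEPTIONS, today):
        print(row)
```

On this sample the employment-only review reports one finding, while the continued-need review also reports the two grants held by an active user that the current role does not require.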