Auditors have flagged that admin access is left switched on across our estate
An auditor's report has identified dozens of permanent admin role assignments — DevOps engineers with full global admin, finance contractors with elevated privileges in Microsoft 365. The CISO wants permanent admin rights replaced by request-and-approve, with a defensible just-in-time pattern in place by year-end.
Trigger — Audit finding; cyber-insurance renewal coming up.
Good outcome — No one walks around with permanent admin rights. When an engineer needs them, they request and get them for a fixed window, and there's a record of every activation. The audit finding closes.