
Access Control

Also known as: Logical Access Control. Commonly implemented as RBAC (Role-Based Access Control), which is one access-control model rather than a synonym for the discipline.

Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.

Written by Askara Solutions editorial team

Access control is where the security programme proves itself in practice. The policy on paper might require least privilege and separation of duties, but the moment that matters is when a real employee, contractor, or system tries to do a real thing and the platform either allows it or refuses it. Almost every Annex A control in the access family (controls 5.15 to 5.18 and 8.2 to 8.5 in ISO/IEC 27001:2022) is a question about the gap between what the policy says and what the platform actually enforces.

Role-Based Access Control is the dominant pattern in European mid-market companies, because it lets administrators reason about access in terms of business roles rather than per-user permissions. The discipline depends on the role catalogue itself: too few roles and the system collapses into administrator-or-end-user; too many roles (often one per person, created to satisfy an exception) and the catalogue becomes a maintenance burden in its own right and the reviews stop being meaningful. Attribute-Based Access Control adds context to the decision (time of day, network location, sensitivity of the resource, device posture), so that holding a role is necessary but not sufficient. That is increasingly relevant as the workforce becomes distributed and the network perimeter stops being a useful proxy for trust.

Whatever model is chosen, three operational rhythms separate working access control from documented access control. Joiner, mover, and leaver events change access promptly rather than at the next audit. Access reviews run on a published cadence and are approved by named individuals, not rubber-stamped by a manager who inherited a spreadsheet. And privileged access, in particular, is subject to a tighter loop: time-limited, recorded, and challenged. The Askara Solutions agent maintains the linkage between the access catalogue, the role definitions, and the risk register, so the controls people show the auditor are the controls that are actually operating.
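The two paragraphs above describe a decision model (roles plus attributes) and a lifecycle (joiner, mover, leaver, time-limited privileged grants, an audit record of every decision). The following is an added illustrative policy decision point that puts both together in working code; it is not Askara Solutions' product code or any standard's reference implementation. The role catalogue, user names, the `10.0.0.0/8` "corporate network", the business-hours window and the four-hour cap on privileged grants are all constructed assumptions.

```python
"""Minimal RBAC + ABAC decision point with joiner/mover/leaver and time-boxed privilege.
Added example, not Askara Solutions code; every name and threshold is an assumption."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# RBAC role catalogue: role -> {(action, resource_class)}; "*" is a wildcard. Constructed.
ROLE_CATALOGUE = {
    "finance_analyst": {("read", "ledger"), ("export", "ledger")},
    "payroll_admin": {("read", "payroll"), ("write", "payroll")},
    "platform_admin": {("read", "*"), ("write", "*"), ("admin", "*")},
}
PRIVILEGED_ROLES = {"platform_admin"}       # only grantable just-in-time, with expiry
MAX_PRIVILEGED_TTL = timedelta(hours=4)      # assumed policy ceiling for a privileged grant
CORPORATE_NET = ip_network("10.0.0.0/8")     # assumed trusted network location (ABAC)
BUSINESS_HOURS = range(8, 18)                # assumed UTC window for confidential data (ABAC)


@dataclass
class Grant:
    role: str
    approver: str                              # named individual, not "the system"
    expires_at: datetime | None = None         # None = standing grant; privileged ones must expire


@dataclass
class Identity:
    user: str
    grants: list[Grant] = field(default_factory=list)
    active: bool = True


@dataclass
class Request:
    user: str
    action: str
    resource_class: str
    sensitivity: str                           # "internal" or "confidential"
    source_ip: str
    at: datetime


class AccessControlPoint:
    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.audit_log: list[dict] = []        # every lifecycle event and decision is recorded

    # Joiner / mover / leaver: access changes at the event, not at the next review.
    def joiner(self, user: str, roles: list[str], approver: str) -> None:
        self.identities[user] = Identity(user, [Grant(r, approver) for r in roles])
        self._record("joiner", user, roles=roles, approver=approver)

    def mover(self, user: str, roles: list[str], approver: str) -> None:
        # Replace rather than append: a move that only adds roles is how privileges accumulate.
        self.identities[user].grants = [Grant(r, approver) for r in roles]
        self._record("mover", user, roles=roles, approver=approver)

    def leaver(self, user: str) -> None:
        ident = self.identities[user]
        ident.active, ident.grants = False, []
        self._record("leaver", user)

    # Privileged access: time-limited, capped, and attributed to a named approver.
    def grant_privileged(self, user: str, role: str, ttl: timedelta, approver: str, now: datetime) -> None:
        if role not in PRIVILEGED_ROLES:
            raise ValueError(f"{role} is not privileged; use joiner/mover for standing roles")
        if ttl > MAX_PRIVILEGED_TTL:
            raise ValueError(f"privileged grants are capped at {MAX_PRIVILEGED_TTL}")
        self.identities[user].grants.append(Grant(role, approver, now + ttl))
        self._record("privileged_grant", user, role=role, approver=approver, expires_at=(now + ttl).isoformat())

    def decide(self, req: Request) -> tuple[bool, str]:
        ident = self.identities.get(req.user)
        if ident is None or not ident.active:
            return self._deny(req, "no active identity")
        # RBAC step: some unexpired grant must carry the (action, resource_class) permission.
        live_roles = [g.role for g in ident.grants if g.expires_at is None or g.expires_at > req.at]
        if not any(self._permits(r, req.action, req.resource_class) for r in live_roles):
            return self._deny(req, f"no live role permits {req.action} on {req.resource_class}")
        # ABAC step: confidential resources additionally need a trusted location and business hours.
        if req.sensitivity == "confidential":
            if ip_address(req.source_ip) not in CORPORATE_NET:
                return self._deny(req, "confidential access from outside corporate network")
            if req.at.hour not in BUSINESS_HOURS:
                return self._deny(req, "confidential access outside business hours")
        self._record("allow", req.user, action=req.action, resource=req.resource_class)
        return True, "allow"

    @staticmethod
    def _permits(role: str, action: str, resource_class: str) -> bool:
        perms = ROLE_CATALOGUE.get(role, set())
        return (action, resource_class) in perms or (action, "*") in perms

    def _deny(self, req: Request, reason: str) -> tuple[bool, str]:
        self._record("deny", req.user, action=req.action, resource=req.resource_class, reason=reason)
        return False, reason

    def _record(self, event: str, user: str, **details) -> None:
        self.audit_log.append({"event": event, "user": user, **details})


def demo() -> tuple[dict[str, bool], list[dict]]:
    """Walk one constructed identity through joiner, JIT privilege, expiry, mover and leaver."""
    pdp = AccessControlPoint()
    t0 = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)   # constructed: 10:00 UTC on a weekday
    corp, home = "10.1.2.3", "203.0.113.9"
    pdp.joiner("alice", ["finance_analyst"], approver="cfo")
    r: dict[str, bool] = {}
    r["ledger_read"] = pdp.decide(Request("alice", "read", "ledger", "internal", corp, t0))[0]
    r["payroll_write"] = pdp.decide(Request("alice", "write", "payroll", "confidential", corp, t0))[0]
    pdp.grant_privileged("alice", "platform_admin", timedelta(hours=2), approver="ciso", now=t0)
    r["jit_payroll_write"] = pdp.decide(Request("alice", "write", "payroll", "confidential", corp, t0 + timedelta(hours=1)))[0]
    r["jit_from_home"] = pdp.decide(Request("alice", "write", "payroll", "confidential", home, t0 + timedelta(hours=1)))[0]
    r["jit_expired"] = pdp.decide(Request("alice", "write", "payroll", "confidential", corp, t0 + timedelta(hours=3)))[0]
    pdp.mover("alice", ["payroll_admin"], approver="hr_director")
    r["after_move_ledger"] = pdp.decide(Request("alice", "read", "ledger", "internal", corp, t0))[0]
    r["after_move_night"] = pdp.decide(Request("alice", "write", "payroll", "confidential", corp, t0.replace(hour=22)))[0]
    pdp.leaver("alice")
    r["after_leave"] = pdp.decide(Request("alice", "read", "payroll", "internal", corp, t0))[0]
    return r, pdp.audit_log


if __name__ == "__main__":
    results, log = demo()
    for name, allowed in results.items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(log)} audit records written")
```

The design point worth noticing is the order of checks: the role check answers "may this kind of user ever do this", the attribute check answers "may they do it now, from here", and both outcomes land in the same audit log with the reason attached. That log, rather than the role catalogue, is what an access review should be reconciling against, because it shows which grants were actually exercised and which have sat unused since the last joiner event.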

Related terms

  • Identity and Access Management

    The discipline of authenticating who someone is, deciding what they are allowed to do, and recording the decisions so they can be reviewed, revoked, or attested to over time.

  • Least Privilege

    Principle that every identity should hold only the permissions required for its legitimate function, with privileges granted, time-bound, and revoked rather than accumulated.

  • Annex A

    The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.

  • Information Security Management System

    The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.
