Access Control

Also known as:
  • Logical Access Control
  • access-control

Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.

Written by Askara Solutions editorial team

Access control is where the security programme proves itself in practice. The policy on paper might require least privilege and separation of duties, but the moment that matters is when a real employee, contractor, or system tries to do a real thing and the platform either allows it or refuses it. Almost every Annex A control in the access family is a question about the gap between those two statements.

Role-based models, where permissions flow from assigned business roles rather than per-user grants, are the dominant pattern in mid-market companies because they make the access landscape manageable as headcount grows. Attribute-based approaches add context to the decision (time of day, network location, sensitivity of the resource), which matters more as the workforce distributes and the network perimeter dissolves.

Whatever model is chosen, three operational rhythms separate working access control from documented access control. Joiner, mover, and leaver events change access promptly rather than at the next audit. Access reviews run on a published cadence and are approved by named individuals, not rubber-stamped by a manager who inherited a spreadsheet. And privileged access, in particular, is subject to a tighter loop: time-limited, recorded, and challenged. The Askara Solutions agent maintains the linkage between the access catalogue, the role definitions, and the risk register, so the controls people show the auditor are the controls that are actually operating.
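The two paragraphs above describe a role-based grant layer, attribute-based conditions on top of it, time-limited privileged access, prompt mover and leaver handling, and a reviewable record of decisions. The following is an added example that is not Askara Solutions code and does not describe their agent: a minimal decision engine combining those pieces. Every role name, resource, user, IP range and the helper `at()` (a fixed sample day) are constructed for illustration.

```python
"""Added example (not Askara Solutions code): RBAC grants, ABAC context
conditions, time-limited privileged grants, mover/leaver handling and a
reviewable decision log. All data below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Role definitions (constructed): role -> permissions as (action, resource) pairs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "finance-analyst": {("read", "ledger"), ("read", "invoices")},
    "finance-manager": {("read", "ledger"), ("approve", "invoices")},
    "dba-privileged": {("admin", "ledger")},
}

# Resource sensitivity labels and the network treated as "inside" (constructed).
RESOURCE_SENSITIVITY: Dict[str, str] = {"ledger": "high", "invoices": "medium"}
CORPORATE_NET = ip_network("10.0.0.0/8")
PRIVILEGED_ACTIONS = {"approve", "admin"}


def at(hour: int, minute: int = 0) -> datetime:
    """Timestamp on a fixed constructed sample day, so examples are deterministic."""
    return datetime(2024, 3, 4, hour, minute)


@dataclass
class Grant:
    role: str
    expires_at: Optional[datetime] = None  # None = standing grant; set for time-limited privilege


@dataclass
class Subject:
    user: str
    grants: List[Grant] = field(default_factory=list)


@dataclass
class Context:
    now: datetime
    source_ip: str


# Every decision is appended here so it can be reviewed later.
DECISION_LOG: List[dict] = []


def active_roles(subject: Subject, now: datetime) -> Set[str]:
    """Roles whose grant is standing or has not yet expired."""
    return {g.role for g in subject.grants if g.expires_at is None or g.expires_at > now}


def attribute_checks(action: str, resource: str, ctx: Context) -> List[str]:
    """ABAC layer: contextual conditions evaluated on top of role permissions."""
    reasons = []
    if RESOURCE_SENSITIVITY.get(resource) == "high" and ip_address(ctx.source_ip) not in CORPORATE_NET:
        reasons.append("high-sensitivity resource requires corporate network")
    if action in PRIVILEGED_ACTIONS and not (8 <= ctx.now.hour < 18):
        reasons.append("privileged action outside business hours")
    return reasons


def decide(subject: Subject, action: str, resource: str, ctx: Context) -> Tuple[bool, List[str]]:
    """RBAC first (does an active role grant the permission?), then ABAC conditions."""
    roles = active_roles(subject, ctx.now)
    granting_roles = sorted(r for r in roles if (action, resource) in ROLE_PERMISSIONS.get(r, set()))
    reasons = [] if granting_roles else ["no active role grants this permission"]
    reasons += attribute_checks(action, resource, ctx)
    allowed = not reasons
    DECISION_LOG.append({
        "time": ctx.now.isoformat(), "user": subject.user, "action": action,
        "resource": resource, "source_ip": ctx.source_ip, "roles": granting_roles,
        "decision": "ALLOW" if allowed else "DENY", "reasons": reasons,
    })
    return allowed, reasons


def change_role(subject: Subject, old_role: str, new_role: str) -> None:
    """Mover event: the old role is removed, not accumulated alongside the new one."""
    subject.grants = [g for g in subject.grants if g.role != old_role]
    subject.grants.append(Grant(new_role))


def offboard(subject: Subject) -> None:
    """Leaver event: all grants revoked at once, not at the next review."""
    subject.grants.clear()


def denied_decisions() -> List[dict]:
    """Review view: the denials an access reviewer would want to inspect."""
    return [e for e in DECISION_LOG if e["decision"] == "DENY"]


if __name__ == "__main__":
    alice = Subject("alice", [Grant("finance-analyst")])
    print(decide(alice, "read", "ledger", Context(at(10), "10.1.2.3")))      # (True, [])
    print(decide(alice, "read", "ledger", Context(at(10), "203.0.113.5")))   # denied: off-network
    carol = Subject("carol", [Grant("dba-privileged", expires_at=at(12))])
    print(decide(carol, "admin", "ledger", Context(at(13), "10.9.9.9")))     # denied: grant expired
    print(len(denied_decisions()), "denials recorded for review")
```

The order matters: role membership answers "may this kind of user do this at all", and the attribute layer then narrows by context, so a denial reason always tells the reviewer which layer refused. Expiry is evaluated at decision time rather than by a cleanup job, which is what makes a privileged grant genuinely time-limited.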
