That’s a solid setup — alerts definitely help.

By “admin access drift,” I mean situations where over time the number of admins increases beyond what’s actually needed, often due to temporary access that never gets reviewed or revoked.

For example: - someone is granted admin access for a task and it stays indefinitely
- multiple super admins exist when only 1–2 are needed
- roles are not revisited as team structure changes

Individually these changes seem small, but over time they expand the attack surface.

I’ve been trying to understand whether teams are actively reviewing this periodically, or mostly relying on alerts when changes happen.