Accounts have been removed and you didn't know!

I recommend your scope is regularly cross references with accounts resources such as access control lists (ACL). This is important as you need to be aware as soon as possible whenever an account has been disabled or removed from the platform.

Otherwise you will spend or waste time trying to remediate an account that no longer exists.

However if ACLs are generally only produced to support a user access verification exercise which might be quarterly at best, it may be a bit of work trying to get a real time view of a platform. One solution is to grant your project resources temporary, read access to for example Active Directory. Of course this depends on the appetite within your security area to grant even read access.

As an alternative you could push for granting at least one person access to platforms, or align a resource from your identify management area to support the project.

Get this right and not only will you save valuable time and money but your analysts will get the brief thrill of a quick win that they did not have to lift a finger to claim!