An important axiom of user access administration is: "In the absence of policies, all user access is exceptional." Most organizations make limited use of "birthright" entitlement assignments, leaving the vast majority of user access in their environments exceptional and subject to procedural governance burdens such as access requests requiring approvals and periodic access certification. Policy-driven administration can reduce these burdens significantly while simultaneously improving management of access risks, but only when combined with proper governance over access policies. This session presents practical advice for adopting policy-driven administration with a governance framework that is applicable across industries, and includes insights about how machine learning can be applied most effectively to manage user access risks.