Most organizations agree with least privilege in theory, but momentum stalls as soon as “we’re actually going to remove access” enters the conversation. Users fear being blocked, leaders fear outages, and internal audit keeps asking for cleaner evidence and fewer exceptions.

In this session, we’ll walk through how Yelp designed and rolled out a continuous access revocation system for every employee that our engineers, leaders, and auditors actually trust. Starting in 2021 with a single system, we now continuously monitor and automatically revoke unused access across platforms that control production deployments, incident response, financial operations, and other critical assets. Today, this protects more than 5,000 people and removes hundreds of unused privileges each month, shrinking our standing‑access footprint and reducing the risk of credential abuse and lateral movement without derailing day‑to‑day work.

We’ll cover the architectural patterns we landed on and how we applied them as we scaled from a single system to most major systems at Yelp: “stopping the bleeding” for new applications by default, then onboarding the legacy surface. We’ll share lessons learned, including how overly broad exceptions and conservative thresholds initially limited our risk‑reduction goals and what we changed to fix that.

Most importantly, we’ll explore the human element: how we balanced security vs. usability, marketed the program, handled “never break production” teams, tuned signals to earn trust, reduced compliance burden, and avoided organizational distrust of continuous access revocation.