I think this is a step forward, but I think it is better to think of access in terms of what responsibilities a person or group has.

When new access is to be given, it should be framed in the context of what new responsibilities are required.

I think this framing provides not just justification, but can provide inherent expectations of a users behavior that is easier to inspect and interrogate if needed.

> When you understand why someone has access, you can make confident decisions about managing it. It’s hard to know whether it’s safe to remove access if you don’t even know why it’s there to begin with.

I might be missing the basic premise of this piece.

Why is there someone making confident unilateral decisions about someone else's access ? If granting access went through a process with 2 or more parties involved, shouldn't removing that same access go to the reverse process and start with an exchange with the relevant entities ?

PS: this is IMHO the main reason negociating explicit time limits during the grant process makes it much easier to manage. These limits can be reset/extented as needed and there's no need to do additional back and forth when the user lets their access lapse after a set of reminders.