NIST 800-53 REV 5 • ACCESS CONTROL
AC-13 — Supervision and Review — Access Control
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
This is a withdrawn control that has been incorporated into AC-2 and AU-6. The intent is that access control activities should be supervised and reviewed through account management (AC-2) and audit review (AU-6) processes.
Example 1: Implement the review requirements through AC-2: conduct quarterly access reviews of all accounts. Use your AD access review process or Azure AD Access Reviews to systematically verify that everyone's access is still appropriate.
Example 2: Pair the access reviews with AU-6 audit log reviews. Have your security team review audit logs for access control events weekly and report any anomalies to management. Use your SIEM dashboards to make this efficient rather than reading raw logs.