
High-Dollar Manual User Access Reviews: A Thing of the Past

Company size: 1000+ employees
Industry: Cloud Infrastructure / Web Hosting
Compliance Framework: PCI DSS

Instead of chasing app owners and wrestling with spreadsheets each quarter, we now review access in minutes with Stitchflow. The process practically runs itself, and nothing falls through the cracks.

Matt Straka

Director of IT, Vercel

The challenge: Quarterly reviews that drained time, budget, and trust

As a leading platform for front-end development and hosting, Vercel manages over 100 SaaS apps and is held to strict PCI DSS compliance standards. But their quarterly access reviews were anything but streamlined.

Each cycle pulled in 50+ stakeholders across Finance, IT, Security, and line-of-business owners, yet the process was slow, manual, and high-risk:

  • Access reviews were tracked in Notion, with IT chasing follow-ups
  • CSVs were exported and compared manually against Okta data
  • Excel VLOOKUPs were used to find ex-employees and outdated access
  • Escalations were common, reporting was fragmented, and teams were frustrated

What should’ve been a repeatable, controlled process instead consumed weeks of senior team time, introduced audit risk, and relied on disconnected tools and outdated workflows.

The solution: Okta anchored identity. Stitchflow automated everything else.

Okta remained Vercel’s core identity platform, managing SSO and lifecycle for primary apps. But identity coverage stopped at the edge of what was SCIM- or SSO-enabled.

That left dozens of tools outside Okta’s perimeter, especially CSV-based apps, shadow IT, and systems outside of automated provisioning, forcing IT to track access manually across spreadsheets and Notion.

Stitchflow filled this gap by continuously auditing 100+ apps (connected and disconnected), mapping them to Vercel’s access policies, and identifying risks that would’ve been missed.

What Stitchflow enabled:

  • Automated reminders to app owners, eliminating manual follow-ups
  • Live account status (deactivated in Okta, hidden, inactive > 90 days)
  • Shared review boards with full context; no spreadsheets or Notion docs
  • Auditable logs and approval records, ready for PCI DSS audits at any time

Access reviews cut from weeks to hours

across 100+ SaaS apps, dramatically reducing compliance overhead

Audit-ready at all times

with full approval trails, app context, and historical access logs

Zero spreadsheets or VLOOKUPs

with all reviews centralized in Stitchflow’s live dashboards

50+ stakeholders unblocked

from manual reviews, follow-ups, and spreadsheet escalations

2 FTE of IT and Compliance time freed up

from quarterly audit prep, coordination, and reporting

The outcome

With Stitchflow, Vercel turned a painful, spreadsheet-driven audit process into a continuous, automated review system, one that spans both managed and disconnected apps.

No more scrambling at the end of the quarter. No more missed users. No more high-cost access reviews.

Stitchflow gave Vercel real access governance without manual effort.
