Opinion

Chesterton's fence doesn't apply to access controls

Maya Kaczorowski

CEO / Founder

Chesterton's fence says you shouldn't remove something when you don't understand its purpose: someone had a reason to put that fence there, and you shouldn't remove it without understanding why.

IT teams reluctantly apply this principle to access controls. They're terrified of removing access because they don't understand why it was granted in the first place. What if removing it breaks something? This fear consistently trumps the principle of least privilege, leaving organizations with sprawling access that nobody understands. Why not apply Occam's razor instead? The simplest explanation for why someone has admin access to everything is that they must need it, right?

But access controls work differently than fences.

Use the data you already have

The fear is real: remove the wrong access and someone can't do their job (or the cows escape). But just because you don't understand why access was granted in the first place (the core issue in Chesterton's fence) doesn't mean you can't validate that it's safe to remove.

Unlike rebuilding a fence, regranting access should be straightforward — except that in most organizations, granting access can take days of approvals that everyone dreads. If we can make getting back that access really really easy, then is that such a big deal? The fear diminishes when the recovery process is painless.

And unlike mysterious fences, access controls generally have logs. Use them. You might not know why someone got access to customer data many years ago — and the person who granted that access or built that fence might be long gone — but you can see the last time that access was used. Preserving unused access isn't security, it's digital hoarding.

Removing access that hasn't been used in the last 90 days likely has low risk of actual business impact. This is where most access cleanup should start. Don't try to understand the original intent behind every permission: look at what's actually being used and start there.

Context still matters

The core insight of Chesterton's fence — that context matters — absolutely applies to access controls. Good access management isn't about preserving historical decisions — it's about making informed decisions based on current data. You can't make your access controls more manageable, and move towards the principle of least privilege, without context.

The best context to have is why access was originally granted. Without capturing that context, every change feels risky. But we often have the next best thing: current usage patterns help us understand the actual risk of removal. Sometimes the fence really was just someone's mistake, sitting there for years because everyone was too afraid to remove it. (Why do I have access to Salesforce? We'll never know…)

Stop preserving access out of fear. Start with what's unused, make recovery fast, and gradually build from there. The biggest risk isn't removing the wrong access — it's never removing any access at all.