Enterprises which are moving to a governance model for controlling access to sensitive information resources or are subject to regulatory requirements to limit access to this information to only authorized employees with a legitimate business need, must first understand the access model deployed in the enterprise information technology systems, such as file servers and collaboration sites. In many enterprises this has historically been an ad-hoc process, in which it is difficult to detect anomalous situations in which users do not have the correct access for the user role or users have received access entitlements which are atypical for the assigned role.