
The Spreadsheet That Knows Who Can Access What (and Why It Scares Me)

July 18, 2025 | Updated: April 5, 2026 | 4 min read

I was on a Teams call with a prospect a few weeks ago. Mid-sized company outside Linköping, about 200 employees, growing steadily. I asked how they manage access today.

"We have a spreadsheet," the IT lead said. No hesitation. Like I had asked what colour the sky was.

Then he shared his screen.

340 rows. Columns for name, department, role, applications. And one column at the far right that made me pause: "Probably fine?"

That was a real column. With real answers in it. Mostly "Yes" and a handful of "Check later" entries dating back to 2024.

I have seen a lot of access management setups at Nordic companies over the past few years. Spreadsheets are by far the most common. And honestly, I get it. They are free, flexible, and everyone knows how to use them. When you have 20 employees, a spreadsheet works. It might even be the right call at that stage.

But spreadsheets have a shelf life. Most companies blow past it without noticing.

The problem is not the spreadsheet itself

Excel is fine software. The issue is that a spreadsheet for access management requires a human to keep it accurate. And that human is busy fixing the printer and resetting passwords.

Here is what actually happens:

Someone joins. IT gives them access. Someone updates the spreadsheet. Maybe. If they remember. If they even know the spreadsheet exists.

Someone changes roles internally. Their old access stays. New access gets added on top. The spreadsheet might get a new row. Or the old row gets edited. Or nothing happens at all.

Someone leaves. Account gets disabled (hopefully on the same day). The spreadsheet row turns yellow or gets a strikethrough. Or it just sits there, looking like everyone else.

After a year of this, your spreadsheet is not a source of truth. It is a rough estimate with good intentions.

The compliance angle

If you are working toward ISO 27001 or SOC 2, or if NIS2 applies to your organisation (and if you are in Sweden, it very likely does), auditors will ask you to demonstrate who has access to what and why.

A spreadsheet can technically answer that question. But "technically" is doing a lot of heavy lifting there.

An auditor wants to see that your access records match reality. That means comparing the spreadsheet against your actual directory — whether that is Active Directory, Entra ID, or (as is common in the Nordics) both running in a hybrid setup. Application by application, user by user. And when they find gaps (they will find gaps), you need to explain each one.

I have watched IT teams spend entire weeks doing this reconciliation before an audit. Pulling exports from AD and Entra ID, cross-referencing against the spreadsheet, chasing down managers for approvals that should have happened six months ago.

All because the spreadsheet said "Probably fine?"

Why does this keep happening?

Because proper access management tools used to be expensive and complicated. If you were a 200-person company in the Nordics, your options were a spreadsheet or a six-figure enterprise platform requiring months to implement and consultants who bill by the hour. Not much of a choice.

So the spreadsheet won. Not because it was good, but because everything else was worse or wildly out of proportion.

I started Adcyma partly because of this exact gap. But even setting my own product aside: if your access management lives in a spreadsheet, you are one busy week away from it being dangerously out of date. Probably already are.

The test

Here is something you can do right now. Five minutes, tops.

Open your access spreadsheet. Pick five rows at random. Not the CEO, not the new hire from last week. Five random people who have been at the company a while.

Now go into Entra ID (or Active Directory, if you are still running on-prem) and check whether the spreadsheet matches what those people actually have access to.

If all five match perfectly, I owe you a fika. Seriously, send me a message.

If they do not match (and I would be surprised if they do), you have some thinking to do. Not necessarily about which tool to buy. About whether you are comfortable with the gap between what you think your access looks like and what it actually looks like.

That gap is where risk lives.

Go check your five rows.
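
The five-row spot check, and the fuller pre-audit reconciliation described earlier, as an added example that is not part of the original post or of any product: it compares a CSV export of the spreadsheet against a CSV export from the directory. The column names, the sample data, and the assumption that application names equal directory group names are all constructed for illustration.

```python
import csv, io, random

# Constructed sample data; column names and values are assumptions for this example.
SHEET_CSV = """upn,department,applications
anna@example.test,Finance,ERP;Payroll
bjorn@example.test,Sales,CRM
cecilia@example.test,IT,CRM;ERP
david@example.test,Sales,CRM
"""
DIRECTORY_CSV = """upn,enabled,groups
anna@example.test,true,ERP;Payroll
bjorn@example.test,true,CRM;ERP
cecilia@example.test,false,CRM;ERP
erik@example.test,true,CRM
"""

def load(text, list_col):
    """Parse a CSV export into {upn: row}; the ';'-separated list column becomes a set."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row[list_col] = {v.strip() for v in row[list_col].split(";") if v.strip()}
        rows[row["upn"].strip().lower()] = row
    return rows

def reconcile(sheet, directory, upns):
    """Return (upn, finding) tuples for each mismatch between spreadsheet and directory."""
    findings = []
    for upn in sorted(upns):
        doc, real = sheet.get(upn), directory.get(upn)
        if real is None:    # row never cleaned up, or account deleted
            findings.append((upn, "in spreadsheet, no directory account"))
        elif doc is None:   # joiner nobody recorded
            findings.append((upn, "in directory, missing from spreadsheet"))
        elif real["enabled"].lower() != "true":   # leaver whose row looks like everyone else's
            findings.append((upn, "account disabled, still listed in spreadsheet"))
        else:               # role change: old access kept, new access stacked on top
            for app in sorted(real["groups"] - doc["applications"]):
                findings.append((upn, f"undocumented access: {app}"))
            for app in sorted(doc["applications"] - real["groups"]):
                findings.append((upn, f"documented but not granted: {app}"))
    return findings

def spot_check(sheet, directory, k=5, seed=None):
    """The five-row test: sample k spreadsheet rows at random and reconcile only those."""
    picked = random.Random(seed).sample(sorted(sheet), min(k, len(sheet)))
    return reconcile(sheet, directory, picked)

if __name__ == "__main__":
    sheet, directory = load(SHEET_CSV, "applications"), load(DIRECTORY_CSV, "groups")
    for upn, finding in reconcile(sheet, directory, sheet.keys() | directory.keys()):
        print(f"{upn}: {finding}")
```

The spot check samples only from the spreadsheet, so it cannot find accounts that exist in the directory but were never recorded; the full reconciliation over the union of both exports does.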
