I often think of Gartner's definition of identity and access management, "the right people have access to the right systems at the right time," and wonder: how do you know they are the right people, the right systems, or the right access? We work with organizations with hundreds of thousands of users; does Bob in IT know all of them?
I'm being facetious, of course; there's usually nobody in IT named Bob. But that's where your identity and access management platform comes in. It is busy giving people access to systems, and you need to make sure you are inserting the "right" into that sentence and that process.
Having trusted authoritative sources really helps. If you know that HR and other systems of record know all of the employees, contractors, partners and customers, you can usually cover the "right people" aspect of this. But that isn't always the case, and that is where your first attestation option comes in: solving the "right people" issue.
There will be a departmental owner, manager or HR person who can periodically attest that the user is still an active employee. Build a workflow where somebody has to approve the continued existence of that user account: not just the network account, but application accounts too. Think of the savings if you periodically have users attest that they still need that cloud application account for which you are paying a monthly fee.
If the account hasn't been used or accessed for a certain period (say, 90 days), bump up the attestation. It's easy to build this into a BPM-based identity workflow. Require a higher degree of attestation, involving identity proofing or two-factor authentication, for accounts on more sensitive applications.
So, with that user attestation process you solve the right people and the right systems, but what about the right access? Role and group attestation helps solve this. Have the role or group owner attest to the membership of the group and to the group's rights and permissions on a quarterly or yearly basis. Give them the audit reports that show what that role or group can do and who has actually been doing it.
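The attestation rules described above (periodic owner approval, escalation after 90 days of inactivity, stronger attestation for sensitive applications, and a group-owner review of membership and rights) as a small worked model. This is an added example, not code from the post or from any IAM product; the account fields, the two-tier sensitivity labels, and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
INACTIVE_DAYS = 90  # the post's example threshold for an unused account

@dataclass
class Account:
    user: str
    system: str
    owner: str           # manager / departmental owner who attests
    last_used: date
    sensitivity: str     # "low" or "high" (assumed two-tier classification)
    monthly_cost: float = 0.0

def required_attestation(acct, today):
    """Base manager approval, escalated after INACTIVE_DAYS without use,
    plus identity proofing / 2FA of the attester for high-value applications."""
    steps = ["manager-approval"]
    if (today - acct.last_used).days > INACTIVE_DAYS:
        steps.append("inactivity-escalation")
    if acct.sensitivity == "high":
        steps.append("identity-proofing-or-2fa")
    return "+".join(steps)

def build_campaign(accounts, today):
    """One task list per owner, plus the monthly cost of idle accounts
    that can be reclaimed if the owner declines to re-attest."""
    tasks, idle_cost = {}, 0.0
    for a in accounts:
        tasks.setdefault(a.owner, []).append((a.user, a.system, required_attestation(a, today)))
        if (today - a.last_used).days > INACTIVE_DAYS:
            idle_cost += a.monthly_cost
    return tasks, idle_cost

def group_report(name, owner, members, rights, last_exercised, today):
    """Audit view the role/group owner attests against: who is in the group,
    what it can do, and which members have not exercised those rights lately."""
    stale = [m for m in members
             if (today - last_exercised.get(m, date.min)).days > INACTIVE_DAYS]
    return {"group": name, "owner": owner, "rights": rights,
            "members": members, "stale_members": stale}

TODAY = date(2024, 6, 1)  # constructed sample data below, not from any real directory
ACCOUNTS = [
    Account("alice", "payroll-cloud", "mgr-finance", date(2024, 5, 20), "high", 40.0),
    Account("bob", "wiki", "mgr-it", date(2024, 1, 15), "low", 10.0),
    Account("carol", "payroll-cloud", "mgr-finance", date(2024, 2, 1), "high", 40.0),
]
PAYROLL_ADMINS = group_report("payroll-admins", "mgr-finance", ["alice", "carol"],
                             ["approve-payroll", "edit-bank-details"],
                             {"alice": date(2024, 5, 20)}, TODAY)
```

Running `build_campaign(ACCOUNTS, TODAY)` gives each manager their own list of accounts to re-attest, with the escalation level per account, and the recurring spend tied up in accounts nobody has touched in 90 days.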
This should all be built into the identity workflows that come with your IAM platform; if not, take a look at EmpowerID. Don't just give access to people, give the right access to the right people.