This paper examines why AD groups are at the center of the access control and governance universe and then explores what it takes to manage them. I will discuss why and how to implement group ownership and attestation controls. We'll also look at how much group maintenance can be automated through self-service access-request handling and policy-based rule assignments.