Wow, that's nuts. We work out in advance which systems they're going to need access to in order to determine what level of vetting they'll need. It's not always perfect, but getting access is generally a case of raise request -> accepted by system owner or director -> do.