A certification campaign is a structured access review in which owners confirm whether an identity still needs its permissions. For NHIs, the review must include purpose, actual usage, privilege scope, and ownership because role-based human review logic does not map cleanly to automation.
Expanded Definition
A certification campaign is a scheduled access review that asks an owner to confirm whether an identity still needs its permissions. In NHI operations, the review must go beyond a name on a roster and examine purpose, actual usage, privilege scope, and current ownership.
For human accounts, certification often maps to RBAC and manager approval. For NHI, that shortcut breaks down because an Agent or service account may hold multiple credentials, interact with APIs, and inherit permissions through automation. Guidance is still evolving, but the practical goal is consistent: identify standing access that no longer has a business or technical need.
In a mature NHI program, certification campaigns are tied to inventory, ownership metadata, and telemetry so reviewers can see whether the identity was active, dormant, overprivileged, or orphaned. That makes the review defensible under NIST Cybersecurity Framework 2.0 governance expectations, not just a checkbox exercise. The most common misapplication is treating a certification campaign like a human access recertification, which occurs when reviewers approve service accounts without verifying workload purpose or live usage.
Examples and Use Cases
Implementing certification campaigns rigorously often adds review overhead and evidence-gathering work, so organisations must weigh stronger privilege hygiene against slower approval cycles.
- A cloud platform team reviews API keys tied to an automation pipeline and revokes keys that have not been used in the current release window.
- A security owner validates whether an NHI used for log ingestion still needs write access to a storage bucket, using telemetry to confirm actual use.
- A platform engineer confirms that a service account supporting model orchestration still needs access to the secrets manager, rather than inheriting it indefinitely.
- An incident response team re-certifies identities after a breach to remove stale credentials, as seen in cases such as the Sisense breach and the DeepSeek breach, where exposed secrets and broad access amplified risk.
- An IAM program aligns review evidence with NIST Cybersecurity Framework 2.0 so that access decisions can be traced back to ownership and business necessity.
These campaigns are most useful when they are role-aware but not role-dependent, because NHI permissions often drift faster than the application teams that created them.
Why It Matters in NHI Security
Certification campaigns are one of the few controls that can expose privilege accumulation before it becomes an incident. When NHI access is left unchecked, attackers do not need to invent a new foothold; they can simply abuse an old credential, a forgotten automation token, or a service account that no one has reviewed in months.
That risk is especially acute in secret-heavy environments. NHIMG research in the Ultimate Guide to NHIs (What are Non-Human Identities) shows why machine identities need distinct governance, and the State of Secrets in AppSec report finds that the average time to remediate a leaked secret is 27 days. That delay makes stale access especially dangerous because reviewers often discover it only after exposure or abuse.
Used well, certification campaigns support least privilege, ownership clarity, and evidence-based governance. Used poorly, they become annual rubber stamps that preserve overprovisioning and hide orphaned access inside automation. Organisations typically encounter the cost only after a secret leak, anomalous API activity, or privilege escalation, at which point acting on certification campaign results becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Covers NHI inventory, ownership, and permission review as core governance requirements. |
| NIST CSF 2.0 | PR.AC-4 | Aligns with permission management and least-privilege access review expectations. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification of access, not one-time approval. |
Map each NHI to an owner and re-certify access on a fixed cadence using usage evidence.