A governance pattern that rechecks access using live telemetry instead of waiting for scheduled review cycles. It is most useful where entitlements change quickly and stale access can accumulate between manual checkpoints.
Expanded Definition
Continuous certification is a control pattern that treats NHI access as a living state, not a periodic checkbox. Instead of waiting for a quarterly or annual review, it re-evaluates entitlements against live signals such as usage, posture, ownership, risk, and identity relationships. In practice, that makes it closer to operational telemetry than to traditional recertification. The concept aligns closely with NIST Cybersecurity Framework 2.0 ideas around ongoing governance and risk-informed access decisions.
Definitions vary across vendors because some platforms use the term to mean automated access reviews, while others include policy enforcement, anomaly detection, and revocation workflows. At NHI Management Group, continuous certification is best understood as a feedback loop: detect, evaluate, certify, or remove. It is especially relevant for service accounts, API keys, workload identities, and AI agents whose permissions can drift as pipelines, environments, and integrations change. The most common misapplication is treating scheduled attestation as continuous certification, which occurs when organisations only automate reminders but still rely on fixed review cycles and manual sign-off.
Examples and Use Cases
Implementing continuous certification rigorously often introduces operational friction, requiring organisations to balance faster revocation decisions against the risk of interrupting legitimate automation or production workloads.
- A deployment pipeline inherits a broad role during testing, then live telemetry shows the NHI has not used half of its permissions for 30 days. The unused privileges are flagged for removal before they become permanent sprawl.
- An AI agent is granted tool access for a specific workflow. When the task changes, continuous certification rechecks whether the same access still matches intent, ownership, and current blast radius.
- A third-party integration continues calling APIs after a contract ends. The certification layer detects stale usage patterns and revokes the remaining entitlement rather than waiting for the next access review.
- During an incident, a privileged service account is found to be active outside its expected runtime window. The control can trigger review or suspension using signals that map to least-privilege guidance in NIST Cybersecurity Framework 2.0.
- After an access-path investigation, teams compare the identity’s actual behaviour with the inventory documented in Ultimate Guide to NHIs — What are Non-Human Identities to confirm whether the entitlement was ever justified.
For a concrete failure pattern, the Sisense breach is a reminder that identities and secrets can remain dangerously overexposed when governance lags behind reality.
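A minimal implementation of that detect, evaluate, certify-or-remove loop, as an added example that is not NHI Management Group's or any product's code: it scores three constructed NHIs against constructed usage telemetry using the signals from the scenarios above (permissions idle for 30 days, activity after a contract end, activity outside the expected runtime window). All identity names, permissions, timestamps and the 30-day threshold are assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 30, 12)   # constructed "current time"
UNUSED_DAYS = 30                  # assumption: a permission idle this long is flagged for removal

# Constructed inventory: granted permissions, expected runtime window (hour range), contract end
INVENTORY = {
    "deploy-pipeline": {"perms": {"s3:Get", "s3:Put", "iam:PassRole", "ec2:Run"},
                        "window": (0, 24), "contract_end": None},
    "partner-sync": {"perms": {"orders:Read"}, "window": (0, 24),
                     "contract_end": datetime(2024, 5, 31)},
    "backup-svc": {"perms": {"db:Dump"}, "window": (1, 4), "contract_end": None},
}

# Constructed usage telemetry: (timestamp, nhi, permission exercised)
USAGE = [
    (datetime(2024, 6, 29, 10), "deploy-pipeline", "s3:Get"),
    (datetime(2024, 6, 28, 11), "deploy-pipeline", "s3:Put"),
    (datetime(2024, 4, 1, 9), "deploy-pipeline", "iam:PassRole"),
    (datetime(2024, 6, 20, 15), "partner-sync", "orders:Read"),
    (datetime(2024, 6, 30, 2), "backup-svc", "db:Dump"),
    (datetime(2024, 6, 30, 11), "backup-svc", "db:Dump"),
]


def evaluate(inventory, usage, now=NOW):
    """Detect -> evaluate -> certify or remove; returns {nhi: {certify, remove, suspend}}."""
    last_use, off_window, post_contract = {}, set(), set()
    for ts, nhi, perm in usage:                      # detect: fold raw telemetry into signals
        entry = inventory.get(nhi)
        if entry is None:
            continue                                  # unknown NHI: an inventory gap, not scored here
        last_use[(nhi, perm)] = max(last_use.get((nhi, perm), ts), ts)
        lo, hi = entry["window"]
        if not lo <= ts.hour < hi:
            off_window.add(nhi)                       # active outside its expected runtime window
        if entry["contract_end"] and ts > entry["contract_end"]:
            post_contract.add(nhi)                    # integration still calling after contract ended
    verdicts = {}
    idle = timedelta(days=UNUSED_DAYS)
    for nhi, entry in inventory.items():             # evaluate: decide per entitlement
        never = datetime.min                          # a permission with no telemetry counts as idle
        stale = {p for p in entry["perms"] if now - last_use.get((nhi, p), never) > idle}
        # usage after contract end revokes the whole grant; otherwise only the idle permissions go
        remove = set(entry["perms"]) if nhi in post_contract else stale
        verdicts[nhi] = {"certify": entry["perms"] - remove, "remove": remove,
                         "suspend": nhi in off_window}
    return verdicts
```

Each run of `evaluate` over fresh telemetry is one turn of the loop; in practice the `remove` and `suspend` verdicts feed a ticket or an automated revocation workflow rather than being applied blindly, which is the friction trade-off the section opens with.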
Why It Matters in NHI Security
Continuous certification matters because NHI risk compounds quickly. NHIs outnumber human identities by 25x to 50x in modern enterprises, and review-based governance cannot keep pace when permissions change through CI/CD, cloud automation, and agentic workflows. Without live recertification signals, stale entitlements accumulate, dormant secrets survive too long, and privilege creep becomes normal rather than exceptional. That is why continuous certification is tightly linked to Zero Trust Architecture and Privileged Access Management, even when no single standard governs this yet.
One relevant data point from NHI Management Group shows why delayed review is dangerous: only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. In that environment, the difference between visibility and control is whether stale access can be detected before it is abused. Research in the Ultimate Guide to NHIs — What are Non-Human Identities also shows that 71% of NHIs are not rotated within recommended time frames, which reinforces why certification must be continuous rather than calendar-driven.
Organisations typically encounter the need for continuous certification only after a leak, outage, or compromised integration reveals that an identity had been trusted long after its original purpose expired.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers access drift and lifecycle risk for non-human identities. |
| NIST Zero Trust (SP 800-207) | JIT | Zero Trust requires ongoing verification and time-bound access decisions. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access governance depends on timely review and enforcement. |
Tie certification to current risk, usage, and ownership so access is reviewed continuously, not periodically.