Cloud access certification is the process of validating whether permissions across SaaS and cloud platforms still match business need. It is broader than a user-only review because it must include inherited permissions, shared access, and non-human identities that can retain authority long after the original request has changed.
Expanded Definition
Cloud access certification is a periodic governance process that validates whether permissions in SaaS and cloud platforms still match business need. It extends beyond classic user access reviews because modern cloud estates include inherited roles, shared folders, delegated admin paths, service accounts, and other NHI access paths that can persist after the original need has changed.
In practice, the term sits close to access recertification, entitlement review, and privileged access review, but no single standard governs this yet. Guidance varies across vendors and audit teams, so the practical definition is usually shaped by the environment: identity provider, cloud control plane, SaaS application, and the evidence required for compliance. The best reference point is whether a reviewer can prove that each entitlement still has a current, justified owner and business purpose. The OWASP Non-Human Identity Top 10 is useful here because it frames how non-human identities and over-privilege create real attack paths, while NHIMG’s Ultimate Guide to NHIs explains why entitlement drift is not limited to people.
The most common misapplication is treating cloud access certification as a one-time user list export, which occurs when teams ignore shared access, inherited privilege, and machine identities.
Examples and Use Cases
Implementing cloud access certification rigorously often introduces review fatigue and remediation overhead, requiring organisations to weigh audit confidence against the operational cost of revoking or re-approving access at scale.
- A finance team certifies SaaS access for expense and procurement tools, but also reviews delegated admin roles and shared inbox permissions that can expose sensitive approvals.
- A cloud platform team validates that Kubernetes service accounts and automation roles still map to active deployment jobs, not abandoned pipelines or temporary migrations. NHIMG’s Ultimate Guide to NHIs — What are Non-Human Identities is helpful for separating human from non-human entitlement patterns.
- A security operations team uses certification results to remove stale secrets and dormant API keys after a vendor integration changes ownership, reducing the chance of hidden persistence. The OWASP Non-Human Identity Top 10 provides a practical lens for this kind of review.
- A merger integration team certifies access across two cloud directories to identify duplicate admin grants, orphaned groups, and inherited cross-tenant permissions before consolidation.
- An audit team investigates a data exposure and traces it to a contractor account that still had access after the contract ended, a pattern that appears in NHIMG’s Sisense breach coverage and broader breach analysis.
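The definition above reduces to one test per entitlement: can a reviewer attest that the subject is still active, that a non-human identity still has an accountable human owner, that the grant has been used recently, and that a business purpose is recorded, with inherited grants traced back to the group that confers them. The following Python script is an added illustration of that check, not code from NHIMG, OWASP or any product. It runs over a constructed entitlement inventory and identity directory (all names and dates are invented), and the 90-day dormancy threshold is an assumed policy value, not one the page prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DORMANCY_DAYS = 90  # assumption: a grant unused this long must be re-justified
TODAY = date(2026, 3, 1)  # fixed so the constructed sample stays deterministic


def days_ago(days: int) -> date:
    return TODAY - timedelta(days=days)


@dataclass
class Identity:
    name: str
    kind: str                     # "human", "service_account" or "api_key"
    active: bool                  # False once offboarded, contract ended, pipeline deleted
    owner: Optional[str] = None   # for non-human identities: the accountable human


@dataclass
class Entitlement:
    identity: str
    resource: str
    permission: str
    granted_via: str              # "direct", or the group/role it is inherited through
    last_used: Optional[date]
    justification: str


@dataclass
class Finding:
    entitlement: Entitlement
    decision: str                 # "certify", "recertify" or "revoke"
    reasons: List[str]


# Constructed identity directory and inventory (hypothetical, not a real estate).
IDENTITIES = {i.name: i for i in [
    Identity("alice", "human", True),
    Identity("bob-contractor", "human", False),                        # contract ended
    Identity("ci-deploy-prod", "service_account", True, owner="alice"),
    Identity("ci-migrate-temp", "service_account", True, owner="alice"),
    Identity("legacy-vendor-key", "api_key", True, owner="bob-contractor"),
]}

ENTITLEMENTS = [
    Entitlement("alice", "expense-tool", "approver", "finance-approvers", days_ago(3), "Finance approvals"),
    Entitlement("bob-contractor", "procurement-tool", "admin", "direct", days_ago(40), "Migration project"),
    Entitlement("ci-deploy-prod", "k8s:prod", "deploy", "direct", days_ago(1), "Production deploy pipeline"),
    Entitlement("ci-migrate-temp", "k8s:staging", "cluster-admin", "direct", None, "Temporary migration"),
    Entitlement("legacy-vendor-key", "reports-bucket", "read", "direct", days_ago(200), ""),
]


def review(ent: Entitlement, identities: dict, today: date = TODAY) -> Finding:
    """Apply the certification test to one grant.

    Hard failures (no valid subject or owner) mean revoke; soft failures
    (dormancy, missing purpose) mean the grant must be re-justified; an
    inherited grant is noted so the group membership itself gets certified.
    """
    hard, soft, notes = [], [], []
    subject = identities.get(ent.identity)
    if subject is None:
        hard.append("identity not present in directory")
    else:
        if not subject.active:
            hard.append("identity inactive (offboarded, contract ended or job deleted)")
        if subject.kind != "human":
            owner = identities.get(subject.owner) if subject.owner else None
            if owner is None or not owner.active:
                hard.append("non-human identity has no active human owner")
    if ent.last_used is None or (today - ent.last_used).days > DORMANCY_DAYS:
        soft.append(f"dormant: no use within the last {DORMANCY_DAYS} days")
    if not ent.justification.strip():
        soft.append("no documented business purpose")
    if ent.granted_via != "direct":
        notes.append(f"inherited via {ent.granted_via}: certify the group membership as well")
    decision = "revoke" if hard else ("recertify" if soft else "certify")
    return Finding(ent, decision, hard + soft + notes)


def run_certification(entitlements=ENTITLEMENTS, identities=IDENTITIES, today: date = TODAY) -> List[Finding]:
    return [review(e, identities, today) for e in entitlements]


def summary(findings: List[Finding]) -> dict:
    counts = {"certify": 0, "recertify": 0, "revoke": 0}
    for f in findings:
        counts[f.decision] += 1
    return counts


if __name__ == "__main__":
    results = run_certification()
    for f in results:
        e = f.entitlement
        print(f"{f.decision:10} {e.identity:18} {e.permission}@{e.resource}")
        for r in f.reasons:
            print(f"{'':10}   - {r}")
    print(summary(results))
```

On the constructed data the contractor's admin grant and the vendor key owned by that contractor are marked for revocation, the never-used migration account is sent back for re-justification, and the finance approver grant is certified but flagged as inherited so the reviewer also attests the group. The same structure extends to a real export by replacing the two constructed tables with the identity provider's and cloud control plane's data.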
Why It Matters in NHI Security
Cloud access certification matters because cloud privilege rarely fails in a clean, visible way. It accumulates through inherited roles, temporary exceptions, automation, and shared operational accounts, then becomes difficult to reconstruct after an incident. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks shows why stale non-human access is especially dangerous: machine permissions often outlive human ownership and are harder to notice during routine reviews.
The risk is not theoretical. In the 2026 Infrastructure Identity Survey by Teleport, 70% of organisations grant AI systems more access than they would give a human employee doing the same job. That over-privilege pattern mirrors the exact failure cloud access certification is meant to catch, especially when AI agents, service accounts, and shared cloud credentials are in scope. It also explains why organisations that think they are “covered” often remain exposed through dormant entitlements and unowned exceptions.
Organisations typically encounter the need for cloud access certification only after a breach, an audit finding, or a failed offboarding event, at which point entitlement cleanup becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses risky NHI access and secret handling that certification must uncover. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management aligns directly with periodic certification. |
| NIST Zero Trust (SP 800-207) | 4.2 | Zero Trust requires continuous verification of access, including cloud entitlements. |
Revalidate cloud access continuously and revoke standing privilege when it is no longer required.