Attestation Campaign

An attestation campaign is a structured review cycle that asks owners to confirm, reject, or reassign the identities or permissions in scope. For NHI governance, the campaign is only useful when it is linked to lifecycle events and downstream enforcement; otherwise it becomes a reporting task.

Expanded Definition

An attestation campaign is a time-boxed governance process that asks identity and resource owners to review scoped access, then confirm, revoke, or reassign it. In NHI operations, the scope often includes service accounts, API keys, workload identities, and agent permissions, not just human users. Definitions vary across vendors, but the useful version is not a passive certification report. It is a control point tied to lifecycle triggers such as onboarding, offboarding, privilege escalation, environment changes, or secrets rotation. That makes it complementary to NIST Cybersecurity Framework 2.0 functions for Identify and Protect, because the campaign should surface ownership gaps before they become access drift. In mature NHI programs, attestation is also linked to policy enforcement, so a stale approval can actually remove standing access or open a remediation ticket rather than sit in a dashboard. The most common misapplication is treating the campaign as a quarterly checkbox exercise, which occurs when reviewers are asked to approve permissions without context, lifecycle triggers, or follow-up enforcement.

Examples and Use Cases

Implementing attestation campaigns rigorously often introduces review fatigue and temporary friction, requiring organisations to weigh governance accuracy against the operational cost of interrupting teams and service owners.

  • A platform team runs a campaign after a cloud migration to confirm which service accounts still need production write access, then removes obsolete permissions before the next release window.
  • A security team uses a campaign after a secrets rotation to verify that old API keys were retired, not merely marked inactive in a spreadsheet.
  • An engineering manager attests that lessons from the DeepSeek breach-style exposure have changed how automated agents are granted tool access, then reassigns ownership for orphaned NHI assets.
  • An IAM team aligns the review with NIST Cybersecurity Framework 2.0 by requiring explicit disposition for every entitlement in scope, not just a bulk approval.
  • A SOC-led cleanup campaign removes stale CI/CD tokens after a repository restructure, because the effective owner changed even though the pipeline kept working.

These use cases are strongest when the campaign is anchored to a change event, because reviewers can make specific decisions instead of rubber-stamping a long list of names and tokens.

Why It Matters in NHI Security

Attestation campaigns matter because NHI risk often accumulates silently: service accounts outlive projects, secrets linger after migrations, and agents retain permissions long after the business need has ended. In practice, the campaign is only as good as the inventory behind it. If ownership is unclear, reviewers approve access they do not understand, and if approvals are not enforced, the campaign creates a false sense of control. That is especially dangerous in environments with secret sprawl and fragmented control planes. NHIMG research on the DeepSeek breach shows how quickly exposed credentials can become operationally exploitable, and the related lessons also highlight how hidden credentials and over-broad access enlarge the blast radius when review cycles are weak. More broadly, the underlying problem is not awareness but remediation discipline. NHIMG data from The State of Secrets in AppSec reports an average 27-day time to remediate a leaked secret, which is far too slow if attestation does not trigger action. Organisations typically discover the true value of attestation only after a leaked secret, orphaned service account, or agent misuse has already caused an incident, at which point the campaign becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
OWASP Non-Human Identity Top 10 | NHI-02 | Addresses secret and credential governance that attestation campaigns are meant to verify.
NIST CSF 2.0 | PR.AA-01 | Identity and access governance requires knowing who or what is approved to act.
NIST Zero Trust (SP 800-207) | PDP | Zero Trust decisions depend on continuously validated access and policy enforcement.

Tie attestation outcomes to verified access records and remove entitlements that lack current justification.
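As an added example (not from the article or NHIMG), the disposition-to-enforcement logic described in the Expanded Definition and in the closing guidance above, written in Python: every entitlement in scope gets its own disposition, a stale approval past the deadline is revoked rather than reported, an orphaned NHI opens an ownership ticket, and a "confirm" is cross-checked against access records. The Entitlement model, action names, sample scope and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    """One scoped permission under review (constructed model, not the article's)."""
    identity: str                # service account, API key, CI token, agent
    permission: str              # the access being attested
    owner: Optional[str]         # None means the NHI is orphaned
    disposition: Optional[str]   # "confirm" | "revoke" | "reassign" | None
    new_owner: Optional[str] = None
    last_used: Optional[date] = None   # from access records, not from the reviewer


def decide_action(ent: Entitlement, today: date, deadline: date, trigger: date) -> str:
    """Map one entitlement to exactly one enforcement action. A missing disposition
    after the deadline is a stale approval and is revoked, not dashboarded. A "confirm"
    is checked against access records: access unused since the change event that
    anchored the campaign needs justification before it is retained."""
    if ent.owner is None and ent.disposition != "reassign":
        return "open_ticket:assign_owner"          # nobody is in a position to attest
    if ent.disposition == "confirm":
        if ent.last_used is None or ent.last_used < trigger:
            return "open_ticket:justify_unused"
        return "retain"
    if ent.disposition == "revoke":
        return "revoke"
    if ent.disposition == "reassign":
        return f"reassign_owner:{ent.new_owner}" if ent.new_owner else "open_ticket:missing_new_owner"
    return "revoke" if today > deadline else "pending"


def run_campaign(scope, today, deadline, trigger):
    """Return one explicit action per (identity, permission); no bulk approval."""
    return {(e.identity, e.permission): decide_action(e, today, deadline, trigger)
            for e in scope}


# Constructed sample: a campaign anchored to a cloud migration cut-over on 2024-03-01.
TRIGGER, DEADLINE, TODAY = date(2024, 3, 1), date(2024, 3, 15), date(2024, 3, 20)
SAMPLE_SCOPE = [
    Entitlement("svc-billing", "prod:write", "team-pay", "confirm", last_used=date(2024, 3, 10)),
    Entitlement("svc-legacy-etl", "prod:write", "team-data", "confirm", last_used=date(2024, 1, 5)),
    Entitlement("ci-token-old", "repo:push", None, None),
    Entitlement("svc-reports", "prod:read", "team-bi", "reassign", new_owner="team-fin"),
    Entitlement("api-key-rotated", "billing:api", "team-pay", None),
]

if __name__ == "__main__":
    for (ident, perm), action in run_campaign(SAMPLE_SCOPE, TODAY, DEADLINE, TRIGGER).items():
        print(f"{ident:<18}{perm:<14}{action}")
```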