No. Quarterly reviews are too slow for identities that are created, overprivileged, or exposed between review windows. Continuous monitoring gives teams a chance to catch drift, while periodic certification can still serve as a governance checkpoint. The two are not substitutes in a modern hybrid estate.
Why This Matters for Security Teams
Quarterly access reviews still have a place, but they are too slow to be the primary control in a hybrid identity estate where service accounts, API keys, workload identities, and human access all change on different timelines. The real risk is not just excess privilege at the end of the quarter. It is the exposure window between review cycles, when credentials can be created, copied, mis-scoped, or left active after the business need has ended.
NHIMG’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which shows why periodic attestation alone cannot keep pace with drift. The issue is broader than classic IAM hygiene because hybrid environments mix directory objects, cloud roles, workload tokens, and embedded secrets. Current guidance suggests treating quarterly certification as a governance checkpoint, not as a substitute for continuous exposure monitoring. That aligns with the intent of the OWASP Non-Human Identity Top 10, which emphasizes lifecycle and privilege risk rather than one-time review events.
In practice, many security teams discover access sprawl only after a leaked token, orphaned service account, or mis-scoped cloud role has already been used in production.
How It Works in Practice
A better operating model combines continuous detection with periodic certification. Continuous monitoring watches for new identities, privilege drift, stale secrets, unused entitlements, unusual API activity, and workloads that inherit permissions they no longer need. Quarterly reviews then validate ownership, business justification, and exception handling for the items that monitoring surfaces. The two controls answer different questions: one asks what is happening now, the other asks who should remain accountable.
For a hybrid identity environment, that usually means correlating signals from cloud IAM, directories, CI/CD systems, secrets managers, and workload identity layers. The NHI Lifecycle Management Guide is useful here because lifecycle events such as provisioning, rotation, and offboarding are where drift most often begins. Mature programs also run policy checks that flag credentials with no owner, permissions that exceed the service’s function, and secrets that have outlived their rotation window. NIST guidance on identity and access governance supports this pattern through continuous, risk-based review rather than fixed-cycle approval alone, and the broader NIST Cybersecurity Framework reinforces ongoing identification and protection activities.
- Monitor identity creation, privilege changes, and secret issuance continuously.
- Use quarterly reviews to confirm ownership, purpose, and exception status.
- Prioritise high-risk identities first, especially privileged service accounts and external-facing workloads.
- Revoke or rotate credentials automatically when workload ownership or usage signals change.
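The policy checks above (no owner, permissions beyond the service's function, secrets past their rotation window, entitlements nobody uses) can be run continuously over an inventory snapshot and the results prioritised before they reach the quarterly review. The following Python is an added example, not code from the page or from any of the guides it cites: the `BASELINE` permission sets, the field names on `NHI`, the severity rules and the three inventory records are all constructed for illustration. A real deployment would populate the inventory from cloud IAM, the secrets manager and the workload identity layer, and would feed the `revoke` / `rotate` actions to those systems rather than printing them.

```python
"""Continuous NHI drift check over an inventory snapshot (added example).

All names, permission strings, baselines and records below are constructed
for illustration; they are not any vendor's export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fixed clock so the sample run is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Hypothetical least-privilege baseline: the permissions each workload
# function actually needs. Anything outside this set is privilege drift.
BASELINE = {
    "ci-deployer": {"ecr:GetAuthorizationToken", "ecs:UpdateService"},
    "report-reader": {"s3:GetObject"},
}


@dataclass
class NHI:
    name: str
    function: str            # which BASELINE entry applies
    owner: Optional[str]     # None means nobody is accountable
    permissions: set
    last_rotated: datetime
    last_used: Optional[datetime]   # None means never seen authenticating
    privileged: bool = False
    external_facing: bool = False


@dataclass
class Finding:
    identity: str
    check: str
    severity: int   # 3 = high, 2 = medium, 1 = low
    action: str     # what monitoring should do before the next review


def _severity(base: int, nhi: NHI) -> int:
    # Privileged or externally reachable identities are bumped one tier
    # so they sort first (bullet: prioritise high-risk identities).
    return min(3, base + (1 if nhi.privileged or nhi.external_facing else 0))


def check_identity(nhi: NHI, now: datetime = NOW,
                   rotation_days: int = 90, unused_days: int = 60) -> List[Finding]:
    """Apply the four policy checks to one identity."""
    findings = []
    if not nhi.owner:
        findings.append(Finding(nhi.name, "no_owner", _severity(2, nhi), "review"))
    excess = sorted(nhi.permissions - BASELINE.get(nhi.function, set()))
    if excess:
        # A wildcard grant is treated as high regardless of the identity's tier.
        base = 3 if any(p.endswith("*") for p in excess) else 2
        findings.append(Finding(nhi.name, "excess_privilege", _severity(base, nhi),
                                "scope-down: " + ", ".join(excess)))
    if now - nhi.last_rotated > timedelta(days=rotation_days):
        findings.append(Finding(nhi.name, "stale_secret", _severity(2, nhi), "rotate"))
    if nhi.last_used is None or now - nhi.last_used > timedelta(days=unused_days):
        findings.append(Finding(nhi.name, "unused", _severity(1, nhi), "revoke"))
    return findings


def run(inventory: List[NHI], now: datetime = NOW) -> List[Finding]:
    """Check every identity and return findings, highest severity first."""
    findings = [f for nhi in inventory for f in check_identity(nhi, now)]
    return sorted(findings, key=lambda f: (-f.severity, f.identity, f.check))


# Constructed inventory: one privileged CI identity with drift, one orphaned
# and idle report job, one external webhook with a wildcard grant.
INVENTORY = [
    NHI("ci-deploy-prod", "ci-deployer", "platform-team",
        {"ecr:GetAuthorizationToken", "ecs:UpdateService", "iam:PassRole"},
        last_rotated=NOW - timedelta(days=120), last_used=NOW - timedelta(days=1),
        privileged=True),
    NHI("nightly-report", "report-reader", None, {"s3:GetObject"},
        last_rotated=NOW - timedelta(days=10), last_used=NOW - timedelta(days=200)),
    NHI("partner-webhook", "report-reader", "integrations", {"s3:GetObject", "s3:*"},
        last_rotated=NOW - timedelta(days=30), last_used=NOW - timedelta(days=2),
        external_facing=True),
]

if __name__ == "__main__":
    for f in run(INVENTORY):
        print(f"sev{f.severity} {f.identity:16} {f.check:17} -> {f.action}")
```

On the constructed inventory the run yields five findings: the privileged CI identity's `iam:PassRole` drift and 120-day-old secret and the webhook's `s3:*` grant all land at severity 3, the orphaned report job's missing owner at 2, and its 200 days of inactivity at 1 with a `revoke` action. The quarterly review then only has to confirm ownership and justification for what this pass surfaced, rather than re-reading the whole estate.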
The NHI Mgmt Group 52 NHI Breaches Analysis shows how often identity weaknesses become incident pathways, especially when access remains valid after the original task is gone. These controls tend to break down when organisations lack inventory accuracy across multiple clouds and directories because the review process cannot certify what it cannot reliably see.
Common Variations and Edge Cases
Tighter review cycles often increase operational overhead, requiring organisations to balance stronger assurance against the cost of evidence collection, approver fatigue, and delayed engineering work. That tradeoff is real, especially in hybrid environments with thousands of service identities and frequent application releases. Best practice is evolving, but there is no universal standard for how often every identity class should be reviewed; the right cadence depends on risk, privilege level, and how quickly the identity can be abused.
High-risk identities usually need more than quarterly attestation. Short-lived workload credentials, externally exposed APIs, and privileged automation accounts benefit from event-driven review triggers, such as ownership change, unusual authentication patterns, or secret rotation failure. Lower-risk business roles may still fit a quarterly governance rhythm, provided continuous monitoring is detecting drift in the background. The key distinction is that periodic review answers compliance and accountability needs, while runtime telemetry answers exposure and abuse needs.
For teams formalising this model, the Top 10 NHI Issues is a useful reminder that the biggest failures often come from stale credentials, excessive privilege, and poor visibility, not from the review calendar itself. This is also where the OWASP Non-Human Identity Top 10 and NIST-based access governance should be read together: one defines the NHI-specific failure modes, the other sets the broader identity control expectations.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding, NHI5:2025 Overprivileged NHI, NHI7:2025 Long-Lived Secrets | Quarterly reviews miss stale or overprivileged NHI credentials between cycles. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-1 in CSF 1.1) | Access permissions and entitlements must reflect current state and be reviewed against least privilege, not just quarterly signoff. |
| NIST AI RMF | GOVERN | Governance for dynamic identities needs ongoing oversight and accountability. |
Pair certification with continuous checks for excessive privilege and stale credentials.