Who is accountable when group membership is not recertified on schedule?

Accountability sits with the business owner and the identity governance function together. The business owner confirms the need, while IAM or IGA teams enforce the review process and evidence trail. Standards such as the NIST Cybersecurity Framework 2.0 support that accountability model through access governance and review discipline.

Why This Matters for Security Teams

When group membership is not recertified on schedule, the problem is not only an overdue task. It is a control failure that can leave access in place after roles, projects, or risk conditions have changed. That creates audit exposure, but more importantly it weakens the organisation’s ability to prove that access was still needed at the time it was retained. The accountability question matters because governance breaks down when ownership is assumed but not operationalised.

NIST Cybersecurity Framework 2.0 places access governance inside a broader accountability model, which is why teams should treat recertification as a shared control between the business and identity functions, not a clerical follow-up. NHIMG research shows how often entitlement hygiene fails in practice: 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, yet many organisations still lack full visibility into service accounts and related access paths. That gap matters because the same governance pattern applies to group membership, role assignments, and privileged entitlements. As seen in the Ultimate Guide to NHIs — What are Non-Human Identities, access that is not reviewed on time tends to remain active long after it should have been challenged. In practice, many security teams encounter the risk only after an audit exception or misuse event has already exposed the missed review.

How It Works in Practice

Accountability for missed recertification usually splits into three layers. The business owner owns the decision to keep or remove access, because they can confirm whether the group still supports a current business need. The IAM or IGA function owns the workflow, evidence capture, reminders, escalation paths, and reporting. Security or compliance teams typically verify that the control operated on schedule and that exceptions were handled with documented approval. That operating model aligns with the NIST Cybersecurity Framework 2.0, which emphasises governance, accountability, and access review discipline.

In a well-run process, the owner review should be time-bound and unambiguous:

  • Confirm the entitlement and the business justification.
  • Approve continuation, reduce scope, or revoke access.
  • Escalate non-response through a defined chain of command.
  • Preserve evidence of reviewer identity, timing, and outcome.

That evidence trail is critical because auditors usually test whether the control existed, whether it was executed on time, and whether overdue items were escalated. Where entitlement sprawl is already high, the cleanest program is one that pairs recertification with role design and joiner-mover-leaver controls. NHIMG notes that excessive privileges remain widespread, and that pattern also appears in access review failures; the Sisense breach is a reminder that weak governance around access paths can become a real incident path, not just a policy gap. These controls tend to break down in decentralised organisations where business approvers are unclear, because no single owner feels responsible for approving or revoking the group membership.

Common Variations and Edge Cases

Tighter recertification often increases operational overhead, so organisations have to balance speed against assurance. That tradeoff becomes visible in large enterprises, delegated admin models, and fast-moving engineering groups where memberships change frequently and owners do not monitor notifications closely.

Current guidance suggests that three common edge cases require special handling. First, if the business owner has changed, the recertification task should not remain open indefinitely; it should be reassigned with an audit trail. Second, if a group is tied to emergency or break-glass access, the review cadence should be stricter and evidence retention stronger than for standard access. Third, if the group supports machine or service identities, the same approval logic applies, but the reviewer may need technical context to judge whether the membership is still necessary. NHIMG’s research on the Schneider Electric credentials breach reinforces the point that stale access paths are often discovered only after exposure, not through routine governance.

There is no universal standard for exact recertification frequency across all environments. Best practice is evolving toward risk-based scheduling, where privileged, external, or high-impact groups are reviewed more often than low-risk access. The key accountability rule is simple: if the review is overdue, the business owner owns the decision lapse, while IAM or IGA owns the control execution gap.
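
The review steps, escalation of non-response, evidence capture and the three edge cases above, worked through as a triage pass over a recertification campaign export. This is an added example, not code from NHIMG or any IGA product; the cadence values, escalation chain, queue name and sample memberships are constructed assumptions for illustration.

```python
# Triage of an overdue recertification campaign over a constructed sample export.
# Cadence, escalation chain, queue name and evidence fields are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

CADENCE_DAYS = {"break-glass": 30, "privileged": 90, "external": 90, "standard": 180}
ESCALATION = [(0, "owner"), (14, "owner-manager"), (30, "security-compliance")]
IAM_QUEUE = "iam-governance"  # placeholder for the IAM/IGA reassignment queue

@dataclass
class Membership:
    group: str
    member: str
    risk: str           # key into CADENCE_DAYS (risk-based scheduling)
    owner: str          # business owner who confirms the need
    last_certified: date
    is_machine: bool = False  # service identity: reviewer needs technical context

def triage(items, active_owners, today):
    """Return one evidence record per membership with accountability assigned."""
    records = []
    for m in items:
        due = m.last_certified + timedelta(days=CADENCE_DAYS[m.risk])
        overdue = max((today - due).days, 0)
        if overdue == 0:
            status, decision_owner, escalate_to = "current", m.owner, None
        elif m.owner not in active_owners:
            # Owner has changed: do not leave the task open; reassign with a trail.
            status, decision_owner, escalate_to = "reassign", IAM_QUEUE, IAM_QUEUE
        else:
            status, decision_owner = "overdue", m.owner
            escalate_to = [step for d, step in ESCALATION if overdue >= d][-1]
        records.append({
            "group": m.group, "member": m.member, "status": status,
            "decision_owner": decision_owner,  # owns the keep/reduce/revoke lapse
            "control_owner": IAM_QUEUE,         # owns the control execution gap
            "escalate_to": escalate_to, "due": due.isoformat(),
            "overdue_days": overdue, "checked": today.isoformat(),
            "needs_technical_reviewer": m.is_machine,
        })
    return records
SAMPLE = [  # constructed sample, not real data
    Membership("finance-admins", "alice", "privileged", "bob", date(2024, 1, 2)),
    Membership("dr-breakglass", "svc-backup", "break-glass", "carol", date(2024, 2, 1), True),
    Membership("wiki-readers", "dave", "standard", "erin", date(2024, 3, 1)),
]
def run_sample():
    """Owner 'carol' has left; review date fixed so results are reproducible."""
    return triage(SAMPLE, active_owners={"bob", "erin"}, today=date(2024, 4, 30))
```

Calling run_sample() yields one record per membership: the privileged group is overdue and escalated past the owner, the break-glass group is reassigned because its owner is gone, and the standard group is still current.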

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access reviews and governance map directly to scheduled recertification failures. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers lifecycle governance when access or credentials are left uncleared. |
| NIST AI RMF | | Governance and accountability principles apply to autonomous access decisions. |

Tie overdue recertification to entitlement lifecycle controls and revoke stale access fast.