They break down because the review cycle assumes reviewers can inspect access before it changes materially. When non-human and agent identities outnumber people, the workload overwhelms the certification cadence and low-risk decisions consume most of the effort. That leaves the highest-risk access under-reviewed and weakens the value of the control.
Why This Matters for Security Teams
Access reviews were designed for a world where identity change was slow enough for periodic certification to work. At machine scale, that assumption collapses. Non-human identities now outnumber human identities by 25x to 50x in modern enterprises, and NHIMG notes in the Ultimate Guide to NHIs that only 5.7% of organisations have full visibility into service accounts. That means reviewers are often certifying what they cannot fully see, much less validate in context.
The practical problem is not just volume. Machine identities are created for pipelines, workloads, integrations, and agents that change faster than a quarterly or semi-annual review can track. By the time a certifier looks at a list, the workload may have shifted roles, inherited new permissions, or been copied into a new environment. Guidance from the OWASP Non-Human Identity Top 10 reinforces that weak lifecycle controls and excessive privileges are recurring failure modes, not edge cases.
Security teams also tend to overinvest in low-risk approvals because they are easiest to scan, while the highest-risk service accounts and tokens are buried inside automation, CI/CD, and vendor integrations. In practice, many security teams encounter the real exposure only after a secrets leak or privilege abuse has already happened, rather than through intentional certification.
How It Works in Practice
At machine scale, access review has to shift from a document-checking exercise to a continuously informed control. The review inputs should come from authoritative inventory, workload telemetry, and secret-sprawl detection, not from a spreadsheet assembled at the end of a cycle. NHIMG’s Key Challenges and Risks section highlights why visibility and rotation matter: if identity ownership, usage, and expiry are unclear, reviewers cannot make reliable decisions.
The better operating model is to make review decisions smaller and more contextual:
- Group identities by workload, owner, environment, and risk tier instead of reviewing every identity one by one.
- Prioritise privileges that reach production data, secret stores, deployment systems, and infrastructure APIs.
- Use event-driven triggers such as new privilege grants, dormant accounts, expired rotation windows, or failed offboarding.
- Require attestations to confirm business need, technical owner, and last observed use.
- Feed results back into provisioning, rotation, and offboarding so review findings actually reduce standing risk.
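The operating model above, worked through as an added example (not code from the original page or from NHIMG): a small triage that groups a constructed NHI inventory by owner and environment, tiers each identity by what its privileges reach, raises the event-driven triggers listed above, and drops low-risk identities with no trigger so reviewer time goes to the rest. Privilege names, the 90-day rotation window and the 60-day dormancy threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic
# Hypothetical privilege names standing for production data, secret stores, deployment and infra APIs
HIGH_RISK_PRIVILEGES = {"prod-db:write", "vault:read-all", "deploy:prod", "cloud:iam:admin"}
@dataclass
class Identity:
    name: str
    owner: Optional[str]           # technical owner (person or team); None = unknown
    owner_active: bool             # False once the owner has been offboarded
    environment: str               # "prod", "staging" or "dev"
    privileges: Set[str]
    granted_at: datetime           # when the current privilege set was granted
    last_rotated: datetime
    last_used: Optional[datetime]  # last observed use from workload telemetry; None = never seen

def triggers(i: Identity, now: datetime = NOW) -> List[str]:
    """Event-driven reasons this identity needs a decision now rather than at the next cadence."""
    t = []
    if now - i.granted_at <= timedelta(days=7):
        t.append("new-privilege-grant")
    if now - (i.last_used or i.granted_at) > timedelta(days=60):  # never-used counts from the grant
        t.append("dormant")
    if now - i.last_rotated > timedelta(days=90):                 # assumed rotation window: 90 days
        t.append("rotation-expired")
    if i.owner is None or not i.owner_active:
        t.append("owner-missing-or-offboarded")
    return t

def risk_tier(i: Identity) -> str:
    """Tier by blast radius: what the privileges reach and where the identity runs."""
    sensitive, prod = bool(i.privileges & HIGH_RISK_PRIVILEGES), i.environment == "prod"
    return "high" if sensitive and prod else "medium" if sensitive or prod else "low"

def build_review_queue(inventory: List[Identity]) -> List[Tuple[str, str, str, List[str]]]:
    """Rows of (owner/env group, name, tier, triggers), highest risk and most triggers first.
    Low-risk identities with no trigger are left out: auto-certified, not sent to a reviewer."""
    rows = [(f"{i.owner or 'unowned'}/{i.environment}", i.name, risk_tier(i), triggers(i)) for i in inventory]
    needs_human = [r for r in rows if r[2] != "low" or r[3]]
    return sorted(needs_human, key=lambda r: (("high", "medium", "low").index(r[2]), -len(r[3])))

days_ago = lambda n: NOW - timedelta(days=n)
SAMPLE_INVENTORY = [  # constructed sample inventory (name, owner, owner_active, env, privs, granted, rotated, used)
    Identity("ci-deployer", "platform-team", True, "prod", {"deploy:prod"}, days_ago(400), days_ago(120), days_ago(1)),
    Identity("vendor-sync-token", "alice", False, "prod", {"prod-db:write"}, days_ago(200), days_ago(30), days_ago(90)),
    Identity("build-cache-bot", "app-team", True, "dev", {"cache:read"}, days_ago(300), days_ago(10), days_ago(1)),
    Identity("new-agent", "data-team", True, "staging", {"vault:read-all"}, days_ago(2), days_ago(2), None),
]
```

Each row in the returned queue carries the group key, tier and triggers a certifier needs for the attestation (owner, business need, last observed use), and the same trigger functions can be run on every inventory change rather than once per cycle.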
Current best practice is to pair periodic certification with continuous controls such as secrets scanning, workload identity, and automated revocation. That is consistent with the lifecycle emphasis in the NHI Lifecycle Management Guide and with implementation guidance that encourages removing long-lived credentials from code, config, and CI/CD paths. The OWASP Non-Human Identity Top 10 also makes clear that excessive privilege and poor rotation are control failures that review alone will not fix.
These controls tend to break down in highly dynamic CI/CD and ephemeral compute environments because the identity may be valid for minutes, while the approval cycle still assumes weeks or months.
Common Variations and Edge Cases
Tighter review controls often increase operational overhead, requiring organisations to balance stronger assurance against reviewer fatigue and delivery speed. That tradeoff is especially visible where service accounts are short-lived, created automatically, or owned by platform teams rather than application teams.
There is not yet a universal standard for how granular machine-scale access reviews should be. Some organisations review by workload class, some by privilege threshold, and some by exception-driven sampling. The right choice depends on whether the environment is dominated by stable infrastructure identities or by ephemeral automation and agents. In the latter case, current guidance suggests shrinking the scope of manual certification and shifting more decision-making to policy-as-code and automated control checks.
Edge cases matter. Third-party integrations, delegated admin tools, and shared platform identities can hide the real owner, making certification a paperwork exercise. Fast-changing developer environments can also create false confidence if reviews focus on nominal ownership instead of observed use. NHIMG’s research in the Ultimate Guide to NHIs shows how widespread excessive privilege and weak rotation are, while the breach analysis in the 52 NHI Breaches Analysis illustrates how often identity misuse becomes an incident before it becomes a governance finding.
In environments with heavy automation, the review model should be treated as a backstop, not the primary control. That is where governance becomes practical instead of ceremonial.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly addresses weak rotation and review of machine credentials. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management is central to scalable access review. |
| NIST AI RMF | | Governance of autonomous workloads requires continuous oversight and accountability. |
Use AI RMF governance practices to define owners, review cadence, and escalation paths for machine identities.