Recertification becomes procedural instead of authoritative. If reviewers cannot see every role, account, and application entitlement, they certify partial truth and leave hidden access untouched. That is especially dangerous in hybrid estates where permissions are split between Azure AD and external platforms.
Why This Matters for Security Teams
Recertification is only as credible as the inventory behind it. When reviewers cannot see every role, service account, application entitlement, and shadow permission, the process becomes a paper exercise that approves partial truth. That is especially risky in hybrid estates where access is split across Entra ID, SaaS platforms, on-prem systems, and API-driven workflows. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, which means hidden access is often the rule rather than the exception.
This is not just an audit problem. Missed entitlements leave standing access in place after job changes, vendor exits, and system migrations. Guidance from the NIST Cybersecurity Framework 2.0 is clear that asset and access visibility are prerequisites for effective governance, but recertification tools often rely on incomplete feeds. In practice, many security teams discover the gap only after an incident review or license cleanup exposes the hidden permissions that were never presented to the reviewer.
How It Works in Practice
Effective recertification depends on assembling a complete entitlement graph before the review starts. That graph should include human identities, service accounts, workload identities, group membership, application roles, delegated admin rights, token scopes, and direct entitlements assigned outside standard RBAC. If a platform only shows directory roles but omits SaaS privileges or cloud-native permissions, the reviewer is certifying a slice of the attack surface, not the whole thing.
Practitioners usually need three controls working together:
- Authoritative identity aggregation from HR, IAM, PAM, cloud, and application sources.
- Normalization of entitlements so equivalent permissions are grouped and duplicates are visible.
- Exception handling for accounts that cannot be mapped cleanly, with mandatory owner assignment.
That model aligns with the visibility-first guidance in the Ultimate Guide to NHIs, which emphasizes that NHI governance fails when secrets, accounts, and privileges are scattered across tools. It also matches the access governance direction in NIST SP 800-207 Zero Trust Architecture, where decisions depend on continuously evaluated context rather than static trust assumptions.
For recertification, the practical test is simple: if a reviewer cannot answer “what else can this principal reach?” the review is incomplete. A strong program cross-checks directory entitlements against application-native permissions, and it treats service accounts as first-class identities, not backend noise. The Sisense breach shows why hidden credentials and weak visibility can turn an internal access gap into an external compromise.
These controls tend to break down when entitlements are created directly in applications, bypassing central IAM, because no recertification workflow can certify what it cannot ingest.
Common Variations and Edge Cases
Tighter entitlement aggregation often increases operational overhead, requiring organisations to balance review completeness against integration cost and reviewer fatigue. That tradeoff becomes sharper in hybrid and federated environments, where no single control plane owns every permission.
Current guidance suggests treating a few edge cases differently. Break-glass accounts should be excluded from routine recertification only if they are separately monitored, time-bound, and independently approved. Shared admin accounts should be phased out where possible because they collapse accountability. For machine access, use workload identity and short-lived credentials rather than trying to certify long-lived secrets as if they were stable user entitlements.
Another common failure mode is overreliance on RBAC reports. RBAC can hide direct grants, nested group paths, and application-specific permissions that do not appear in directory exports. In those cases, the review should include owner attestations plus automated discovery from the target platform. The Schneider Electric credentials breach is a reminder that exposed access paths often live outside the systems teams assume are authoritative.
There is no universal standard for this yet, but the practical benchmark is simple: if the review cannot reconstruct effective access end-to-end, the certification should be marked incomplete rather than approved.
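As an added illustration (not code from this guidance or from any vendor it cites), the following Python builds the per-principal entitlement graph described above from constructed sample feeds, shows what an RBAC-only export would hide (app-native grants and entitlements reached only through nested groups), and applies the benchmark of marking a certification incomplete when a feed is missing or an account has no owner. All feed names, principals and entitlement strings are constructed.

```python
from collections import deque

# Constructed sample feeds (not real data). DIRECTORY_ROLES and GROUP_* are what
# a directory/RBAC export shows; APP_NATIVE_GRANTS are grants made inside the
# application itself, bypassing central IAM, so a directory-only review never
# sees them.
DIRECTORY_ROLES = {"alice": {"Helpdesk"}}
GROUP_MEMBERS = {                      # group -> members (users or nested groups)
    "Finance-All": {"alice", "Finance-Admins"},
    "Finance-Admins": {"bob"},
}
GROUP_ENTITLEMENTS = {"Finance-All": {"erp:read"}, "Finance-Admins": {"erp:approve"}}
APP_NATIVE_GRANTS = {"alice": {"crm:admin"}, "svc-billing": {"billing:export"}}
OWNERS = {"alice": "hr:1001", "bob": "hr:1002"}       # svc-billing has no owner
REQUIRED_SOURCES = {"directory", "group", "app_native"}

def groups_of(principal):
    """All groups a principal reaches, following nested membership transitively
    (the visited set also guards against membership cycles)."""
    found, queue = set(), deque(g for g, m in GROUP_MEMBERS.items() if principal in m)
    while queue:
        g = queue.popleft()
        if g not in found:
            found.add(g)
            queue.extend(p for p, m in GROUP_MEMBERS.items() if g in m)
    return found

def effective_access(principal):
    """Entitlement graph for one principal, keyed by the source that granted it."""
    return {
        "directory": set(DIRECTORY_ROLES.get(principal, ())),
        "group": set().union(*(GROUP_ENTITLEMENTS.get(g, ()) for g in groups_of(principal))),
        "app_native": set(APP_NATIVE_GRANTS.get(principal, ())),
    }

def hidden_from_rbac_report(principal):
    """Entitlements an RBAC export (roles + direct group membership) would not show:
    those reached only via nested groups, plus grants made natively in the app."""
    direct = {g for g, m in GROUP_MEMBERS.items() if principal in m}
    nested_only = groups_of(principal) - direct
    via_nesting = set().union(*(GROUP_ENTITLEMENTS.get(g, ()) for g in nested_only))
    return via_nesting | set(APP_NATIVE_GRANTS.get(principal, ()))

def certification_status(principal, ingested_sources):
    """Apply the benchmark: incomplete if any required feed was not ingested,
    exception if the principal has no owner to attest, otherwise ready."""
    if not REQUIRED_SOURCES <= set(ingested_sources):
        return "incomplete"           # effective access cannot be reconstructed end-to-end
    if principal not in OWNERS:
        return "exception"            # route for mandatory owner assignment first
    return "ready"
```

Running `hidden_from_rbac_report` for each principal before the campaign opens gives the reviewer the "what else can this principal reach?" answer the directory export alone cannot.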
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Visibility gaps hide non-human identities and their entitlements from review. |
| NIST CSF 2.0 | PR.AA-01 | Recertification depends on complete identity and access visibility. |
| NIST AI RMF | | Governance requires traceable access decisions and accountability. |
Use AI RMF governance practices to ensure access reviews are evidence-based and auditable.