Certification campaigns slow down when the workflow asks too much of individual reviewers and the interface makes decisions hard to complete quickly. Reviewers defer when they cannot easily see the status of an item, the action expected of them, or who owns the access. That delay is a control risk in itself: the access under review stays in place until the campaign closes.
Why This Matters for Security Teams
Certification campaigns slow down when review work is spread across too many people, but the deeper issue is usually poor decision context. Reviewers are asked to approve or revoke access without a clear picture of what a user, service, or Non-Human Identity actually does, which makes every decision feel risky and slow. That delay matters because access often remains active until the campaign closes, and long-running exceptions create exposure.
Large organisations also run into fragmented ownership, duplicated systems, and inconsistent entitlement naming, so the same access looks different across business units. The result is not just review fatigue. It is control drift: a campaign meant to confirm least privilege becomes a queue of unresolved decisions, especially when reviewers must leave the tool to gather evidence. NIST CSF 2.0 expects access permissions and entitlements to be defined in policy, managed, enforced, and reviewed (PR.AA-05), but in practice many campaigns are still manual and interruption-heavy, and security teams often discover access sprawl only after review backlogs have already delayed revocation across several business units.
How It Works in Practice
Campaigns move faster when each reviewer can answer three questions quickly: who has the access, why they have it, and whether it is still needed. That sounds simple, but it requires good entitlement metadata, current ownership, and a workflow that does not force people to research basic facts during the review itself. Where those inputs are missing, reviewers defer, reassign, or mark items for later, and the campaign stalls.
Operationally, the best-performing campaigns tend to combine better scoping with better decision support. Common practices include:
- Group access by application, business function, or risk level instead of sending one enormous list to every reviewer.
- Pre-populate context such as last login, privilege level, source system, and owner so reviewers can act in one pass.
- Auto-approve low-risk, well-understood access and focus human review on privileged or unusual entitlements.
- Use escalation paths for stale items so unresolved reviews do not sit indefinitely in a queue.
- Remove duplicated records and stale owners before launch, not during the campaign.
This is especially important where the review scope touches secrets, service accounts, or machine access. The State of Secrets in AppSec research highlights how fragmented control environments already slow remediation, and similar fragmentation makes access certification harder to complete cleanly. Mature teams also align campaign outputs with identity governance and privileged access workflows rather than treating certification as a one-time spreadsheet exercise. These controls tend to break down when entitlement data is stale across multiple source systems because reviewers cannot trust what the campaign is showing them.
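The scoping and decision-support practices above can be expressed as a small triage pipeline. The following is an added example written for this page, not code from the original guidance or from any identity governance product. It assumes a hypothetical review-item record shape (real IGA exports differ), an assumed 90-day "unused" threshold and 14-day reviewer SLA, and constructed sample data. It deduplicates records whose entitlement names differ only in formatting, auto-approves only low-privilege, owned, recently used human access, sends everything else (privileged, unused, ownerless, or non-human) to a reviewer queue grouped by application and owner with the context pre-populated, and escalates items that have no owner or have sat open past the SLA.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical record shape for a campaign export; real IGA products differ.
@dataclass(frozen=True)
class ReviewItem:
    principal: str          # user or service account name
    principal_type: str     # "human" or "nhi" (non-human identity)
    app: str                # application the entitlement belongs to
    entitlement: str        # raw entitlement name as exported
    source_system: str      # system the record came from
    privilege: str          # "read", "write" or "admin"
    owner: Optional[str]    # accountable reviewer; None when ownership is stale
    last_used: Optional[date]
    opened: date            # when the item entered the campaign queue

STALE_DAYS = 90   # assumed threshold: unused longer than this is flagged
SLA_DAYS = 14     # assumed threshold: open longer than this escalates


def normalize_entitlement(name: str) -> str:
    """Collapse naming differences such as ERP_Read / erp-read / ERP Read."""
    return re.sub(r"[\s_\-]+", " ", name.strip()).lower()


def dedupe(items):
    """Drop records that describe the same principal + app + entitlement twice."""
    seen = {}
    for item in items:
        key = (item.principal, item.app, normalize_entitlement(item.entitlement))
        seen.setdefault(key, item)   # keep the first record, preserve order
    return list(seen.values())


def decide(item: ReviewItem, today: date):
    """Return ('auto-approve', []) or ('review', [reasons]) for one item."""
    reasons = []
    if item.owner is None:
        reasons.append("no current owner")
    if item.privilege == "admin":
        reasons.append("privileged entitlement")
    if item.last_used is None:
        reasons.append("never used")
    elif (today - item.last_used).days > STALE_DAYS:
        reasons.append(f"unused for more than {STALE_DAYS} days")
    if item.principal_type == "nhi":
        # Never auto-approve machine access: a human must confirm owner and secret lifecycle.
        reasons.append("non-human identity: confirm owner and secret lifecycle")
    return ("auto-approve", reasons) if not reasons else ("review", reasons)


def build_campaign(items, today: date):
    """Dedupe, triage, group review work by (app, owner) and escalate stale items."""
    auto_approved, escalations = [], []
    queues = defaultdict(list)
    for item in dedupe(items):
        decision, reasons = decide(item, today)
        if decision == "auto-approve":
            auto_approved.append(item)
            continue
        days_open = (today - item.opened).days
        owner = item.owner or "UNASSIGNED"
        # Pre-populated context so the reviewer can act in one pass.
        entry = {"principal": item.principal,
                 "entitlement": normalize_entitlement(item.entitlement),
                 "source": item.source_system, "privilege": item.privilege,
                 "last_used": item.last_used, "reasons": reasons,
                 "days_open": days_open}
        queues[(item.app, owner)].append(entry)
        if item.owner is None or days_open > SLA_DAYS:
            escalations.append(entry | {"app": item.app, "owner": owner})
    return {"auto_approved": auto_approved, "queues": dict(queues),
            "escalations": escalations}


# Constructed sample export (not real data): note the duplicate alice record
# that differs only in entitlement spelling and source system.
TODAY = date(2025, 3, 1)
SAMPLE = [
    ReviewItem("alice", "human", "erp", "ERP_Read", "hr-feed", "read", "bob", date(2025, 2, 20), date(2025, 2, 25)),
    ReviewItem("alice", "human", "erp", "erp-read", "ad-export", "read", "bob", date(2025, 2, 20), date(2025, 2, 25)),
    ReviewItem("carol", "human", "erp", "ERP Admin", "ad-export", "admin", "bob", date(2025, 2, 28), date(2025, 2, 10)),
    ReviewItem("svc-backup", "nhi", "storage", "bucket-write", "cloud-iam", "write", None, date(2024, 10, 1), date(2025, 2, 27)),
    ReviewItem("dave", "human", "crm", "crm-read", "crm", "read", "erin", None, date(2025, 2, 28)),
]

if __name__ == "__main__":
    result = build_campaign(SAMPLE, TODAY)
    print("auto-approved:", [i.principal for i in result["auto_approved"]])
    for (app, owner), entries in result["queues"].items():
        print(f"queue {app}/{owner}: {[e['principal'] for e in entries]}")
    print("escalations:", [(e["principal"], e["reasons"]) for e in result["escalations"]])
```

On the sample data, alice's duplicated read access collapses to one record and is auto-approved; carol's admin entitlement goes to bob's ERP queue and escalates because it has been open 19 days; the ownerless, long-unused service account escalates immediately; dave's never-used access waits in erin's queue without escalation. Running the dedupe and ownership checks before launch, as the list above recommends, is what keeps the escalation list short.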
Common Variations and Edge Cases
Tighter certification controls often increase reviewer workload, so organisations have to balance speed against assurance. That tradeoff becomes sharper in global enterprises, regulated sectors, and environments with many inherited permissions, where every additional layer of validation can slow closure.
There is no universal standard for campaign design, but the slowest campaigns usually share the same patterns: too many reviewers, too much noise, and too little context. In some cases the real bottleneck is not the reviewers at all but upstream identity hygiene. If role definitions are weak, campaign owners cannot tell whether access is legitimate, so they keep reclassifying the same items every cycle.
One practical exception is high-risk access. Security teams should not over-automate privileged or sensitive entitlements just to improve completion rates. Another edge case is contractor or seasonal access, where short review windows may require faster escalation and stronger ownership. In those environments, campaign design should be paired with clearer joiner-mover-leaver controls and better entitlement lifecycle management. The Sisense breach is a useful reminder that weak identity control often becomes visible only when access is already being abused, not when the review is scheduled.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, NIST CSF 2.0 sets the identity and access management outcomes practitioners need to meet, and the NIST AI RMF GOVERN function is referenced here for its accountable, repeatable decision-process practices.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware must be managed by the organisation; accurate, reviewable entitlement data is the precondition for that. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are defined in policy, managed, enforced, and reviewed, incorporating least privilege and separation of duties; certification campaigns are the review mechanism. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 (Improper Offboarding), NHI5:2025 (Overprivileged NHI) | Campaign delays often leave orphaned or over-privileged service accounts and their secrets in place, which is exactly the lifecycle failure these entries describe. |
| NIST AI RMF | GOVERN function | Campaign slowdown is a governance issue requiring accountable, repeatable decision processes. |
Use AI RMF GOVERN practices to define owners, escalation paths, and evidence requirements for certification.