A certification is a structured access review campaign that records a reviewer’s decision about whether an identity record remains correct and necessary. In regulated environments, it must produce traceable evidence, require a named owner, and preserve the decision in an immutable audit trail.
Expanded Definition
Certification is a recurring control activity that tests whether an identity record still needs access, still belongs to the stated owner, and still matches its approved privilege scope. In NHI operations, certification is broader than a simple sign-off because it must connect the record to a business purpose, a technical owner, and an evidence trail that survives audit. That distinction matters for service accounts, API keys, and automation identities that often outlive the systems they were created for.
Definitions vary across vendors, but in NHI governance the practical standard is closer to entitlement attestation than to human HR recertification. A strong program ties certification to lifecycle events such as application decommissioning, role change, secret rotation, or service retirement, and it should align with control review expectations in the NIST Cybersecurity Framework 2.0. NHI Management Group treats certification as an operating discipline, not a checkbox, because unattended identities tend to accumulate access that no longer has a current justification. The most common misapplication is treating certification as a one-time spreadsheet approval, which occurs when review ownership, evidence retention, and remediation follow-through are not built into the process.
Examples and Use Cases
Implementing certification rigorously often introduces review overhead, requiring organisations to weigh cleaner access records against the time needed for ownership validation and remediation.
- A platform team certifies cloud service accounts each quarter to confirm the account still maps to an active workload and that its permissions match the current deployment pattern.
- A security team certifies API keys used by third parties after contract renewals to verify the integration is still active and the key is still scoped to the intended system.
- An internal audit group uses certification results to support offboarding decisions when an application is retired but its machine identity has not yet been removed.
- A governance team compares certification outcomes with guidance from the Ultimate Guide to NHIs — What are Non-Human Identities to identify identities that remain valid but no longer have a clear business owner.
- A post-incident response team reviews the Sisense breach as a case study for why stale machine identities can survive long after their original purpose has ended.
In practice, certification is most useful when it is paired with a clear remediation path: approve, remediate, revoke, or transfer ownership. Without that structure, reviewers may confirm access simply because they lack enough context to challenge it.
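The definition above (a campaign that records a reviewer's decision, requires a named owner and preserves it in an immutable trail), the lifecycle triggers listed under Expanded Definition, and the four remediation paths in the preceding paragraph can be expressed as a small model. The following Python is an added example, not code from NHI Management Group or any product: it selects which identities are due (cycle elapsed, never certified, orphaned, or hit by a lifecycle event), restricts decisions to approve, remediate, revoke or transfer, refuses to approve anything without a named owner and a business purpose, keeps a transferred item open until the new owner decides, revokes whatever is still undecided at the deadline, and writes every decision to a hash-chained append-only trail that a verifier can check. All identities, owners, reviewers, dates and events are constructed.

```python
"""Toy NHI certification campaign (added example; every identity, owner, reviewer and
event is constructed): review selection, allowed decisions, the named-owner rule, and
a hash-chained, append-only audit trail."""
from __future__ import annotations
import hashlib, json
from dataclasses import dataclass
from datetime import date, timedelta

DECISIONS = {"approve", "remediate", "revoke", "transfer"}   # the four remediation paths
TRIGGER_EVENTS = {"app_decommissioned", "role_changed", "secret_rotated", "service_retired"}
GENESIS = "0" * 64   # prev_hash of the first audit entry

@dataclass
class NHIRecord:
    identity_id: str
    owner: str | None            # named technical owner; None means orphaned
    purpose: str | None          # business justification; None means unknown
    scope: list[str]             # approved privilege scope
    last_certified: date | None  # None means never reviewed

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def verify_trail(trail: list[dict]) -> bool:
    """Recompute every hash and link; an edit, deletion or reorder breaks the chain."""
    prev = GENESIS
    for e in trail:
        if e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

class Campaign:
    def __init__(self, records: list[NHIRecord], today: date, cycle_days: int = 90):
        self.records = {r.identity_id: r for r in records}
        self.today, self.cycle_days = today, cycle_days
        self.trail: list[dict] = []
        self.pending: set[str] = set()

    def open(self, events: dict[str, str] | None = None) -> set[str]:
        """Due for review: past the cycle, never certified, orphaned, or hit by a lifecycle event."""
        events = events or {}
        for r in self.records.values():
            overdue = r.last_certified is None or (self.today - r.last_certified).days >= self.cycle_days
            if overdue or r.owner is None or events.get(r.identity_id) in TRIGGER_EVENTS:
                self.pending.add(r.identity_id)
        return set(self.pending)

    def decide(self, iid: str, decision: str, reviewer: str, evidence: str, new_owner: str | None = None) -> None:
        if iid not in self.pending or decision not in DECISIONS:
            raise ValueError("identity not under review or unknown decision")
        if not reviewer or not evidence:
            raise ValueError("a named reviewer and recorded evidence are required")
        rec = self.records[iid]
        if decision == "approve" and not (rec.owner and rec.purpose):
            raise ValueError("approve needs a named owner and a current business purpose")
        if decision == "transfer" and not new_owner:
            raise ValueError("transfer needs a new named owner")
        self._append(iid, decision, reviewer, evidence, new_owner)
        if decision == "transfer":
            rec.owner = new_owner   # stays pending: the new owner must still decide
            return
        if decision == "approve":
            rec.last_certified = self.today
        self.pending.discard(iid)

    def close(self, reviewer: str = "campaign-close") -> list[str]:
        """Deadline rule: whatever is still undecided has no current justification, so revoke it."""
        for iid in sorted(self.pending):
            self._append(iid, "revoke", reviewer, "no decision by campaign deadline", None)
        self.pending.clear()
        return [e["identity_id"] for e in self.trail if e["decision"] == "revoke"]

    def _append(self, iid, decision, reviewer, evidence, new_owner) -> None:
        entry = {"identity_id": iid, "decision": decision, "reviewer": reviewer, "evidence": evidence,
                 "new_owner": new_owner, "date": self.today.isoformat(),
                 "prev_hash": self.trail[-1]["entry_hash"] if self.trail else GENESIS}
        entry["entry_hash"] = _digest(entry)   # append-only: entries are never rewritten
        self.trail.append(entry)

TODAY = date(2024, 6, 30)   # constructed campaign date

def sample_records() -> list[NHIRecord]:   # constructed inventory
    d = lambda n: TODAY - timedelta(days=n)
    return [
        NHIRecord("svc-payments-prod", "platform-team", "nightly payment batch", ["queue:send"], d(120)),
        NHIRecord("key-partner-acme", "integrations", "Acme order sync", ["orders:read"], d(30)),
        NHIRecord("sa-legacy-reports", None, None, ["db:read"], d(30)),
        NHIRecord("role-ci-deploy", "devex", "CI deploys", ["deploy:update"], d(10)),
    ]
SAMPLE_EVENTS = {"key-partner-acme": "app_decommissioned"}   # constructed lifecycle event

def run_demo() -> tuple[Campaign, list[str]]:
    c = Campaign(sample_records(), TODAY)
    c.open(SAMPLE_EVENTS)   # role-ci-deploy is recent, owned and untouched, so it is not pulled in
    c.decide("svc-payments-prod", "approve", "alice", "workload still deployed; scope matches manifest")
    c.decide("key-partner-acme", "revoke", "carol", "integration retired with the application")
    c.decide("sa-legacy-reports", "transfer", "bob", "reports DB belongs to data engineering", "data-eng")
    return c, c.close()   # data-eng never answered, so sa-legacy-reports is revoked at the deadline
```

Two design choices carry the page's argument. A transfer does not count as a certification: it reassigns the owner and leaves the item open, so an identity cannot be waved through by handing it to someone who never looks at it. And the deadline rule defaults to revoke rather than approve, which is the inverse of a spreadsheet campaign where silence is read as consent. The hash chain makes the evidence tamper-evident (editing, dropping or reordering any entry fails `verify_trail`); a production trail would also need an external anchor or write-once storage so the chain itself cannot be regenerated.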
Why It Matters in NHI Security
Certification closes one of the biggest governance gaps in NHI environments: identities that remain technically functional after their operational purpose disappears. That gap is dangerous because expired service accounts, orphaned API keys, and overbroad automation roles often bypass human-facing approval workflows yet still retain production access. The risk is not theoretical. NHI Management Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Used correctly, certification helps detect access drift, enforce ownership accountability, and produce defensible evidence for regulators and internal auditors. It also supports the practical application of NIST Cybersecurity Framework 2.0 outcomes around access governance and continuous risk reduction. The term becomes especially important in environments with third-party integrations, short-lived workloads, and shared automation patterns, where no single person may remember why an identity still exists. Organisations typically encounter the operational need for certification only after an access review, audit finding, or incident reveals that a machine identity remained active long after its owner assumed it had been retired.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-08 | Covers review and governance of non-human identity lifecycle and access. |
| NIST CSF 2.0 | PR.AA | Identity and access assurance depends on periodic verification of entitlement necessity. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous validation of identity and privilege relevance. |
Run recurring certifications for NHIs and revoke anything without current business justification.
Related resources from NHI Mgmt Group
- Why do non-human identities make access certification harder than human identities?
- When does continuous monitoring matter more than access certification?
- What is the difference between access certification and continuous monitoring in ERP security?
- How can organisations reduce manual effort in access certification and evidence collection?