Quarterly access reviews break when applied to non-human identities because the control assumes stable identities, known ownership, and slow entitlement change. Service accounts, workload identities, and ephemeral tokens can be created outside formal workflows and change faster than the certification cycle, so the review documents history rather than governing live access.
Why Quarterly Reviews Fail for Non-Human Identities
Quarterly access reviews are built for human employees with stable managers, predictable role changes, and slow entitlement drift. That model collapses for service accounts, workload identities, secrets, and ephemeral tokens because those identities are created, reused, and rotated by systems rather than by HR events. The result is a control that records yesterday’s access while live privileges continue to change. The OWASP Non-Human Identity Top 10 treats this as a core governance failure, not a paperwork issue.
NHI Management Group’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which makes delayed certification especially dangerous at scale. When reviewers cannot see who owns the identity, what it is used for, or whether it still exists, the review becomes an audit artifact rather than a security decision. In practice, many security teams discover stale NHI access only after a secret leak or service account abuse has already occurred, rather than through intentional quarterly governance.
What Effective NHI Governance Looks Like Instead
For non-human identities, current guidance suggests shifting from periodic attestation to continuous control. That means inventorying every workload identity, tying it to a system owner, and validating access at the time it is requested, not months later. In mature environments, NHI lifecycle management is paired with automated discovery, policy-as-code, and short-lived credentials so entitlement changes are enforced in real time.
Operationally, the strongest pattern is to treat the identity as a workload primitive rather than a person-like account. That usually includes:
- cryptographic workload identity for proof of what the agent or service is
- just-in-time issuance of credentials with short TTLs
- automatic revocation when the task, pod, pipeline, or job ends
- runtime policy checks based on context, destination, and purpose
- continuous logging and reconciliation against a live inventory
This aligns with the OWASP Non-Human Identity Top 10 focus on secret sprawl, overprivilege, and missing ownership. It also matches the broader lifecycle emphasis in the Ultimate Guide to NHIs — Key Challenges and Risks, where unmanaged secrets and excessive privilege are shown to be persistent drivers of compromise. These controls tend to break down when identities are hard-coded into CI/CD systems and reused across environments because no reviewer can reliably distinguish legitimate automation from stale access.
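The gap between a point-in-time certification and continuous reconciliation against a live inventory is easy to see in code. The following Python script is an added illustration, not code from the page or from NHI Management Group: it takes a constructed inventory (hypothetical identity names, owners, TTLs and job end times) and a constructed set of usage events of the kind distilled from cloud audit logs, then compares what a quarterly snapshot would show a reviewer with what a reconciliation pass finds. The identity that is created and torn down between two review dates, and the token that never entered the inventory at all, are invisible to the review but caught by reconciliation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Identity:
    name: str
    owner: Optional[str]        # system owner on record, or None when nobody is
    created: datetime
    ttl: timedelta              # intended credential lifetime
    ended: Optional[datetime]   # when the job/pipeline that needed it finished
    managed: bool               # True if issued through the formal IAM workflow


@dataclass(frozen=True)
class Usage:
    identity: str
    at: datetime
    destination: str


# Constructed sample inventory; the names are hypothetical, not real systems.
INVENTORY: List[Identity] = [
    Identity("ci-deploy-prod", "platform-team", ts("2024-01-10T09:00:00"),
             timedelta(days=90), None, True),
    Identity("etl-job-7f3a", "data-eng", ts("2024-04-05T02:00:00"),
             timedelta(hours=1), ts("2024-04-05T02:40:00"), True),
    Identity("legacy-app-svc", None, ts("2020-06-01T00:00:00"),
             timedelta(days=3650), None, False),
]

# Constructed usage events, as they might be distilled from audit logs.
USAGE_LOG: List[Usage] = [
    Usage("ci-deploy-prod", ts("2024-02-14T11:00:00"), "prod-k8s"),
    Usage("ci-deploy-prod", ts("2024-05-20T16:30:00"), "prod-k8s"),   # TTL ran out 2024-04-09
    Usage("etl-job-7f3a", ts("2024-04-15T03:00:00"), "warehouse"),    # job ended ten days earlier
    Usage("legacy-app-svc", ts("2024-06-01T08:00:00"), "billing-db"),
    Usage("tmp-debug-token", ts("2024-05-02T22:10:00"), "prod-k8s"),  # never entered the inventory
]

Finding = Tuple[str, str]  # (identity name, finding code)


def quarterly_snapshot(inventory: List[Identity], review_date: datetime) -> List[str]:
    """What a point-in-time review sees: identities alive on the review date."""
    return sorted(
        i.name for i in inventory
        if i.created <= review_date and (i.ended is None or i.ended > review_date)
    )


def reconcile(inventory: List[Identity], usage_log: List[Usage]) -> Set[Finding]:
    """Continuous control: check ownership, issuance path and live usage against the inventory."""
    by_name = {i.name: i for i in inventory}
    findings: Set[Finding] = set()
    for ident in inventory:
        if ident.owner is None:
            findings.add((ident.name, "no-owner"))
        if not ident.managed:
            findings.add((ident.name, "issued-outside-iam-workflow"))
    for use in usage_log:
        ident = by_name.get(use.identity)
        if ident is None:
            findings.add((use.identity, "not-in-inventory"))
            continue
        if use.at > ident.created + ident.ttl:
            findings.add((ident.name, "used-after-ttl"))
        if ident.ended is not None and use.at > ident.ended:
            findings.add((ident.name, "used-after-job-ended"))
    return findings


def missed_by_review(inventory: List[Identity], usage_log: List[Usage],
                     review_date: datetime) -> List[str]:
    """Identities with findings that the quarterly snapshot never even lists."""
    seen = set(quarterly_snapshot(inventory, review_date))
    flagged = {name for name, _ in reconcile(inventory, usage_log)}
    return sorted(flagged - seen)


if __name__ == "__main__":
    q2 = ts("2024-06-30T00:00:00")
    print("Q2 review sees:", quarterly_snapshot(INVENTORY, q2))
    for name, code in sorted(reconcile(INVENTORY, USAGE_LOG)):
        print(f"finding: {name:16} {code}")
    print("invisible to the review:", missed_by_review(INVENTORY, USAGE_LOG, q2))
```

Two things stand out when this runs. `ci-deploy-prod` appears on the reviewer's list with a valid owner, so a certification would approve it, yet the log shows it still in use six weeks after its intended TTL; only reconciliation surfaces that. `etl-job-7f3a` and `tmp-debug-token` are not on the list at all, so no amount of reviewer diligence can flag them. The same reconciliation output doubles as the shortlist for the narrower human review the page recommends: identities with no owner or issued outside the workflow are exactly the ones where an owner must confirm purpose or exception status.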
Where Quarterly Certification Still Helps, and Where It Does Not
Tighter access control often increases operational overhead, requiring organisations to balance assurance against automation cost. Quarterly reviews can still add value for a narrow slice of NHI governance, especially where a human owner must confirm business purpose, risk acceptance, or exception status. Current guidance suggests using reviews as a backstop for ownership validation, not as the primary enforcement mechanism for access revocation.
The edge cases are usually the most dangerous: long-lived service accounts embedded in legacy applications, shared credentials with multiple jobs, third-party integrations, and secrets stored in code or pipeline variables. In those environments, even a clean review can miss the real issue because the review scope may not capture hidden dependencies or machine-to-machine trust paths. The NHIMG data point that 97% of NHIs carry excessive privileges underscores why access recertification alone does not reduce exposure; it can only describe it.
Best practice is evolving toward continuous attestation plus automated offboarding, with quarterly review reserved for oversight and exception management. Where teams still rely on quarterly certification as the main control, the gap is largest when identities are ephemeral, ownership is ambiguous, or secrets are issued outside the formal IAM workflow. That is when the control breaks, because the real access problem has already moved faster than the review cycle.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Quarterly reviews miss stale and overprivileged NHI credentials. |
| NIST CSF 2.0 | PR.AC-4 | Access governance must reflect live privilege, not static review cycles. |
| NIST AI RMF | | Autonomous workloads need ongoing governance and accountability. |

Apply continuous monitoring and documented accountability to all AI-driven and automated identities.