
Access Review Theatre

A situation where access certification appears complete but only covers a narrow, curated slice of the environment. The organisation produces audit-ready evidence while large parts of the identity estate, especially legacy and non-human access, remain outside meaningful governance.

Expanded Definition

Access Review Theatre describes access certification that looks complete on paper but excludes the identities and entitlements most likely to create risk. In NHI programs, that usually means reviews cover a curated set of human users while service accounts, API keys, legacy admin paths, and machine-to-machine permissions stay outside the scope.

The problem is not the review itself, but the boundary drawn around it. A meaningful review should cover standing access, privilege sprawl, dormant credentials, and evidence of ownership across the full identity estate, and it should be able to answer three questions for every entitlement: is the access still needed, is the credential still active, and did the approver have enough context (usage data, owner, purpose) to validate it. Theatre produces clean sign-off records without testing any of the three. That is why the OWASP Non-Human Identity Top 10 lists improper offboarding and overprivileged NHIs as distinct risks rather than as documentation issues: they are exactly what a review with the wrong boundary leaves standing.

Definitions vary across vendors, but the common pattern is the same: a process optimized for audit evidence instead of access truth. The most common misapplication is calling a partial certification complete when legacy systems and non-human identities were never in scope.

Examples and Use Cases

Rigorous access reviews introduce operational friction, because every additional identity source and entitlement path has to be exported, owned, and judged. The patterns below show what organisations typically leave out when they choose audit simplicity over that cost.

  • A quarterly certification includes employees in a SaaS app, but ignores service accounts that hold equivalent production access.
  • An auditor receives signed evidence for privileged users, while API keys embedded in CI/CD pipelines remain unmanaged, as highlighted in the Ultimate Guide to NHIs.
  • A legacy application cannot export entitlements cleanly, so reviewers certify only the visible directory group and skip local administrator rights.
  • A manager approves dormant contractor access because the workflow lacks activity data, even though the account has not been used in months.
  • A platform team documents recertification for cloud roles, but excludes third-party NHIs that connect through federated credentials, a gap discussed in the NHI Lifecycle Management Guide.

External guidance such as the OWASP Non-Human Identity Top 10 is useful here because it reinforces that access governance must follow the credential, not just the user record.
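As an added example (not tooling from the journal or from any project it cites), the following Python check makes the review boundary described above measurable. It compares a certification campaign against the full identity inventory and reports the gaps the examples above describe: identities left out of scope grouped by kind, privileged identities never reviewed, approvals granted to dormant credentials, and approvals for identities with no accountable owner. The inventory, the campaign, the identity names and kinds, and the 90-day dormancy threshold are all constructed assumptions for the demonstration.

```python
"""Certification coverage check: what a 'complete' access review actually covered.

Added example with constructed sample data; identity names, kinds and the
90-day dormancy threshold are assumptions, not values from the original page.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                   # "human", "service_account", "api_key", "federated_nhi"
    privileged: bool            # holds production- or admin-equivalent access
    owner: Optional[str]        # accountable owner, None if nobody claims it
    last_used: Optional[date]   # last authentication observed, None if never seen
    entitlements: tuple


@dataclass(frozen=True)
class Campaign:
    as_of: date
    scope: frozenset            # identities the campaign put in front of reviewers
    approved: frozenset         # identities reviewers signed off as still needed


def audit_campaign(inventory, campaign, dormant_after_days=90):
    """Return the gaps a clean sign-off record would otherwise hide."""
    by_name = {i.name: i for i in inventory}
    unknown = campaign.scope - set(by_name)
    if unknown:
        raise ValueError(f"campaign references identities not in inventory: {sorted(unknown)}")
    cutoff = campaign.as_of - timedelta(days=dormant_after_days)

    # Boundary check: which identities were never shown to a reviewer, by kind.
    out_of_scope = {}
    for ident in inventory:
        if ident.name not in campaign.scope:
            out_of_scope.setdefault(ident.kind, []).append(ident.name)

    # Privilege check: coverage of the identities that matter most.
    privileged = [i for i in inventory if i.privileged]
    privileged_uncovered = sorted(i.name for i in privileged if i.name not in campaign.scope)

    # Approval quality: sign-offs that usage or ownership data would have challenged.
    dormant_approved = sorted(
        n for n in campaign.approved
        if by_name[n].last_used is None or by_name[n].last_used < cutoff)
    unowned_approved = sorted(n for n in campaign.approved if by_name[n].owner is None)

    coverage = len(campaign.scope) / len(inventory) if inventory else 0.0
    priv_cov = (len(privileged) - len(privileged_uncovered)) / len(privileged) if privileged else 1.0
    return {
        "coverage": round(coverage, 2),
        "privileged_coverage": round(priv_cov, 2),
        "out_of_scope": {k: sorted(v) for k, v in out_of_scope.items()},
        "privileged_uncovered": privileged_uncovered,
        "dormant_approved": dormant_approved,
        "unowned_approved": unowned_approved,
    }


# Constructed sample data mirroring the patterns above: humans reviewed,
# machine identities with equivalent production access left outside the scope.
AS_OF = date(2025, 3, 31)
SAMPLE_INVENTORY = (
    Identity("alice", "human", False, "alice", date(2025, 3, 28), ("crm:user",)),
    Identity("bob-contractor", "human", True, "m.lee", date(2024, 11, 2), ("crm:admin",)),
    Identity("svc-reporting", "service_account", False, None, date(2025, 3, 20), ("bi:read",)),
    Identity("svc-deploy", "service_account", True, "platform", date(2025, 3, 30), ("prod:deploy",)),
    Identity("ci-api-key-7", "api_key", True, None, date(2025, 3, 31), ("prod:deploy",)),
    Identity("vendor-sync", "federated_nhi", True, "vendor-x", date(2025, 3, 29), ("prod:read",)),
    Identity("legacy-app-localadmin", "service_account", True, None, None, ("legacyhost:Administrators",)),
)
SAMPLE_CAMPAIGN = Campaign(
    as_of=AS_OF,
    scope=frozenset({"alice", "bob-contractor", "svc-reporting"}),
    approved=frozenset({"alice", "bob-contractor", "svc-reporting"}),
)


def sample_report():
    return audit_campaign(SAMPLE_INVENTORY, SAMPLE_CAMPAIGN)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The campaign in the sample certifies three of seven identities and every approval is "clean", yet the report shows 20% privileged coverage, a dormant contractor approved without usage data, an approval for an unowned service account, and every production-capable machine identity outside the boundary. Feeding a real inventory (directory, secrets manager, cloud IAM, CI/CD key store) into the same check is the difference between evidence of a review and evidence of access truth.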

Why It Matters in NHI Security

Access Review Theatre creates a false control environment. It lets organisations claim governance maturity while leaving secrets, privileged tokens, and machine identities unchallenged. That gap is especially dangerous because NHIs often outnumber human identities by 25x to 50x in modern enterprises, and NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts. When visibility is that low, a certification program that excludes non-human access is not a safeguard, it is camouflage.

The security consequence is straightforward: excess privilege persists, incident response loses time establishing what an identity could actually do, and audit findings arrive after compromise rather than preventing it. This is why the issue belongs in both governance and operations, alongside the least privilege and lifecycle controls described in the Ultimate Guide to NHIs — Key Challenges and Risks. The exposure usually becomes visible only in a breach review or a regulatory challenge, at which point closing the gap can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control expectations practitioners need to meet.

Framework                              | Control / Reference                                           | Relevance
OWASP Non-Human Identity Top 10        | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI  | NHIs that are never decommissioned, and NHIs holding more access than they need, are exactly what a partial review leaves unchallenged.
NIST CSF 2.0                           | PR.AA Identity Management, Authentication, and Access Control (PR.AC-1 in CSF 1.1) | Access permissions and entitlements must be managed and reviewed for all identities, users and services alike, not only the ones that are easy to export.
NIST Zero Trust Architecture (SP 800-207) | Tenets of Zero Trust (Section 2.1), in particular dynamic, strictly enforced authentication and authorization | Zero Trust assumes continuous verification of every access decision rather than periodic paper-based approval.

Expand certification scope to include all NHIs, entitlements, and ownership evidence before signing off.