Certification Cycle Time

The amount of time it takes for an access review campaign to move from launch to closure. Longer cycles keep unnecessary access active for longer, so the metric matters when governance teams want to understand whether review processes are actually reducing exposure.

Expanded Definition

Certification cycle time is the elapsed time between launching an access review and formally closing it after decisions are recorded, exceptions are handled, and revocations are executed. In NHI governance, the metric matters because service accounts, API keys, tokens, and certificates often keep working while the review is still open, which means slow closure can leave risk in place long after it was identified.

Definitions vary across vendors, but the operational distinction is consistent: cycle time measures the pace of governance execution, not the number of identities reviewed. It is related to, but different from, campaign scope, reviewer response time, and remediation latency. The most useful benchmark is whether the review is short enough to prevent unnecessary access from persisting across the full lifecycle of the credential. NHI Management Group frames this as part of overall lifecycle discipline in the NHI Lifecycle Management Guide, while the broader risk context is reflected in the OWASP Non-Human Identity Top 10.

The most common misapplication is treating cycle time as a reporting metric only, which occurs when teams measure closure speed but do not enforce timely revocation after reviewer approval.

Examples and Use Cases

Implementing certification cycle time rigorously often introduces workflow pressure, requiring organisations to weigh governance completeness against the operational cost of delaying closure.

  • A quarterly service account review opens with 4,000 entitlements and closes after all owners confirm ownership, exceptions are approved, and stale access is removed.
  • A cloud platform team uses cycle time to compare review duration across business units and identifies one group where unresolved campaigns routinely span multiple sprint cycles.
  • A security team ties cycle time to the Top 10 NHI Issues because long-open campaigns often correlate with excessive privilege and weak ownership.
  • An IAM program measures how long privileged API keys remain active during reviews, then uses the result to prioritise automation for revocation and reattestation.
  • A compliance team references the OWASP Non-Human Identity Top 10 to justify tighter campaign deadlines when reviewers repeatedly miss closure targets.

Where review scope is broad, organisations often track cycle time alongside reviewer response time and remediation time so delays can be attributed to the right control point rather than to the whole process.
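The decomposition described above (cycle time versus reviewer response time and remediation latency, and the misapplication of closing a campaign while revocations are still pending), as an added Python example that is not part of the original page; the campaign record, entitlement identifiers and the "now" timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed campaign record (illustrative, not data from the page): one
# service-account review, ISO 8601 UTC timestamps, "revoked" None = not executed.
CAMPAIGN = {
    "launched": "2024-04-01T09:00:00",
    "closed": "2024-04-22T17:00:00",  # when the tool marked the campaign closed
    "items": [
        {"id": "svc-billing-apikey", "decided": "2024-04-03T11:00:00",
         "decision": "revoke", "revoked": "2024-04-05T08:00:00"},
        {"id": "svc-etl-token", "decided": "2024-04-15T16:30:00",
         "decision": "revoke", "revoked": None},
        {"id": "svc-ci-cert", "decided": "2024-04-02T10:00:00",
         "decision": "keep", "revoked": None},
    ],
}

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def campaign_metrics(campaign, now_iso):
    """Split the campaign into reviewer response (launch -> decision),
    remediation latency (decision -> revocation) and overall cycle time."""
    launched, closed = _ts(campaign["launched"]), _ts(campaign["closed"])
    now = _ts(now_iso)
    out = {"reported_cycle_time": closed - launched, "reviewer_response": {},
           "remediation_latency": {}, "active_after_closure": []}
    for item in campaign["items"]:
        decided, revoked = _ts(item["decided"]), _ts(item["revoked"])
        out["reviewer_response"][item["id"]] = decided - launched
        if item["decision"] != "revoke":
            continue
        # Until the revocation executes, the credential keeps authenticating.
        out["remediation_latency"][item["id"]] = (revoked or now) - decided
        if revoked is None or revoked > closed:
            out["active_after_closure"].append(item["id"])
    # Effective cycle time ends only when every revocation has executed.
    if any(i["decision"] == "revoke" and not i["revoked"] for i in campaign["items"]):
        out["effective_cycle_time"] = None  # closed on paper, still open in practice
    else:
        last = max([closed] + [_ts(i["revoked"]) for i in campaign["items"] if i["revoked"]])
        out["effective_cycle_time"] = last - launched
    return out

def slowest_control_point(metrics):
    # Attribute the longest single delay to reviewers or to remediation.
    worst_review = max(metrics["reviewer_response"].values(), default=timedelta())
    worst_fix = max(metrics["remediation_latency"].values(), default=timedelta())
    return "remediation" if worst_fix > worst_review else "reviewer"
```

For the constructed record the reported cycle time is 21 days 8 hours, but the effective cycle time is None because one revoke decision was never executed, and the longest delay sits at the remediation control point rather than with reviewers.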

Why It Matters in NHI Security

Certification cycle time is a practical indicator of whether governance is reducing exposure or merely documenting it. For NHIs, slow campaigns are especially dangerous because secrets and service accounts continue to authenticate while the review remains unresolved. That creates a window where excessive privileges, orphaned ownership, or stale credentials can be abused even though the issue is already known. NHI Management Group has found that only 5.7% of organisations have full visibility into their service accounts, which means many campaigns begin without a complete inventory and often close too late to matter.

This metric becomes more important in environments shaped by secret sprawl, shadow service accounts, and fragmented ownership. The Guide to the Secret Sprawl Challenge and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs show why review speed cannot be separated from lifecycle control. For practitioners, the target is not just faster closure but closure that actually results in revoked access, updated ownership, and reduced attack surface. Organisational risk typically becomes visible only after an access review exposes a compromised or overprivileged credential, at which point certification cycle time becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Access review timing affects secret and credential governance under NHI control expectations. |
| NIST CSF 2.0 | GV.RM-03 | Certification cycle time is a governance metric for managing identity risk and remediation speed. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous access validation, which slow certification cycles undermine. |

Set review deadlines that force timely closure and revocation before unnecessary NHI access persists.