A certification recommendation is machine-assisted guidance that helps reviewers decide whether access should be approved, removed, or escalated. It does not replace the reviewer. It improves decision quality by adding context from identity attributes, role prevalence, and peer-group patterns.
Expanded Definition
A certification recommendation is machine-assisted guidance that supports a reviewer during access certification or recertification. It surfaces risk signals such as identity age, privilege breadth, role membership, peer-group deviation, and recent activity so a human can decide whether access should be approved, removed, or escalated.
In NHI governance, this term is narrower than automated remediation. A recommendation informs the reviewer, while the reviewer remains accountable for the outcome. That distinction matters because service accounts, API keys, and agentic workloads often appear legitimate even when they are overprivileged or unused. Guidance in the industry is still evolving on how much weight to give behavioural signals versus authoritative entitlement sources, so organisations should treat recommendations as decision support, not as policy itself. The control objective aligns with least privilege and periodic review concepts in NIST Cybersecurity Framework 2.0, especially where identity review must cover non-human actors.
The most common misapplication is using certification recommendations as an approval shortcut, which occurs when reviewers accept the suggestion without validating the entitlement context or business justification.
Examples and Use Cases
Producing recommendations rigorously takes tuning effort (thresholds, peer groups, behavioural baselines) and adds some review overhead of its own, so organisations must weigh the faster certification cycles that recommendations enable against the risk of false confidence in machine-generated guidance.
- A quarterly access review flags a dormant CI/CD service account with broad repository write access and recommends removal, because peer-group usage patterns show that similar accounts are read-only.
- An API key tied to an internal integration is recommended for escalation rather than approval when the identity has not rotated in 180 days and its owner is no longer active.
- A workload identity used by a finance agent is recommended for retention, but only after the reviewer confirms a documented business purpose and matches it to current entitlement scope.
- A privileged service account is highlighted for manual investigation because the recommendation engine sees a sudden expansion from one namespace to many, which is inconsistent with its normal behaviour.
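The four cases above follow the same pattern: collect signals, rank them, suggest an action, and leave the decision to a reviewer. The Python below is an added illustration of that pattern, not NHIMG's code or any product's implementation. It assumes its own field names, thresholds and a constructed inventory that mirrors the cases in the list, and it refuses to finalize an approval that has no documented purpose and no written justification, which is the approval shortcut described earlier.

```python
"""Added illustration, not NHIMG's or any vendor's code: a minimal certification-
recommendation engine over a constructed NHI inventory. Field names, thresholds
and sample records are assumptions chosen to mirror the cases in the text."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_DAYS = 90     # assumed: unused for longer than this counts as dormant
ROTATION_DAYS = 180   # assumed: credential older than this counts as stale
MIN_PEERS = 2         # assumed: peer-group comparison needs this many peers
EXPANSION_LIMIT = 2   # assumed: this many new namespaces triggers investigation

@dataclass
class NHI:
    name: str
    kind: str                        # peer-group key, e.g. "ci-service-account"
    permissions: set                 # entitlements currently held
    last_used: Optional[date]        # None: never observed acting
    last_rotated: Optional[date]     # None: never rotated
    owner_active: bool               # accountable human owner still present?
    namespaces: set                  # scopes observed in the review window
    baseline_namespaces: set         # scopes observed historically
    business_purpose: Optional[str]  # documented justification, if any

@dataclass
class Recommendation:
    action: str         # "approve" | "remove" | "escalate" | "investigate"
    reasons: List[str]  # the signals behind it, shown to the reviewer

def peer_baseline(peers: List[NHI]) -> set:
    """Entitlements held by a strict majority of the peer group."""
    counts: Dict[str, int] = {}
    for p in peers:
        for perm in p.permissions:
            counts[perm] = counts.get(perm, 0) + 1
    return {perm for perm, n in counts.items() if 2 * n > len(peers)}

def recommend(nhi: NHI, inventory: List[NHI], today: date) -> Recommendation:
    """Turn the risk signals named in the text into a suggestion plus reasons."""
    reasons: List[str] = []
    peers = [p for p in inventory if p.kind == nhi.kind and p.name != nhi.name]
    excess: set = set()
    if len(peers) >= MIN_PEERS:  # privilege breadth relative to peers
        excess = nhi.permissions - peer_baseline(peers)
        if excess:
            reasons.append(f"holds {sorted(excess)} that most {nhi.kind} peers do not")
    else:
        reasons.append("peer group too small; privilege breadth not assessed")
    dormant = nhi.last_used is None or (today - nhi.last_used).days > DORMANT_DAYS
    if dormant:
        reasons.append(f"no observed activity in the last {DORMANT_DAYS} days")
    stale = nhi.last_rotated is None or (today - nhi.last_rotated).days > ROTATION_DAYS
    if stale:
        reasons.append(f"credential not rotated in {ROTATION_DAYS} days")
    if not nhi.owner_active:
        reasons.append("owner is no longer active")
    expansion = nhi.namespaces - nhi.baseline_namespaces
    if expansion:
        reasons.append(f"newly observed acting in {sorted(expansion)}")
    # Precedence: possible compromise, then owner/credential hygiene, then unused
    # access, then excess access, and only then a conditional approve.
    if len(expansion) >= EXPANSION_LIMIT:
        return Recommendation("investigate", reasons)
    if not nhi.owner_active or stale:
        return Recommendation("escalate", reasons)
    if dormant:
        return Recommendation("remove", reasons)
    if excess:
        return Recommendation("escalate", reasons)
    reasons.append("retention requires reviewer confirmation of a documented purpose")
    return Recommendation("approve", reasons)

def certify_all(inventory: List[NHI], today: date) -> Dict[str, Recommendation]:
    return {n.name: recommend(n, inventory, today) for n in inventory}

def finalize(rec: Recommendation, nhi: NHI, decision: str, justification: str = "") -> dict:
    """Record the reviewer's outcome; an approval with no documented purpose or
    no written justification is refused, which blocks the approval shortcut."""
    if decision == "approve" and not (nhi.business_purpose and justification.strip()):
        raise ValueError(f"{nhi.name}: approval needs a documented purpose and a justification")
    return {"nhi": nhi.name, "recommended": rec.action, "decision": decision,
            "justification": justification, "reasons": rec.reasons}

# Constructed sample inventory: every record below is made up for this example.
TODAY = date(2025, 6, 1)
def ago(days: int) -> date: return TODAY - timedelta(days=days)
INVENTORY = [
    NHI("ci-bot-a", "ci-service-account", {"repo:read"}, ago(2), ago(40), True, {"build"}, {"build"}, "Nightly build"),
    NHI("ci-bot-b", "ci-service-account", {"repo:read"}, ago(1), ago(35), True, {"build"}, {"build"}, "PR checks"),
    NHI("ci-bot-legacy", "ci-service-account", {"repo:read", "repo:write"}, ago(200), ago(30), True, {"build"}, {"build"}, None),
    NHI("billing-integration-key", "api-key", {"invoices:read"}, ago(3), ago(200), False, {"billing"}, {"billing"}, "Invoice sync"),
    NHI("finance-agent", "workload-identity", {"ledger:read"}, ago(1), ago(20), True, {"finance"}, {"finance"}, "Month-end reconciliation"),
    NHI("cluster-admin-svc", "k8s-service-account", {"pods:*"}, ago(0), ago(10), True, {"payments", "auth", "web", "data"}, {"payments"}, "Payments deploys"),
]

if __name__ == "__main__":
    for name, rec in certify_all(INVENTORY, TODAY).items():
        print(f"{name:24} {rec.action:12} {'; '.join(rec.reasons)}")
```

Running it produces one line per identity: the dormant CI account with write access its peers lack comes back as remove, the API key with a departed owner and an unrotated credential as escalate, the finance workload identity as approve with a note that the reviewer must confirm the documented purpose, and the service account that suddenly appears in three new namespaces as investigate. The precedence order is a design choice worth stating in policy: a possible compromise outranks hygiene findings, and hygiene findings outrank a tidy-looking approve.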
These workflows are most effective when paired with authoritative NHI inventories, such as the Ultimate Guide to NHIs — What are Non-Human Identities, and with reviewer workflows informed by access governance expectations in NIST Cybersecurity Framework 2.0.
Why It Matters in NHI Security
Certification recommendations matter because NHI environments scale faster than manual reviewers can reliably inspect. NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, which means many access decisions are made with incomplete context. When reviewers receive good recommendations, they can focus on exceptions instead of scanning every entitlement from scratch. When recommendations are weak, they can reinforce privilege creep, leave stale access in place, or miss high-risk service accounts that should be removed.
This is especially important in breach response and control validation. The Sisense breach is a reminder that compromised non-human identities can turn routine access into broad exposure when privileges are excessive or poorly reviewed. A strong recommendation process helps turn certification from a checkbox exercise into a risk-based decision point, supported by external guidance such as NIST Cybersecurity Framework 2.0.
Organisations typically recognise the need for certification recommendations only after a stale service account, overbroad token, or post-incident audit shows that access decisions were made without enough evidence, and by then the control is needed urgently rather than as a planned improvement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Recommendations surface dormant or orphaned NHIs (no recent use, owner no longer active) for removal or escalation. |
| OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Peer-group and privilege-breadth signals surface entitlements that exceed what comparable NHIs hold. |
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware are managed, which is the inventory a recommendation draws on. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and entitlements are reviewed and incorporate least privilege, which is what the certification decision enforces. |
Use certification recommendations to flag stale or excessive non-human access for reviewer action.
Related resources from NHI Mgmt Group
- Why do non-human identities make access certification harder than human identities?
- When does continuous monitoring matter more than access certification?
- What is the difference between access certification and continuous monitoring in ERP security?
- How can organisations reduce manual effort in access certification and evidence collection?