Certification scope is the set of identities, entitlements, or privileges included in an access review campaign. Good scope reduces reviewer fatigue by focusing human attention on the access most likely to be risky, while poor scope turns certification into a box-ticking exercise.
Expanded Definition
Certification scope is the boundary of an access review campaign: the identities, entitlements, and privileges that reviewers are asked to confirm, remove, or justify. In NHI governance, that scope often includes service accounts, API keys, workload roles, certificates, and delegated access chains, not just human users. Scope quality matters because it determines whether a certification exercise produces meaningful risk reduction or merely records approvals with little scrutiny.
Definitions vary across vendors, especially when tools blur the line between identity inventory, entitlement review, and policy attestation. For NHI programs, good scope is usually risk-based: it prioritises privileged, dormant, externally exposed, or poorly owned access rather than all access at once. That approach aligns with the intent of OWASP Non-Human Identity Top 10, which treats excessive privilege and weak governance as primary exposure points.
NHIMG research shows why this distinction matters: 97% of NHIs carry excessive privileges, so a broad but unfocused campaign can miss the entitlements most likely to create impact. The most common misapplication is treating certification scope as a complete inventory dump, including every account and permission regardless of ownership, risk, or business context.
Examples and Use Cases
Implementing certification scope rigorously adds reviewer burden and a dependency on inventory data quality, so organisations must weigh thoroughness against the operational cost of chasing low-value approvals.
- A quarterly review targets only production service accounts with write access to customer data, rather than every account in the directory.
- A cloud security team scopes API keys that have not rotated within policy windows, using the identity inventory described in the Ultimate Guide to NHIs — What are Non-Human Identities.
- An application owner reviews entitlements inherited through group membership, because effective access is often broader than the direct assignment list suggests.
- A remediation campaign focuses on externally exposed NHIs after a breach pattern similar to the Sisense breach, where access review must follow containment, not precede it.
- A privileged access program limits scope to standing admin roles and long-lived credentials, rather than including temporary test accounts that are already time-bound.
For identities with automation-heavy workflows, scope should also reflect actual execution authority, because an API key with limited routine use may still be critical if it can reach secrets, CI/CD, or production data. The Ultimate Guide to NHIs — Key Challenges and Risks is useful when deciding which clusters of access deserve the first review pass.
Why It Matters in NHI Security
Certification scope is one of the few controls that directly shapes reviewer attention, which is why poor scoping often turns access review into a compliance ritual instead of a security control. If low-risk items dominate the campaign, reviewers miss the standing privileges, stale tokens, and unmanaged service accounts that create real exposure. That problem is amplified in NHI environments, where NHIs outnumber human identities by 25x to 50x in modern enterprises and where the review population can grow faster than governance teams can sensibly evaluate.
NHIMG data also shows that only 5.7% of organisations have full visibility into their service accounts, so any certification scope that assumes complete inventory accuracy is already fragile. In practice, scope should be built from ownership, criticality, rotation state, and external exposure, then adjusted as systems change. This is where access review connects to Zero Trust thinking: OWASP Non-Human Identity Top 10 and the NHI governance patterns in NHIMG research both point toward reducing standing privilege before it becomes an incident. Organisations typically recognise the need for tighter certification scope only after a review fails to catch a dormant privileged account, at which point scoping becomes an operational problem that can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Access reviews should target NHI entitlements and excessive privilege reduction. |
| NIST CSF 2.0 | PR.AA-04 | Identity governance requires reviewing and managing access rights over time. |
| NIST Zero Trust (SP 800-207) | AC-6 | Least privilege depends on limiting which permissions are certified and retained. |
Define review scope around critical identities and entitlements, then track remediation through access governance.