Certification becomes less useful when it only records entitlement decisions after the fact and does not reduce entitlement drift. If access data is stale, reviewers are certifying a snapshot that may already be wrong. Runtime controls matter more when the environment changes quickly, when privileged access is frequent, or when machine identities outnumber humans.
Why This Matters for Security Teams
identity certification is a point-in-time control. It is useful for accountability, audit evidence, and forcing ownership decisions, but it becomes weak when privileges change faster than review cycles. That gap is especially visible in machine-heavy environments, where Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x and 97% carry excessive privileges. In that setting, a clean certification record can still leave active overreach in place.
Security teams often treat certification as if it were enforcement. It is not. If the access model depends on delayed review, stale data, or manual follow-up, then drift continues between review windows. runtime access control matter more when the environment is dynamic, access is ephemeral, or the same identity can be used by scripts, services, and agents that change behaviour constantly. Current guidance from the OWASP Non-Human Identity Top 10 is clear that NHI governance has to account for lifecycle, exposure, and privilege, not just attestation. In practice, many security teams discover the gap only after an overprivileged service account has already been used to move laterally, rather than through a clean certification cycle.
How It Works in Practice
Identity certification asks, “Should this identity still have this access?” Runtime access control asks, “Should this request be allowed right now?” Those are related questions, but they solve different problems. Certification is best when access patterns are stable, reviewable, and low frequency. Runtime control is more valuable when access is conditional, short-lived, or tied to a task that changes as systems change.
In practice, stronger programmes combine both. Certification should validate ownership, business justification, and whether an entitlement still belongs on the books. Runtime controls should reduce blast radius by enforcing least privilege at the moment of use. For NHIs, that often means using short-lived tokens, policy-as-code, and automated revocation instead of relying on annual or quarterly review alone. The operational goal is to prevent entitlement drift from becoming active exposure, not merely to document it after the fact.
- Use certification to remove dead accounts, stale roles, and abandoned service identities.
- Use runtime policy to approve or deny each request based on context such as workload, destination, time, and sensitivity.
- Prefer short-lived credentials for systems that can authenticate continuously, rather than long-lived static secrets.
- Require explicit ownership for each NHI so review results can actually drive remediation.
For identity hygiene and incident patterns, the NHI Mgmt Group research on 52 NHI Breaches Analysis and the Top 10 NHI Issues both show how quickly overexposure becomes operational risk when revocation depends on humans catching up later. These controls tend to break down when access is granted through brittle legacy apps that cannot evaluate context at request time because the app itself cannot enforce modern policy.
Common Variations and Edge Cases
Tighter runtime control often increases engineering overhead, requiring organisations to balance security gains against integration cost and latency. That tradeoff is real, especially in older environments where access is embedded in static IAM roles, shared service accounts, or brittle batch jobs.
There is no universal standard for when certification should be reduced or replaced, but current guidance suggests using it as a governance layer, not the primary enforcement mechanism. For high-churn environments, runtime controls should carry more weight. For low-change administrative access, certification still adds value because it creates an ownership checkpoint and a remediation trail. The key edge case is machine-to-machine access: if a workload authenticates frequently and its privileges change with each task, certification alone can lag behind the actual risk. That is why runtime enforcement, token TTLs, and automated revocation are usually more effective than review-based controls in those environments. The OWASP Non-Human Identity Top 10 and PCI DSS v4.0 both support this direction by emphasising least privilege, access restriction, and ongoing control validation.
Where certification still matters most is as an exception and accountability mechanism. Where it matters least is in fast-moving operational pathways, because a reviewed entitlement can still be the wrong entitlement by the time it is used.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses stale or overprivileged NHI access that certification often misses. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management aligns with using runtime controls over static reviews. |
| NIST AI RMF | Runtime governance is needed when access decisions depend on changing AI or workload context. |
Pair certification with runtime revocation and short-lived NHI credentials when entitlements change quickly.
