
Why do access certification campaigns often fail at enterprise scale?

They fail because scope is too broad and reviewers are asked to judge too much at once. When every entitlement looks equally important, people approve quickly and move on. Risk-based scoping reduces that fatigue by narrowing the review set to identities and entitlements that actually changed risk state.

Why This Matters for Security Teams

Access certification campaigns are supposed to reduce entitlement sprawl, but at enterprise scale they often become a clerical exercise. Reviewers face thousands of permissions across humans, service accounts, workloads, and automation, then default to approval because the task is too broad to assess carefully. That creates a false sense of control while risk quietly accumulates across systems and teams.

The problem is even sharper for non-human identities, where the real question is not whether an account exists, but whether it still needs the access it has. NHIMG’s NHI and Secrets Risk Report notes that NHIs now outnumber human identities by 144:1 in enterprise environments, which means human-centric review models are often pointed at the wrong scale of problem. The OWASP Non-Human Identity Top 10 reinforces that overprivileged, poorly governed machine identities are a recurring failure mode, not an edge case. In practice, many security teams discover the review process has been failing only after an audit finding, incident, or major cloud review exposes how much privilege was never challenged.

How It Works in Practice

The campaigns fail when the unit of review is wrong. A generic access recertification asks managers or system owners to validate broad entitlement lists without enough context to judge risk. That becomes unscalable once the enterprise has thousands of applications, layered group memberships, inherited roles, delegated admin paths, and machine identities that rarely map cleanly to a human owner.

A better model starts with risk-based scoping. Instead of reviewing everything on a calendar, teams focus the campaign on identities and entitlements that changed risk state: new privileged access, dormant but still active accounts, access tied to sensitive data, cross-environment roles, or credentials that have not been rotated. This is where identity governance has to connect to operational signals such as recent authentication, last use, asset criticality, and business ownership.

Practitioners usually get better outcomes when they:

  • Limit each review batch to a single application, control family, or risk tier.
  • Separate human access from NHI and service account access so reviewers are not comparing unlike entities.
  • Route inherited or technical access paths that a reviewer cannot judge manually into a separate exception process with its own owner, rather than forcing an approve-or-revoke decision the reviewer is not equipped to make.
  • Precompute last-use, privilege level, and business criticality before the reviewer sees the item.
  • Escalate only changed or high-risk access for attestation, rather than every entitlement on a fixed schedule.
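The scoping criteria above (new privileged access, dormant-but-active accounts, sensitive data, cross-environment roles, unrotated credentials) and the batching rules in the list can be expressed directly as a filter over an entitlement export. The following is an added example, not NHIMG's code or the output of any IGA product. It assumes a flat export with the fields shown in the Entitlement record; the field names, the thresholds, the cadence rule (event-driven review for privileged and machine access, calendar review for stable human roles), and the six sample records are all constructed for illustration. It also handles the edge case of an entitlement with no accountable owner by diverting it to remediation instead of review.

```python
"""Risk-based scoping for an access certification campaign.

Added example, not code from NHIMG or any IGA product. It assumes a flat
entitlement export with the fields of Entitlement below; field names,
thresholds and the records in SAMPLE_ENTITLEMENTS are constructed for
illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 30)                  # fixed clock so results are reproducible
NEW_PRIVILEGE_WINDOW = timedelta(days=30)  # "new privileged access": granted in the last 30 days
DORMANT_AFTER = timedelta(days=90)         # no authentication for 90 days counts as dormant
ROTATION_MAX_AGE = timedelta(days=180)     # NHI credential older than this counts as not rotated


@dataclass(frozen=True)
class Entitlement:
    identity: str
    identity_type: str                     # "human" or "nhi"
    application: str
    entitlement: str
    privileged: bool
    sensitive_data: bool
    environments: frozenset                # e.g. frozenset({"dev", "prod"})
    granted: date
    last_used: Optional[date]              # None = never observed authenticating
    owner: Optional[str]                   # None = nobody accountable
    credential_rotated: Optional[date]     # None for SSO-backed human accounts
    enabled: bool = True


def risk_reasons(e: Entitlement, today: date = TODAY) -> list:
    """Operational signals that put an entitlement in scope (a changed risk state)."""
    reasons = []
    if e.privileged and today - e.granted <= NEW_PRIVILEGE_WINDOW:
        reasons.append("new-privileged-access")
    if e.enabled and (e.last_used is None or today - e.last_used > DORMANT_AFTER):
        reasons.append("dormant-but-active")      # disabled accounts are not "still active"
    if e.sensitive_data:
        reasons.append("sensitive-data")
    if len(e.environments) > 1:
        reasons.append("cross-environment")
    if e.identity_type == "nhi" and (
        e.credential_rotated is None or today - e.credential_rotated > ROTATION_MAX_AGE
    ):
        reasons.append("credential-not-rotated")
    return reasons


def review_cadence(e: Entitlement) -> str:
    """Event-driven review for machine or privileged access; calendar review for stable human roles."""
    return "triggered" if e.identity_type == "nhi" or e.privileged else "quarterly"


def scope_campaign(entitlements, today: date = TODAY) -> dict:
    """Split an export into review batches, remediation items and out-of-scope items.

    Batches are keyed by identity type and application, so a reviewer never compares
    humans with service accounts and never sees more than one application at once.
    """
    batches, remediate_first, out_of_scope = {}, [], []
    for e in entitlements:
        reasons = risk_reasons(e, today)
        if not reasons:
            out_of_scope.append(e.identity)        # unchanged risk state: not in this campaign
            continue
        if e.owner is None:
            # Nobody can make the decision, so certification would be theatre:
            # assign an owner (or remove the access) before it re-enters review.
            remediate_first.append({"identity": e.identity, "entitlement": e.entitlement,
                                    "defect": "no accountable owner", "reasons": reasons})
            continue
        days_since_use = None if e.last_used is None else (today - e.last_used).days
        item = {  # precomputed context so the reviewer does not have to look it up
            "identity": e.identity, "entitlement": e.entitlement, "owner": e.owner,
            "privileged": e.privileged, "days_since_use": days_since_use,
            "reasons": reasons, "cadence": review_cadence(e),
        }
        batches.setdefault(f"{e.identity_type}/{e.application}", []).append(item)
    return {"batches": batches, "remediate_first": remediate_first, "out_of_scope": out_of_scope}


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed sample export (six records), not real data.
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "human", "Payroll", "payroll-viewer", False, False,
                frozenset({"prod"}), days_ago(400), days_ago(10), "hr-lead", None),
    Entitlement("bob", "human", "Payroll", "payroll-admin", True, False,
                frozenset({"prod"}), days_ago(12), days_ago(2), "hr-lead", None),
    Entitlement("carol", "human", "CRM", "customer-export", False, True,
                frozenset({"prod"}), days_ago(400), days_ago(5), "sales-ops", None),
    Entitlement("svc-etl", "nhi", "DataLake", "s3-full-access", True, True,
                frozenset({"dev", "prod"}), days_ago(730), None, "data-platform", days_ago(400)),
    Entitlement("svc-legacy-backup", "nhi", "Backup", "backup-operator", False, False,
                frozenset({"prod"}), days_ago(1800), days_ago(200), None, days_ago(30)),
    Entitlement("svc-ci-deploy", "nhi", "CI", "deploy", True, False,
                frozenset({"prod"}), days_ago(365), days_ago(1), "platform-team", days_ago(20)),
]

if __name__ == "__main__":
    result = scope_campaign(SAMPLE_ENTITLEMENTS)
    for batch, items in sorted(result["batches"].items()):
        print(batch)
        for it in items:
            print(f"  {it['identity']:<10} {it['entitlement']:<16} {it['cadence']:<9} {', '.join(it['reasons'])}")
    print("remediate first:", [r["identity"] for r in result["remediate_first"]])
    print("out of scope:", result["out_of_scope"])
```

Run as-is, the campaign narrows six records to three review items in three single-application batches (bob's newly granted Payroll admin role, carol's sensitive CRM export on the quarterly cycle, and the dormant, cross-environment, unrotated svc-etl credential on the triggered cycle), diverts the ownerless backup account to remediation, and leaves alice and the recently used, recently rotated CI deploy identity out of this campaign entirely. The privileged-but-unchanged CI identity is the point of the design: it is still high risk, which is why the cadence rule would pick it up on the next change event rather than making a reviewer re-approve it every quarter.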

This approach aligns with the NHI security guidance in the Ultimate Guide to NHIs — Key Challenges and Risks, which emphasizes that machine identities proliferate faster than most governance workflows can absorb. It also matches the intent of the OWASP Non-Human Identity Top 10 by pushing teams to verify necessity, not just existence. These controls tend to break down when entitlement data is fragmented across IAM, SaaS, cloud, and CI/CD systems because reviewers never see the full privilege picture.

Common Variations and Edge Cases

Tighter scoping often increases upfront governance work, requiring organisations to balance review quality against campaign speed and staffing constraints. That tradeoff is real, especially in enterprises with many business units or delegated ownership models.

There is no universal standard for how narrow a certification campaign should be, but current guidance suggests that the more dynamic the environment, the more the review should be event-driven rather than calendar-driven. For example, a quarterly campaign may still work for stable business roles, while high-risk cloud permissions, service accounts, and automation identities may need continuous or triggered review instead.

Edge cases usually show up where ownership is unclear. Shared accounts, legacy infrastructure, and vendor-managed access can frustrate clean certification because no one feels accountable enough to make a definitive decision. In those cases, the right answer is often remediation first, then certification second. If an entitlement cannot be reviewed accurately, it is already a governance defect.

NHIMG’s 52 NHI Breaches Analysis shows how often unmanaged machine access becomes a breach accelerant when governance is too broad to be meaningful. The practical takeaway is simple: campaigns should verify risk, not merely document participation. Where the environment is highly dynamic, campaign-based recertification should be supplemented by continuous entitlement monitoring and just-in-time access controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (the outcome numbered PR.AC-4 in CSF 1.1) | Access permissions, entitlements, and authorizations are to be managed and reviewed under least privilege and separation of duties; this is the control area most directly undermined by ineffective certification campaigns.
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Covers the overprivileged and stale non-human identities that slip through broad recertification.
NIST AI RMF | GOVERN | AI governance stresses accountability and context, which broad reviews often lack.

Assign clear ownership and decision criteria so access review outcomes are risk-based and traceable.