A governance process that reviews the rules authorising access rather than each individual identity one by one. For AI agents, this is often more scalable than per-agent review because the control object is the approved policy set, not the ever-growing inventory of agent instances.
Expanded Definition
Policy recertification is the periodic review and approval of access rules, not individual entitlements, to confirm that the governing policy still reflects current business need, risk tolerance, and technical reality. In NHI security, this matters because AI agents, service accounts, and automation often inherit permissions from reusable policy sets that can outlive the workload they were built for.
Definitions vary across vendors on how often recertification should happen and whether it should be triggered by time, change events, or risk signals. A practical reading aligned to NIST Cybersecurity Framework 2.0 is that policy review should be repeatable, evidence-based, and tied to governance outcomes rather than ad hoc exception handling. NHIMG frames this alongside lifecycle governance in Ultimate Guide to NHIs – Lifecycle Processes for Managing NHIs, where access decisions are treated as living controls.
The most common misapplication is treating policy recertification as a checkbox exercise for dormant rules: teams approve policies without revalidating the services, agents, and data paths those rules now govern.
Examples and Use Cases
Implementing policy recertification rigorously often introduces governance overhead, requiring organisations to weigh faster approvals against the cost of periodic review and evidence collection.
- A platform team reviews the policy that authorises an AI agent to read tickets and call internal APIs, then removes write access that is no longer needed after a product change.
- A security team recertifies the policy governing CI/CD service accounts after a secrets migration, using Ultimate Guide to NHIs – What are Non-Human Identities as a baseline for understanding the NHI control surface.
- An audit group compares approved policy sets against Top 10 NHI Issues to identify policies that still grant broad access after a system sunset.
- A risk committee recertifies a third-party integration policy after a vendor contract renewal, ensuring the allowed scopes still match the business justification and data classification.
- A governance workflow flags policies tied to high-risk data stores for accelerated review after a major incident, rather than waiting for the next scheduled cycle.
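The use cases above share one mechanism: the policy, not the identity, is the object under review, and the evidence is gathered across every identity bound to it. The Python below is an added example, not code from the original guidance; its schema, policy names and evidence values are constructed for illustration. It raises dormant, excess-privilege, change-triggered and time-triggered findings, and shortens the time trigger for high-risk rules while an incident is open.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Policy:  # constructed schema, not a vendor format
    name: str
    actions: set[str]            # actions the rule authorises
    bound_identities: set[str]   # NHIs that inherit this policy
    last_certified: date
    high_risk: bool = False      # governs a high-risk data store

@dataclass
class Evidence:  # what the review collects about the estate
    live_identities: set[str]          # NHIs still in inventory
    actions_used: dict[str, set[str]]  # identity -> actions exercised in the window
    changed_policies: set[str]         # policies touched by a change event (migration, sunset)
    incident_open: bool = False        # risk signal: accelerate high-risk reviews

def recertification_findings(policy, ev, today, interval=timedelta(days=90)):
    """Reasons a policy must be re-reviewed; an empty list means it stays certified."""
    findings = []
    live = policy.bound_identities & ev.live_identities
    if not live:
        findings.append("dormant: no live identity inherits this rule")
    exercised = set().union(*(ev.actions_used.get(i, set()) for i in live))
    unused = policy.actions - exercised
    if live and unused:
        findings.append(f"excess: actions never used by bound identities: {sorted(unused)}")
    if policy.name in ev.changed_policies:
        findings.append("change-triggered: workload or dependency changed since approval")
    window = interval / 2 if policy.high_risk and ev.incident_open else interval
    due = policy.last_certified + window
    if today >= due:
        findings.append(f"time-triggered: certification due {due.isoformat()}")
    return findings

def review_queue(policies, ev, today):  # certified policies are omitted from the queue
    return {p.name: f for p in policies if (f := recertification_findings(p, ev, today))}

# Constructed sample data for a review run on 2025-03-01.
REVIEW_DATE = date(2025, 3, 1)
SAMPLE_POLICIES = [
    Policy("agent-ticket-reader", {"tickets:read", "tickets:write", "api:call"}, {"agent-a", "agent-b"}, date(2025, 1, 10)),
    Policy("ci-deploy-secrets", {"secrets:read"}, {"ci-deployer"}, date(2024, 10, 1), high_risk=True),
    Policy("legacy-reporting", {"db:read"}, {"report-svc"}, date(2025, 2, 20)),
]
SAMPLE_EVIDENCE = Evidence(
    live_identities={"agent-a", "agent-b", "ci-deployer"},  # report-svc was decommissioned
    actions_used={"agent-a": {"tickets:read", "api:call"}, "agent-b": {"tickets:read"}, "ci-deployer": {"secrets:read"}},
    changed_policies={"ci-deploy-secrets"},                 # secrets migration
    incident_open=True,
)
```

Running `review_queue(SAMPLE_POLICIES, SAMPLE_EVIDENCE, REVIEW_DATE)` queues all three sample policies for different reasons, which is the point: a per-identity review would have missed the dormant rule entirely because its only identity no longer exists.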
Why It Matters in NHI Security
Policy recertification is important because NHI risk usually accumulates in the rule layer first. A policy can continue authorising access long after an agent has changed purpose, an integration has been decommissioned, or a temporary exception has become permanent. That is how standing privilege survives in environments that believe they are managing access responsibly.
This is especially dangerous in NHI estates, where the control object may be a single policy that governs many machine identities at once. NHIMG reports that 97% of NHIs carry excessive privileges, which makes stale policy approval a direct pathway to overexposure rather than a minor process defect. The governance case is reinforced in Ultimate Guide to NHIs – Regulatory and Audit Perspectives, because auditors often care less about intent than about whether access rules were reviewed, justified, and evidenced on schedule. In practice, a lapse in policy recertification becomes a visible control failure only after a stale rule is exploited or discovered during an investigation, at which point the organisation must prove why the access was still allowed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Policy recertification helps prevent stale machine access rules from persisting unchecked. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access governance depends on reviewing the policies that grant access. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous validation of access policy decisions, not static approvals. |
Recertify authorization policies regularly and remove access not justified by current need.