The exact scope of identities and permissions that enter a certification cycle. A narrow perimeter can produce audit-ready paperwork while still leaving material access untouched, so the control is only as strong as the completeness of its scope.
Expanded Definition
An access review perimeter is the defined boundary of identities, entitlements, and systems that are included in an access certification cycle. In NHI governance, the perimeter determines whether reviewers are examining the real population of service accounts, API keys, workloads, and delegated permissions, or only a convenient subset. A perimeter that is too narrow can create a false sense of control because the review may look complete while critical standing access remains outside scope.
Definitions vary across vendors, especially when access reviews span human users, NHIs, cloud roles, and machine-to-machine delegation chains. In practice, the perimeter should reflect the authoritative inventory, the data or workload sensitivity, and the blast radius of each credential or token. That makes it closely related to identity lifecycle management and entitlement hygiene, as described in the NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10. The most common misapplication is treating the perimeter as the list exported from one directory or vault, which occurs when shadow credentials, inherited roles, or cross-account grants are excluded from the certification population.
Examples and Use Cases
Implementing an access review perimeter rigorously often introduces scope-management overhead, requiring organisations to balance reviewer effort against the risk of leaving material NHI access untouched.
- A cloud platform team includes service accounts, workload identities, and federated roles in the certification scope instead of reviewing only named employee accounts.
- A security team expands the perimeter to cover CI/CD tokens and deployment credentials after finding them documented in the Ultimate Guide to NHIs as a major source of unmanaged exposure.
- An IAM program excludes dormant but still-valid API keys from the review because they are not actively used, then later learns that unused credentials remain a major risk in the Ultimate Guide to NHIs — Key Challenges and Risks.
- A zero-trust initiative defines the perimeter by privilege and resource sensitivity, aligning the review with OWASP Non-Human Identity Top 10 guidance on reducing unchecked machine access.
- A merger integration team runs a one-time certification over the acquired company’s cloud roles, but also adds brokered tokens and service principals that are easy to overlook in account-only audits.
Why It Matters in NHI Security
The perimeter is where certification either becomes meaningful or turns into audit theatre. If the boundary omits federated trust paths, orphaned service accounts, or long-lived secrets, revocation decisions will not reduce risk in the environment that actually matters. That is especially important in NHI programs because NHIs outnumber human identities by 25x to 50x in modern enterprises, which means even a small scoping error can leave a large amount of access untouched. The Ultimate Guide to NHIs shows that only 5.7% of organisations have full visibility into their service accounts, a reminder that perimeter design must be driven by inventory completeness, not by convenience.
For governance, the access review perimeter should be reviewed like an attack surface: it must include the identities that can act, the privileges they hold, and the paths by which those privileges are inherited or reissued. This aligns with Zero Trust thinking and the OWASP Non-Human Identity Top 10 emphasis on reducing excessive standing access. Organisations typically encounter the consequences only after a breach investigation or failed audit reveals that the certified population was never the real population, at which point fixing the access review perimeter becomes operationally unavoidable.
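The following is an added example (not code from the page or from any vendor it cites) that shows what the perimeter definition in the "Expanded Definition" section and the inheritance-path requirement in the paragraph above look like in practice. It merges several constructed inventory exports (a directory, a vault, cloud roles, CI tokens) into one certification population, walks the constructed trust graph so that privileges reachable through assumable or cross-account roles are attributed to the identity that can reach them, keeps dormant-but-valid credentials in scope, and then reports what a directory-only perimeter would have missed. All identifiers, privilege names, dates and the 90-day dormancy threshold are assumptions chosen for the example.

```python
"""Build an NHI access-review perimeter from several inventory sources,
expand inherited/assumable privilege paths, and show what a directory-only
perimeter would have left out. Added example; every identifier below is
constructed and not taken from any real environment."""
from collections import deque
from datetime import date

# Constructed inventory exports (hypothetical identifiers).
DIRECTORY_EXPORT = [  # the "convenient subset" a narrow perimeter starts from
    {"id": "svc-billing", "kind": "service_account", "privileges": {"billing:read"}, "last_used": "2024-06-20"},
    {"id": "svc-reports", "kind": "service_account", "privileges": {"reports:read"}, "last_used": "2023-11-02"},
]
VAULT_EXPORT = [
    {"id": "api-key-reports-legacy", "kind": "api_key", "privileges": {"reports:read"}, "last_used": "2023-01-15"},
]
CLOUD_ROLES = [
    {"id": "role/prod-deploy", "kind": "cloud_role", "privileges": {"prod:deploy"}, "last_used": "2024-06-21"},
    {"id": "role/partner-data", "kind": "cloud_role", "privileges": {"customer-db:read"}, "last_used": "2024-06-18"},
]
CI_TOKENS = [
    {"id": "ci-token-release", "kind": "ci_token", "privileges": set(), "last_used": "2024-06-21"},
]
# Constructed trust edges: principal -> roles it may assume (inherited, brokered or cross-account).
TRUST_EDGES = {
    "ci-token-release": ["role/prod-deploy"],
    "svc-billing": ["role/partner-data"],
    "role/partner-data": ["svc-billing"],  # deliberate cycle: traversal must still terminate
}
SENSITIVE_PREFIXES = ("prod:", "customer-db:")  # assumed sensitivity classification
DORMANT_AFTER_DAYS = 90                          # assumed dormancy threshold
AS_OF = date(2024, 6, 30)                        # constructed certification date


def collect_inventory(*sources):
    """Merge exports into one map keyed by identity id; an identity seen in
    several exports accumulates the union of its privileges."""
    inventory = {}
    for source in sources:
        for rec in source:
            entry = inventory.setdefault(rec["id"], {**rec, "privileges": set()})
            entry["privileges"] = entry["privileges"] | set(rec["privileges"])
    return inventory


def effective_privileges(identity_id, inventory, trust_edges):
    """Breadth-first walk over assumable roles. Returns (privileges, paths) where
    paths maps each inherited privilege to the chain of identities granting it.
    Roles absent from the inventory are invisible, which is exactly the gap a
    narrow perimeter produces."""
    privileges = set(inventory[identity_id]["privileges"])
    paths, seen = {}, {identity_id}
    queue = deque([(identity_id, [identity_id])])
    while queue:
        current, chain = queue.popleft()
        for role in trust_edges.get(current, []):
            if role in seen or role not in inventory:
                continue
            seen.add(role)
            new_chain = chain + [role]
            for priv in inventory[role]["privileges"]:
                if priv not in privileges:
                    paths[priv] = new_chain
                privileges.add(priv)
            queue.append((role, new_chain))
    return privileges, paths


def build_perimeter(inventory, trust_edges, as_of):
    """Every valid identity stays in scope (dormancy is a flag for the reviewer,
    not an exclusion). Each record carries effective privileges, the inheritance
    path behind each inherited privilege, and dormancy/sensitivity flags."""
    perimeter = {}
    for identity_id, rec in inventory.items():
        privs, paths = effective_privileges(identity_id, inventory, trust_edges)
        idle_days = (as_of - date.fromisoformat(rec["last_used"])).days
        perimeter[identity_id] = {
            "kind": rec["kind"],
            "effective_privileges": privs,
            "inherited_via": paths,
            "dormant": idle_days > DORMANT_AFTER_DAYS,
            "sensitive": any(p.startswith(SENSITIVE_PREFIXES) for p in privs),
        }
    return perimeter


def coverage_gap(full, narrow):
    """Identities missing from the narrow perimeter, the sensitive privileges
    they hold, and privileges under-reported for identities present in both."""
    missing_ids = set(full) - set(narrow)
    missing_sensitive = {p for i in missing_ids for p in full[i]["effective_privileges"]
                         if p.startswith(SENSITIVE_PREFIXES)}
    under_reported = {}
    for i in set(full) & set(narrow):
        delta = full[i]["effective_privileges"] - narrow[i]["effective_privileges"]
        if delta:
            under_reported[i] = delta
    return missing_ids, missing_sensitive, under_reported


def run_example():
    """Full perimeter from all sources versus a directory-only perimeter."""
    full = build_perimeter(collect_inventory(DIRECTORY_EXPORT, VAULT_EXPORT, CLOUD_ROLES, CI_TOKENS),
                           TRUST_EDGES, AS_OF)
    narrow = build_perimeter(collect_inventory(DIRECTORY_EXPORT), TRUST_EDGES, AS_OF)
    return full, narrow, coverage_gap(full, narrow)


if __name__ == "__main__":
    full, narrow, (missing, sensitive, under) = run_example()
    print("missing from directory-only scope:", sorted(missing))
    print("sensitive privileges never reviewed:", sorted(sensitive))
    print("privileges under-reported for reviewed identities:", under)
```

Run on the constructed data, the directory-only perimeter never sees the CI token that can assume the production deploy role, never sees the dormant vault key, and under-reports `svc-billing` because its cross-account path to the customer database role lies outside the single export. Swapping the constructed lists for real exports from each authoritative source, and the trust edges for actual role-assumption or delegation records, is the operational version of the "refresh from authoritative sources" advice in this page.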
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers incomplete inventory and excessive NHI access that scoping must catch. |
| NIST CSF 2.0 | PR.AA-01 | Identity and access governance depends on scoping the right identities for review. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous validation of every identity and permission path. |
Treat the review perimeter as a dynamic attack surface and continuously refresh it from authoritative sources.