A recurring access certification cycle in which assigned reviewers confirm whether users, service accounts, or other identities still need their entitlements. In practice, the control only works when scope, evidence, and remediation are aligned, not when the campaign simply closes on schedule.
Expanded Definition
Quarterly access review is a scheduled certification process used to confirm whether an identity still needs its current entitlements. In NHI operations, that identity may be a user, service account, workload, API client, or agent with tool access. The control is not just administrative housekeeping. It is a decision point that should reconcile business ownership, technical evidence, and remediation status before access is renewed.
Definitions vary across vendors and governance programs on whether quarterly means every 90 days, once per calendar quarter, or on a risk-based cadence triggered by events. NHI Management Group treats the practical meaning as a recurring review cycle that must be backed by evidence of usage, ownership, and privilege relevance. For a security reference point, the OWASP Non-Human Identity Top 10 frames overprivilege and poor lifecycle control as recurring NHI failure modes. The most common misapplication is treating the review as a sign-off exercise, which occurs when approvers click through lists without verifying actual access need or revocation follow-through.
Examples and Use Cases
Implementing quarterly access review rigorously often introduces coordination overhead, requiring organisations to balance faster attestation cycles against more complete evidence and cleaner revocation outcomes.
- A platform team reviews service accounts tied to production pipelines and removes roles no longer needed after a migration, using activity logs as evidence.
- A cloud security group certifies workload identities against their current application owner, then flags stale API keys for rotation or deletion, consistent with guidance in the NHI Lifecycle Management Guide.
- A finance application owner approves continued access for a scheduled integration account only after confirming the integration still runs and has not been replaced.
- An IAM team uses a quarterly campaign to find dormant entitlements, then compares results against the 52 NHI Breaches Analysis to prioritise high-risk account types.
- A security program aligns the review workflow with OWASP Non-Human Identity Top 10 findings so certifiers focus on privilege creep, secret exposure, and unowned identities rather than volume alone.
Why It Matters in NHI Security
Quarterly access review matters because NHIs accumulate privileges quickly and are often poorly understood by the teams asked to approve them. When the review process lacks inventory quality, ownership clarity, or remediation enforcement, excess access survives the campaign and becomes part of the attack surface. NHI Management Group reports that 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how weak follow-through can undermine even timely review cycles.
Quarterly review is also a governance signal. It helps show that access is still justified, that dormant identities are not quietly persisting, and that privileged relationships are not drifting outside business need. In Zero Trust and NHI programs, this becomes a practical control for reducing standing access, supporting lifecycle hygiene, and limiting blast radius before compromise spreads. It also aligns with the broader expectation that NHI controls must be continuously validated, not merely documented. Organisations typically encounter the need for quarterly access review only after a breach, audit finding, or failed offboarding reveals that old entitlements were never removed, at which point the process becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Quarterly reviews expose stale access, privilege creep, and poor entitlement governance. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed and reviewed to preserve least privilege. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires ongoing verification of access rather than permanent trust. |
Use recurring certification to remove unused NHI privileges and verify ownership before renewal.