Subscribe to the Non-Human & AI Identity Journal

Reperformance

An audit test where the reviewer independently repeats the control to see whether the result matches what the organisation claimed. In access review audits, reperformance can include attempting authentication after revocation or recalculating completion rates. It is one of the strongest checks because it proves the outcome, not the narration.

Expanded Definition

Reperformance is an audit procedure where a reviewer independently repeats a control or calculation to verify that the outcome matches what the organisation reported. In NHI governance, it is especially useful when evidence can be falsified by screenshots, logs without context, or checklist-based assertions.

Unlike inquiry or simple inspection, reperformance tests the control itself. That matters for NHI access reviews, revocation workflows, token rotation, and entitlement recertification, where the question is not whether a process exists but whether it actually prevents access or produces the claimed result. The concept aligns well with the evidence-oriented intent of NIST Cybersecurity Framework 2.0, even though NIST does not define reperformance as a standalone identity control. Definitions vary across vendors and assurance programs, but the operational meaning is consistent: repeat the action and compare outcomes.

The most common misapplication is treating a signed control attestation as equivalent to verified control performance, which occurs when reviewers accept documentation without independently redoing the step.

Examples and Use Cases

Implementing reperformance rigorously often introduces time and coordination overhead, requiring organisations to weigh higher audit confidence against the operational cost of repeating live NHI workflows.

  • After a service account is revoked, the auditor attempts a fresh authentication to confirm the account no longer works.
  • An access reviewer recalculates a quarterly entitlement completion rate from the raw export instead of trusting the dashboard summary.
  • A control owner repeats an API key rotation workflow to confirm the old secret is invalid and the new credential is actually in use.
  • An auditor traces a privileged workflow in a sandbox to verify that the stated approval gate and logging steps really occur.

For broader NHI control context, the Ultimate Guide to NHIs explains why visibility, revocation, and rotation failures are so common in practice, and why repeated testing often reveals gaps that documentation misses. Where identity assurance is concerned, reperformance is often the closest thing to proof because it checks the system outcome rather than the narrative around it.

Why It Matters in NHI Security

Reperformance matters because many NHI failures are operational, not theoretical. A control may be written correctly and still fail under real conditions when secrets persist, revocations do not propagate, or automation reissues access behind the scenes. That is why NHI-focused assurance work frequently uses reperformance to validate the last mile of a control, not just its policy language.

The risk is not abstract. NHI Mgmt Group reports that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage. In that environment, verifying a control by repeating it is often the only way to know whether a revocation, rotation, or access review truly worked. Reperformance also supports stronger alignment with NIST Cybersecurity Framework 2.0 objectives around governance, access control, and continuous verification.

Organisations typically encounter reperformance as an urgent need only after an access review, audit finding, or incident response exercise exposes that a claimed control never actually prevented access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Reperformance proves whether NHI controls work, not just whether they are documented.
NIST CSF 2.0 PR.AC-4 Access control verification supports the CSF's emphasis on least-privilege enforcement.
NIST CSF 2.0 GV.RM-01 Risk management depends on evidence that controls actually function in practice.

Use reperformance evidence in governance reviews to validate control effectiveness before accepting residual risk.