Always, when the goal is assurance rather than activity. More reviewers and larger campaigns do not fix systems that remain outside the governance platform. Expand scope first by inventorying identity-bearing systems, then extend certification coverage to the highest-risk sources, including privileged and local access.
Why This Matters for Security Teams
access review volume is a weak signal if the review only covers a fraction of the identity estate. When privileged access, local accounts, service accounts, and API keys sit outside the certification boundary, security teams can close tickets without improving assurance. The real question is not how many reviewers are involved, but whether the scope includes the systems that actually issue, consume, and persist access.
This is especially true for non-human identities, where the attack surface is larger and more dynamic than many access review programs assume. NHI Mgmt Group notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, yet only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs. If the inventory is incomplete, the review program becomes a compliance exercise rather than a control.
Security teams also need to recognise that access review fatigue can hide the real gap: stale entitlements in unmanaged systems. Current guidance from the OWASP Non-Human Identity Top 10 supports focusing on identity discovery, lifecycle control, and privilege reduction before scaling certification volume. In practice, many teams discover the highest-risk access only after an incident forces them to look beyond the governance platform.
How It Works in Practice
Scope expansion should begin with an inventory of identity-bearing systems, not a broader campaign calendar. That means mapping where identities are created, where credentials are stored, which platforms enforce authorization, and which sources can grant access without passing through the standard identity governance tool. The objective is to certify the sources that can actually change risk.
For most organisations, the first expansion targets are privileged access, local administrator accounts, service accounts, CI/CD identities, third-party integrations, and API keys. These are the places where review programs often miss critical access because the entitlement is not represented as a normal enterprise role. The NHI Lifecycle Management Guide is useful here because lifecycle visibility determines whether access can be reviewed meaningfully at all.
A practical approach is:
- Define the review boundary around identity sources, not just the governance tool.
- Prioritise systems with standing privilege, shared accounts, and persistent secrets.
- Pull in authoritative inventories from IAM, PAM, secrets managers, cloud control planes, and endpoint tools.
- Use risk to sequence expansion, starting with the identities most likely to be abused or forgotten.
- Measure coverage by identity-bearing system and privilege class, not by campaign size alone.
Where the organisation has poor visibility, it is better to review fewer systems with high fidelity than to expand reviewer count across a blind spot. NHI Mgmt Group’s 52 NHI Breaches Analysis shows why this matters: when credentials and service identities are not governed as first-class assets, review activity does not translate into risk reduction. These controls tend to break down when local access is unmanaged and entitlement data cannot be reliably reconciled across systems.
Common Variations and Edge Cases
Tighter review scope often increases discovery and remediation workload, requiring organisations to balance assurance against operational capacity. That tradeoff is real, especially in environments with many inherited systems or multiple business units. Best practice is evolving, but the direction is clear: broaden scope where access can be changed, not where people can only acknowledge it.
There are a few common edge cases. In fast-moving engineering environments, service accounts and ephemeral credentials may be reviewed through exception handling rather than periodic certification, because the access exists for too short a time to fit a normal cycle. In federated enterprises, local teams may own system access while central governance owns the policy, so scope expansion must include delegated review paths and evidence standards. For M&A or legacy estates, the first step may be catalogue cleanup, since a review program cannot certify what it cannot name.
The practical rule is simple: expand scope when the gap is structural, not when review completion rates are low. More review volume can hide the fact that critical access remains outside the control boundary, while scope expansion exposes the identities that actually need governance. The broader the estate, the more important it is to align certification with systems that create standing privilege and persistent secrets.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Scope gaps leave service accounts and secrets outside governance. |
| NIST CSF 2.0 | PR.AC-1 | Access governance depends on knowing who and what has access. |
| NIST AI RMF | Risk management requires measuring control coverage, not activity counts. |
Inventory identity-bearing systems first, then certify the highest-risk NHI sources.