The point at which an access review campaign is marked finished because reviewers have submitted their decisions and the governance record is closed. Completion is not the same as enforcement, because the underlying access state may still be unchanged in target systems.
Expanded Definition
Certification completion is the administrative endpoint of an access review campaign: reviewers have submitted decisions, exceptions are recorded, and the governance record is closed. It marks the end of the review workflow, not the enforcement of those decisions in target systems.
In NHI governance, this distinction matters because service accounts, API keys, and other secrets often remain active after the review closes. A certification can be complete even when revocation, rotation, or entitlement changes are still queued for execution. That is why completion should be treated as a control milestone within a broader lifecycle, not as proof that access has been reduced. The concept aligns closely with governance reporting in the NIST Cybersecurity Framework 2.0, but no single standard governs certification completion itself yet, so usage in the industry is still evolving.
At NHI Management Group, the practical distinction is simple: closure answers whether reviewers finished, while enforcement answers whether systems changed. The most common misapplication is treating campaign closure as remediation, which occurs when teams mark the review done before the access state has been updated in downstream systems.
Examples and Use Cases
Implementing certification completion rigorously often introduces a coordination delay, requiring organisations to weigh faster audit closure against the time needed to execute access changes safely.
- A quarterly service account review is completed in the GRC tool, but ticketed revocations are still pending in the identity platform.
- An API key certification closes with a deny decision, yet the key remains valid until the secrets manager processes the change.
- A third-party NHI review is marked complete after all reviewers respond, even though the vendor access offboarding step has not started.
- A campaign is closed for audit evidence, then mapped against findings from the Ultimate Guide to NHIs — What are Non-Human Identities to verify whether excessive privileges were actually removed.
- A post-incident review references the Sisense breach as an example of why completion records must be linked to actual secret rotation and access revocation.
Why It Matters in NHI Security
Certification completion matters because governance teams can create a false sense of safety if they assume a closed review means the environment is secure. In NHI environments, that assumption is especially risky: secrets can remain valid, service accounts can retain excess privilege, and downstream systems may lag behind the decision log. NHIMG research shows that 97% of NHIs carry excessive privileges, and that only 20% of organisations have formal processes for offboarding and revoking API keys, which makes the gap between review closure and enforcement operationally significant.
This is also where audit evidence and security reality diverge. A completed certification supports accountability, but it does not confirm containment, least privilege, or revocation. Teams should therefore measure completion alongside change execution, exception aging, and post-review verification. The NIST Cybersecurity Framework 2.0 reinforces the need to connect governance activities to protective outcomes, not just administrative status. Organisations typically encounter the consequences of certification completion only after a breach review or access recertification audit reveals that “closed” did not mean “removed,” at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-04 | Certification closure must be tied to actual NHI revocation, not just reviewer sign-off. |
| NIST CSF 2.0 | GV.RM-01 | Governance risk processes must ensure review closure reflects real access-state outcomes. |
| NIST SP 800-63 | Identity assurance principles support separating administrative review completion from credential validity. |
Treat certification completion as an assurance checkpoint, then independently confirm credentials are still appropriate.
Related resources from NHI Mgmt Group
- Why do non-human identities make access certification harder than human identities?
- When does continuous monitoring matter more than access certification?
- What is the difference between access certification and continuous monitoring in ERP security?
- How can organisations reduce manual effort in access certification and evidence collection?