Subscribe to the Non-Human & AI Identity Journal

Quarterly Certification

Quarterly certification is a periodic access review process in which managers validate whether users still need their current permissions. It provides oversight evidence, but it only reflects a snapshot, so it can miss risk created by access changes that happen between cycles.

Expanded Definition

Quarterly certification is a governance control in which a manager, system owner, or delegated reviewer confirms that permissions still match business need at a scheduled interval. In identity programs, it is usually part of access recertification, access attestation, or entitlement review workflows, and it is most useful when paired with event-driven controls and logging. It should not be treated as a substitute for continuous monitoring, because a certification outcome only proves that access looked appropriate at a point in time. That limitation matters even more for NHIs, where service accounts, API keys, and automated workflows can gain or retain access outside human review cycles. NIST Cybersecurity Framework 2.0 frames this kind of oversight within access governance and ongoing risk management, while NIST Cybersecurity Framework 2.0 reinforces the need to maintain visibility into access decisions over time. The most common misapplication is treating quarterly certification as proof of ongoing least privilege, which occurs when organisations assume a passed review means the entitlement remains safe for the next 90 days.

Examples and Use Cases

Implementing quarterly certification rigorously often introduces review fatigue and delay, requiring organisations to weigh audit evidence against the operational cost of manual approvals.

  • A cloud operations manager reviews all production role assignments every quarter and revokes access for users who have changed teams or left a project.
  • A platform team certifies service-account permissions after comparing current entitlements with the inventory in the Ultimate Guide to NHIs — What are Non-Human Identities, then flags any account that no longer maps to an owner.
  • An application owner reviews privileged database access each quarter, but supplements the cycle with alerts for newly created tokens and unexpected role grants.
  • A security team uses quarterly certification after an incident to verify whether dormant API keys are still assigned, informed by patterns seen in the Sisense breach.
  • An audit team exports certification results as evidence that access governance exists, then reconciles the report against NIST Cybersecurity Framework 2.0 expectations for ongoing control.

In practice, quarterly certification works best when it is tied to authoritative ownership data, because reviewers cannot reliably approve what they do not understand or cannot validate.

Why It Matters in NHI Security

Quarterly certification matters because NHI environments change faster than review calendars. Service accounts are often embedded in applications, CI/CD systems, and integrations that keep running long after the original owner has changed roles or left the organisation. That is why a quarterly attestation can create a false sense of safety if it is the only control in place. NHIMG research shows that 97% of NHIs carry excessive privileges, and only 5.7% of organisations have full visibility into their service accounts, which makes scheduled review alone too blunt to manage real exposure effectively. The governance value of certification is strongest when it confirms ownership, accountability, and exception handling, not when it is used as a stand-alone mitigation. Paired with lifecycle controls, it helps teams spot stale access before it becomes an incident, but it cannot by itself catch rights granted yesterday or tokens copied into an unmanaged workflow. Organisational risk rises when review evidence exists but operational drift continues underneath it.

Quarterly certification is relevant after a breach review, when investigators discover that access had been approved on paper even though the entitlement had already become excessive in production.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-05 Quarterly review is a key governance check for stale or excessive NHI privileges.
NIST CSF 2.0 PR.AC-4 Access permissions must be managed and reviewed as part of identity governance.
NIST Zero Trust (SP 800-207) Zero Trust expects continuous verification, so periodic attestation is only one signal.

Use recurring certification to verify NHI owners, scope, and necessity, then remove unjustified access.