Subscribe to the Non-Human & AI Identity Journal

Why do access reviews sometimes leave risky access in place after certification?

Because certification and enforcement are often separated by ticket queues, ownership handoffs, and incomplete integrations. The review records a decision, but another process must carry that decision into the live system. If that downstream process stalls, revoked access persists and the organisation mistakes documentation for control effectiveness.

Why This Matters for Security Teams

Access reviews are meant to be a control checkpoint, but they often become a paperwork event when certification and enforcement are not tied together. The review can correctly identify that access should be removed, yet the actual revocation depends on a separate workflow, a service desk queue, or a connector that may fail silently. That gap is especially dangerous for NHI and agentic workloads, where privileged access is machine-speed and frequently reused across systems.

NHIMG has repeatedly highlighted that this is not a rare edge case: in the Ultimate Guide to NHIs, one of the clearest signals is that only 20% of organisations have formal processes for offboarding and revoking API keys. When reviews are detached from enforcement, organisations can end up with “approved-to-remove” access that remains active long after the certification window closes. Current guidance from the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both point toward closed-loop identity governance, but many implementations still stop at attestation. In practice, many security teams discover that certification did not reduce privilege until an incident, audit exception, or access dispute forced a manual cleanup.

How It Works in Practice

The failure usually starts with a split between identity governance and operational systems. A reviewer certifies or denies access in a governance platform, but the live entitlement exists in an app, cloud account, secrets manager, or CI/CD system that is only loosely integrated. If the deprovisioning connector is missing, delayed, or mapped incorrectly, the review outcome never reaches the enforcement point.

For NHI and agentic systems, that risk is amplified because access often includes API keys, service accounts, tokens, and delegated tool permissions. The practical answer is to make certification produce an actionable change record that is automatically enforced, then verify removal after execution. Teams should treat the review result as a trigger, not as evidence of removal.

  • Bind certification outcomes to automated revocation workflows, not manual tickets.
  • Use authoritative source systems for entitlements, so access is removed where it actually exists.
  • Validate closure with post-revocation checks, especially for secrets and service accounts.
  • Track failed revocations separately from approved removals to expose control drift.

This is where lifecycle discipline matters. The NHI Lifecycle Management Guide aligns with the operational view that access should be provisioned, reviewed, rotated, and offboarded as a continuous process, not a periodic event. That is especially important for credentials stored in code, vaults, and automation pipelines, where human certification alone does not reach the enforcement layer. Guidance from the NIST Cybersecurity Framework 2.0 supports this kind of governance-to-action linkage through continuous improvement and control verification. These controls tend to break down in hybrid environments where legacy applications, custom integrations, and shared service accounts make revocation non-atomic.

Common Variations and Edge Cases

Tighter certification-to-enforcement coupling often increases operational overhead, requiring organisations to balance revocation speed against integration complexity. That tradeoff is real, especially where owners span IAM, app teams, and platform teams, or where the target system does not support immediate deprovisioning.

There is no universal standard for this yet, but current guidance suggests a few patterns. First, privileged access should be reviewed with a shorter closure window than low-risk access, because stale administrative rights create disproportionate exposure. Second, orphaned NHI entitlements need separate handling from human user access, since service accounts and tokens do not respond to manual reminders. Third, emergency access and break-glass exceptions should be time-bound and explicitly revalidated after use, not folded into routine certifications. NHIMG’s research on the Ultimate Guide to NHIs — Key Challenges and Risks shows how quickly unmanaged machine identities become persistent attack paths, while the broader 52 NHI Breaches Analysis reinforces that review failure is often only visible after exposure has already expanded.

Where organisations rely on ticket-based deprovisioning, the process often fails for one of three reasons: unclear ownership, untested connectors, or no verification that the entitlement actually disappeared. That is why mature programmes measure revocation success, not just certification completion.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Covers stale or overprivileged NHI access that reviews often fail to remove.
NIST CSF 2.0 PR.AC-4 Access rights must be managed and enforced, not only reviewed on paper.
NIST AI RMF AI governance depends on accountability for access decisions and follow-through.

Treat access review as a governed decision with ownership, verification, and closure.