Subscribe to the Non-Human & AI Identity Journal

What do organisations get wrong about hybrid access certification?

They assume a unified export creates a unified control. In practice, AD, Entra ID, SaaS platforms, and ERP systems expose different entitlement models, so the spreadsheet often flattens away the context needed for accurate decisions. Without source-system meaning, reviewers end up certifying access they cannot fully see.

Why This Matters for Security Teams

Hybrid access certification fails when organisations treat it like a single identity-control problem instead of a source-system problem. AD, Entra ID, SaaS apps, and ERP platforms all encode entitlement meaning differently, so the reviewer’s job is not just to approve or revoke access, but to interpret what the access actually does. When that context is flattened into one export, certification becomes a compliance exercise that can miss toxic combinations, inherited privileges, and hidden admin paths. That is why NHI Management Group consistently frames visibility as a control issue, not just a reporting issue; the Ultimate Guide to NHIs shows how fragmented identity data undermines remediation and governance at scale. OWASP also warns that entitlement review without source context weakens effective access decisions in complex environments, especially where systems expose different privilege models, as reflected in the OWASP Non-Human Identity Top 10. In practice, many security teams discover the gap only after a reviewer has already certified access they could not truly validate.

How It Works in Practice

Effective hybrid certification starts by preserving source-system semantics instead of collapsing everything into one generic entitlement list. A good process keeps the business object, privilege type, inheritance model, and expiry logic attached to each access item so reviewers can make a meaningful decision. That usually means pulling from multiple authoritative sources and normalising only the fields needed for workflow, not the meaning itself. For example, an AD group membership, an Entra role assignment, a SaaS admin scope, and an ERP transaction role should not be presented as equivalent just because they all resolve to “access granted.”

Practitioners also need a clear distinction between certification and remediation. Certification answers whether the access is still justified; remediation answers how to remove it safely if it is not. If the workflow cannot send revocation back to the source system with the correct object ID and role context, the review becomes theater. NHI Management Group’s Key Challenges and Risks section highlights the same pattern in identity governance: visibility without lifecycle action does not reduce exposure.

  • Keep source-system metadata attached to every access record.
  • Group certifications by risk and entitlement type, not only by application name.
  • Require reviewers to see inherited, indirect, and delegated access separately.
  • Automate revocation back to the system of record, not just spreadsheet status changes.
  • Use exception handling for privileged, regulated, or cross-domain access.

This lines up with broader identity governance guidance from NIST, which emphasises traceable identity proofing, lifecycle control, and access decision integrity in the NIST Digital Identity Guidelines. These controls tend to break down when one export mixes applications with incompatible entitlement models and no reliable source-of-truth mapping exists for revocation.

Common Variations and Edge Cases

Tighter certification scope often increases operational overhead, requiring organisations to balance reviewer fatigue against decision quality. The hardest cases are not standard employee roles but delegated admin access, nested group membership, composite SaaS permissions, and ERP entitlements that depend on organisational context. Best practice is evolving here: there is no universal standard for how much normalisation is acceptable before meaning is lost, so organisations should preserve enough source detail for the reviewer to answer “what does this access actually enable?”

Another common failure mode is overreliance on periodic recertification for access that changes faster than the review cycle. In fast-moving environments, a quarterly campaign may certify access that was valid on day one but no longer matches the user’s job or project assignment by day 20. That is where hybrid certification should be paired with event-driven triggers, such as role change, department transfer, vendor offboarding, or privileged access escalation. The 52 NHI Breaches Analysis is a reminder that identity failures often compound when review processes lag behind real-world change.

For NHI Management Group, the practical rule is simple: if a reviewer cannot see the source-system meaning, the certification is not truly hybrid, it is abstracted. That abstraction may help reporting, but it should never be mistaken for control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Addresses visibility and classification gaps in hybrid identity access review.
NIST CSF 2.0 PR.AA-1 Access control depends on knowing what each entitlement actually grants.
NIST SP 800-63 IAL2 Identity assurance supports reliable access decisions across mixed systems.

Use stronger identity assurance and traceability where certification outcomes affect sensitive access.