Subscribe to the Non-Human & AI Identity Journal

What signals show that access certifications are not working well enough?

Look for long preparation cycles, high reviewer override rates, repeated rubber-stamping, unresolved revocation tickets, and audit evidence that lives in separate systems. Those signals mean the review is documenting access rather than controlling it. If unnecessary access persists until the next campaign, the programme is lagging behind the environment.

Why This Matters for Security Teams

Access certifications are supposed to prove that privileges still match business need, but they often degrade into a calendar task that records ownership without changing risk. That matters because NHIs and service accounts accumulate access faster than review cycles can catch up, and the blast radius is usually hidden until a breach or service incident forces scrutiny. NHI Mgmt Group has reported that Ultimate Guide to NHIs notes 97% of NHIs carry excessive privileges, which helps explain why reviews that do not drive removals become cosmetic.

Current guidance suggests treating certification quality as an operational control, not a reporting artifact. If reviewers lack context, ownership is unclear, or entitlement data lives in multiple systems, the review will default to approval. That is why standards such as OWASP Non-Human Identity Top 10 and NIST SP 800-53 Rev 5 Security and Privacy Controls both emphasise access governance, traceability, and timely remediation rather than checkbox completion. In practice, many security teams discover certification failure only after stale access has already been used, rather than through a clean review process.

How It Works in Practice

Effective certification programmes depend on accurate identity data, clear ownership, and a workflow that can actually revoke access. For human users, that means reviewers need role context, application context, and separation-of-duties signals. For NHIs, the bar is higher because service accounts, API keys, and automation tokens often have no obvious manager and no natural review cadence. The NHI Mgmt Group’s Ultimate Guide to NHIs — Key Challenges and Risks highlights that many organisations still lack full visibility into service accounts, which makes meaningful certification difficult from the start.

  • Compare entitlements against actual usage, not just job titles or system ownership.
  • Require reviewers to make an explicit decision: keep, reduce, or revoke.
  • Push revocations into the source system automatically, then verify completion.
  • Track unresolved tickets as control failures, not administrative backlog.
  • Separate human sign-off from machine enforcement so approval does not equal persistence.

For NHI-heavy environments, the practical question is whether access is still needed for the task, pipeline, or integration that created it. That is why identity governance is increasingly paired with workload telemetry, secrets management, and policy-as-code checks. The OWASP guidance and NIST control set both support this shift toward evidence-based review, while NHIMG research shows why it matters: excessive privilege is common, and remediation often lags far behind notification. These controls tend to break down when entitlement data is fragmented across SaaS, CI/CD, and cloud control planes because no single reviewer can reliably see the full effective access path.

Common Variations and Edge Cases

Tighter certification workflows often increase reviewer burden and slow down release cycles, so organisations have to balance precision against operational friction. Best practice is evolving, especially for autonomous systems and ephemeral workloads, where fixed review periods may be the wrong control altogether. For short-lived secrets or just-in-time access, a quarterly certification can be less useful than runtime policy enforcement and automatic expiry.

Some environments also blur the line between access ownership and service ownership. Shared service accounts, platform-managed tokens, and third-party integrations may not have a single business approver, which makes “attest or revoke” an oversimplification. In those cases, the signal that certifications are failing is not just a high approve rate but a mismatch between review design and technical reality. The NHI Mgmt Group’s 52 NHI Breaches Analysis reinforces a common pattern: review programmes often miss the path by which access is actually used, especially where secrets and service accounts are embedded in automation. Security teams should treat repeated exceptions, deferred revocations, and unclear ownership as evidence that the certification model itself needs redesign, not just better reminders.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Addresses governance gaps when NHI access reviews do not reflect real usage.
NIST CSF 2.0 PR.AA-05 Identity governance needs accurate accountability and authorization evidence.
NIST AI RMF Autonomous and AI-driven access paths need ongoing risk monitoring, not periodic checkbox reviews.

Continuously monitor AI-related access paths and retrain review criteria as system behaviour changes.