Identity Certification

Identity certification is the periodic review of existing access to confirm that it is still appropriate. In mature governance programs, certification is tied to ownership, business context, and lifecycle events so that revocation happens quickly when access no longer has a justified purpose.

Expanded Definition

Identity certification is the recurring attestation step in access governance where owners confirm that an identity, permission, or entitlement is still justified. In NHI programs, that means reviewing service accounts, API keys, certificates, and agent access against business purpose, lifecycle state, and ownership, not just against a static roster.

Definitions vary across vendors on whether certification is only a review workflow or also includes approval, remediation, and evidentiary logging. For NHI Management Group, the practical view is broader: certification is only useful when it is tied to revocation, exception handling, and the current operational context of the identity. That aligns with the governance intent described in the Ultimate Guide to NHIs and with the access review emphasis in NIST Cybersecurity Framework 2.0.

The most common misapplication is treating certification as a calendar checkbox, which occurs when review campaigns are run without asset ownership, usage telemetry, or a revocation path for stale NHI access.

Examples and Use Cases

Implementing identity certification rigorously often introduces operational friction, requiring organisations to weigh tighter governance against review fatigue and delayed remediation.

  • A platform team certifies Kubernetes service account access before each major release, using usage logs to remove permissions that are no longer needed.
  • A security owner reviews API keys linked to third-party integrations and revokes dormant secrets after confirming the integration has been retired.
  • An agentic workflow reviews tool access for an AI Agent after a prompt or model change, because the required permissions may no longer match the current task.
  • A cloud team certifies privileged break-glass credentials separately from standard RBAC roles, because emergency access needs stricter evidence and shorter review cycles.
  • An organisation uses findings from the 52 NHI Breaches Analysis to prioritise which high-risk service accounts need the most frequent recertification.

For implementation guidance, the review process should be informed by lifecycle status, telemetry, and upstream standards such as NIST guidance on identity assurance and access governance. It is especially important when secrets, certificates, and machine identities are distributed across pipelines and runtime environments, as highlighted in the Top 10 NHI Issues.
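The examples above share one pattern: certification that is driven by ownership, lifecycle state, and usage telemetry, and that ends in a revocation or reduction decision rather than an acknowledgement. The following is an added example of such a certification pass over a constructed NHI inventory and constructed usage telemetry; it is not code from NHI Mgmt Group or from any of the frameworks cited on this page. The identity names, the 90-day dormancy window, the 30-day break-glass cycle, and the field names are assumptions for illustration.

```python
"""Added example: one certification pass over a constructed NHI inventory.
Not NHI Mgmt Group code; identity names, thresholds and fields are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                    # "k8s-service-account", "api-key", "break-glass"
    owner: Optional[str]         # accountable team; None means nobody can attest
    lifecycle: str               # "active" or "retired"
    granted: frozenset           # entitlements currently bound to the identity
    break_glass: bool = False    # emergency credentials are certified separately


@dataclass
class Decision:
    identity: str
    action: str                  # "revoke", "reduce", "attest", "escalate", "keep"
    reasons: list = field(default_factory=list)
    remove: frozenset = frozenset()      # entitlements to strip on "reduce"
    next_review: Optional[datetime] = None


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed review date

# Constructed inventory (hypothetical identities).
INVENTORY = [
    NHI("sa/ci-deployer", "k8s-service-account", "platform-team", "active",
        frozenset({"deployments:update", "pods:list", "secrets:get"})),
    NHI("key/crm-sync", "api-key", "integrations", "retired", frozenset({"contacts:read"})),
    NHI("key/legacy-report", "api-key", None, "active", frozenset({"reports:read"})),
    NHI("sa/batch-etl", "k8s-service-account", "data-team", "active", frozenset({"jobs:create"})),
    NHI("user/break-glass-admin", "break-glass", "cloud-sec", "active", frozenset({"*"}),
        break_glass=True),
]

# Constructed usage telemetry: (identity, entitlement exercised, timestamp).
USAGE_LOG = [
    ("sa/ci-deployer", "deployments:update", NOW - timedelta(days=2)),
    ("sa/ci-deployer", "pods:list", NOW - timedelta(days=2)),
    ("sa/batch-etl", "jobs:create", NOW - timedelta(days=200)),
    ("key/legacy-report", "reports:read", NOW - timedelta(days=5)),
]


def used_within(identity, window, now=NOW, log=USAGE_LOG):
    """Entitlements the identity actually exercised inside the review window."""
    cutoff = now - window
    return frozenset(ent for who, ent, ts in log if who == identity and ts >= cutoff)


def certify(nhi, now=NOW, dormant_after=timedelta(days=90),
            break_glass_cycle=timedelta(days=30), standard_cycle=timedelta(days=90)):
    """Decide what happens to one identity; every branch records its evidence."""
    d = Decision(nhi.name, "keep")
    # 1. Lifecycle first: a retired owning system leaves the access with no purpose.
    if nhi.lifecycle == "retired":
        d.action, d.reasons = "revoke", ["owning system retired"]
        return d
    # 2. No owner: nobody can attest, so the campaign cannot certify this identity.
    if nhi.owner is None:
        d.action, d.reasons = "escalate", ["no accountable owner"]
        return d
    # 3. Break-glass: dormancy is expected, so require explicit attestation on a short cycle.
    if nhi.break_glass:
        d.action, d.reasons = "attest", ["break-glass credential: owner must re-attest"]
        d.next_review = now + break_glass_cycle
        return d
    used = used_within(nhi.name, dormant_after, now)
    # 4. Nothing exercised inside the window: stale access, revoke it.
    if not used:
        d.action, d.reasons = "revoke", [f"no use in {dormant_after.days} days"]
        return d
    # 5. Partially used: keep what telemetry justifies and strip the rest.
    unused = nhi.granted - used
    if unused:
        d.action, d.remove = "reduce", unused
        d.reasons.append("entitlements granted but never exercised")
    d.next_review = now + standard_cycle
    return d


def days_until_next_review(decision, now=NOW):
    """Review cadence in days, or None when the decision closes the identity out."""
    return None if decision.next_review is None else (decision.next_review - now).days


def run_campaign(inventory=INVENTORY, now=NOW):
    return {nhi.name: certify(nhi, now) for nhi in inventory}


if __name__ == "__main__":
    for name, d in run_campaign().items():
        extra = f" remove={sorted(d.remove)}" if d.remove else ""
        print(f"{name:26} {d.action:9} {'; '.join(d.reasons)}{extra}")
```

The ordering of the checks is the point: lifecycle and ownership are evaluated before telemetry, so a recently used key with no owner is escalated rather than silently kept, and a retired integration is revoked regardless of how active its key looks. Break-glass credentials never reach the dormancy rule, because for them dormancy is the expected state; they instead get a shorter attestation cycle.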

Why It Matters in NHI Security

Identity certification matters because NHI sprawl creates access that survives longer than its business justification. In the Ultimate Guide to NHIs, NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, which means certification is often the only control that can expose stale entitlements before they are abused.

Without disciplined certification, organisations drift into permanent access, failed offboarding, and hidden dependency chains across pipelines, vaults, and third-party connections. That weakens Zero Trust Architecture goals because ZTA assumes access is continuously evaluated, not assumed valid forever. It also creates audit gaps when owners cannot explain why a service account still exists, who approved it, or when it was last reviewed.

Identity certification supports governance, but it only becomes operationally meaningful when the review leads to removal, not just acknowledgement. That is why NHI incident response, breach reconstruction, and exception cleanup so often reveal the need for better recertification after access has already been misused. Organisations typically encounter the true cost only after a secret leak, a breach, or an audit exception, at which point identity certification becomes unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-05 | Access review and revocation are core NHI governance controls. |
| NIST CSF 2.0 | PR.AA | Identity governance requires verified access and ongoing review. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust depends on continuously evaluated, least-privilege access decisions. |

Recertify NHI entitlements on a fixed cadence and revoke anything without current business need.