Access Certification

Access certification is the periodic review of whether an identity still needs its current entitlements. For NHIs, certification is only reliable when reviewers know the identity’s owner, purpose, and expiry; otherwise stale machine access can persist long after the original use case has ended.

Expanded Definition

Access certification is the governance check that confirms whether a non-human identity still requires its current permissions, secrets, and tool access. In NHI programs, it is less about asking “who owns this account?” and more about proving the account still has a justified purpose, an accountable owner, and a valid expiry path. That distinction matters because service accounts, API keys, workload identities, and AI Agents can retain access long after the business process that created them has changed.

Definitions vary across vendors on whether certification should cover entitlements, secrets, runtime permissions, or all three, and no single standard governs this yet. In practice, access certification sits alongside PAM, RBAC, JIT, and Zero Trust Architecture, but it should not be treated as a one-time audit event. The OWASP Non-Human Identity Top 10 frames the broader risk: machine identities fail when governance does not keep pace with lifecycle change. The most common misapplication is certifying NHIs by account name alone, which occurs when reviewers lack context on ownership, purpose, and expiry.

Examples and Use Cases

Implementing access certification rigorously often introduces review overhead and temporary friction, requiring organisations to weigh faster operations against the cost of stale privilege.

  • A platform team reviews CI/CD service accounts each quarter and revokes any token that no longer maps to an active deployment pipeline.
  • A security team certifies cloud workload identities after environment changes, using the Ultimate Guide to NHIs as a lifecycle reference for ownership and offboarding discipline.
  • An AI operations team checks whether an AI Agent still needs write access to production tools after its workflow changes.
  • An identity governance program ties certifiers to business process owners, so entitlements are reviewed by someone who understands the actual machine function rather than the directory record.
  • After a compromise, analysts use the 52 NHI Breaches Analysis to identify where weak review cycles allowed access to linger.

For teams that need a standards anchor, the OWASP guidance is a practical companion to certification workflows, especially where machine identity reviews must align with least privilege and continuous validation.

Why It Matters in NHI Security

Access certification is one of the few controls that can expose hidden entitlement drift before it becomes an incident. NHI misuse often survives because machine accounts are not challenged the way human access is, and that blind spot is costly: according to the Ultimate Guide to NHIs, 97% of NHIs carry excessive privileges, widening the attack surface. That figure is especially relevant when certifications are shallow, infrequent, or performed without operational context. For deeper context on risk patterns, the Ultimate Guide to NHIs — Key Challenges and Risks is a useful reference, and the Sisense breach shows how machine credentials can become a serious exposure path when governance breaks down.

Access certification also supports Zero Trust Architecture by forcing regular proof of need rather than assumed trust. When paired with governance discipline, it helps teams decide whether a permission should be removed, reduced, or time-bound, instead of merely documented. Organisations typically encounter the real need for access certification only after a breach review or privilege sprawl investigation, at which point the control becomes operationally unavoidable.
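As an added example (not code from this page or any vendor), the following Python review routine applies the owner/purpose/expiry test and yields the remove, reduce, or time-bound decisions described in this section over a constructed NHI inventory; the record fields, the 90-day stale threshold, and the sample identities are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class NHIRecord:
    """Constructed inventory record for one non-human identity (assumed schema)."""
    name: str
    owner: str | None            # accountable team; None = nobody claims it
    purpose: str | None          # business function; None = undocumented
    expiry: date | None          # planned end of life; None = no expiry path
    last_used: date | None       # last authenticated use seen in logs
    granted: set[str] = field(default_factory=set)  # current entitlements
    used: set[str] = field(default_factory=set)     # entitlements actually exercised
    pipeline_active: bool = True  # CI/CD accounts: still mapped to a live pipeline?

STALE = timedelta(days=90)  # assumed stale-access threshold

def certify(rec: NHIRecord, today: date) -> tuple[str, str]:
    """Return (decision, reason): cannot_certify, revoke, reduce, time_bound or certify."""
    # Context first: without owner and purpose the reviewer is certifying by name alone.
    if not rec.owner or not rec.purpose:
        return "cannot_certify", "no accountable owner or documented purpose"
    if not rec.pipeline_active:
        return "revoke", "no active pipeline maps to this identity"
    if rec.expiry is not None and rec.expiry < today:
        return "revoke", f"expired on {rec.expiry.isoformat()}"
    if rec.last_used is None or today - rec.last_used > STALE:
        return "revoke", f"unused for more than {STALE.days} days"
    excess = rec.granted - rec.used   # entitlement drift: granted but never exercised
    if excess:
        return "reduce", "drop unexercised entitlements: " + ", ".join(sorted(excess))
    if rec.expiry is None:
        return "time_bound", "attach an expiry date before the next review cycle"
    return "certify", f"justified until {rec.expiry.isoformat()}"

def run_review(records: list[NHIRecord], today: date) -> dict[str, tuple[str, str]]:
    return {r.name: certify(r, today) for r in records}

# Constructed sample inventory for one quarterly review
TODAY = date(2025, 4, 1)
SAMPLE = [
    NHIRecord("ci-deploy-legacy", "platform", "deploy legacy app", None, date(2025, 3, 30), {"deploy:prod"}, {"deploy:prod"}, pipeline_active=False),
    NHIRecord("svc-report-gen", None, None, None, date(2025, 3, 31), {"db:read"}, {"db:read"}),
    NHIRecord("agent-ops-assistant", "ai-ops", "triage alerts", date(2025, 12, 31), date(2025, 3, 31), {"tools:read", "tools:write"}, {"tools:read"}),
    NHIRecord("wl-ingest", "data", "ingest events", None, date(2025, 3, 29), {"queue:consume"}, {"queue:consume"}),
    NHIRecord("wl-archive", "data", "nightly archive", date(2025, 6, 30), date(2024, 11, 1), {"bucket:write"}, {"bucket:write"}),
    NHIRecord("wl-metrics", "sre", "export metrics", date(2025, 9, 30), date(2025, 3, 31), {"metrics:push"}, {"metrics:push"}),
]

if __name__ == "__main__":
    for name, (decision, reason) in run_review(SAMPLE, TODAY).items():
        print(f"{name:22} {decision:15} {reason}")
```

The order of checks matters: a record with no owner or purpose is never certified, reduced, or time-bound, because none of those decisions can be justified without knowing what the identity is for.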

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers machine identity governance gaps that access certification is meant to close. |
| NIST Zero Trust (SP 800-207) | PA/DP | Supports continuous least-privilege verification under Zero Trust principles. |
| NIST CSF 2.0 | PR.AA | Access control and identity governance both depend on periodic validation of authorized access. |

Map NHI certification to access review procedures and document revocation decisions as part of governance.