An access certification campaign is the structured workflow used to collect reviewer decisions across applications and identities. It turns access review into a managed process with assignments, reminders, decisions, remediation, and audit evidence, which is essential when estates include both human and non-human identities.
Expanded Definition
An access certification campaign is the operational mechanism for reviewing who and what should keep access, then tracking decisions through completion. In NHI programs, that means human users, service accounts, API keys, agents, and other non-human identities are reviewed under one governed workflow rather than as separate exceptions.
Definitions vary across vendors, but the useful distinction is this: an access review is an activity, while a campaign is the managed container that assigns reviewers, sets deadlines, follows up on non-response, and records evidence. In mature IAM and NHI environments, a campaign often ties into role models, ownership metadata, and remediation queues so that approvals translate into deprovisioning, not just attestation. The OWASP Non-Human Identity Top 10 is useful here because campaign quality depends on knowing which NHI risks are being reviewed, especially around over-privileged secrets and stale machine access. For broader NHI context, see Ultimate Guide to NHIs and Ultimate Guide to NHIs — What are Non-Human Identities.
The most common misapplication is treating the campaign as a reporting exercise, which occurs when reviewers click approve without validating owner, usage, and business justification.
Examples and Use Cases
Implementing access certification campaigns rigorously often introduces review fatigue and remediation lag, requiring organisations to weigh auditability against operational disruption.
- A quarterly certification campaign validates whether production service accounts still need broad database access, then routes removals to the platform team for execution.
- A merger cleanup campaign reviews duplicated identities across two directories, ensuring orphaned accounts and old entitlements are removed before consolidation.
- An NHI-focused campaign checks whether CI/CD pipeline tokens, workload identities, and automation bots still match their intended scope, supported by lessons from the 52 NHI Breaches Analysis.
- A privileged access campaign aligns elevated access with OWASP Non-Human Identity Top 10 guidance by verifying that secrets, tokens, and agent permissions are still justified.
- A breach-driven review examines whether exposed credentials related to the DeepSeek breach should trigger an immediate, narrowly scoped campaign covering sensitive AI and automation access.
For deeper operational patterns, NHI teams often compare campaign outcomes against Ultimate Guide to NHIs — Key Challenges and Risks, especially when owners are unclear or access is inherited through tooling.
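The campaign workflow described above (reviewer assignment from ownership metadata with a fallback for orphaned identities, automatic findings, reminders that escalate past the deadline, decisions that cannot be rubber-stamped, a remediation queue, and an evidence record) and the scope check from the CI/CD pipeline use case can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not NHIMG code or any vendor's product, and the identities, entitlement names, reviewers, cadence values and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Identity:
    """One reviewable identity, human or non-human (constructed schema)."""
    name: str
    kind: str                    # "human", "service_account", "pipeline_token", ...
    owner: Optional[str]         # accountable reviewer; None means orphaned
    granted: frozenset           # entitlements actually held
    intended: frozenset          # scope the identity is supposed to have
    last_used: Optional[date]    # None if never observed in use
    justification: str = ""      # business reason recorded at grant time


@dataclass
class Decision:
    reviewer: str
    action: str                  # "approve" or "revoke"
    checked_owner: bool
    checked_usage: bool
    checked_justification: bool


@dataclass
class ReviewItem:
    identity: Identity
    reviewer: str
    due: date
    decision: Optional[Decision] = None
    evidence: list = field(default_factory=list)


class Campaign:
    """Managed container: assignment, findings, reminders, decisions, remediation, evidence."""

    def __init__(self, name, identities, opened, review_days=14,
                 stale_days=90, fallback_reviewer="iam-governance"):
        self.name, self.stale_days, self.items = name, stale_days, {}
        for ident in identities:
            item = ReviewItem(ident, ident.owner or fallback_reviewer,
                              opened + timedelta(days=review_days))
            if ident.owner is None:
                item.evidence.append("no owner on record; routed to fallback reviewer")
            self.items[ident.name] = item

    def prefill_findings(self, today):
        """Attach automatic findings so reviewers see drift and staleness up front."""
        for item in self.items.values():
            ident = item.identity
            drift = ident.granted - ident.intended
            if drift:
                item.evidence.append(f"scope drift: {sorted(drift)}")
            if ident.last_used is None or (today - ident.last_used).days > self.stale_days:
                item.evidence.append(f"stale: no use within {self.stale_days} days")
            if not ident.justification.strip():
                item.evidence.append("no business justification recorded")

    def record(self, name, decision, today):
        """Accept a decision; refuse approvals that skipped owner/usage/justification checks."""
        item = self.items[name]
        if decision.action == "approve" and not (decision.checked_owner and
                                                  decision.checked_usage and
                                                  decision.checked_justification):
            raise ValueError(f"{name}: approval without owner/usage/justification validation")
        item.decision = decision
        item.evidence.append(f"{today}: {decision.reviewer} decided {decision.action}")

    def reminders(self, today):
        """Undecided items: remind the reviewer, escalate once past the due date."""
        return [("escalate" if today > i.due else "remind", i.reviewer, i.identity.name)
                for i in self.items.values() if i.decision is None]

    def remediation_queue(self):
        """Work for the platform team: full revocations, plus drift trimmed on approved items."""
        queue = []
        for item in self.items.values():
            ident, drift = item.identity, item.identity.granted - item.identity.intended
            if item.decision and item.decision.action == "revoke":
                queue.append((ident.name, "revoke", sorted(ident.granted)))
            elif item.decision and drift:
                queue.append((ident.name, "trim", sorted(drift)))
        return queue

    def evidence_report(self):
        return {n: {"reviewer": i.reviewer,
                    "decision": i.decision.action if i.decision else "pending",
                    "evidence": list(i.evidence)} for n, i in self.items.items()}


# Constructed sample data: campaign opened 2024-01-01, three identities under review.
OPENED = date(2024, 1, 1)
SAMPLE = [
    Identity("svc-billing-db", "service_account", "dba-team",
             frozenset({"db:read", "db:write", "db:admin"}), frozenset({"db:read", "db:write"}),
             date(2023, 12, 28), "nightly billing reconciliation"),
    Identity("ci-deploy-token", "pipeline_token", None,
             frozenset({"repo:write", "deploy:prod"}), frozenset({"repo:write", "deploy:prod"}),
             date(2023, 8, 1), ""),
    Identity("alice", "human", "alice-manager",
             frozenset({"app:user"}), frozenset({"app:user"}), date(2023, 12, 30), "finance analyst"),
]


def campaign_day(n):
    """Date n days after the campaign opened."""
    return OPENED + timedelta(days=n)


def run_sample():
    """Open the campaign, prefill findings and record two of the three decisions."""
    c = Campaign("q1-nhi-review", SAMPLE, OPENED)
    c.prefill_findings(OPENED)
    c.record("svc-billing-db", Decision("dba-team", "approve", True, True, True), campaign_day(3))
    c.record("ci-deploy-token", Decision("iam-governance", "revoke", True, True, True), campaign_day(5))
    return c


if __name__ == "__main__":
    campaign = run_sample()
    print(campaign.reminders(campaign_day(20)))
    print(campaign.remediation_queue())
```

Two design choices carry the point of the page: `record` refuses an approval unless the reviewer attests to all three validations, which is the mechanical counterpart of the misapplication described above, and `remediation_queue` turns decisions into concrete work for the platform team, so an approval of an over-scoped service account still yields a trim of the drifted entitlements rather than a bare attestation.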
Why It Matters in NHI Security
Access certification campaigns matter because stale approvals create invisible privilege drift. In NHI estates, that drift is often worse than in human IAM because machine identities are numerous, inherited through automation, and easier to overlook during audits. When campaigns are weak, organisations preserve access that should have expired, which increases blast radius during compromise and makes incident response slower.
NHIMG research on secrets management shows why this becomes urgent: organisations maintain an average of 6 distinct secrets manager instances, and the average estimated time to remediate a leaked secret is 27 days. That fragmentation makes it harder for a campaign to prove that a secret, token, or service account still has a valid owner and current purpose. The same issue is visible in breach analysis and in the lessons of the Sisense breach, where access governance failures compounded exposure. For governance alignment, practitioners also reference the OWASP Non-Human Identity Top 10 to prioritise the review targets most likely to become exploit paths.
Organisations typically encounter the need for an access certification campaign only after an audit finding, credential leak, or privilege-related incident, at which point the campaign becomes operationally unavoidable to close the gap.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Addresses improper secret and access governance for non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management depends on periodic certification and revocation. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous authorization, which campaigns help validate periodically. |
Review NHI entitlements, secrets, and service accounts on a set cadence and remove unjustified access.