By NHI Mgmt Group Editorial Team
Published 2025-09-09
Domain: Governance & Risk
Source: Delinea

TL;DR: Manual access certification for NetSuite is still consuming large amounts of IT effort, with Fastpath customers reporting 80% less time spent on access certifications after automation, according to Delinea. The underlying issue is not just efficiency but privilege creep, over-permissive native roles, and review processes that are too spreadsheet-driven to keep pace with access change.


At a glance

What this is: A Delinea blog post about automating NetSuite access certification, with the key finding that customers reported 80% less time spent on reviews.

Why it matters: Access certification is a core IAM control across human, NHI, and lifecycle governance, and manual review processes create gaps in privilege control and audit evidence.

By the numbers:

👉 Read Delinea's analysis of automated access certification for NetSuite


Context

Access certification is the formal review of who has access to an application, what that access allows, and whether it still matches job need. In NetSuite environments, that review becomes a governance problem when role design is broad, subsidiary access is layered, and evidence is still assembled manually.

For IAM and IGA teams, the issue is not whether reviews exist but whether they can be executed consistently enough to support least privilege and auditability. When certification lives in spreadsheets, the process itself becomes a source of delay, error, and privilege creep rather than a control that reduces it.


Key questions

Q: How should security teams reduce manual effort in access certification campaigns?

A: Security teams should automate reviewer routing, reminders, approval tracking, and removal handling so the certification process produces reliable evidence instead of spreadsheet churn. The goal is not only speed but consistency, because a workflow-controlled review is easier to audit and less likely to miss excessive access or delayed revocations.

Q: Why do over-permissive application roles make access reviews less effective?

A: Over-permissive roles force reviewers to judge whether a broad entitlement is acceptable rather than simply confirming current need. That weakens the review because it hides role design problems behind certification activity. If the underlying role is too generous, the access review can document the issue but cannot fully fix it.

Q: What should organisations do when access certifications keep taking too long?

A: They should look for process friction, role ambiguity, and poor reviewer context before adding more review staff. Long campaigns often mean the control is too manual, the access model is too broad, or both. Shortening the cycle without improving evidence quality usually just moves the bottleneck.

Q: Who is accountable when access certification failures lead to audit findings?

A: Accountability sits with the identity, application, and control owners together, because certification is both a governance process and an operational control. If access was not reviewed, interpreted correctly, or removed, the issue is rarely one team alone. Regulators and auditors will expect a clear owner for the full control chain.


Technical breakdown

Why manual access certification breaks down in NetSuite

Manual certification campaigns depend on collecting account data, preparing extracts, routing spreadsheets, and reconciling responses across managers and systems. That creates failure points at every handoff: missed reviewers, mapping errors, delayed follow-up, and incomplete removals. In a platform like NetSuite, those delays matter because access can span subsidiaries and entities, making the review set larger and harder to interpret. The result is not just admin friction. It is weaker control assurance because the process cannot reliably prove that access was reviewed, understood, and acted on within the same campaign.

Practical implication: replace spreadsheet-based review operations with an evidence-producing workflow that tracks request, response, and removal in one control path.

How over-permissive roles turn certification into a detection problem

NetSuite native roles often prioritise functionality over restraint, which means reviewers are not simply confirming access. They are also trying to detect whether the role design itself is excessive or creates segregation of duties conflicts. That makes certification a second-order control: it compensates for upstream design choices that were too broad at provisioning time. When role descriptions are missing or unclear, reviewers lose context and default to approval or delay. This is a classic governance failure, because the review process is being asked to correct what role engineering should have limited earlier.

Practical implication: pair certification with role rationalisation so reviewers are not forced to judge ambiguous entitlements without context.

Why automation changes auditability, not just speed

Automation in access certification is not only about reducing admin effort. It changes the evidence model by standardising reviewer prompts, reminders, approval tracking, and removal handling. That matters for audit because completion is not the same as demonstrable completion. A dashboard view, timestamped workflow, and integrated access data create a cleaner chain of custody for the review. In governance terms, this is the difference between a campaign that feels done and one that can be defended. The control becomes repeatable rather than dependent on individual spreadsheet discipline.

Practical implication: design certification workflows to preserve an auditable trail from access inventory through final revocation.
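The three practical implications above describe one control path: route each entitlement to a named reviewer with enough context to judge it, record every decision and removal in a single evidence trail, and refuse to call the campaign complete until every revocation is proven. The Python below is an added example written for this page; it is not Delinea's, Fastpath's or NetSuite's code. The users, roles, permissions, reviewers, the segregation-of-duties matrix and the over-permissive threshold are all constructed for illustration.

```python
"""Added example, not code from Delinea, Fastpath or NetSuite: a workflow-controlled
access certification campaign. Each entitlement is routed to one reviewer with
context attached, every decision and removal lands in an append-only log, and the
campaign reports complete only when each "revoke" decision has removal evidence."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import combinations
from typing import Optional
# Constructed segregation-of-duties matrix: permission pairs that must not co-exist.
SOD_CONFLICTS = {frozenset({"vendor.create", "payment.approve"}),
                 frozenset({"journal.post", "journal.approve"})}
OVER_PERMISSIVE_THRESHOLD = 4  # constructed: roles above this size get flagged

@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    subsidiary: str
    permissions: frozenset
    reviewer: str  # owner who must confirm current business need

@dataclass
class Item:
    entitlement: Entitlement
    findings: list = field(default_factory=list)
    decision: str = "pending"  # pending | keep | revoke
    revoked_at: Optional[datetime] = None

def review_findings(e: Entitlement) -> list:
    """Context shown to the reviewer so they confirm need rather than guess."""
    findings = []
    if len(e.permissions) > OVER_PERMISSIVE_THRESHOLD:
        findings.append(f"over-permissive role: {len(e.permissions)} permissions")
    for a, b in combinations(sorted(e.permissions), 2):
        if frozenset({a, b}) in SOD_CONFLICTS:
            findings.append(f"SoD conflict: {a} + {b}")
    return findings

class Campaign:
    def __init__(self, name: str, entitlements, clock=None):
        self.name, self.clock = name, clock or (lambda: datetime.now(timezone.utc))
        self.audit_log = []  # append-only chain of custody for the whole review
        self.items = {}
        for e in entitlements:
            key = (e.user, e.role, e.subsidiary)
            self.items[key] = Item(e, review_findings(e))
            self._log("routed", key, reviewer=e.reviewer, findings=self.items[key].findings)

    def _log(self, event, key, **detail):
        self.audit_log.append({"ts": self.clock().isoformat(), "event": event,
                               "item": key, **detail})

    def decide(self, key, reviewer: str, decision: str):
        """Only the routed reviewer may decide, and each item is decided once."""
        item = self.items[key]
        if reviewer != item.entitlement.reviewer:
            raise PermissionError(f"{reviewer} is not the routed reviewer for {key}")
        if item.decision != "pending":
            raise ValueError(f"{key} already decided: {item.decision}")
        if decision not in ("keep", "revoke"):
            raise ValueError("decision must be 'keep' or 'revoke'")
        item.decision = decision
        self._log("decided", key, reviewer=reviewer, decision=decision)

    def record_removal(self, key, actor: str):
        """Removal evidence closes the loop on a 'revoke' decision."""
        item = self.items[key]
        if item.decision != "revoke":
            raise ValueError(f"{key} has no revoke decision to act on")
        item.revoked_at = self.clock()
        self._log("removed", key, actor=actor)

    def pending(self):
        return [k for k, i in self.items.items() if i.decision == "pending"]

    def unremoved(self):  # revoke decisions with no removal evidence yet
        return [k for k, i in self.items.items()
                if i.decision == "revoke" and i.revoked_at is None]

    def is_complete(self) -> bool:  # demonstrable completion, not just "all answered"
        return not self.pending() and not self.unremoved()

def run_demo() -> Campaign:
    """Constructed NetSuite-style extract for one quarterly campaign."""
    extract = [
        Entitlement("alice", "AP Clerk", "US", frozenset({"vendor.create", "bill.enter"}),
                    "mgr_finance"),
        Entitlement("bob", "AP Clerk", "US", frozenset({"vendor.create", "bill.enter",
                    "payment.approve", "journal.post", "report.view"}), "mgr_finance"),
        Entitlement("bob", "Administrator", "UK", frozenset({"setup.all", "journal.post",
                    "journal.approve"}), "mgr_it"),
    ]
    c = Campaign("Q3-netsuite", extract)
    c.decide(("alice", "AP Clerk", "US"), "mgr_finance", "keep")
    c.decide(("bob", "AP Clerk", "US"), "mgr_finance", "revoke")
    c.decide(("bob", "Administrator", "UK"), "mgr_it", "revoke")
    c.record_removal(("bob", "AP Clerk", "US"), "iam_ops")
    return c  # not complete: the UK Administrator revoke has no removal evidence
```

Two design choices carry the governance point. First, the reviewer sees findings (role size, SoD pairs) alongside the entitlement, so a broad native role is surfaced as a role-design problem rather than silently approved. Second, `is_complete()` stays false while any revoke decision lacks a logged removal, which is the difference between a campaign that feels done and one that can be defended to an auditor.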


Threat narrative

Attacker objective: The objective is to preserve unnecessary access long enough for misuse, audit failure, or compliance exposure to persist unnoticed.

  1. Entry begins with users inheriting access that is broader than current job need, especially where role assignments, subsidiary access, and temporary moves are not cleaned up.
  2. Escalation occurs when manual review processes fail to catch excessive permissions or segregation of duties conflicts, leaving standing over-privilege in place.
  3. Impact is accumulated privilege creep, weaker compliance evidence, and a higher chance that sensitive NetSuite access survives beyond its justified use.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Manual certification is a governance bottleneck, not a harmless administration task. When access reviews depend on spreadsheets, the control loses timing, consistency, and evidential quality. That means the organisation is not just wasting effort, it is weakening the reliability of least privilege as a real operating control. Practitioners should treat manual certification as a control debt signal, not a process inconvenience.

Privilege creep becomes harder to see when application roles are designed for function instead of restraint. NetSuite role patterns described in the post show a familiar failure mode: reviewers are asked to approve entitlements that were too broad from the start. The review then becomes a compensating control for role design, segregation of duties, and access lifecycle gaps. The implication is that certification without role rationalisation only documents the problem.

Access certification is a lifecycle control that should be applied consistently across human, service, and delegated identities. The same governance logic that governs user access reviews also matters for non-human identities when their permissions are reviewed, offboarded, or recertified. The operational lesson is that identity lifecycle programmes should not stop at employee access. If the review process is strong enough for humans, it should be strong enough to expose stale machine access too.

Automated workflows create stronger audit evidence because they preserve the chain of review and removal. The value is not simply reduced manual time. It is that certification becomes traceable, repeatable, and easier to defend to auditors. In governance terms, automation is most useful when it improves the proof of control execution, not just the speed of administration.

Review cadence should be designed around access volatility, not calendar convenience. The article shows that role changes, temporary assignments, and multi-entity access all increase the likelihood that access drifts away from need between certification cycles. Practitioners should use that as a signal to re-evaluate how often certifications run and which entitlements deserve more frequent scrutiny.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to NHI Mgmt Group research.
  • For a broader governance frame, the 52 NHI Breaches Analysis shows how weak lifecycle control turns access into persistent exposure.

What this signals

Access certification is becoming a control quality issue, not just a productivity issue. When organisations rely on manual review cycles, the real question is whether the control can still prove least privilege under role churn, subsidiary complexity, and delayed approvals. That is why automation matters as a governance mechanism, not only as a cost reducer.

With 97% of NHIs carrying excessive privileges in our Ultimate Guide to NHIs, certification programmes should stop treating over-privilege as a periodic clean-up exercise. The programme design problem is broader: access that is hard to review is usually access that was too broad to begin with.

Certification fatigue is a signal to consolidate identity lifecycle and review operations. The next stage of maturity is not more reminders, but tighter integration between access governance, role engineering, and removal workflows. Practitioners who connect those controls will get better audit evidence and less tolerance for privilege creep.


For practitioners

  • Map certification campaigns to access volatility: Prioritise NetSuite users with role changes, temporary assignments, subsidiary access, and segregation of duties conflicts for higher-frequency review. This helps reviewers focus on the access most likely to drift away from business need.
  • Replace spreadsheet routing with workflow-controlled evidence: Use an access certification workflow that captures reviewer assignment, responses, reminders, approvals, and removals in one system. That reduces follow-up overhead and creates a cleaner audit trail for completion and remediation.
  • Rationalise over-permissive roles before the next campaign: Review whether native NetSuite roles are forcing approvers to make judgment calls on permissions that should have been constrained earlier. Tighten the role model so certification validates entitlement rather than compensating for poor role design.
  • Align access reviews with lifecycle offboarding: Treat recertification and revocation as connected controls, especially for users who have changed jobs or left a function. If access can remain after a move, the certification process is not closing the lifecycle loop.
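The first practitioner step asks for certification cadence driven by access volatility rather than the calendar. The Python below is an added example for this page, not Delinea's, Fastpath's or NetSuite's code: it scores each entitlement on the drift signals the list names (recent role change, temporary assignment, multi-subsidiary access, SoD conflict) plus never-certified status, derives a review cadence from the score, and orders the campaign by due date. It goes one step beyond the text by including a service account in the sample, since the page argues the same review should cover non-human identities. The weights, cadence tiers, the 90-day "recent" window and the sample records are constructed assumptions.

```python
"""Added example, not code from Delinea, Fastpath or NetSuite: scoring NetSuite
entitlements by access volatility so drift-prone access is certified more often.
Signals, weights, cadence tiers and sample records are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed weights: how strongly each signal suggests access may have drifted.
WEIGHTS = {"recent_role_change": 3, "temporary": 2, "expired_temporary": 4,
           "multi_subsidiary": 2, "sod_conflict": 4, "never_certified": 3}
RECENT_DAYS = 90  # constructed: a role change inside this window counts as recent

@dataclass(frozen=True)
class AccessRecord:
    user: str
    role: str
    subsidiaries: frozenset
    last_role_change: date
    temporary_until: Optional[date]  # set when the assignment was meant to expire
    sod_conflict: bool
    last_certified: Optional[date]

def volatility_signals(rec: AccessRecord, today: date) -> list:
    """Which drift signals apply to this record as of 'today'."""
    signals = []
    if (today - rec.last_role_change).days <= RECENT_DAYS:
        signals.append("recent_role_change")
    if rec.temporary_until is not None:
        signals.append("expired_temporary" if rec.temporary_until < today else "temporary")
    if len(rec.subsidiaries) > 1:
        signals.append("multi_subsidiary")
    if rec.sod_conflict:
        signals.append("sod_conflict")
    if rec.last_certified is None:
        signals.append("never_certified")
    return signals

def volatility_score(rec: AccessRecord, today: date) -> int:
    return sum(WEIGHTS[s] for s in volatility_signals(rec, today))

def cadence_days(score: int) -> int:
    """Constructed tiers: volatile access monthly, moderate quarterly, stable twice a year."""
    if score >= 8:
        return 30
    if score >= 4:
        return 90
    return 180

def next_due(rec: AccessRecord, today: date) -> date:
    """Never-certified access is due immediately; otherwise last certification + cadence."""
    if rec.last_certified is None:
        return today
    return rec.last_certified + timedelta(days=cadence_days(volatility_score(rec, today)))

def prioritise(records, today: date) -> list:
    """Earliest due first; ties broken by higher volatility, then by user name."""
    return sorted(records, key=lambda r: (next_due(r, today),
                                          -volatility_score(r, today), r.user))

def due_now(records, today: date) -> list:
    """Records whose due date has arrived or passed, in campaign order."""
    return [r for r in prioritise(records, today) if next_due(r, today) <= today]

# Constructed sample extract: three users and one integration service account.
TODAY = date(2025, 9, 9)
SAMPLE = [
    AccessRecord("alice", "AP Clerk", frozenset({"US"}), date(2024, 1, 15),
                 None, False, date(2025, 6, 30)),
    AccessRecord("bob", "Controller", frozenset({"US", "UK"}), date(2025, 8, 20),
                 date(2025, 8, 31), True, date(2025, 6, 30)),
    AccessRecord("carol", "Project Lead", frozenset({"US", "CA", "MX"}), date(2025, 3, 1),
                 date(2025, 10, 31), False, date(2025, 7, 15)),
    AccessRecord("svc_integration", "Web Services", frozenset({"US"}), date(2025, 1, 10),
                 None, False, None),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE, TODAY):
        print(f"{r.user:16} due {next_due(r, TODAY)} score {volatility_score(r, TODAY):2} "
              f"signals {volatility_signals(r, TODAY)}")
```

Run as a script it lists bob first (recent role change, expired temporary assignment, two subsidiaries and an SoD conflict put him on a 30-day cadence that lapsed in July), then the never-certified service account, then carol and alice. The useful property is that an expired temporary assignment raises the score instead of quietly staying in place, which is exactly the lifecycle gap the last bullet warns about.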

Key takeaways

  • Manual access certification creates governance debt because the control becomes dependent on spreadsheets, reminders, and human follow-through.
  • The scale of the problem is clear: Delinea reports 80% less time spent on certifications, with one customer cutting more than 100 quarterly hours to one.
  • The right response is to automate evidence, rationalise over-permissive roles, and connect certification to lifecycle revocation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-07 | Certification and excessive privilege are central to the access review problem here.
NIST CSF 2.0 | PR.AC-4 | Least-privilege access review maps directly to permissions governance.
NIST Zero Trust (SP 800-207) | (no specific control cited) | NetSuite review automation supports continuous verification and reduced standing access.

Use access certification to support zero trust by shrinking standing privilege and improving proof of control.


Key terms

  • User Access Review: A User Access Review is a periodic check of whether an identity still needs its current permissions. In practice, it tests whether access remains aligned to role, duty, and risk, and whether the organisation can prove that decision to auditors and control owners.
  • Access Certification Campaign: An access certification campaign is the structured execution of a user access review over a defined period. It coordinates reviewers, reminders, approvals, and removals so the organisation can validate access at scale rather than handle each review as an isolated administrative task.
  • Privilege Creep: Privilege creep is the gradual accumulation of permissions beyond what an identity currently needs. It happens when job changes, temporary assignments, or incomplete offboarding leave old access in place, creating a larger attack surface and more difficult audit posture.
  • Segregation of Duties: Segregation of duties is a control that prevents one identity from holding conflicting permissions that could enable fraud, error, or unauthorized action. In access certification, it helps reviewers spot combinations that look harmless individually but become risky together.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: Access certification for NetSuite, reducing manual effort with automation. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org