TL;DR: Access certification is the formal, audit-driven process for validating user entitlements, and it is presented as the control that turns access sprawl into least-privilege decisions while supporting SOX, ISO 27001, and NIST-aligned governance, according to SecurEnds. Manual reviews and disconnected identity systems still leave many programmes unable to prove timely revocation or consistent attestations, so the issue is operational, not procedural.
At a glance
What this is: This is an analysis of access certification as an identity governance control for validating entitlements and reducing access sprawl.
Why it matters: It matters because IAM, IGA, and PAM teams need a repeatable way to prove who should still have access across human and non-human identities.
By the numbers:
- 71% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
👉 Read SecurEnds' analysis of access certification and access review
Context
Access certification is the formal process of validating whether a user, owner, or manager still agrees that a given entitlement is justified. In modern IAM and IGA programmes, it becomes the checkpoint that turns scattered permissions into something auditable, revocable, and policy-based.
As cloud and SaaS sprawl expands, access review cycles are often the only practical way to catch privilege creep before it becomes a compliance failure or an internal attack path. The article’s central point is that certification is not just a reporting task. It is the governance layer that keeps least privilege enforceable across changing roles and systems.
Key questions
Q: How should security teams implement access certification in cloud and SaaS environments?
A: Security teams should centralise entitlement data first, then run certification against normalised access records from directory, HR, cloud, and SaaS systems. That allows reviewers to see the full entitlement picture, prioritise privileged access, and revoke unnecessary permissions without chasing separate spreadsheets or conflicting approval trails.
Q: Why do access reviews fail when identity systems are disconnected?
A: Access reviews fail because reviewers cannot validate what they cannot see. When entitlements are split across multiple identity sources, approvals become based on partial information, which leads to inconsistent decisions, missed privilege creep, and weak audit evidence. A unified entitlement model is what makes certification decisions reliable.
Q: What breaks when access certification is treated as a yearly compliance exercise?
A: A yearly cycle leaves excessive access in place for months, especially when employees change roles or gain new privileges mid-year. That creates a gap between entitlement drift and correction, which is exactly when insider misuse, audit findings, and unnecessary exposure become more likely.
Q: Who is accountable when revoked access is not removed after certification?
A: Accountability sits with the access owner, the reviewer, and the governance process that failed to complete remediation. Certification only works when approval, removal, and evidence are tied together. If access stays active after a denial, the organisation has a control failure, not just a documentation gap.
Technical breakdown
Access certification vs. access review
Access certification is the formal attestation process used to prove that entitlements were reviewed, approved, or removed. Access review is the operational act of checking whether access is still justified. In practice, the two work together: certification creates the evidence trail for auditors, while review drives the decision to keep or revoke access. The article also distinguishes recertification, which is triggered by events such as role changes or department moves. That distinction matters because event-driven review catches access drift earlier than calendar-based campaigns.
Practical implication: separate the compliance record from the operational review workflow so revocation can happen as soon as access becomes unjustified.
Why entitlement normalisation matters in IGA
Certification collapses when entitlement data sits in incompatible systems and formats. A reviewer cannot make a reliable decision if AD groups, HR status, cloud permissions, and SaaS roles are all represented differently or updated at different times. Normalisation is the process of mapping those sources into a common entitlement model so owners can compare like with like. That is the hidden technical dependency behind scale: without a consistent data layer, certification becomes spreadsheet management instead of governance. Automation then becomes possible because the system can identify the same identity and privilege across multiple applications.
Practical implication: build a normalised entitlement inventory before scaling campaigns, or reviewers will approve based on incomplete visibility.
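An added example of the normalisation step described above (not code from SecurEnds or NHIMG): three constructed exports that name the same people differently are mapped onto one entitlement model keyed by canonical e-mail, then joined against HR status so reviewers see leaver drift, ownerless identities and privileged grants first. The per-source privilege classification is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    identity: str    # canonical key: lower-cased e-mail address
    source: str      # system the grant was exported from
    resource: str    # group, role or app permission
    privileged: bool

# Constructed sample exports. Each system spells the same person differently and
# expresses privilege in its own vocabulary; normalisation has to absorb both.
AD_EXPORT = [{"mail": "JDoe@Example.com", "memberOf": ["CN=Domain Admins,DC=corp", "CN=VPN-Users,DC=corp"]},
             {"mail": "a.lee@example.com", "memberOf": ["CN=VPN-Users,DC=corp"]}]
CLOUD_EXPORT = [{"principal": "jdoe@example.com", "role": "roles/owner"},
                {"principal": "ci-bot@example.com", "role": "roles/viewer"}]
SAAS_EXPORT = [{"user_email": "A.Lee@example.com", "role": "Admin"}]
HR_EXPORT = [{"email": "jdoe@example.com", "status": "active"},
             {"email": "a.lee@example.com", "status": "terminated"}]

# Assumed per-source privilege classification (the article does not define one).
PRIVILEGED = {"ad": {"Domain Admins"}, "cloud": {"roles/owner", "roles/editor"}, "saas": {"Admin"}}

def canonical(identity):
    return identity.strip().lower()

def normalise(ad, cloud, saas):
    """Map three export formats onto one Entitlement model keyed by canonical identity."""
    rows = []
    for rec in ad:
        for dn in rec["memberOf"]:
            group = dn.split(",")[0].removeprefix("CN=")
            rows.append(Entitlement(canonical(rec["mail"]), "ad", group, group in PRIVILEGED["ad"]))
    for rec in cloud:
        rows.append(Entitlement(canonical(rec["principal"]), "cloud", rec["role"], rec["role"] in PRIVILEGED["cloud"]))
    for rec in saas:
        rows.append(Entitlement(canonical(rec["user_email"]), "saas", rec["role"], rec["role"] in PRIVILEGED["saas"]))
    return rows

def findings(entitlements, hr):
    """Per identity: leaver drift, identities with no HR owner (likely non-human), and privileged grants."""
    status = {canonical(r["email"]): r["status"] for r in hr}
    by_identity = {}
    for e in entitlements:
        by_identity.setdefault(e.identity, []).append(e)
    out = []
    for identity, grants in sorted(by_identity.items()):
        hr_status = status.get(identity)
        if hr_status is None:
            out.append((identity, "no HR record: likely non-human identity, assign an owner"))
        elif hr_status != "active":
            out.append((identity, f"HR status {hr_status} but {len(grants)} grant(s) remain"))
        out.extend((identity, f"privileged {g.source}:{g.resource}") for g in grants if g.privileged)
    return out
```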
Event-driven recertification and zero standing privilege
Periodic reviews alone are too slow for environments where access changes frequently. Event-driven certification ties review to role change, onboarding, offboarding, or privilege escalation so unnecessary access does not persist until the next campaign. That aligns closely with Zero Standing Privilege, which aims to eliminate persistent access that no longer has an active business need. The technical value is not just faster review. It is shrinking the exposure window between entitlement drift and correction, especially for privileged or high-risk accounts.
Practical implication: route role changes and privilege additions into recertification automatically rather than waiting for the next quarterly cycle.
Threat narrative
Attacker objective: The attacker seeks to exploit excess privilege that survives long enough to enable unauthorised access, lateral movement, or audit failure.
- Entry occurs through excessive or outdated entitlements that were never removed after a role change or system change, leaving an account with more access than it should have.
- Escalation follows when review fatigue, incomplete inventory, or disconnected identity systems allow the over-privileged account to keep standing access across applications and data.
- Impact appears as breach exposure, compliance failure, or unauthorised data access because the organisation cannot prove who approved the entitlement or when it should have been removed.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Access certification is the control that exposes privilege creep before it becomes policy failure. The article correctly frames certification as more than a periodic audit task, because entitlement sprawl is usually visible only when someone is forced to validate it. In IGA terms, certification turns hidden over-access into a decision point, and that decision point is what keeps least privilege operational rather than aspirational. The practitioner takeaway is that certification must be treated as a live governance control, not an after-the-fact compliance ritual.
Disconnected identity systems create a certification blind spot, not just a workflow inefficiency. When access data is split across HR, cloud, SaaS, and directory systems, the reviewer is never looking at the full entitlement picture. That is a structural governance gap because approval quality depends on data completeness. The implication for programmes is that access governance fails first at data integrity, then at decision quality, and only later at audit evidence.
Event-driven recertification is the point where Zero Trust becomes measurable. If access is revalidated when roles change, departments shift, or privilege is added, then least privilege is being enforced continuously instead of annually. That makes certification one of the few identity controls that can show Zero Trust as an operational discipline rather than a policy statement. The practitioner conclusion is to align certification triggers with business events, not just calendar cycles.
Certification fatigue is a governance design problem, not a reviewer problem. When managers approve hundreds of entitlements without context, the process itself has become too broad to be trusted. The real failure mode is not human laziness alone but an overloaded control surface that produces rubber-stamp decisions. The implication is that programmes should narrow scope, prioritise risky entitlements, and preserve reviewer attention for access that matters.
Access certification becomes most valuable when it is linked to privilege lifecycle, not static snapshots. Recertifying only on a fixed schedule allows privilege to persist between cycles, especially in cloud and SaaS environments where access changes faster than review cadence. The discipline works best when it is coupled to joiner-mover-leaver events and entitlement change signals. Practitioners should treat certification as part of lifecycle governance, not a separate annual project.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Another 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which shows that governance change is already underway in operating assumptions.
- For a deeper baseline on how governance gaps surface across non-human identity programmes, see 52 NHI Breaches Analysis for recurring access-control failure patterns.
What this signals
Access certification is becoming the control that separates visible governance from assumed governance. When access lives across directories, cloud platforms, and SaaS applications, programmes that rely on annual review cycles are already behind the operating environment. The practical shift is toward lifecycle-linked certification, where role changes and privileged entitlements trigger review automatically instead of waiting for a campaign.
Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey. That same pattern of acknowledged risk and uneven control maturity is visible in human access governance, where many teams still know the problem exists but cannot operationalise the review cycle well enough to close it.
Access certification will increasingly sit alongside least privilege, Zero Trust, and lifecycle governance as one connected control surface. The programme implication is that identity teams should measure review completion, remediation latency, and privileged access drift together, not as separate metrics. That is where governance becomes measurable rather than symbolic.
For practitioners
- Map certification to lifecycle events: Trigger recertification when users change roles, move departments, or gain elevated access so stale entitlements do not wait for the next scheduled review.
- Normalise entitlement sources before campaigns: Pull access data from directory services, HR records, cloud platforms, and SaaS applications into one entitlement model before sending review tasks.
- Prioritise high-risk and privileged access: Review privileged accounts, SoD conflicts, and externally exposed entitlements more frequently than standard user access so reviewer attention is spent where impact is highest.
- Separate approval evidence from remediation: Record who approved access, when it was reviewed, and when revocation occurred so audit trails and deprovisioning outcomes stay linked.
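An added example (not code from SecurEnds or NHIMG) tying together the event-driven recertification described earlier, the "separate approval evidence from remediation" practice above, and the combined metrics the analysis calls for: lifecycle events open review tasks, the reviewer's decision and the deprovisioning timestamp are recorded separately, and review completion, remediation latency and denied-but-still-active grants are measured together. The trigger set, task fields and sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed lifecycle events that open a recertification task instead of waiting for a campaign.
RECERT_TRIGGERS = {"role_change", "department_move", "privilege_added"}

@dataclass
class Task:
    identity: str
    entitlement: str
    opened: datetime
    trigger: str
    reviewer: Optional[str] = None          # who decided: the approval evidence
    decision: Optional[str] = None          # "keep" or "revoke"
    decided_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None   # set by deprovisioning, never by the reviewer

def open_tasks(events, standing):
    """Open one task per standing grant of any identity hit by a trigger event."""
    return [Task(ev["identity"], ent, ev["at"], ev["type"])
            for ev in events if ev["type"] in RECERT_TRIGGERS
            for ent in standing.get(ev["identity"], [])]

def decide(task, reviewer, decision, at):
    task.reviewer, task.decision, task.decided_at = reviewer, decision, at

def metrics(tasks, now):
    """Completion, remediation latency and denied-but-active failures, measured together."""
    decided = [t for t in tasks if t.decision]
    revoke = [t for t in decided if t.decision == "revoke"]
    latencies = [t.revoked_at - t.decided_at for t in revoke if t.revoked_at]
    pending = [now - t.opened for t in tasks if not t.decision]
    return {
        "review_completion": len(decided) / len(tasks) if tasks else 1.0,
        "max_remediation_hours": max(latencies, default=timedelta()).total_seconds() / 3600,
        "longest_open_hours": max(pending, default=timedelta()).total_seconds() / 3600,
        "control_failures": [(t.identity, t.entitlement) for t in revoke if not t.revoked_at],
    }

# Constructed sample: a department move, a privilege grant, and one event that is not a trigger.
T0 = datetime(2025, 11, 3, 9, 0)
STANDING = {"jdoe": ["ad:Domain Admins", "cloud:roles/owner"], "a.lee": ["saas:Admin"]}
EVENTS = [{"identity": "jdoe", "type": "department_move", "at": T0},
          {"identity": "bob", "type": "login", "at": T0},
          {"identity": "a.lee", "type": "privilege_added", "at": T0 + timedelta(hours=2)}]

def run_campaign():
    tasks = open_tasks(EVENTS, STANDING)
    decide(tasks[0], "mgr-1", "revoke", T0 + timedelta(hours=4))  # jdoe: Domain Admins denied
    tasks[0].revoked_at = T0 + timedelta(hours=6)                  # deprovisioning closed it 2h later
    decide(tasks[2], "mgr-2", "revoke", T0 + timedelta(hours=5))  # a.lee: Admin denied, never removed
    return tasks, metrics(tasks, T0 + timedelta(days=1))           # tasks[1] (cloud owner) still open
```

A denied grant with no revocation timestamp is reported as a control failure rather than a missing document, which is the distinction the Q&A above draws.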
Key takeaways
- Access certification is the governance mechanism that turns entitlement sprawl into auditable decisions and measurable least privilege.
- The biggest risk is not the review itself but disconnected identity data, which causes incomplete decisions and weak remediation.
- Teams should connect certification to lifecycle events and privileged access so stale entitlements are removed before they become exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access certification supports removal of stale NHI entitlements and over-privilege. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management aligns directly with certification and review workflows. |
| NIST Zero Trust (SP 800-207) | | Certification helps enforce least privilege as part of continuous trust verification. |
Map certifications to access governance controls and track revocation completion as a security metric.
Key terms
- Access Certification: A formal attestation process that confirms whether a user’s entitlements are still justified. It creates audit evidence while forcing a governance decision on whether access should remain, be narrowed, or be removed. In practice, it is the bridge between access visibility and least-privilege enforcement.
- Recertification: A repeat access validation triggered by an event such as a role change, department move, or onboarding update. It is designed to catch privilege drift earlier than a fixed review cycle. In identity governance, recertification is most effective when it is tied to lifecycle events rather than calendar dates alone.
- Entitlement Normalisation: The process of translating access data from different systems into one consistent model so reviewers can compare access accurately. Without normalisation, directory groups, cloud roles, and SaaS permissions do not line up cleanly, and certification decisions become inconsistent, slow, and difficult to audit.
- Zero Standing Privilege: An access model in which privileged rights are not left permanently active. Privilege is provisioned only when needed and removed when the task is complete. For identity governance, this reduces the exposure window created by standing administrative access and supports tighter certification outcomes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SecurEnds: Access certification is the control gap behind access sprawl. Read the original.
Published by the NHIMG editorial team on 2025-11-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org