By NHI Mgmt Group Editorial Team
Published 2025-08-21
Domain: Governance & Risk
Source: StrongDM

TL;DR: Access certification formalizes who should keep access, who should lose it, and how teams prove least privilege across users, roles, and systems, according to StrongDM. The governance value is real, but manual review cadences, stale inventories, and weak visibility still leave too much room for privilege creep and audit theatre.


At a glance

What this is: Access certification is a periodic access validation process designed to keep users, roles, and systems aligned to least privilege.

Why it matters: It matters because IAM teams need evidence-driven ways to remove stale access, satisfy auditors, and govern privileged and non-human identities with the same discipline.



Context

Access certification is a formal review process for deciding whether an identity should keep its existing permissions. In practice, it is the control many programmes use to prove least privilege, but it only works when the inventory behind the review is current and complete.

For IAM teams, the hard part is not the review itself. It is maintaining enough visibility across humans, service accounts, and privileged systems to make the review meaningful rather than ceremonial. That is where access certification overlaps with NHI governance, PAM, and lifecycle management.


Key questions

Q: How should security teams run access certification for privileged accounts?

A: Start with a complete inventory of privileged entitlements, then review each account against current business need, task scope, and ownership. Require an explicit decision to renew, reduce, or revoke access, and make revocation automatic when approval is absent. The review only works when the entitlement data is current and the remediation path is immediate.

Q: Why do access certification programmes fail in complex environments?

A: They fail when reviewers cannot see the full access picture across cloud platforms, databases, and service accounts. In that situation, certification becomes a partial audit of incomplete data, so stale access survives the process. The biggest signal of failure is a review cycle that completes on time while privilege creep continues underneath it.

Q: How do organisations know if access certification is actually working?

A: Look for shrinking numbers of standing privileges, faster revocation after review decisions, and fewer orphaned or overprivileged accounts over time. If campaigns finish but access sprawl remains unchanged, the programme is producing documentation rather than governance. Working certification changes the entitlement baseline, not just the audit record.

Q: What is the difference between access certification and access review?

A: Access certification is the formal, periodic process used to validate and renew access with documented evidence. Access review is often looser and may be triggered by events or internal checks without the same governance rigor. Certification is the stronger control when an organisation needs audit-ready proof that access decisions were made deliberately and recorded.


Technical breakdown

How access certification works as a governance cycle

Access certification is a repeatable governance cycle with four core stages: initiate the review, define scope, evaluate current entitlements, and remediate what no longer fits policy. The process can be periodic or event-driven, and it may be manual, automated, or hybrid. The control value comes from forcing explicit decisions about each entitlement, plus preserving timestamps, approvers, and outcomes for auditability. Where teams go wrong is treating the campaign as the control rather than the decision evidence it produces. Without a reliable source of truth for current access, the review becomes a paperwork exercise instead of a real least-privilege check.

Practical implication: build certification campaigns from a trusted entitlement inventory, not from spreadsheets or stale exports.

Why access visibility determines certification quality

Access certification depends on knowing what access exists before anyone can judge whether it should remain. In distributed environments, that means pulling together data from cloud platforms, databases, privileged systems, and connected services so reviewers can see the full access path. When visibility is incomplete, reviewers approve access they cannot actually assess, which weakens both risk reduction and compliance evidence. The article’s emphasis on centralised visibility is really a statement about control integrity: you cannot certify what you cannot see. This is especially true where access is fragmented across VPNs, jump hosts, and multiple admin planes.

Practical implication: prioritise centralised access visibility before expanding certification scope.

How JIT access changes the certification model

Just-in-time access shifts access certification away from long-lived entitlements and toward time-bounded privilege. Instead of approving standing access and later trying to clean it up, the governance model grants access only when required and removes it when the task ends. That changes the certification burden because reviewers focus on whether the default entitlement should exist at all, not just whether it is being used responsibly. JIT works best when paired with live logs and rapid revocation, because the review process then reinforces the shorter access lifecycle. It does not eliminate the need for certification, but it narrows the window where stale privilege can accumulate.

Practical implication: use JIT to reduce standing privilege, then certify the exceptions that still need persistent access.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access certification is really a control over privilege persistence, not a review ritual. The article frames certification as a formal way to validate whether access should continue, but the deeper governance issue is whether an organisation can prove that access has a legitimate lifecycle at all. In NHI and human IAM alike, stale access becomes a standing risk when no one can reliably confirm when it should end. Practitioners should treat certification as evidence of privilege expiration discipline, not as a calendar exercise.

Visibility gaps are the real certification failure mode. The article correctly points to distributed environments, siloed teams, and incomplete inventories as obstacles, and that is the heart of the problem. Access reviews fail when the programme cannot assemble a complete entitlement picture across databases, cloud, and privileged infrastructure. In framework terms, this is a NIST CSF and zero-trust issue as much as an access-review issue. Practitioners should judge certification quality by coverage of the entitlement graph, not by campaign completion rates.

Short-lived access should shrink the certification surface, but it does not remove governance responsibility. The article’s JIT emphasis is directionally correct because ephemeral access reduces the number of standing privileges that need periodic recertification. But if teams keep large pools of exception access, JIT simply becomes a side path around weak governance rather than a replacement for it. The implication is that certification programmes must distinguish between durable access, task-scoped access, and privileged exceptions. Practitioners should use JIT to compress exposure, then govern the remaining standing access more aggressively.

Privilege creep control: access certification is the operating discipline that keeps entitlement growth from outpacing business need. Once access decisions are dispersed across managers, app owners, and compliance teams, creep returns unless the programme has clear ownership, review cadence, and revocation authority. The article’s best-practice list points in that direction, but the field-level lesson is broader: certification only works when it is connected to lifecycle offboarding and remediation, not when it sits beside them. Practitioners should treat certification as the checkpoint in a larger entitlement lifecycle, not the lifecycle itself.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • That gap matters because 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.

What this signals

With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, the certification problem is no longer limited to human access reviews. Teams need a programme that can distinguish between enduring entitlement, ephemeral privilege, and machine-run access paths before the next governance cycle starts.

Privilege lifecycle compression: the more access is granted on demand, the more certification shifts from periodic approval to continuous entitlement hygiene. That means IAM, PAM, and NHI controls have to converge around revocation speed, ownership clarity, and complete visibility across the access graph.

The practical signal for readers is straightforward: if your certification workflow cannot explain why an identity still has access, it is already too late in the lifecycle. Access review maturity now depends on whether the programme can prove necessity, not just record a decision.


For practitioners

  • Inventory all live entitlements before the next review cycle: build the certification scope from a centralised view of cloud, database, privileged, and service account access so reviewers are judging actual entitlements, not stale exports.
  • Separate standing access from task-scoped access: classify privileges into durable, temporary, and exceptional access so the campaign can focus on removing persistent entitlements instead of rubber-stamping short-lived ones.
  • Tie certification outcomes directly to revocation workflows: make every denied or unrenewed entitlement trigger automatic removal, ticket closure, and audit logging so review decisions actually change access state.
  • Use JIT to reduce the review burden on privileged access: require time-bounded privilege for admin work, then certify only the exceptions that still need standing access for operational continuity or compliance reasons.
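As an added illustration of the four-stage campaign cycle described in the technical breakdown and of the practitioner steps just listed (example code written for this page, not StrongDM's or NHI Mgmt Group's own tooling): a minimal Python certification run over a constructed inventory, in which a missing approval or a missing owner means revocation, task-scoped (JIT) grants are left out of the periodic cycle, and every outcome keeps reviewer, timestamp and reason as audit evidence. The identities, resources, entitlement kinds and decision vocabulary are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Entitlement:
    identity: str          # human user or non-human identity (service account, agent)
    resource: str
    kind: str              # "durable", "task-scoped" (JIT grant) or "exception"
    owner: "str | None"    # None = orphaned: nobody can attest to business need

@dataclass
class Outcome:             # the decision evidence a campaign must preserve for audit
    identity: str
    resource: str
    decision: str          # "renew", "reduce" or "revoke"
    reviewer: str
    reviewed_at: str
    reason: str

def run_campaign(inventory, decisions, reviewer, now):
    """decisions maps (identity, resource) -> decision; no explicit approval means revoke."""
    outcomes = []
    for e in inventory:
        if e.kind == "task-scoped":
            continue  # JIT grants expire with the task; they are not re-certified per cycle
        d = decisions.get((e.identity, e.resource))
        if e.owner is None:
            decision, reason = "revoke", "orphaned: no owner to attest business need"
        elif d is None:
            decision, reason = "revoke", "no explicit renewal recorded by reviewer"
        else:
            decision, reason = d, "explicit reviewer decision"
        outcomes.append(Outcome(e.identity, e.resource, decision, reviewer, now.isoformat(), reason))
    return outcomes

def remediate(inventory, outcomes):  # apply outcomes immediately: revoked access leaves the inventory
    revoked = {(o.identity, o.resource) for o in outcomes if o.decision == "revoke"}
    return [e for e in inventory if (e.identity, e.resource) not in revoked]

def standing_privilege_count(inventory):  # non-JIT entitlements: the number that should shrink each cycle
    return sum(1 for e in inventory if e.kind != "task-scoped")

NOW = datetime(2025, 8, 21, tzinfo=timezone.utc)
INVENTORY = [  # constructed sample inventory, not real data
    Entitlement("alice", "prod-db:admin", "durable", "dba-lead"),
    Entitlement("ci-deploy-svc", "k8s:cluster-admin", "exception", "platform-team"),
    Entitlement("legacy-etl-svc", "s3:reports-rw", "durable", None),
    Entitlement("bob", "jump-host:root", "task-scoped", "secops"),
]
DECISIONS = {("alice", "prod-db:admin"): "renew"}  # ci-deploy-svc was never decided on
```

Running `remediate(INVENTORY, run_campaign(INVENTORY, DECISIONS, "iam-reviewer", NOW))` leaves only alice's renewed access and bob's JIT grant, so the standing-privilege count drops from 3 to 1.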

Key takeaways

  • Access certification is the governance mechanism that turns least privilege into an auditable process rather than a policy statement.
  • The main failure mode is incomplete visibility, because reviewers cannot certify access they cannot fully see.
  • Teams should connect certification to immediate revocation, lifecycle offboarding, and JIT access so review outcomes actually reduce privilege.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access certification is an access-management control tied to least privilege and entitlement review.
NIST Zero Trust (SP 800-207) | (no specific control listed) | Zero trust depends on continuous verification and minimal standing access.
OWASP Non-Human Identity Top 10 | NHI-03 | The article's JIT and stale-access themes map directly to NHI privilege and rotation concerns.

Review non-human privileges on a fixed cadence and remove entitlements that no longer have task justification.


Key terms

  • Access Certification: A formal process for validating whether an identity should keep its existing permissions. It is used to prove least privilege, document approval decisions, and remove access that no longer has a business purpose. In mature programmes, it becomes a lifecycle control, not just an audit activity.
  • Just-In-Time Access: A privilege model that grants access only when it is needed and removes it when the task ends. It reduces standing privilege and narrows exposure windows, but it still requires strong ownership, logging, and revocation to keep the access lifecycle under control.
  • Privilege Creep: The gradual accumulation of access that no longer matches the current job, task, or system need. It often appears when permissions are granted faster than they are reviewed or revoked. For human and non-human identities alike, it is one of the clearest signs that governance is lagging the environment.
  • Standing Privilege: Access that remains active by default rather than being provisioned only when required. It creates a persistent attack and misuse window because the entitlement exists even when the identity is idle. Reducing standing privilege is central to least privilege, PAM, and NHI governance.

Deepen your knowledge

Access certification, least privilege, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your organisation is trying to bring human, service account, and privileged access under one governance model, it is worth exploring.

This post draws on content published by StrongDM: What Is Access Certification? Process, Benefits & Best Practices. Read the original.
