TL;DR: Audit frameworks generally require defensible oversight, separation of duties, and evidence that access decisions are reviewed consistently, but they do not prescribe quarterly certifications or fixed governance cycles, according to OpenIAM. The real test is whether identity governance reduces exposure, not just whether it produces audit-ready documentation.
At a glance
What this is: This is an analysis of what audit frameworks actually require from identity governance, with the key finding that most standards demand defensible oversight rather than a specific certification cadence.
Why it matters: It matters because IAM, IGA, PAM, NHI, and human access programmes can pass audits while still leaving high-risk access in place if they optimise for evidence production instead of exposure reduction.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 68% of organisations do not know how to fully address NHI risks.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read OpenIAM's analysis of what audit frameworks require from identity governance
Context
Audit frameworks in identity governance are about proving that oversight exists, not about mandating a single operating model. For regulated enterprises, the key question is whether governance controls produce defensible evidence while also changing the underlying access exposure.
That distinction matters for both human access programmes and non-human identities. A team can run regular certifications, retain clean records, and still leave service accounts, API keys, or privileged entitlements largely untouched if the programme is built around audit artefacts rather than reduction of risk.
Key questions
A: Start with the controls the framework actually expects: oversight, accountability, and traceable access decisions. Then add programme metrics that show whether entitlement exposure is shrinking. If reviews produce clean evidence but do not revoke access, the organisation is audit-ready but still overexposed.
Q: Why do access review campaigns often fail to reduce real identity risk?
A: Because they are usually measured by completion, not by the number of privileges removed or accounts retired. A campaign can satisfy auditors while leaving stale access, dormant entitlements, and machine identities untouched. Risk falls only when reviews trigger change, not when they generate records.
Q: What do teams get wrong about audit requirements for identity governance?
A: They often assume that a framework's expectation for oversight also implies a fixed operating cadence, such as quarterly certifications. In practice, the framework usually cares about consistent control and evidence, while the review schedule is an implementation choice that should match risk and identity type.
Q: Who is accountable when governance passes audit but access exposure stays high?
A: Accountability sits with the identity, security, and compliance owners who defined success as documentation rather than exposure reduction. Frameworks usually require defensible oversight, but they do not prevent a team from optimising for evidence volume instead of privilege removal.
Technical breakdown
What audit frameworks actually require from identity governance
Most audit frameworks focus on oversight, accountability, segregation of duties, and evidence that access decisions are reviewed consistently. They generally do not prescribe a specific mechanism such as quarterly certification campaigns or identical review cycles for every system. In practice, auditors want to know that access is controlled, that approvals are traceable, and that the organisation can demonstrate that governance processes operate reliably over time. That leaves room for different operating models, but it also creates a common mistake: treating one evidence pattern as if it were the regulatory requirement itself.
Practical implication: map controls to oversight outcomes first, then choose the operating cadence that best proves them.
Audit validation vs exposure reduction in access governance
Audit validation and exposure reduction are related but not the same. Validation shows that controls exist, reviews happened, and records are available for inspection. Exposure reduction asks whether unnecessary or high-risk access actually declined. A governance programme can satisfy the first condition while doing little for the second if it optimises for completion metrics, attestation logs, and archive depth. That is why completion rates alone are a weak signal of maturity: they measure process execution, not the state of the entitlement landscape.
Practical implication: measure entitlement reduction, privilege scope, and exception decay alongside audit completion.
Why certification campaigns can distort identity governance
Certification campaigns often become the centre of gravity in regulated environments because they create visible, auditable output. The problem is that visibility can mask stasis. Large review cycles may document who looked at what, but they do not automatically remove stale access, revoke dormant machine credentials, or shrink privilege sprawl. Over time, the governance programme can start to serve the audit calendar instead of the access model. That is especially risky where non-human identities outnumber people and change faster than periodic review cycles can capture.
Practical implication: use reviews to drive revocation and re-scoping, not as an end state.
Threat narrative
Attacker objective: The objective is to exploit persistent access that survives governance ceremonies, preserving opportunities for unauthorised use, lateral movement, or privilege abuse.
- Entry occurs when access oversight is treated as evidence production rather than a control over privilege drift, allowing risky entitlements to persist unnoticed.
- Escalation happens as certification campaigns and review cycles accumulate documentation without materially changing who or what retains access.
- Impact is continued exposure, where high-risk accounts and credentials remain available even though the organisation can show audit completion and clean records.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Audit frameworks require defensible oversight, not a specific certification ritual. The article gets the core distinction right: frameworks care about whether access is monitored, segregation of duties is enforced, and evidence can be produced consistently. They do not generally dictate quarterly reviews or universal entitlement certification as the only acceptable model. Practitioners should therefore treat cadence as a design choice, not a regulatory command.
Audit-driven governance becomes a failure mode when completion becomes the success metric. A programme can generate strong evidence archives while leaving high-risk access untouched, which means the control is validating itself rather than shrinking exposure. This is a classic IGA trap: process visibility replaces risk visibility. The implication is that boards and auditors may see control maturity where the access model is still deteriorating.
Identity governance must be measured by exposure contraction, not by paperwork volume. Documentation proves that a review happened, but it does not prove that standing privilege fell, dormant accounts were removed, or machine access was re-scoped. For NHI-heavy environments, this matters even more because service accounts, API keys, and tokens rarely fit human review rhythms. Practitioners should re-rank governance metrics around entitlement reduction and exception clearance.
Governance assumptions built for human-paced access reviews do not automatically fit non-human identities. Access review cadences were designed for systems where privilege changes slowly enough to inspect. That assumption fails when service accounts, tokens, and workloads proliferate faster than quarterly attestation can track. The implication is that identity programmes must distinguish audit evidence from actual control over machine access.
Certification campaign gravity: The real organisational risk is not that reviews are absent, but that reviews become the organisation's proxy for security. Once that happens, the programme can satisfy compliance while preserving excess access, especially in environments with weak visibility into service accounts. Practitioners should treat the reduction of unused or excessive privilege as the governance outcome that matters.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs , Key Challenges and Risks.
- Only 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- The broader lifecycle problem is covered in NHI Lifecycle Management Guide, which helps teams move from review activity to revocation and rotation discipline.
What this signals
Documentation-heavy governance will continue to underperform wherever service account visibility remains low. When only 5.7% of organisations can see their service accounts clearly, audit evidence can become a comfort blanket rather than a control signal. Teams should expect increasing pressure to prove exposure reduction, not just review completion, especially where machine identities outnumber human identities by large multiples.
Identity governance programmes need a clearer boundary between compliance artefacts and security outcomes. The next maturity step is not a bigger certification campaign, but a better feedback loop between access review, revocation, and entitlement hygiene. Teams that cannot connect those steps will keep passing inspections while preserving the same risk shape.
Exposure-led governance is the more durable operating model for mixed identity estates. A programme that covers humans, NHIs, and privileged access through the same evidence-first lens will miss the different decay rates of each actor type. Practitioners should align their governance model with NIST Cybersecurity Framework 2.0 functions and use 52 NHI Breaches Analysis to test whether controls actually change outcomes.
For practitioners
- Separate audit evidence from control outcomes Track review completion, but also measure how many entitlements were revoked, re-scoped, or retired after each cycle. Build reporting that shows whether access exposure declines, not just whether attestations closed on time.
- Rework certification scope around risk, not volume Prioritise high-risk systems, privileged roles, third-party access, and non-human identities that change faster than human review cycles. Avoid forcing low-risk, low-change access into the same review rhythm as critical entitlements.
- Align governance metrics to exposure reduction Add metrics for privilege creep, dormant access, exception age, and service account visibility. If those measures do not improve, the programme is producing audit artefacts without materially improving identity security.
- Apply lifecycle controls to machine identities Make offboarding, revocation, and rotation part of the same governance model used for access reviews. For NHI programmes, lifecycle controls should prove that access cannot outlive its business need.
Key takeaways
- Audit frameworks usually require defensible oversight, not a single mandated certification cadence.
- A governance programme can pass audit while leaving excessive access in place if it measures completion more than exposure reduction.
- For mixed human and non-human estates, entitlement shrinkage and lifecycle enforcement are better indicators of governance maturity than documentation volume.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access control governance underpins the article's oversight requirement. |
| NIST CSF 2.0 | PR.AC-4 | Segregation of duties and access approval are central to audit expectations. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI lifecycle gaps amplify the article's exposure-reduction problem. |
Tie reviews to NHI revocation, rotation, and offboarding so access does not outlive need.
Key terms
- Audit Validation: Audit validation is the process of proving that governance controls exist and operate consistently enough to satisfy external review. It focuses on evidence, traceability, and repeatability. In identity programmes, validation does not automatically mean risk has fallen, only that the organisation can demonstrate oversight.
- Exposure Reduction: Exposure reduction is the measurable decline in unnecessary, excessive, or stale access over time. It is the security outcome identity governance should create, not just document. In practice, it is shown by fewer standing privileges, fewer dormant entitlements, and faster removal of access that no longer has a business need.
- Certification Campaign: A certification campaign is a scheduled review cycle in which access owners attest to the correctness of entitlements. It is common in IGA programmes because it creates auditable evidence. The limitation is that completion alone does not prove access has been reduced, especially where machine identities change quickly.
- Defensible Oversight: Defensible oversight means an organisation can show how access decisions are monitored, approved, challenged, and recorded in a way that stands up to audit. It is a governance requirement across human and non-human identities. It does not require one specific review cadence, but it does require consistent accountability.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- Examples of how regulated organisations structure certification workflows for audit evidence.
- The specific governance artefacts auditors expect to see when reviewing access decisions.
- How documentation retention supports examination readiness in practice.
- The article's own framing of compliance versus exposure reduction for identity programmes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org