TL;DR: Quarterly access reviews are losing effectiveness as enterprises shift to service accounts, cloud principals, OAuth tokens, and AI agent identities that change faster than review cycles can track, according to Hydden. Static attestation cannot govern runtime behaviour, so identity programmes now need continuous validation, dependency mapping, and ownership derived from observed activity.
At a glance
What this is: This is an analysis of why quarterly access reviews are no longer sufficient for modern identity governance, especially where non-human identities dominate the privileged estate.
Why it matters: It matters because IAM, IGA, PAM, and security teams need governance that tracks real identity behaviour across humans, workloads, and AI-driven identities instead of relying on stale certification records.
👉 Read Hydden's analysis of why continuous validation is replacing quarterly access reviews
Context
Identity governance breaks down when the programme assumes access stays stable long enough to be reviewed. The article argues that this assumption no longer holds for non-human identities, which are created dynamically, change with deployments, and often outlive the workflows that created them.
For IAM and IGA teams, the problem is not review frequency alone. It is that service accounts, cloud principals, OAuth tokens, and AI agent identities are increasingly governed from static records that do not reflect what those identities are actually doing in production.
Key questions
Q: What breaks when quarterly access reviews are used for non-human identities?
A: Quarterly access reviews break when applied to non-human identities because the control assumes stable identities, known ownership, and slow entitlement change. Service accounts, workload identities, and ephemeral tokens can be created outside formal workflows and change faster than the certification cycle, so the review documents history rather than governing live access.
Q: Why do non-human identities complicate access governance more than human accounts?
A: Non-human identities complicate access governance because their purpose, ownership, and usage are often derived from runtime behaviour rather than a source system like HR. That means static records rarely answer whether the identity is still needed, what depends on it, or how much damage it could do if compromised.
Q: How can security teams know if access reviews are actually working?
A: Access reviews are working only if they change live identity risk, not just close tickets. Teams should measure whether they can identify current owners, map dependencies, detect unused credentials, and revoke access without breaking production services. If those answers still require log reconstruction, the programme is retrospective, not governed.
Q: Who should own non-human identity governance when no business owner is recorded?
A: Ownership should be assigned from operational evidence, not left blank because a provisioning workflow never captured it. The accountable owner is usually the service, application, or platform team that depends on the identity in production. If no team can answer usage and breakage questions, the identity is already outside effective governance.
Technical breakdown
Why quarterly access reviews fail for non-human identities
Quarterly access reviews were designed for human lifecycle governance, where identities are persistent, ownership is known, and entitlements can be certified against an organisational role. Non-human identities operate differently. Service accounts, cloud service principals, and ephemeral tokens can be created outside formal provisioning, change with deployments, and expire before the next certification cycle. That means the review process is looking at a historical snapshot, not the active trust relationship. The result is governance theatre, not control. Practical implication: if the identity estate changes faster than the review cadence, the programme is certifying stale state.
Runtime identity context versus static entitlement records
The article draws a sharp line between what a governance platform records and what an identity is doing right now. Static entitlement data can say what access was provisioned, but it cannot answer whether the identity is still in use, what depends on it, or what would break if it were removed. Those questions require behavioural telemetry, dependency mapping, and ownership inferred from runtime context. In other words, identity governance becomes an observation problem before it becomes a certification problem. Practical implication: governance tooling has to ingest behavioural evidence, not just authoritative records.
Continuous validation and the data layer for identity governance
Replacing periodic attestation with continuous validation is fundamentally a data infrastructure change. It requires a current model of the estate that maps every identity, credential, and dependency to an operational purpose and an accountable owner, even when no explicit owner exists in a source system. Legacy IGA and SIEM platforms can analyse events, but they do not maintain that living model by default. Continuous validation closes the gap between discovery, ownership, and action. Practical implication: the control objective shifts from periodic review completion to current-state identity knowledge.
NHI Mgmt Group analysis
Quarterly access review is the wrong control for a majority-NHI estate. The article's central point is that review cadence cannot keep pace with identities that are created dynamically, authenticate with secrets, and change faster than the certification cycle. That means the control is being applied to a population it was never designed to govern. The implication is that governance teams should stop treating certification completion as evidence of control maturity.
Ownership derived from HR or provisioning workflows is no longer a reliable governance premise. That assumption was designed for human identities and formal source systems, but it fails when service accounts, cloud principals, and agent identities are created outside those workflows. The identity exists in production behaviour, not in the source record. The implication is that identity ownership must be inferred from runtime context when no authoritative owner exists.
Continuous validation is a data-model problem before it is an operational process. The article is right to frame this as infrastructure, because a platform cannot validate what it cannot currently see. If the estate is only reconstructable after the fact, governance becomes retrospective evidence gathering rather than live control. The implication is that identity programmes need a current-state inventory that includes behaviour, dependency, and purpose.
The legacy access review model: the governance model itself has become the risk. The article captures a broader industry shift from periodic attestation to behavioural governance, and that shift applies across human, NHI, and AI-adjacent identities wherever runtime state matters more than provisioning history. The implication is that practitioners should re-evaluate which controls are actually governing active access versus merely documenting it.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That visibility gap matters because governance cannot certify what it cannot continuously observe, and 47% of organisations report only partial visibility into those connections.
- For a broader governance baseline, see NHI Lifecycle Management Guide for lifecycle controls that move beyond periodic review.
What this signals
The legacy access review model: the practical shift is from certifying entitlements to validating live identity behaviour, which will force many programmes to reclassify what counts as governance evidence. The organisations that keep relying on review completion as a success metric will keep producing paperwork while their operational risk remains unchanged.
Where cloud service principals and ephemeral tokens dominate, the next maturity step is not more review forms but a current-state identity model that connects ownership, dependency, and use. That is why the control conversation is moving toward continuous validation and why static attestation is becoming a backstop rather than a governing mechanism.
The programme implication is straightforward: if you cannot tell what an identity is doing right now, you are not governing it. Teams should align identity controls with the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10, because the issue is not just lifecycle handling but whether the estate is observable enough to defend.
For practitioners
- Replace certification-only coverage with runtime validation: Identify which identities are still governed only through quarterly or annual attestation, then map the telemetry needed to confirm current use, dependency, and behavioural drift before the next review cycle closes.
- Build ownership from behaviour when no source owner exists: For service accounts, cloud principals, and ephemeral tokens created outside formal workflows, derive accountable ownership from application and dependency evidence instead of leaving blank stewardship fields.
- Separate governance records from operational truth: Treat entitlement registers as historical records and create a live identity data layer that tracks authentication activity, calling systems, and change events so review decisions are based on current state.
- Prioritise identities that can outlive the review cycle: Target the identities most likely to evade quarterly review, including short-lived deployment credentials, workload identities, and AI agent service principals that can change between syncs.
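The four practitioner steps above, together with the "runtime context versus static entitlement records" and "continuous validation data layer" sections, describe one procedure: join a static entitlement register to observed authentication activity, infer ownership and dependencies from the calling systems, and flag identities the register cannot vouch for. The script below is an added worked example of that join, written for this post; it is not Hydden's or NHIMG's code and models no specific product. Every identity name, caller, team and log line is constructed, and the log format ("timestamp identity caller outcome") and the caller-to-team map are assumptions standing in for whatever an audit pipeline and CMDB would actually provide.

```python
"""Continuous validation of a static entitlement register against runtime telemetry.

Constructed example: the register, audit log and caller-to-team map are invented
stand-ins for an IGA export, an authentication audit feed and a CMDB lookup.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed IGA-style register: what was provisioned and certified, and by whom.
# svc-legacy-etl was certified with an empty owner field, as often happens for
# identities created outside a provisioning workflow.
ENTITLEMENT_REGISTER = {
    "svc-billing-db": {"owner": "finance-platform", "certified_on": "2026-01-15",
                       "entitlements": ["db:billing:rw"]},
    "svc-legacy-etl": {"owner": None, "certified_on": "2026-01-15",
                       "entitlements": ["s3:exports:r", "db:billing:r"]},
    "sp-ci-deploy": {"owner": "platform-eng", "certified_on": "2026-01-15",
                     "entitlements": ["k8s:deploy:prod"]},
}

# Constructed runtime telemetry, one authentication event per line.
# agent-support-bot appears here but was never entered in the register.
AUDIT_LOG = """\
2026-03-01T08:00:00Z svc-billing-db billing-api success
2026-03-02T08:05:00Z svc-billing-db billing-api success
2026-03-03T09:10:00Z svc-billing-db invoice-worker success
2026-03-20T01:00:00Z sp-ci-deploy github-actions success
2026-03-21T01:00:00Z sp-ci-deploy github-actions success
2026-03-22T02:30:00Z agent-support-bot support-orchestrator success
2026-03-25T02:30:00Z agent-support-bot support-orchestrator success
2026-03-26T11:00:00Z sp-ci-deploy unknown-host failure
"""

# Constructed CMDB-style lookup: which team operates each calling system.
CALLER_TEAM = {
    "billing-api": "finance-platform",
    "invoice-worker": "finance-platform",
    "github-actions": "platform-eng",
    "support-orchestrator": "customer-ops",
}


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed audit format into (timestamp, identity, caller, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, caller, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, identity, caller, outcome))
    return events


@dataclass
class IdentityState:
    """Current-state view of one identity, built only from observed behaviour."""
    name: str
    last_seen: datetime | None = None
    callers: Counter = field(default_factory=Counter)         # successful auths per caller
    failed_callers: Counter = field(default_factory=Counter)  # failed auths per caller

    def inferred_owner(self) -> str | None:
        """Behavioural ownership: the team behind the most frequent successful caller."""
        if not self.callers:
            return None
        top_caller, _ = self.callers.most_common(1)[0]
        return CALLER_TEAM.get(top_caller)


def build_inventory(events) -> dict[str, IdentityState]:
    """Fold the event stream into a live inventory keyed by identity name."""
    inventory: dict[str, IdentityState] = {}
    for when, identity, caller, outcome in events:
        state = inventory.setdefault(identity, IdentityState(identity))
        if outcome == "success":
            state.callers[caller] += 1
            if state.last_seen is None or when > state.last_seen:
                state.last_seen = when
        else:
            state.failed_callers[caller] += 1
    return inventory


def validate(inventory: dict[str, IdentityState], register: dict) -> dict[str, dict]:
    """Join register and inventory; every identity seen in either source gets a verdict."""
    report = {}
    for name in sorted(set(inventory) | set(register)):
        state = inventory.get(name, IdentityState(name))
        record = register.get(name)
        observed_owner = state.inferred_owner()
        findings = []
        if record is None:
            findings.append("NOT_IN_REGISTER")            # governed by nobody's review
        else:
            certified = datetime.fromisoformat(record["certified_on"]).replace(tzinfo=timezone.utc)
            if state.last_seen is None or state.last_seen < certified:
                findings.append("UNUSED_SINCE_CERTIFICATION")  # the review certified stale state
            if record["owner"] is None and observed_owner is None:
                findings.append("NO_OWNER_RECORDED_OR_OBSERVED")
            elif record["owner"] and observed_owner and record["owner"] != observed_owner:
                findings.append("OWNER_MISMATCH")
        if any(c not in CALLER_TEAM for c in state.failed_callers):
            findings.append("FAILED_AUTH_FROM_UNKNOWN_CALLER")  # drift worth a look by the owner
        register_owner = record["owner"] if record else None
        report[name] = {
            "owner": register_owner or observed_owner,
            "owner_source": "register" if register_owner else ("observed" if observed_owner else None),
            "dependencies": sorted(state.callers),  # calling systems that would break on revocation
            "last_seen": state.last_seen.isoformat() if state.last_seen else None,
            "findings": findings,
        }
    return report


def revocation_candidates(report: dict[str, dict]) -> list[str]:
    """Identities unused since certification with no observed dependency: safe to revoke first."""
    return [n for n, r in report.items()
            if "UNUSED_SINCE_CERTIFICATION" in r["findings"] and not r["dependencies"]]


if __name__ == "__main__":
    result = validate(build_inventory(parse_log(AUDIT_LOG)), ENTITLEMENT_REGISTER)
    print(json.dumps(result, indent=2))
    print("revoke first:", revocation_candidates(result))
```

Run as-is and the report shows the four situations the post describes: a certified identity whose behaviour confirms its recorded owner and lists its dependencies (svc-billing-db); a certified identity with no observed use and no owner anywhere, which is the revocation candidate (svc-legacy-etl); an identity that exists only in telemetry, with ownership inferred from its caller (agent-support-bot); and a correctly governed identity showing a failed authentication from a caller the CMDB does not know (sp-ci-deploy). The design point is that the verdict comes from the join, not from either source alone: the register by itself would have marked all three of its entries as reviewed.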
Key takeaways
- Quarterly access reviews are increasingly a documentation exercise when non-human identities change faster than certification cycles.
- The scale problem is structural, because service accounts, cloud principals, OAuth tokens, and AI agent identities now make up much of the privileged estate.
- Practitioners need continuous validation, behavioural ownership, and live dependency mapping if they want governance to reflect production reality.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on review and rotation failures across NHI estates. |
| NIST CSF 2.0 | PR.AA-01 | Identity management depends on knowing which entities exist and how they behave. |
| NIST Zero Trust (SP 800-207) | ID | Zero Trust depends on continuous evaluation, not periodic snapshots. |
Build a current identity inventory and link it to observable behaviour before relying on attestations.
Key terms
- Non-Human Identity: A non-human identity is any machine or software identity used to authenticate to systems, such as service accounts, API keys, tokens, certificates, workload identities, or AI agent credentials. These identities often lack the human lifecycle anchors that make quarterly review and ownership straightforward.
- Continuous Validation: Continuous validation is a governance approach that checks identity state using live behavioural evidence instead of waiting for periodic certification. It relies on runtime context, dependency mapping, and current ownership so access decisions reflect what the identity is doing now, not what it was allowed to do earlier.
- Identity Dependency Mapping: Identity dependency mapping is the practice of identifying which services, applications, and workflows rely on a given identity. It matters because revocation decisions cannot be safely made from static entitlements alone when the true blast radius is defined by production dependencies and runtime use.
- Behavioural Ownership: Behavioural ownership is accountable ownership inferred from how an identity is used in production when no authoritative owner exists in a source system. It links stewardship to the team that depends on the identity operationally, which is often the only workable model for service-created and ephemeral identities.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: Continuous validation is replacing quarterly access reviews for NHI. Read the original.
Published by the NHIMG editorial team on 2026-04-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org