By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: Annual or quarterly access certifications often arrive too late to spot risky entitlements, encourage rubber-stamping, and leave too many revocations undone, according to SailPoint. A proactive model that combines analytics, context, and automation shifts identity security from retrospective compliance to faster, more informed access decisions.


At a glance

What this is: This blog argues that traditional certification campaigns are too backward-looking to manage identity risk effectively and that proactive analytics plus automation improve access decisions.

Why it matters: It matters because IAM, IGA, and PAM teams need faster risk detection and cleaner revocation paths across human, NHI, and machine-driven access programmes.

By the numbers:

👉 Read SailPoint's analysis of proactive identity security and access decisions


Context

Identity security breaks down when access review becomes a retrospective compliance exercise instead of a current risk control. Annual or quarterly certifications can confirm what was approved in the past, but they often miss whether entitlements are already anomalous, over-broad, or no longer justified.

That gap matters across human identity, NHI, and lifecycle governance because the same failure pattern repeats: reviews happen too slowly, managers lack context, and revocations lag behind exposure. Proactive identity security tries to shorten that decision loop by turning access data into signals that support timely remediation rather than after-the-fact attestation.


Key questions

Q: How should security teams reduce access risk without relying on annual certifications?

A: Use continuous identity analytics, context-rich review workflows, and automated remediation for routine cases. Certifications still have value, but they should validate decisions that have already been prioritised by risk signals rather than acting as the only place risk is discovered. That approach reduces delay, improves decision quality, and makes revocation more timely.

Q: Why do access certifications often fail to improve real security outcomes?

A: They fail when the process measures completion instead of correction. If reviewers lack context, they tend to rubber-stamp access, and risky entitlements survive until the next cycle. The result is audit evidence without meaningful reduction in exposure, especially in fast-changing environments.

Q: How can organisations tell whether identity governance is actually working?

A: Look at whether risky access is identified early, whether approvers receive enough context to make defensible decisions, and whether revocation happens promptly after a risk is found. A governance programme that completes reviews on time but rarely removes risky entitlements is performing administratively, not operationally.

Q: When should automation be used in identity governance workflows?

A: Use automation when the decision is repetitive, threshold-driven, and well understood, such as notifying managers, initiating mini-reviews, or disabling clearly risky access. Keep humans focused on ambiguous cases that require business judgment. The goal is faster containment, not removing accountability from the process.


Technical breakdown

Why access certification campaigns miss live identity risk

Certification campaigns are periodic attestations, not continuous control points. They ask reviewers to validate access after it has already existed, which means the process is blind to changes between cycles, blind to context drift, and vulnerable to rubber-stamping when managers lack enough evidence to judge risk. In practice, this turns access governance into a snapshot exercise rather than a control that tracks entitlement behaviour over time. The core mechanism problem is not the absence of review, but the delay between entitlement creation, risk detection, and remediation.

Practical implication: Treat certification as one governance signal, not the primary detection method for risky access.

How identity analytics turns entitlements into decision support

Identity analytics uses attributes, roles, access history, and entitlement patterns to identify access outliers. The point is not simply to score users, but to surface why a person or account looks unusual relative to peers, job function, or historical behaviour. Contextual insights help managers separate legitimate exceptions from true risk by explaining the factors behind the anomaly. That changes access governance from a binary approve-or-deny task into a more evidence-based decision workflow.

Practical implication: Require context-rich anomaly evidence before approvers can certify or revoke access.

Why automation matters in identity remediation workflows

Automation closes the gap between identifying risky access and acting on it. When workflows can trigger from predefined thresholds, the organisation can route different responses such as manager notification, mini-certification, or access disablement without waiting for the next review cycle. This matters most when the same entitlement issue repeats across many identities or systems, because manual remediation creates delay and inconsistency. Automation does not replace governance judgment, but it makes governance operational at the speed of change.

Practical implication: Use workflow triggers for repetitive remediation so identity teams can focus on exceptions and policy design.
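The two mechanisms above, peer-relative outlier scoring with an explanation attached and threshold-driven routing to a remediation path, are shown together in the following added example. It is illustration written for this page, not SailPoint's or NHI Mgmt Group's code. The snapshot of identities and entitlements is constructed, and the peer-group definition (same department and job title), the rarity scoring, the double weighting of admin/write entitlements and the routing thresholds are all assumptions; a real programme would take these from its IGA data and policy.

```python
"""Peer-group entitlement outlier scoring with evidence and threshold routing.

Added example, not SailPoint's or NHI Mgmt Group's code. The peer-group
definition (same department and job title), the rarity scoring, the
sensitivity weighting and the routing thresholds are all assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed entitlement snapshot (hypothetical identities and entitlements).
# Each record: (identity, department, job_title, entitlements)
SNAPSHOT = [
    ("alice",       "finance", "analyst", {"erp.read", "erp.report"}),
    ("bob",         "finance", "analyst", {"erp.read", "erp.report"}),
    ("carol",       "finance", "analyst", {"erp.read", "erp.report", "erp.admin", "prod.db.write"}),
    ("dave",        "finance", "analyst", {"erp.read"}),
    ("svc-billing", "finance", "service", {"erp.read", "billing.api"}),
    ("svc-etl",     "finance", "service", {"erp.read", "billing.api", "iam.admin"}),
    ("erin",        "eng",     "sre",     {"prod.db.write", "k8s.admin"}),
    ("frank",       "eng",     "sre",     {"prod.db.write", "k8s.admin"}),
    ("heidi",       "eng",     "sre",     {"prod.db.write", "k8s.admin", "grafana.edit"}),
    ("grace",       "legal",   "counsel", {"contracts.read", "iam.admin"}),
]

# Assumed sensitivity weighting: admin/write-class entitlements count double.
SENSITIVE = {"erp.admin", "prod.db.write", "k8s.admin", "iam.admin"}
# An entitlement none of the peers hold contributes 1.0 (2.0 if sensitive).
# Assumed routing thresholds, most severe first.
ROUTES = (("disable_flagged_access", 3.0), ("mini_certification", 1.5), ("notify_manager", 0.5))
FLAG_SHARE = 0.5   # an entitlement is reported as unusual if under half of the peers hold it


@dataclass
class Finding:
    identity: str
    score: float | None                            # None when there is no peer group to compare against
    flagged: list = field(default_factory=list)    # (entitlement, share of peers holding it), rarest first
    action: str = "none"
    reason: str = ""                               # the evidence a reviewer sees alongside the score


def peers_of(identity, snapshot):
    """Peer group: other identities with the same department and job title."""
    me = next(r for r in snapshot if r[0] == identity)
    return [r for r in snapshot if r[0] != identity and r[1:3] == me[1:3]]


def score_identity(identity, snapshot):
    """Score how far an identity's entitlements deviate from its peers and
    attach the per-entitlement evidence behind that score."""
    ents = next(r for r in snapshot if r[0] == identity)[3]
    peers = peers_of(identity, snapshot)
    if not peers:
        # Failure mode: nothing to compare against. Never auto-act on a missing
        # signal; hand the identity to a human with an explicit reason.
        return Finding(identity, None, [], "mini_certification",
                       "no peer group; analytics cannot judge, human review required")
    score, flagged = 0.0, []
    for ent in sorted(ents):
        share = sum(ent in p[3] for p in peers) / len(peers)
        score += (1.0 - share) * (2.0 if ent in SENSITIVE else 1.0)
        if share < FLAG_SHARE:
            flagged.append((ent, round(share, 2)))
    flagged.sort(key=lambda pair: (pair[1], pair[0]))
    action = next((name for name, threshold in ROUTES if score >= threshold), "none")
    if flagged:
        evidence = ", ".join(f"{e} held by {s:.0%} of peers" for e, s in flagged)
        reason = f"score {score:.2f} against {len(peers)} peers; unusual: {evidence}"
    else:
        reason = f"score {score:.2f}; entitlements in line with {len(peers)} peers"
    return Finding(identity, round(score, 2), flagged, action, reason)


def triage(snapshot):
    """Score every identity and order findings by routing severity, then score."""
    rank = {name: i for i, (name, _) in enumerate(ROUTES)}
    rank["none"] = len(ROUTES)
    findings = [score_identity(r[0], snapshot) for r in snapshot]
    return sorted(findings, key=lambda f: (rank[f.action], -(f.score or 0.0)))


if __name__ == "__main__":
    for f in triage(SNAPSHOT):
        print(f"{f.identity:12} {f.action:24} {f.reason}")
```

Two design points matter more than the arithmetic. First, every finding carries the entitlements that drove the score and how many peers hold them, which is the context the text says managers lack when they rubber-stamp. Second, an identity with no peer group is not silently scored zero (which would look safe) and is not auto-disabled; it is routed to a mini-certification with the reason stated, because automation should only act where the signal is well understood.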


Threat narrative

Attacker objective: The attacker aims to exploit stale, excessive, or unjustified access before governance catches up.

  1. Entry occurs when risky entitlements accumulate without timely review, leaving access in place long after it should have been questioned.
  2. Escalation follows when managers rubber-stamp certifications, allowing unauthorized or overly broad access to persist across systems and roles.
  3. Impact is broader attack surface, delayed revocation, and non-compliance that may already have enabled identity-related breaches.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Backward-looking certification is a weak control when identity risk changes continuously. The article is right to challenge annual and quarterly review cycles because they measure historical approval, not present-day legitimacy. Access drift, role change, and entitlement sprawl all happen between certification windows, so the review process often confirms yesterday’s risk. The implication is that governance programmes must treat attestation as one input, not the primary control.

Identity outlier detection is the missing bridge between data and decision quality. Managers rarely rubber-stamp because they want to; they rubber-stamp because the review task lacks enough context to support a defensible decision. A score plus explanation changes the quality of the approval conversation by making risk visible in operational terms. That is where AI and analytics have real value in IAM: not replacing judgement, but sharpening it.

Automation is most valuable when it shortens the path from risk discovery to revocation. The article’s strongest point is that lengthy manual workflows are not just inefficient, they are governance latency. When remediation is delayed, the organisation is effectively tolerating exposure until the next scheduled cycle. Practitioners should treat automated deprovisioning and triggered mini-reviews as control compression, not convenience.

Access governance fails when approval workflows are built for compliance optics instead of security outcomes. Annual or quarterly campaigns can produce tidy audit evidence while leaving dangerous access in place. That is a governance design problem, not a process tuning problem. Security teams should measure whether a review cycle actually removes risky access, not just whether it completes on schedule.

Lifecycle acceleration: Access decisions built for scheduled review windows are too slow for modern identity estates, where risk emerges continuously across users, applications, and automated workflows. The organisation that can detect anomalies, explain them, and act immediately has a materially better control posture than one that waits for the next campaign. Practitioners should rethink certification as a support function for remediation, not the centre of gravity for identity governance.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, which increases the chance of unauthorised access and broadens the attack surface.
  • The visibility problem compounds across lifecycle and review processes, which is why practitioners should also study 52 NHI Breaches Analysis for real-world failure patterns.

What this signals

Identity programmes that still depend on periodic certification are carrying a structural blind spot. In environments where access changes faster than review cycles, the control that matters is not whether a campaign closed, but whether it reduced the live exposure window before abuse could occur. Teams should align review frequency, anomaly detection, and remediation routing to the actual change rate of identities and entitlements.

Outlier scoring becomes most useful when it is tied to specific business context and control action. The practical signal is not the score itself, but whether the organisation can explain, prioritise, and resolve high-risk entitlements without waiting for the next audit round. That is where identity governance starts to behave like a security control instead of a compliance calendar.

With 79% of organisations having experienced secrets leaks, and 77% of those incidents resulting in tangible damage, according to Ultimate Guide to NHIs, the broader lesson is clear: identity risk is a live operational problem, not a periodic review problem. Teams that link review output to automated remediation will move faster than teams that still rely on manual sign-off to discover exposure.


For practitioners

  • Shorten certification cycles where risk is highest. Move from uniform annual or quarterly campaigns to risk-based review cadences for privileged, sensitive, and high-change entitlements. Prioritise accounts where access changes quickly or where manager context is weak.
  • Add context to every access decision. Pair anomalies with role, peer, and entitlement history so approvers can see why access looks unusual. Use that context to distinguish acceptable exceptions from access that should be revoked.
  • Automate repetitive remediation paths. Trigger manager notification, mini-certification, or disablement when predefined score thresholds are crossed. Reserve manual effort for exceptions that need business judgment.
  • Measure revocation outcomes, not just review completion. Track how many risky entitlements are actually removed after a campaign and how long it takes to revoke them. If completion is high but revocation is low, the programme is producing audit artefacts instead of security control.
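The last point, measuring revocation outcomes rather than completion, is worth making concrete because most certification tooling reports only the completion figure. The following added example (illustration for this page, not SailPoint's or NHI Mgmt Group's code) computes, from a constructed campaign export, the completion rate alongside the share of risk-flagged items where a revocation was decided, the share where it was actually executed downstream, the count of decided-but-unexecuted revocations, and the median time from flag to effective removal. The record layout, the sample data and the verdict thresholds are assumptions.

```python
"""Campaign outcome metrics: completion versus actual revocation.

Added example, not SailPoint's or NHI Mgmt Group's code. The record layout,
the constructed campaign export and the verdict thresholds are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class ReviewItem:
    identity: str
    entitlement: str
    risk_flagged: bool              # analytics marked this entitlement risky before the campaign
    flagged_at: datetime
    decision: str | None            # "approve", "revoke", or None if the reviewer never acted
    decided_at: datetime | None
    revoked_at: datetime | None     # when the entitlement was actually removed in the target system


# Constructed campaign export (hypothetical identities, entitlements and dates).
T0 = datetime(2025, 11, 1)
CAMPAIGN = [
    ReviewItem("carol", "erp.admin", True, T0, "revoke", T0 + timedelta(days=3), T0 + timedelta(days=5)),
    ReviewItem("carol", "prod.db.write", True, T0, "revoke", T0 + timedelta(days=3), None),  # decided, never executed
    ReviewItem("svc-etl", "iam.admin", True, T0, "approve", T0 + timedelta(days=1), None),   # risky access rubber-stamped
    ReviewItem("grace", "iam.admin", True, T0, None, None, None),                            # reviewer never acted
    ReviewItem("alice", "erp.report", False, T0, "approve", T0 + timedelta(days=2), None),
    ReviewItem("bob", "erp.report", False, T0, "approve", T0 + timedelta(days=2), None),
    ReviewItem("dave", "erp.read", False, T0, "approve", T0 + timedelta(days=10), None),
    ReviewItem("erin", "k8s.admin", False, T0, "approve", T0 + timedelta(days=2), None),
    ReviewItem("frank", "k8s.admin", True, T0, "revoke", T0 + timedelta(days=20), T0 + timedelta(days=41)),
]


def campaign_metrics(items):
    """Completion says the campaign closed; the other figures say whether
    flagged access actually left the estate, and how fast."""
    decided = [i for i in items if i.decision is not None]
    risky = [i for i in items if i.risk_flagged]
    revoke_decided = [i for i in risky if i.decision == "revoke"]
    revoke_executed = [i for i in revoke_decided if i.revoked_at is not None]
    not_executed = [i for i in items if i.decision == "revoke" and i.revoked_at is None]
    days_to_revoke = [(i.revoked_at - i.flagged_at).days for i in revoke_executed]
    return {
        "completion_rate": round(len(decided) / len(items), 2),
        "risky_items": len(risky),
        "risky_revocation_decided_rate": round(len(revoke_decided) / len(risky), 2) if risky else None,
        "risky_revocation_executed_rate": round(len(revoke_executed) / len(risky), 2) if risky else None,
        "revocations_not_executed": len(not_executed),
        "median_days_flag_to_revoked": median(days_to_revoke) if days_to_revoke else None,
        "risky_approved_unchanged": [f"{i.identity}:{i.entitlement}" for i in risky if i.decision == "approve"],
    }


def verdict(m, min_executed_rate=0.6, max_median_days=14):
    """Separate an administratively complete campaign from an operationally
    effective one. Thresholds are assumptions; tune them to the estate."""
    executed = m["risky_revocation_executed_rate"] or 0.0
    if m["completion_rate"] >= 0.8 and executed < min_executed_rate:
        return "audit artefact: reviews completed but most risky access is still in place"
    if m["median_days_flag_to_revoked"] is not None and m["median_days_flag_to_revoked"] > max_median_days:
        return "slow: revocations happen but the exposure window is too long"
    return "effective"


if __name__ == "__main__":
    metrics = campaign_metrics(CAMPAIGN)
    for key, value in metrics.items():
        print(f"{key:32} {value}")
    print("verdict:", verdict(metrics))
```

On the constructed data the campaign is 89% complete, yet only 40% of risk-flagged entitlements were actually removed, one revocation decision was never executed in the target system, and the median time from flag to removal is over three weeks. Reporting only the first figure would call this campaign a success; the remaining figures show it is the "audit artefact" pattern the bullet above warns about.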

Key takeaways

  • Periodic access certification is too slow to catch identity risk that changes between review cycles.
  • Decision quality improves when managers receive context-rich identity signals instead of raw entitlement lists.
  • Automation should compress the time from risk detection to revocation, not replace governance judgment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorizations are defined in policy, managed, enforced and reviewed, incorporating least privilege and separation of duties) | Identity decisions need continuous validation rather than periodic approval only.
NIST Zero Trust (SP 800-207) | Sec. 2.1, Tenets of Zero Trust (dynamic authentication and authorization before access) | Zero trust requires ongoing verification, not a stale certification cadence.
OWASP Non-Human Identity Top 10 | NHI-03 | Automated remediation and lifecycle control matter for non-human and service identities.

Measure whether access reviews reduce exposure and feed findings into continuous remediation.


Key terms

  • Access Certification: A scheduled review where a manager or owner confirms whether a person or account should keep its access. In practice, it is a governance checkpoint, not a continuous security control, so its value depends on how quickly the programme can detect and remove risk between review cycles.
  • Identity Analytics: The use of identity, entitlement, role, and behavioural data to find access patterns that look unusual or high risk. It supports more informed decisions by explaining why an identity is an outlier, which helps approvers distinguish legitimate exceptions from access that should be removed.
  • Remediation Workflow: An operational process that turns a risk finding into action, such as notification, mini-review, deprovisioning, or disabling access. The control value comes from reducing delay between detection and response, which is often where identity governance programmes lose effectiveness.
  • Certification Fatigue: The tendency for reviewers to approve access with little scrutiny when certification campaigns are too frequent, too broad, or too poorly contextualised. It is a human failure mode created by process design, and it usually signals that the programme is optimising completion rather than security.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Rethinking the Identity Security Paradigm: Three Ways to Stay Ahead of Identity-related Threats. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org