TL;DR: One-time access certification breaks down quickly because roles, contractors, applications, and group memberships keep changing, and Zluri cites 149 person-days per quarterly cycle to show how manual recertification becomes unsustainable. Periodic re-validation is now a governance requirement, not an administrative afterthought, because access drift is the real control failure.
At a glance
What this is: An analysis of why periodic access recertification is necessary: access keeps changing after the initial certification cycle, so a single approval cannot stay valid on its own.
Why it matters: It matters because IAM, IGA, PAM, and NHI governance teams need evidence that access remains appropriate over time, not just at approval.
By the numbers:
- Organizations conducting quarterly recertifications spend an average of 149 person-days per cycle on manual processes.
👉 Read Zluri's analysis of why access recertification must be continuous
Context
Access recertification is the periodic re-validation of access rights after the initial approval cycle. The governance problem is simple: roles change, projects end, employees leave, and new applications appear, so a once-approved entitlement can become inappropriate without any obvious signal in the interim. That makes recertification a control for access drift, not just a compliance ritual.
The article is primarily about human identity governance, but the underlying lesson spans the broader identity programme. When access is allowed to accumulate without re-validation, the same programme gaps that create overprovisioned human accounts can also affect service accounts, workloads, and delegated access paths. For practitioners, the hard question is whether review cadence matches the speed of change.
Key questions
Q: How should organisations decide how often to recertify access?
A: Use business risk, access sensitivity, and change velocity to set cadence. High-risk systems, privileged accounts, and regulated environments usually need quarterly review, while lower-risk access can move to semi-annual or annual cycles. The right schedule is the one that catches drift before access becomes normalised through repetition.
Q: Why does one-time certification fail in practice?
A: Because access does not stay still after approval. Roles change, contractors finish work, employees leave, and new entitlements appear between review cycles. A one-time certification only proves that access was appropriate at a single moment, not that it remained appropriate as the environment changed.
Q: What do security teams get wrong about recertification?
A: They often treat recertification as a compliance event instead of a living governance process. That leads to checkbox approvals, outdated evidence, and unresolved violations carrying forward. A strong programme measures what changed, who reviewed it, and whether remediation actually closed the loop.
Q: Who is accountable when access violations persist after review?
A: Accountability sits with the access owner, the reviewer, and the governance team that owns the process. If a cycle identifies excessive access but remediation never happens, the programme failed at execution, not just assessment. Auditors will look for both the decision and the proof of follow-through.
Technical breakdown
Access drift and why certification ages quickly
Certification establishes a point-in-time approval, while recertification tests whether that approval is still valid after business change. Access drift happens when roles, departments, projects, and employment status change faster than review cycles. The result is temporal drift, accumulation drift, and missed offboarding, all of which create entitlement gaps that look legitimate on paper but are no longer justified in practice.
Practical implication: define recertification frequency by access risk and business volatility, not by calendar convenience.
Delta review versus full re-validation
Delta review only checks what changed since the last cycle, which reduces reviewer effort but can leave approved access untouched even when it has silently become excessive. Full recertification re-validates all access and is the stronger governance model because it catches drift in previously approved entitlements. Group-based recertification makes that model workable at scale by reviewing access bundles rather than every individual entitlement in isolation.
Practical implication: use delta review for triage, but keep a full recertification path for high-risk applications and privileged access.
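The following is an added example, not code from Zluri or from this post, showing how the two review models differ on the same data: it measures drift between the previous certification snapshot and the current one (the same new-application, role-change, terminated-user and orphaned-permission counts the practitioner checklist later asks for), then scopes the next campaign so that low-risk applications get delta review while high-risk applications get full re-validation of every current entitlement. The entitlement snapshots, the HR feed and the high-risk application tier are all constructed for illustration.

```python
"""Added example (not Zluri's or NHIMG's code): measure access drift between two
certification snapshots and scope the next campaign as delta review for low-risk
applications and full re-validation for high-risk ones. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    role: str


# Constructed snapshot of entitlements at the last certification (previous cycle).
PREVIOUS = {
    Entitlement("alice", "payroll", "admin"),
    Entitlement("alice", "wiki", "editor"),
    Entitlement("bob", "payroll", "viewer"),
    Entitlement("carol", "crm", "admin"),
    Entitlement("dave", "wiki", "editor"),
}
# Constructed snapshot today: alice changed job but kept payroll admin (role drift),
# bob left but still holds payroll (missed offboarding), a new app appeared for alice
# (accumulation drift), carol's CRM admin is unchanged since the last approval.
CURRENT = {
    Entitlement("alice", "payroll", "admin"),
    Entitlement("alice", "wiki", "editor"),
    Entitlement("alice", "analytics", "viewer"),
    Entitlement("bob", "payroll", "viewer"),
    Entitlement("carol", "crm", "admin"),
    Entitlement("erin", "wiki", "editor"),
}
# Constructed HR feed: job title at the previous cycle vs now; absence means terminated.
HR_PREVIOUS = {"alice": "finance-analyst", "bob": "finance-analyst", "carol": "sales", "dave": "eng"}
HR_CURRENT = {"alice": "marketing", "carol": "sales", "erin": "eng"}
# Assumed risk tiering: privileged or regulated systems that always get full re-validation.
HIGH_RISK_APPS = {"payroll", "crm"}


def compute_drift(prev, curr, hr_prev, hr_curr):
    """Classify drift into the categories the page names: new grants (accumulation),
    role changes (role drift) and terminated users still holding access (missed offboarding)."""
    active = set(hr_curr)
    return {
        "new_grants": curr - prev,
        "removed_grants": prev - curr,
        "role_changed": {e for e in curr
                         if e.user in hr_prev and e.user in hr_curr
                         and hr_prev[e.user] != hr_curr[e.user]},
        "orphaned": {e for e in curr if e.user not in active},
    }


def scope_review(drift, curr, high_risk_apps):
    """Delta review for low-risk apps looks only at what drift touched; full re-validation
    for high-risk apps covers every current entitlement, including ones approved last cycle
    that delta review would otherwise leave untouched."""
    touched = drift["new_grants"] | drift["role_changed"] | drift["orphaned"]
    return {
        "delta_only": {e for e in touched if e.app not in high_risk_apps},
        "full": {e for e in curr if e.app in high_risk_apps},
    }


def drift_report(prev, curr, hr_prev, hr_curr):
    """Counts per drift category plus the share of current access that drifted since the
    last cycle: a direct signal for whether review cadence is keeping pace with change."""
    drift = compute_drift(prev, curr, hr_prev, hr_curr)
    drifted = drift["new_grants"] | drift["role_changed"] | drift["orphaned"]
    counts = {k: len(v) for k, v in drift.items()}
    counts["drift_ratio"] = round(len(drifted) / len(curr), 2)
    return counts


if __name__ == "__main__":
    drift = compute_drift(PREVIOUS, CURRENT, HR_PREVIOUS, HR_CURRENT)
    print(drift_report(PREVIOUS, CURRENT, HR_PREVIOUS, HR_CURRENT))
    scope = scope_review(drift, CURRENT, HIGH_RISK_APPS)
    for bucket, items in scope.items():
        for e in sorted(items, key=lambda x: (x.app, x.user)):
            print(f"{bucket:10s} {e.user}:{e.app}:{e.role}")
```

The point to notice in the output is carol's CRM admin entitlement: nothing about it changed, so a pure delta review would never present it to a reviewer, yet it lands in the full re-validation bucket because the application is high-risk. The drift ratio is high here by construction; in a real programme the interesting number is its trend from cycle to cycle.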
Closed-loop remediation and audit evidence
A recertification programme only works when denial and modification decisions flow directly into revocation or adjustment. If reviewers approve changes but remediation happens later, or not at all, the next cycle starts with the same backlog. Auditability depends on timestamps, reviewer identity, changes since the last cycle, and proof that remediation completed, because compliance is judged on both decision quality and execution.
Practical implication: tie recertification decisions to automated remediation and evidence capture so unresolved violations do not roll forward.
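As an added illustration of the closed loop described above (this is not Zluri's or NHIMG's code), the ledger below records each reviewer decision with reviewer identity and timestamp, only accepts a remediation record that references an actual deny or modify decision, and refuses to let a campaign close while any denial lacks completed remediation. The reviewer names, entitlements, timestamps and the `idp-evt-*` proof references are constructed placeholders for whatever audit event your identity provider actually emits.

```python
"""Added example (not the page's or Zluri's code): a closed-loop recertification ledger.
Decisions carry reviewer identity and timestamp, denials must be bound to a completed
remediation with proof, and unresolved denials are surfaced before the next campaign
opens so they cannot roll forward silently. All identities and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Decision:
    entitlement: str                 # "user:app:role"
    reviewer: str
    decided_at: datetime
    outcome: str                     # "approve" | "deny" | "modify"
    new_role: Optional[str] = None   # required when outcome is "modify"


@dataclass
class Remediation:
    entitlement: str
    action: str                      # "revoke" | "adjust"
    completed_at: datetime
    proof: str                       # audit event reference (constructed here)


@dataclass
class Ledger:
    decisions: list = field(default_factory=list)
    remediations: list = field(default_factory=list)

    def record_decision(self, d: Decision) -> None:
        if d.outcome not in {"approve", "deny", "modify"}:
            raise ValueError(f"unknown outcome {d.outcome!r}")
        if d.outcome == "modify" and not d.new_role:
            raise ValueError("modify decisions must state the target role")
        self.decisions.append(d)

    def record_remediation(self, r: Remediation) -> None:
        # Proof can only be attached to a real deny/modify decision, so the evidence
        # trail always links decision -> action -> proof.
        if not any(d.entitlement == r.entitlement and d.outcome != "approve"
                   for d in self.decisions):
            raise ValueError(f"no deny/modify decision for {r.entitlement}")
        self.remediations.append(r)

    def unresolved(self) -> list:
        """Deny/modify decisions with no completed remediation: the backlog that would
        roll forward into the next cycle if nobody checks."""
        done = {r.entitlement for r in self.remediations}
        return [d for d in self.decisions if d.outcome != "approve" and d.entitlement not in done]

    def time_to_remove(self) -> dict:
        """Hours from decision to completed remediation, the 'how fast does bad access leave' metric."""
        decided = {d.entitlement: d.decided_at for d in self.decisions if d.outcome != "approve"}
        return {r.entitlement: round((r.completed_at - decided[r.entitlement]).total_seconds() / 3600, 1)
                for r in self.remediations}

    def campaign_can_close(self) -> bool:
        return not self.unresolved()


def build_sample_ledger() -> Ledger:
    """Constructed campaign: two denials and one modify; one denial is never actioned."""
    t0 = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    led = Ledger()
    led.record_decision(Decision("alice:payroll:admin", "rev.finance", t0, "deny"))
    led.record_decision(Decision("bob:payroll:viewer", "rev.finance", t0 + timedelta(minutes=5), "deny"))
    led.record_decision(Decision("carol:crm:admin", "rev.sales", t0 + timedelta(hours=1), "modify", new_role="viewer"))
    led.record_decision(Decision("erin:wiki:editor", "rev.eng", t0 + timedelta(hours=2), "approve"))
    # Automated workflow revokes alice within the hour and adjusts carol the next day;
    # bob's denial sits in a ticket queue and is never actioned.
    led.record_remediation(Remediation("alice:payroll:admin", "revoke", t0 + timedelta(minutes=30), "idp-evt-0001"))
    led.record_remediation(Remediation("carol:crm:admin", "adjust", t0 + timedelta(hours=25), "idp-evt-0002"))
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    for d in led.unresolved():
        print(f"UNRESOLVED {d.entitlement} denied by {d.reviewer} at {d.decided_at.isoformat()}")
    print("hours to remediate:", led.time_to_remove())
    print("campaign can close:", led.campaign_can_close())
```

Run stand-alone it reports bob's payroll access as unresolved and refuses to close the campaign, which is exactly the state the text warns about: a denial that exists on paper but still grants access. The `time_to_remove` figures are the metric to report per cycle; the number of campaigns completed says nothing about whether bad access actually left.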
NHI Mgmt Group analysis
One-time access certification is a snapshot, not a control. The article is right that access changes continuously after approval, which means certification ages out faster than many programmes admit. Recertification is not a nice-to-have add-on to IAM. It is the mechanism that tests whether entitlement decisions still match reality, and without it, approved access becomes stale governance theatre.
Access drift is the real failure mode recertification is designed to catch. Role drift, temporal drift, and accumulation drift are not separate administrative annoyances. They are the same governance problem showing up in different forms: access that was once appropriate no longer is, but the programme has no fresh review to expose it. Practitioners should treat drift as the measurable control gap, not the paperwork around it.
Group-based review is a governance compression strategy, not a reason to lower standards. The article shows why reviewing every entitlement individually creates fatigue, but the answer is not to reduce assurance. The better model is to compress the review unit to the access bundle or group while preserving full validation of high-risk access. The implication is that review design must match entitlement structure, or reviewers will either burn out or rubber-stamp.
Closed-loop remediation is where recertification either proves value or fails publicly. If denied access remains in place until the next cycle, recertification becomes evidence of repeated failure rather than control effectiveness. This is especially relevant to compliance frameworks that expect periodic review and follow-through. Practitioners should judge the programme by how fast it removes bad access, not by how many campaigns it completes.
Lifecycle governance is the named concept this article exposes: access review without lifecycle change detection creates stale approval debt. Certification assumes the access picture is stable enough to remain trustworthy until the next cycle. That assumption fails when people move roles, leave, or accumulate new access between reviews. The implication is that governance teams must measure how quickly approved access decays in real operating conditions.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For lifecycle governance context, review the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for how periodic review and offboarding fit into broader identity control design.
What this signals
Stale approval debt is the operational risk recertification is meant to surface. In environments where access changes continuously, a certification completed in one quarter can already be obsolete by the next, especially when role churn, contractor turnover, and app sprawl are high. That is why lifecycle monitoring has to sit next to access review, not behind it.
The governance signal for practitioners is that review cadence should now be managed as a control variable, not a calendar task. If your programme cannot show what changed since the last cycle, whether denials were remediated, and how quickly exceptions were closed, the recertification process is producing documentation rather than assurance.
For readers building broader identity programmes, the lesson extends beyond human access. Periodic review, offboarding discipline, and entitlement cleanup should be designed together across human, machine, and delegated access paths, with the NIST Cybersecurity Framework 2.0 as a useful control structure for measuring governance maturity.
For practitioners
- Define risk-based recertification cadence: Set quarterly review for sensitive applications, privileged access, and regulated systems, then use semi-annual or annual review only where business change is genuinely slower. Tie cadence to role volatility, contractor use, and access criticality rather than treating all applications alike.
- Switch high-risk campaigns to full re-validation: Use delta review to narrow scope, but require a full recertification path for high-risk access so previously approved entitlements do not escape scrutiny. Preserve the evidence trail for what changed since the last cycle and what was explicitly re-approved.
- Automate remediation from recertification decisions: Route denied or modified entitlements into immediate revocation or adjustment workflows instead of ticket queues. Keep reviewer identity, decision timestamp, entitlement state, and remediation proof together so the next cycle starts clean.
- Measure access drift between cycles: Track new applications, role changes, terminated users, and orphaned permissions since the previous certification and report the volume of unresolved findings. That gives you a direct signal for whether the review programme is keeping pace with change.
Key takeaways
- One-time certification cannot keep pace with the rate at which access changes, so recertification is the real governance control.
- The scale problem is not only security risk but operating cost, because manual quarterly review consumes 149 person-days per cycle in the article’s example.
- The strongest programme couples risk-based cadence, full re-validation for sensitive access, and closed-loop remediation that removes bad access immediately.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Periodic access review directly supports least-privilege governance and entitlement validation. |
| NIST SP 800-63 | Identity lifecycle and federation guidance | Identity lifecycle and federation evidence matter where user access must remain current. |
| NIST Zero Trust (SP 800-207) | Continuous verification | Continuous verification is the architectural logic behind recurring access validation. |
Map recertification cycles to PR.AC-4 and prove that access reviews trigger remediation, not just approval.
Key terms
- Access Recertification: Access recertification is the periodic re-check of whether a user, group, or entitlement still needs the access it was previously approved to have. It is a governance control that turns access from a one-time approval into an ongoing validation process.
- Access Drift: Access drift is the gradual mismatch between approved access and actual need as roles, projects, employment status, and application use change. It often appears as stale privileges, missed offboarding, or accumulated permissions that no longer match the current job.
- Closed-Loop Remediation: Closed-loop remediation means a review decision automatically results in revocation, adjustment, or escalation, with evidence recorded as part of the process. It prevents recertification from becoming a reporting exercise that finds problems but leaves them in place.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step recertification workflow, including scoping, delta review, decisioning, and evidence capture.
- Concrete examples of how group-based recertification reduces reviewer load without abandoning full access validation.
- The audit evidence package auditors expect, including timestamps, reviewer identity, remediation records, and historical certification trails.
- The article's discussion of automation features for highlighting changed access and preventing recertification fatigue.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org