TL;DR: Access certification is the formal, audit-driven process for validating user entitlements, and it is presented as the control that turns access sprawl into least-privilege decisions while supporting SOX, ISO 27001, and NIST-aligned governance, according to SecurEnds. Manual reviews and disconnected identity systems still leave many programmes unable to prove timely revocation or consistent attestations, so the issue is operational, not procedural.
NHIMG editorial — based on content published by SecurEnds: Access certification is the control gap behind access sprawl
By the numbers:
- 71% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams implement access certification in cloud and SaaS environments?
A: Security teams should centralise entitlement data first, then run certification against normalised access records from directory, HR, cloud, and SaaS systems.
Q: Why do access reviews fail when identity systems are disconnected?
A: Access reviews fail because reviewers cannot validate what they cannot see.
Q: What breaks when access certification is treated as a yearly compliance exercise?
A: A yearly cycle leaves excessive access in place for months, especially when employees change roles or gain new privileges mid-year.
Practitioner guidance
- Map certification to lifecycle events Trigger recertification when users change roles, move departments, or gain elevated access so stale entitlements do not wait for the next scheduled review.
- Normalise entitlement sources before campaigns Pull access data from directory services, HR records, cloud platforms, and SaaS applications into one entitlement model before sending review tasks.
- Prioritise high-risk and privileged access Review privileged accounts, SoD conflicts, and externally exposed entitlements more frequently than standard user access so reviewer attention is spent where impact is highest.
What's in the full article
SecurEnds' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step access certification workflow design for managers, resource owners, and audit teams
- Platform-specific integration examples for Okta, Azure, AWS, HR systems, and enterprise applications
- Automation features for attestation, SoD checks, and audit-ready reporting at scale
- A worked case example showing how certification time was reduced in a real enterprise deployment
👉 Read SecurEnds' analysis of access certification and access review →
Access certification and access sprawl: is your review cycle keeping up?
Explore further
Access certification is the control that exposes privilege creep before it becomes policy failure. The article correctly frames certification as more than a periodic audit task, because entitlement sprawl is usually visible only when someone is forced to validate it. In IGA terms, certification turns hidden over-access into a decision point, and that decision point is what keeps least privilege operational rather than aspirational. The practitioner takeaway is that certification must be treated as a live governance control, not an after-the-fact compliance ritual.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Another 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, which shows that governance change is already underway in operating assumptions.
A question worth separating out:
Q: Who is accountable when revoked access is not removed after certification?
A: Accountability sits with the access owner, the reviewer, and the governance process that failed to complete remediation. Certification only works when approval, removal, and evidence are tied together. If access stays active after a denial, the organisation has a control failure, not just a documentation gap.
👉 Read our full editorial: Access certification is the control gap behind access sprawl