
Access certification and access sprawl: is your review cycle keeping up?


@nhi-mgmt-group (Member Moderator; joined 1 year ago; 8151 posts), topic starter

TL;DR: Access certification is the formal, audit-driven process for validating user entitlements, and it is presented as the control that turns access sprawl into least-privilege decisions while supporting SOX, ISO 27001, and NIST-aligned governance, according to SecurEnds. Manual reviews and disconnected identity systems still leave many programmes unable to prove timely revocation or consistent attestations, so the issue is operational, not procedural.

NHIMG editorial — based on content published by SecurEnds: Access certification is the control gap behind access sprawl

By the numbers:

Questions worth separating out

Q: How should security teams implement access certification in cloud and SaaS environments?

A: Security teams should centralise entitlement data first, then run certification against normalised access records from directory, HR, cloud, and SaaS systems.

Q: Why do access reviews fail when identity systems are disconnected?

A: Access reviews fail because reviewers cannot validate what they cannot see.

Q: What breaks when access certification is treated as a yearly compliance exercise?

A: A yearly cycle leaves excessive access in place for months, especially when employees change roles or gain new privileges mid-year.

Practitioner guidance

  • Map certification to lifecycle events: trigger recertification when users change roles, move departments, or gain elevated access so stale entitlements do not wait for the next scheduled review.
  • Normalise entitlement sources before campaigns: pull access data from directory services, HR records, cloud platforms, and SaaS applications into one entitlement model before sending review tasks.
  • Prioritise high-risk and privileged access: review privileged accounts, SoD conflicts, and externally exposed entitlements more frequently than standard user access so reviewer attention is spent where impact is highest.
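As an added illustration (not code from SecurEnds or from this post), the Python sketch below puts the three guidance points together with the "centralise first, then certify" answer above: it normalises constructed HR, directory, cloud and SaaS feeds into one entitlement model, triggers recertification on a recent role change or a missing HR record, and gives privileged access a shorter cadence and SoD conflicts the highest priority. The feed layouts, user names, policy windows and the single SoD conflict pair are all assumptions chosen for the example.

```python
"""Build a prioritised access-certification campaign from normalised entitlements."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Entitlement:
    user: str
    source: str      # system of record the grant came from
    resource: str    # directory group, cloud role, SaaS application
    privilege: str   # the right held on that resource


# Policy knobs (assumed values, not taken from the article).
STANDARD_CADENCE = timedelta(days=180)
PRIVILEGED_CADENCE = timedelta(days=30)
ROLE_CHANGE_WINDOW = timedelta(days=30)
PRIVILEGED_MARKERS = ("admin",)
SOD_CONFLICTS = [frozenset({"AP-Approvers", "AP-Vendor-Create"})]

# Constructed sample feeds (hypothetical users, groups and roles).
HR = [
    {"user": "alice", "role": "ap-clerk", "role_changed": "2024-06-01"},
    {"user": "bob",   "role": "sre",      "role_changed": "2023-01-15"},
]
DIRECTORY = [
    {"user": "alice", "group": "AP-Approvers"},
    {"user": "alice", "group": "AP-Vendor-Create"},
    {"user": "bob",   "group": "Domain Admins"},
    {"user": "carol", "group": "Finance-Readers"},   # no HR record: a leaver
]
CLOUD = [
    {"user": "bob",   "role": "AdministratorAccess"},
    {"user": "alice", "role": "ReadOnlyAccess"},
]
SAAS = [{"user": "bob", "app": "crm", "role": "admin"}]
LAST_CERTIFIED = {"alice": date(2024, 4, 1), "bob": date(2024, 5, 1)}
TODAY = date(2024, 6, 10)


def normalise(directory, cloud, saas):
    """Flatten the per-system records into one Entitlement model."""
    ents = [Entitlement(g["user"], "directory", g["group"], "member") for g in directory]
    ents += [Entitlement(r["user"], "cloud", r["role"], "assume") for r in cloud]
    ents += [Entitlement(s["user"], "saas", s["app"], s["role"]) for s in saas]
    return ents


def is_privileged(e):
    """Crude marker match; a real programme would use a curated privileged catalogue."""
    text = f"{e.resource} {e.privilege}".lower()
    return any(m in text for m in PRIVILEGED_MARKERS)


def sod_conflicts(ents):
    """Return every configured conflict pair that this user's grants fully cover."""
    held = {e.resource for e in ents}
    return [c for c in SOD_CONFLICTS if c <= held]


def build_campaign(hr, directory, cloud, saas, last_certified, today):
    hr_by_user = {h["user"]: h for h in hr}
    by_user = {}
    for e in normalise(directory, cloud, saas):
        by_user.setdefault(e.user, []).append(e)

    tasks = []
    for user, ents in by_user.items():
        privileged = [e for e in ents if is_privileged(e)]
        conflicts = sod_conflicts(ents)
        record = hr_by_user.get(user)
        trigger = None
        if record is None:
            trigger = "no-hr-record"           # orphaned access: review now
        elif today - date.fromisoformat(record["role_changed"]) <= ROLE_CHANGE_WINDOW:
            trigger = "role-change"            # lifecycle event, not the calendar
        else:
            cadence = PRIVILEGED_CADENCE if privileged else STANDARD_CADENCE
            last = last_certified.get(user)
            if last is None or today - last >= cadence:
                trigger = "scheduled"
        if trigger is None:
            continue                           # nothing due for this user yet
        if conflicts or record is None:
            priority = "critical"
        elif privileged:
            priority = "high"
        else:
            priority = "standard"
        tasks.append({
            "user": user, "trigger": trigger, "priority": priority,
            "entitlements": [f"{e.source}:{e.resource}:{e.privilege}" for e in ents],
            "sod_conflicts": [sorted(c) for c in conflicts],
        })
    rank = {"critical": 0, "high": 1, "standard": 2}
    tasks.sort(key=lambda t: rank[t["priority"]])
    return tasks


if __name__ == "__main__":
    for task in build_campaign(HR, DIRECTORY, CLOUD, SAAS, LAST_CERTIFIED, TODAY):
        print(task)
```

Run as-is, the campaign puts alice first (role change nine days ago plus an SoD conflict), then carol (entitlements with no HR owner), then bob (privileged access whose 30-day cadence has lapsed); a user whose grants are neither privileged, conflicting nor recently changed, and who was certified within the standard window, gets no task at all, which is the point of moving reviewer effort to where the impact is.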

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step access certification workflow design for managers, resource owners, and audit teams
  • Platform-specific integration examples for Okta, Azure, AWS, HR systems, and enterprise applications
  • Automation features for attestation, SoD checks, and audit-ready reporting at scale
  • A worked case example showing how certification time was reduced in a real enterprise deployment

👉 Read SecurEnds' analysis of access certification and access review →

