
Access recertification fatigue: why quarterly reviews still matter


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9223
Topic starter  

TL;DR: One-time access certification breaks down quickly because roles, contractors, applications, and group memberships keep changing, and Zluri cites 149 person-days per quarterly cycle to show how manual recertification becomes unsustainable. Periodic re-validation is now a governance requirement, not an administrative afterthought, because access drift is the real control failure.

NHIMG editorial — based on content published by Zluri: Security & Compliance Access Recertification: Why One-Time Certification Isn't Enough

By the numbers:

Questions worth separating out

Q: How should organisations decide how often to recertify access?

A: Use business risk, access sensitivity, and change velocity to set cadence.

Q: Why does one-time certification fail in practice?

A: Because access does not stay still after approval.

Q: What do security teams get wrong about recertification?

A: They often treat recertification as a compliance event instead of a living governance process.

Practitioner guidance

  • Define risk-based recertification cadence: Set quarterly review for sensitive applications, privileged access, and regulated systems, then use semi-annual or annual review only where business change is genuinely slower.
  • Switch high-risk campaigns to full re-validation: Use delta review to narrow scope, but require a full recertification path for high-risk access so previously approved entitlements do not escape scrutiny.
  • Automate remediation from recertification decisions: Route denied or modified entitlements into immediate revocation or adjustment workflows instead of ticket queues.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The step-by-step recertification workflow, including scoping, delta review, decisioning, and evidence capture.
  • Concrete examples of how group-based recertification reduces reviewer load without abandoning full access validation.
  • The audit evidence package auditors expect, including timestamps, reviewer identity, remediation records, and historical certification trails.
  • The article's discussion of automation features for highlighting changed access and preventing recertification fatigue.

👉 Read Zluri's analysis of why access recertification must be continuous →

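The three guidance points above (risk-based cadence, delta review with a mandatory full path for high-risk access, and remediation driven directly from decisions) fit together as one small pipeline. The Python below is an added example for this post, not Zluri's or NHIMG's code: entitlements are modelled as (principal, application, role) tuples, and the risk tiers, cadence table and all entitlement data are constructed for illustration. The evidence record at the end mirrors what the full article says auditors look for (timestamp, reviewer identity, remediation trail).

```python
"""Risk-based recertification scope, delta review and remediation planning.

Added example for this post, not Zluri's or NHIMG's code. Entitlements are
(principal, application, role) tuples; the per-application risk tiers, the
cadence table and all sample data are constructed for illustration.
"""
from datetime import date, timedelta

# Hypothetical cadence per risk tier: quarterly for sensitive systems,
# semi-annual or annual only where change is genuinely slower.
CADENCE_DAYS = {"high": 90, "medium": 182, "low": 365}

# Constructed risk tiers for the applications in the sample data.
APP_RISK = {"payroll": "high", "prod-db-admin": "high", "crm": "medium", "wiki": "low"}

# Constructed snapshot of what the previous campaign certified.
LAST_CERTIFIED = {
    ("alice", "payroll", "approver"),
    ("alice", "wiki", "editor"),
    ("bob", "crm", "sales-rep"),
    ("svc-backup", "prod-db-admin", "reader"),
}

# Constructed current state as pulled from the directory and app connectors.
CURRENT = {
    ("alice", "payroll", "approver"),          # unchanged, but high risk
    ("alice", "wiki", "editor"),               # unchanged, low risk
    ("bob", "crm", "sales-rep"),               # unchanged, medium risk
    ("bob", "crm", "admin"),                   # granted since last cycle
    ("svc-backup", "prod-db-admin", "owner"),  # escalated from reader to owner
    ("carol", "wiki", "editor"),               # new joiner
}


def next_review_due(last_reviewed_iso, risk_tier):
    """ISO date by which access on an app of this risk tier must be recertified."""
    last = date.fromisoformat(last_reviewed_iso)
    return (last + timedelta(days=CADENCE_DAYS[risk_tier])).isoformat()


def build_review_scope(last_certified, current, app_risk):
    """Split live access into what reviewers must look at this cycle.

    Returns (delta, full, removed), each a sorted list:
      delta   - entitlements added since the last snapshot (narrowed scope)
      full    - every live entitlement on a high-risk app, changed or not,
                so previously approved access cannot escape scrutiny
      removed - certified entitlements that no longer exist (evidence only)
    """
    added = current - last_certified
    removed = last_certified - current
    full = {e for e in current if app_risk.get(e[1], "medium") == "high"}
    delta = added - full  # never review the same entitlement twice
    return sorted(delta), sorted(full), sorted(removed)


def plan_remediation(scope, decisions):
    """Turn reviewer decisions straight into actions rather than tickets.

    decisions maps entitlement -> "approve" | "revoke" | ("modify", new_role).
    Anything in scope with no decision is flagged 'unreviewed' so that silence
    can never count as approval.
    """
    actions = []
    for ent in scope:
        d = decisions.get(ent)
        if d is None:
            actions.append(("unreviewed", ent))
        elif d == "approve":
            actions.append(("keep", ent))
        elif d == "revoke":
            actions.append(("revoke", ent))
        elif isinstance(d, tuple) and d[0] == "modify":
            principal, app, _old_role = ent
            actions.append(("revoke", ent))
            actions.append(("grant", (principal, app, d[1])))
        else:
            raise ValueError(f"unknown decision {d!r} for {ent}")
    return actions


def certification_record(reviewer, reviewed_on_iso, actions):
    """Evidence an auditor can replay: who decided, when, and what followed."""
    return {
        "reviewer": reviewer,
        "reviewed_on": reviewed_on_iso,
        "decisions": len([a for a in actions if a[0] != "unreviewed"]),
        "unreviewed": [a[1] for a in actions if a[0] == "unreviewed"],
        "remediation": [a for a in actions if a[0] in ("revoke", "grant")],
    }


if __name__ == "__main__":
    delta, full, removed = build_review_scope(LAST_CERTIFIED, CURRENT, APP_RISK)
    # Constructed reviewer decisions; carol's new access is deliberately left undecided.
    decisions = {
        ("bob", "crm", "admin"): "revoke",
        ("alice", "payroll", "approver"): "approve",
        ("svc-backup", "prod-db-admin", "owner"): ("modify", "reader"),
    }
    actions = plan_remediation(delta + full, decisions)
    print(certification_record("iam-reviewer-1", "2024-04-01", actions))
    print("payroll next due:", next_review_due("2024-04-01", APP_RISK["payroll"]))
```

Two design points carry the post's argument: an unchanged entitlement on a high-risk app still lands in the full-review bucket, so the "approved last quarter" status never exempts it, and an item left undecided is surfaced in the evidence record instead of being quietly carried forward.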
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8662
 

One-time access certification is a snapshot, not a control. The article is right that access changes continuously after approval, which means certification ages out faster than many programmes admit. Recertification is not a nice-to-have add-on to IAM. It is the mechanism that tests whether entitlement decisions still match reality, and without it, approved access becomes stale governance theatre.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when access violations persist after review?

A: Accountability sits with the access owner, the reviewer, and the governance team that owns the process. If a cycle identifies excessive access but remediation never happens, the programme failed at execution, not just assessment. Auditors will look for both the decision and the proof of follow-through.

👉 Read our full editorial: Why one-time access certification fails as access keeps changing


