Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Access review of yore: what changes when NHIs become the majority?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Quarterly access reviews are losing effectiveness as enterprises shift to service accounts, cloud principals, OAuth tokens, and AI agent identities that change faster than review cycles can track, according to Hydden. Static attestation cannot govern runtime behaviour, so identity programmes now need continuous validation, dependency mapping, and ownership derived from observed activity.

NHIMG editorial — based on content published by Hydden: Continuous validation is replacing quarterly access reviews for NHI

Questions worth separating out

Q: What breaks when quarterly access reviews are used for non-human identities?

A: Quarterly access reviews break when applied to non-human identities because the control assumes stable identities, known ownership, and slow entitlement change.

Q: Why do non-human identities complicate access governance more than human accounts?

A: Non-human identities complicate access governance because their purpose, ownership, and usage are often derived from runtime behaviour rather than a source system like HR.

Q: How can security teams know if access reviews are actually working?

A: Access reviews are working only if they change live identity risk, not just close tickets.

Practitioner guidance

  • Replace certification-only coverage with runtime validation Identify which identities are still governed only through quarterly or annual attestation, then map the telemetry needed to confirm current use, dependency, and behavioural drift before the next review cycle closes.
  • Build ownership from behaviour when no source owner exists For service accounts, cloud principals, and ephemeral tokens created outside formal workflows, derive accountable ownership from application and dependency evidence instead of leaving blank stewardship fields.
  • Separate governance records from operational truth Treat entitlement registers as historical records and create a live identity data layer that tracks authentication activity, calling systems, and change events so review decisions are based on current state.

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • The article lays out the shift from periodic attestation to continuous validation in more operational terms, including how reviewers should think about runtime evidence.
  • It expands on the data-layer requirement for identity governance, including dependency mapping and ownership derived from behaviour when source records are incomplete.
  • It explains why existing IGA and SIEM tooling tends to produce retrospective evidence rather than live governance for non-human identities.
  • It frames the practical ceiling of manual review cycles for environments where identity state changes faster than quarterly certification windows.

👉 Read Hydden's analysis of why continuous validation is replacing quarterly access reviews →

Access review of yore: what changes when NHIs become the majority?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Quarterly access review is the wrong control for a majority-NHI estate. The article's central point is that review cadence cannot keep pace with identities that are created dynamically, authenticate with secrets, and change faster than the certification cycle. That means the control is being applied to a population it was never designed to govern. The implication is that governance teams should stop treating certification completion as evidence of control maturity.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That visibility gap matters because governance cannot certify what it cannot continuously observe, and 47% of organisations report only partial visibility into those connections.

A question worth separating out:

Q: Who should own non-human identity governance when no business owner is recorded?

A: Ownership should be assigned from operational evidence, not left blank because a provisioning workflow never captured it. The accountable owner is usually the service, application, or platform team that depends on the identity in production. If no team can answer usage and breakage questions, the identity is already outside effective governance.

👉 Read our full editorial: Continuous validation is replacing quarterly access reviews for NHI



   
ReplyQuote
Share: