Access review of yore: what changes when NHIs become the majority?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Quarterly access reviews are losing effectiveness as enterprises shift to service accounts, cloud principals, OAuth tokens, and AI agent identities that change faster than review cycles can track, according to Hydden. Static attestation cannot govern runtime behaviour, so identity programmes now need continuous validation, dependency mapping, and ownership derived from observed activity.

NHIMG editorial — based on content published by Hydden: Continuous validation is replacing quarterly access reviews for NHI

Questions worth separating out

Q: What breaks when quarterly access reviews are used for non-human identities?

A: Quarterly access reviews break when applied to non-human identities because the control assumes stable identities, known ownership, and slow entitlement change.

Q: Why do non-human identities complicate access governance more than human accounts?

A: Non-human identities complicate access governance because their purpose, ownership, and usage are often derived from runtime behaviour rather than a source system like HR.

Q: How can security teams know if access reviews are actually working?

A: Access reviews are working only if they change live identity risk, not just close tickets.

Practitioner guidance

  • Replace certification-only coverage with runtime validation. Identify which identities are still governed only through quarterly or annual attestation, then map the telemetry needed to confirm current use, dependency, and behavioural drift before the next review cycle closes.
  • Build ownership from behaviour when no source owner exists. For service accounts, cloud principals, and ephemeral tokens created outside formal workflows, derive accountable ownership from application and dependency evidence instead of leaving blank stewardship fields.
  • Separate governance records from operational truth. Treat entitlement registers as historical records and create a live identity data layer that tracks authentication activity, calling systems, and change events so review decisions are based on current state.

What's in the full article

Hydden's full article covers the operational detail this post intentionally leaves for the source:

  • The article lays out the shift from periodic attestation to continuous validation in more operational terms, including how reviewers should think about runtime evidence.
  • It expands on the data-layer requirement for identity governance, including dependency mapping and ownership derived from behaviour when source records are incomplete.
  • It explains why existing IGA and SIEM tooling tends to produce retrospective evidence rather than live governance for non-human identities.
  • It frames the practical ceiling of manual review cycles for environments where identity state changes faster than quarterly certification windows.

👉 Read Hydden's analysis of why continuous validation is replacing quarterly access reviews →
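One way to act on the three practitioner points above, as an added example that is not from the NHIMG post or Hydden's article: a small Python reconciliation of an entitlement register against observed authentication events that flags identities with no recent use, infers an owner from the dominant calling system when the register has none, surfaces callers the register never certified, and also reports principals seen at runtime that the register does not know about. The register layout, event fields and all sample values are constructed for illustration.

```python
# Added example (not from the NHIMG post or Hydden's article): a minimal "live identity
# data layer" that reconciles an entitlement register against observed authentication
# events. Record fields, names and sample values are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement register: what governance currently believes is true.
REGISTER = {
    "svc-billing": {"owner": "finance-platform", "allowed_callers": {"billing-api"}},
    "svc-etl":     {"owner": None,               "allowed_callers": {"airflow"}},
    "svc-legacy":  {"owner": "retired-team",     "allowed_callers": {"reporting"}},
}
# Constructed authentication events: (principal, calling system, ISO timestamp).
EVENTS = [
    ("svc-billing", "billing-api", "2024-05-01T10:00:00"),
    ("svc-billing", "ml-scoring",  "2024-05-20T02:14:00"),  # caller never certified
    ("svc-etl",     "airflow",     "2024-05-18T01:00:00"),
    ("svc-etl",     "airflow",     "2024-05-19T01:00:00"),
    ("svc-shadow",  "ci-runner",   "2024-05-19T03:30:00"),  # not in the register at all
]
NOW = datetime(2024, 5, 21)  # review date for the sample run

def reconcile(register, events, now, window_days=30):
    """Per identity: registered?, stale?, effective owner, and uncertified callers (drift)."""
    cutoff = now - timedelta(days=window_days)
    seen = defaultdict(lambda: defaultdict(int))
    for principal, caller, ts in events:
        if datetime.fromisoformat(ts) >= cutoff:  # only current evidence counts
            seen[principal][caller] += 1
    findings = {}
    for principal in sorted(register.keys() | seen.keys()):
        rec = register.get(principal, {"owner": None, "allowed_callers": set()})
        callers = seen.get(principal, {})
        inferred = max(callers, key=callers.get) if callers else None  # dominant caller
        findings[principal] = {
            "registered": principal in register,
            "stale": not callers,
            "owner": rec["owner"] or (f"inferred:{inferred}" if inferred else None),
            "drift": sorted(set(callers) - rec["allowed_callers"]),
        }
    return findings

def run_sample():
    """Run the reconciliation over the constructed register and events."""
    return reconcile(REGISTER, EVENTS, NOW)

if __name__ == "__main__":
    for principal, finding in run_sample().items():
        print(principal, finding)
```

Feeding the same function real entitlement exports and authentication telemetry turns a certification into a comparison of recorded state against observed state, which is the check the post argues quarterly reviews cannot make on their own.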
