Governance, Ownership & Risk

How should organisations decide how often to recertify access?

By NHI Mgmt Group Editorial Team Updated July 5, 2026 Domain: Governance, Ownership & Risk

Use business risk, access sensitivity, and change velocity to set cadence. High-risk systems, privileged accounts, and regulated environments usually need quarterly review, while lower-risk access can move to semi-annual or annual cycles. The right schedule is the one that catches drift before access becomes normalised through repetition.

Why This Matters for Security Teams

Recertification cadence is not just an audit checkbox. It is a control that determines how long access drift can persist before someone has to justify it. For non-human identities, especially service accounts, API keys, and automation tokens, stale access can remain invisible long after the original business need has changed. NHI Mgmt Group's Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, which makes delayed review a direct risk multiplier.

That is why fixed annual reviews are often too slow for privileged or high-change environments, while overly frequent review cycles can become performative and produce blind approval. The better question is whether the review interval matches the rate at which access can become unsafe. Guidance from the OWASP Non-Human Identity Top 10 reinforces that unmanaged identity sprawl and credential persistence are central failure modes, not edge cases.

In practice, many security teams encounter access creep only after an incident review reveals the entitlement had been left untouched for months, rather than through intentional recertification design.

How It Works in Practice

A useful recertification model starts with classification, not a universal calendar. Group access by business criticality, privilege level, data sensitivity, and change velocity. High-risk systems should be reviewed more often because their entitlement value and blast radius are both higher. Low-risk access can usually tolerate a longer cycle if it is tightly scoped and monitored.

For NHIs, the review process should ask whether the identity still exists for a live workload, whether its permissions still match the task, and whether the credential lifecycle is still aligned to the operating model. The 52 NHI Breaches Analysis is useful here because repeated compromise patterns often involve long-lived credentials and overlooked service access. That is why organisations should combine recertification with inventory hygiene, ownership tagging, and expiry data from the secrets platform or IAM system.

  • Quarterly review is a common baseline for privileged, production, regulated, or externally exposed access.
  • Semi-annual review is often suitable for stable internal access with limited blast radius.
  • Annual review can work for low-risk, low-change access if automated controls detect drift in between reviews.
  • Event-driven recertification should trigger on role change, application migration, vendor change, incident response, or anomalous usage.

Current guidance suggests the best cadence is the one that reflects how fast access can become stale, not how easy the review is to schedule. Teams should also distinguish human review from machine enforcement: access recertification can confirm business need, while policy and telemetry should continuously detect misuse. These controls tend to break down in environments with thousands of ephemeral service accounts, fragmented ownership, and no authoritative inventory because reviewers cannot reliably tell what still matters.

Common Variations and Edge Cases

Tighter review cadence often increases operational overhead, requiring organisations to balance risk reduction against reviewer fatigue and automation limits. That tradeoff matters most when access is short-lived, highly dynamic, or embedded in CI/CD pipelines. In those cases, best practice is evolving toward continuous control signals plus periodic attestation, rather than depending on manual recertification alone.

For contractor access, third-party integrations, and production break-glass accounts, cadence should usually be more aggressive than for ordinary internal access because ownership changes and business need can shift quickly. For long-lived machine identities, there is no universal standard for how often to recertify if the credential itself is rotated frequently and usage is tightly monitored, so many teams pair quarterly attestation with automated expiry, anomaly detection, and revocation on inactivity.

Different regulations also influence tolerance for delay, but they do not remove the need for risk-based judgment. The operational goal is to ensure review happens before access normalises through repetition, not after the organisation has learned to ignore it.
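The classification model above (quarterly / semi-annual / annual / event-driven tiers, plus inactivity revocation and the "no authoritative inventory" failure mode) can be expressed as a small scheduler. The following is an added example, not code from NHI Mgmt Group or any product: the NHI attribute names, the 90-day inactivity threshold, and the sample inventory are constructed assumptions chosen to exercise each tier.

```python
"""Risk-based recertification scheduler for non-human identities (NHIs).

Added example. The cadence rules follow the tiers in the text; the field
names, the 90-day inactivity window and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

QUARTERLY, SEMI_ANNUAL, ANNUAL = 90, 180, 365

# Events the text lists as triggers for out-of-cycle recertification.
EVENT_TRIGGERS = frozenset({
    "role_change", "application_migration", "vendor_change",
    "incident_response", "anomalous_usage",
})

# Access whose ownership or business need shifts quickly gets the tighter cadence.
HIGH_CHURN_KINDS = frozenset({"contractor", "third_party", "break_glass"})


@dataclass(frozen=True)
class NHI:
    name: str
    owner: Optional[str]        # None models fragmented or unknown ownership
    privileged: bool
    production: bool
    regulated: bool
    externally_exposed: bool
    kind: str                   # "internal", "contractor", "third_party", "break_glass"
    change_velocity: str        # "low", "medium", "high"
    drift_monitoring: bool      # automated controls detect drift between reviews
    last_certified: date
    last_used: date


def review_interval_days(nhi: NHI) -> int:
    """Map an identity's risk attributes to a review interval in days."""
    if (nhi.privileged or nhi.production or nhi.regulated
            or nhi.externally_exposed or nhi.kind in HIGH_CHURN_KINDS):
        return QUARTERLY
    # Annual cadence only when access is low-change AND drift is detected automatically.
    if nhi.change_velocity == "low" and nhi.drift_monitoring:
        return ANNUAL
    return SEMI_ANNUAL


def next_review_due(nhi: NHI) -> date:
    return nhi.last_certified + timedelta(days=review_interval_days(nhi))


def is_overdue(nhi: NHI, today: date) -> bool:
    return today > next_review_due(nhi)


def needs_event_recertification(events: set) -> bool:
    return bool(events & EVENT_TRIGGERS)


def inactivity_revocation_candidate(nhi: NHI, today: date, inactive_days: int = 90) -> bool:
    """Revocation on inactivity: no recorded use inside the window (assumed 90 days)."""
    return (today - nhi.last_used).days >= inactive_days


def triage(inventory: list, today: date, events: dict) -> dict:
    """Bucket each identity by the action the review process should take."""
    out = {"no_owner": [], "revoke_inactive": [], "recertify_event": [],
           "recertify_overdue": [], "ok": []}
    for nhi in inventory:
        if nhi.owner is None:
            out["no_owner"].append(nhi.name)   # reviewer cannot tell what still matters
        elif inactivity_revocation_candidate(nhi, today):
            out["revoke_inactive"].append(nhi.name)
        elif needs_event_recertification(events.get(nhi.name, set())):
            out["recertify_event"].append(nhi.name)
        elif is_overdue(nhi, today):
            out["recertify_overdue"].append(nhi.name)
        else:
            out["ok"].append(nhi.name)
    return out


# Constructed sample inventory; one identity per outcome.
TODAY = date(2026, 7, 5)
SAMPLE_INVENTORY = [
    NHI("svc-payments-prod", "team-payments", True, True, True, False, "internal", "medium", True,
        date(2026, 3, 1), date(2026, 7, 4)),    # quarterly tier, certified 126 days ago
    NHI("svc-wiki-bot", "team-docs", False, False, False, False, "internal", "low", True,
        date(2025, 9, 1), date(2026, 7, 1)),    # annual tier, still inside its cycle
    NHI("ci-deploy-token", "team-platform", False, True, False, False, "internal", "high", True,
        date(2026, 6, 1), date(2026, 7, 3)),    # inside cycle, but its application migrated
    NHI("vendor-sync-key", "team-integrations", False, False, False, True, "third_party", "low", False,
        date(2026, 5, 1), date(2026, 2, 1)),    # unused for 154 days
    NHI("legacy-report-svc", None, False, False, False, False, "internal", "low", False,
        date(2025, 1, 1), date(2026, 6, 30)),   # no owner on record
]
SAMPLE_EVENTS = {"ci-deploy-token": {"application_migration"}}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY, TODAY, SAMPLE_EVENTS).items():
        print(f"{bucket:18} {names}")
```

Ownership is checked first on purpose: an identity with no accountable owner cannot be meaningfully attested, so it is surfaced as an inventory defect rather than silently scheduled. Inactivity revocation runs before the cadence check so that a dormant credential is removed instead of being re-approved out of habit.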

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Maps to credential lifecycle review and rotation discipline. |
| NIST CSF 2.0 | PR.AC-1 | Access authorisation should reflect business need and least privilege. |
| NIST AI RMF | GOVERN | Governance requires defined accountability for access oversight decisions. |

Set recertification cadence by NHI risk and revoke stale access before credentials age into routine exposure.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 5, 2026.