When recurring certification is missing, stale access stays active, temporary permissions become permanent, and dormant accounts keep their original entitlements. The result is an environment where reviewers no longer know who truly needs what, and attackers or insiders can exploit excess access that should have been removed long ago.
Why This Matters for Security Teams
Recurring access certification is the control that keeps access decisions tied to current business need. When it is skipped, reviewers lose the chance to catch permissions that outlived the project, role, or account that justified them. That is especially dangerous for NHIs, where service accounts, API keys, and automation tokens often accumulate entitlements quietly across systems. NHI Mgmt Group notes that 97% of NHIs carry excessive privileges, which makes overdue review more than an admin issue; it becomes a standing exposure problem. See the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10 for the broader control context.
The practical failure is not just excess access. It is also false confidence. Once review cycles lapse, access records stop matching reality, and teams begin approving based on old assumptions instead of current use. That weakens least privilege, complicates offboarding, and makes incident response slower because no one can quickly tell whether a credential should still work. In practice, many security teams encounter privilege creep only after a breach review or audit finding, rather than through intentional certification.
How It Works in Practice
Recurring certification is meant to force an explicit revalidation loop. Each cycle asks a simple question: does this identity still need this access, and if so, why? For humans, that may cover app entitlements, group membership, and privileged roles. For NHIs, it should include service accounts, machine tokens, secrets, CI/CD access, and third-party integrations that often persist long after the original owner changes. The control works best when it is tied to inventory, ownership, and expiry dates, not just a spreadsheet review.
In operational terms, strong certification programs do three things: they identify the owner, confirm the current business purpose, and remove anything that cannot be justified. Where access is temporary, certification should reinforce JIT access and short-lived credentials rather than allowing long-lived permissions to remain in place. That is why access review pairs naturally with lifecycle controls such as rotation, revocation, and offboarding. The Ultimate Guide to NHIs — Key Challenges and Risks shows how quickly stale secrets and excessive entitlements become systemic, while guidance from NIST SP 800-207 Zero Trust Architecture supports continuous verification rather than one-time trust.
- Certify access on a fixed cadence based on risk, not convenience.
- Require named owners for every NHI and every privileged group.
- Remove access that lacks a current business justification.
- Revoke dormant or expired credentials immediately after review.
- Track exceptions separately so they do not become permanent by default.
Where this breaks down is in environments with thousands of unmanaged NHIs, weak inventory, or unclear application ownership, because reviewers cannot certify what they cannot reliably attribute.
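The certification loop above (named owner, current purpose, expiry, dormancy, separately tracked exceptions, risk-based cadence) as an added worked example; this is illustrative code, not tooling from NHI Mgmt Group, and the inventory records, field names and thresholds are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_DAYS = 90          # assumption: unused this long counts as dormant
TODAY = date(2026, 6, 1)   # constructed review date


@dataclass
class Nhi:
    """One non-human identity record; schema is an assumption, not a product format."""
    name: str
    kind: str                   # service_account, api_key, ci_token, vendor_integration
    owner: Optional[str]        # None means orphaned: nobody can re-justify it
    privileged: bool            # admin role or production write access
    last_used: Optional[date]
    expires: Optional[date]
    justification: str          # current business purpose; empty if none recorded
    exception: bool = False     # approved exception, tracked separately each cycle


def certify(nhi: Nhi, today: date) -> tuple:
    """Return (decision, reason); decision is 'revoke', 'exception' or 'keep'."""
    if nhi.owner is None:
        return "revoke", "no named owner"
    if nhi.expires is not None and nhi.expires < today:
        return "revoke", "credential expired"
    if nhi.last_used is None or (today - nhi.last_used).days > DORMANT_DAYS:
        return "revoke", f"dormant for more than {DORMANT_DAYS} days"
    if not nhi.justification.strip():
        return "revoke", "no current business justification"
    if nhi.exception:   # never silently kept: it must be re-justified next cycle
        return "exception", "exception tracked separately; re-justify next cycle"
    return "keep", "owner, purpose and recent use confirmed"


def next_review(nhi: Nhi, today: date) -> date:
    """Risk-based cadence: privileged NHIs every 30 days, others every 90 (assumed values)."""
    return today + timedelta(days=30 if nhi.privileged else 90)


def run_cycle(inventory: list, today: date) -> dict:
    """Group every NHI in the inventory by certification decision."""
    report = {"revoke": [], "exception": [], "keep": []}
    for nhi in inventory:
        report[certify(nhi, today)[0]].append(nhi.name)
    return report


SAMPLE = [  # constructed inventory covering each failure mode in the text
    Nhi("ci-deploy-token", "ci_token", "platform-team", True, date(2026, 5, 30), date(2026, 12, 31), "deploys prod via pipeline"),
    Nhi("legacy-etl-svc", "service_account", None, True, date(2026, 5, 20), None, "nightly ETL"),
    Nhi("vendor-sync-key", "api_key", "data-team", False, date(2026, 1, 10), date(2027, 1, 1), "vendor catalogue sync"),
    Nhi("shared-admin-key", "api_key", "ops-team", True, date(2026, 5, 29), date(2026, 5, 15), "break-glass access"),
    Nhi("report-bot", "service_account", "finance", False, date(2026, 5, 31), date(2026, 9, 1), ""),
    Nhi("migration-svc", "service_account", "app-team", True, date(2026, 5, 31), date(2026, 7, 1), "temporary migration", exception=True),
]
```

Running `run_cycle(SAMPLE, TODAY)` revokes the orphaned, expired, dormant and unjustified records, keeps only the CI token, and lists the migration account under exceptions so it is re-justified rather than quietly becoming permanent.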
Common Variations and Edge Cases
Tighter certification often increases operational overhead, requiring organisations to balance control quality against reviewer fatigue and service uptime. That tradeoff is real, especially when access spans cloud, SaaS, CI/CD, and legacy systems. Best practice is evolving, but current guidance suggests that high-risk access should be reviewed more often than low-risk access, and that automated evidence should replace manual checks wherever possible. The strongest programs treat certification as a signal to remediate, not as a paper exercise.
Edge cases usually appear where ownership is diffuse. Shared service accounts, vendor-managed integrations, and agentic workloads can all be hard to certify because no single team feels accountable. In those cases, recurring certification should be paired with better identity design, including workload identity, scoped delegation, and explicit expiration. The 52 NHI Breaches Analysis and the Sisense breach illustrate how unattended access and poor lifecycle discipline can create large blast radii.
There is no universal standard for certification frequency yet, but the consistent principle is clear: if a permission cannot be re-justified, it should not remain active. In mature environments, certification becomes one part of a broader access governance loop that includes detection, rotation, and timely revocation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Recurring review is needed to catch stale NHI privileges and orphaned access. |
| NIST CSF 2.0 | PR.AC-4 | Access rights must be managed and reviewed to preserve least privilege. |
| NIST CSF 2.0 | PR.DS-1 | Stale access often exposes data through unused but still valid credentials. |
Certify NHI access on a schedule and revoke any entitlement without a current business owner.
Reviewed and updated by the NHIMG editorial team on June 20, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org