Periodic certification breaks down when access changes, interdependencies, and runtime use evolve faster than the review cycle. A system can look compliant on paper while the actual process path remains risky because entitlement combinations have shifted elsewhere. Teams end up confirming stale states instead of managing current exposure.
Why Periodic Certification Alone Leaves Exposure Behind
Periodic access certification is useful for audit evidence, but it is a weak control for live non-human identity (NHI) risk. Certification answers whether an entitlement looked acceptable on the review date, not whether the entitlement is still safe after downstream changes, token reuse, workload drift, or new tool chaining. That gap is why teams can pass a review and still carry active exposure. NHI risk is also hard to see at scale: the Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which means many reviews are built on incomplete inventories. The practical issue is not just overprivilege, but stale trust in a system where machine identities often change faster than governance cycles. OWASP also treats identity lifecycle weaknesses as a core non-human identity failure mode in the OWASP Non-Human Identity Top 10. In practice, many security teams discover exposure only after an incident, when a clean certification record has been used to justify a control that no longer reflects runtime reality.
How the Control Fails at Runtime
Certification breaks down because access is usually reviewed as a snapshot, while risk behaves like a moving system. A service account can remain approved even after its secret is copied into code, its role expands through a new CI/CD path, or its permissions become dangerous in combination with another workload identity. That is why NHI governance needs continuous visibility, not just periodic attestation. The Ultimate Guide to NHIs — Key Challenges and Risks shows how unmanaged identity sprawl and weak rotation practices create durable exposure. In parallel, the 52 NHI Breaches Analysis is useful because it reflects a repeated pattern: compromised machine credentials tend to be discovered after they have already been used for lateral movement or privileged access.
Practitioners usually need three control layers working together:
- continuous inventory and ownership of every NHI, so reviews are not based on stale records
- runtime detection of credential use, privilege change, and unusual access paths
- automated removal or reduction of standing access when usage no longer matches purpose
This is where guidance from OWASP Non-Human Identity Top 10 aligns with operational reality: entitlement review is necessary, but it must be paired with rotation, revocation, and policy enforcement at the point of use. These controls tend to break down in fast-moving CI/CD environments because access is often granted through templates, reused secrets, and automated pipelines that change faster than the certification cadence.
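The three layers above can be exercised together in a small continuous-governance check. The following is an added example, not code from the article or from NHI Mgmt Group: it takes the last certification snapshot (inventory and ownership), runs runtime credential-use events against it (detection of source drift, scope drift, idle standing access and identities the review never saw), and emits the removal or rotation action each finding warrants. The identity names, owners, hosts, scopes, log lines and the 30-day idle window are all constructed.

```python
"""
Added example, not code from the NHI Mgmt Group article: compare a periodic
certification snapshot of non-human identities against runtime credential-use
events, and flag approvals that no longer describe present-day access.
The inventory records, log lines, owner names and thresholds are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certification:
    nhi: str
    owner: str                   # "unknown" models a record with no accountable owner
    approved_scopes: frozenset   # entitlements the reviewer signed off on
    approved_sources: frozenset  # hosts/runners the secret is expected to be used from
    purpose: str


# Constructed certification snapshot, as of the last review date.
INVENTORY = {
    "svc-deploy": Certification("svc-deploy", "platform-team", frozenset({"deploy:write"}),
                                frozenset({"ci-runner-1"}), "deploy application"),
    "svc-report": Certification("svc-report", "finance-team", frozenset({"reports:read"}),
                                frozenset({"batch-host-1"}), "nightly report"),
    "svc-legacy": Certification("svc-legacy", "unknown", frozenset({"db:admin"}),
                                frozenset({"app-host-9"}), "one-off migration"),
}

# Constructed credential-use audit events (JSON lines) emitted after the review.
RUNTIME_LOG = """
{"ts": "2026-04-02T01:00:00Z", "nhi": "svc-deploy", "source": "ci-runner-1", "scope": "deploy:write"}
{"ts": "2026-04-03T01:00:00Z", "nhi": "svc-deploy", "source": "dev-laptop-7", "scope": "deploy:write"}
{"ts": "2026-04-05T02:00:00Z", "nhi": "svc-deploy", "source": "ci-runner-1", "scope": "iam:assume_role"}
{"ts": "2026-04-06T03:00:00Z", "nhi": "svc-report", "source": "batch-host-1", "scope": "reports:read"}
{"ts": "2026-04-07T03:00:00Z", "nhi": "svc-shadow", "source": "app-host-2", "scope": "storage:write"}
"""

NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)   # constructed evaluation time


def parse_events(log_text):
    """Parse JSON-lines audit records into dicts with a timezone-aware timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def recommend(findings):
    """Map findings to the action a continuous-governance loop would take."""
    if any(f.startswith(("scope drift", "source drift", "uninventoried")) for f in findings):
        return "rotate secret and revoke standing access pending re-approval"
    if any(f.startswith(("idle", "no accountable owner")) for f in findings):
        return "remove or downscope; certification no longer justified by use"
    return "keep; usage matches certified purpose"


def assess(inventory, events, now, idle_after=timedelta(days=30)):
    """Return {nhi: (findings, recommendation)} for every certified or observed identity."""
    findings = {nhi: [] for nhi in inventory}
    last_seen = {}
    for ev in events:
        cert = inventory.get(ev["nhi"])
        if cert is None:
            # Credential use by an identity the review never saw: the inventory is stale.
            findings.setdefault(ev["nhi"], []).append("uninventoried: no certification record")
            continue
        last_seen[ev["nhi"]] = max(last_seen.get(ev["nhi"], ev["ts"]), ev["ts"])
        if ev["source"] not in cert.approved_sources:
            findings[ev["nhi"]].append(f"source drift: used from {ev['source']}")
        if ev["scope"] not in cert.approved_scopes:
            findings[ev["nhi"]].append(f"scope drift: used {ev['scope']} outside approval")
    for nhi, cert in inventory.items():
        if cert.owner == "unknown":
            findings[nhi].append("no accountable owner")
        seen = last_seen.get(nhi)
        if seen is None or now - seen > idle_after:
            findings[nhi].append("idle: standing access unused within the idle window")
    return {nhi: (fs, recommend(fs)) for nhi, fs in findings.items()}


def run_sample():
    return assess(INVENTORY, parse_events(RUNTIME_LOG), NOW)


if __name__ == "__main__":
    for nhi, (fs, action) in run_sample().items():
        print(f"{nhi}: {action}")
        for f in fs:
            print(f"    - {f}")
```

Running it shows why a clean review record is not the same as low exposure: svc-deploy was approved and is still in use, yet its secret has been used from a developer laptop and for a scope nobody certified; svc-legacy has an approval but no owner and no use; svc-shadow is in use with no certification record at all. Only svc-report matches what the reviewer signed off on.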
Where Periodic Review Still Helps, and Where It Does Not
Tighter certification often increases operational overhead, requiring organisations to balance audit confidence against response speed. That tradeoff matters because periodic review still has value for accountability, attestation, and backlog reduction, but it is not a substitute for live controls. Current guidance suggests treating certification as one input to an access governance program, not the mechanism that keeps exposure low.
The main exception is low-change environments with stable service ownership and very limited entitlements. Even there, reviews should be paired with short-lived secrets, rotation rules, and clear revocation triggers. The Sisense breach is a reminder that exposed machine credentials can become a material incident long after they were originally issued. The NHI lifecycle view in the Ultimate Guide to NHIs also supports the same operational lesson: good governance requires discovery, ownership, rotation, and offboarding together, not as isolated tasks. Where teams rely on certification alone, the weakest point is usually not the review process itself, but the assumption that a past approval still describes present-day access.
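Pairing review with short-lived secrets, rotation rules and revocation triggers means the decision moves to the point of use. The following is an added example, not code from the article or from NHI Mgmt Group: a request-time policy check that treats the last certification as one input and re-evaluates every credential request against revocation triggers, ownership, secret age and certified scope, issuing only a short-lived grant that never outlives the next rotation deadline. The identity records, the `secret_in_repo` trigger name, the 30-day rotation rule and the 15-minute grant limit are constructed policy values.

```python
"""
Added example, not code from the NHI Mgmt Group article: a request-time policy
check for a non-human identity. A past certification is only one input; each
credential request is re-evaluated against revocation triggers, ownership,
secret age and certified scope, and any grant is short-lived.
Identity records, trigger names and policy values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class NhiRecord:
    name: str
    owner_active: bool                 # False once the owning team or person is offboarded
    certified_scopes: frozenset        # what the last review approved
    secret_issued_at: datetime
    max_secret_age: timedelta          # rotation rule for this identity
    revocation_triggers: set = field(default_factory=set)  # e.g. {"secret_in_repo"}


@dataclass
class Decision:
    allow: bool
    reason: str
    ttl: Optional[timedelta] = None    # lifetime of the short-lived credential, if granted


MAX_GRANT_TTL = timedelta(minutes=15)  # constructed policy: no grant lives longer than this


def evaluate_request(rec, requested_scope, now, max_ttl=MAX_GRANT_TTL):
    """Decide a credential request at point of use rather than from the review record."""
    # 1. A revocation trigger overrides any earlier approval.
    if rec.revocation_triggers:
        return Decision(False, "revoked: " + ", ".join(sorted(rec.revocation_triggers)))
    # 2. No accountable owner means no standing trust until reassigned.
    if not rec.owner_active:
        return Decision(False, "no active owner; offboard or reassign before use")
    # 3. Rotation rule: a secret past its maximum age is refused even if certified.
    age = now - rec.secret_issued_at
    if age > rec.max_secret_age:
        return Decision(False, f"secret age {age.days}d exceeds rotation limit of {rec.max_secret_age.days}d")
    # 4. The requested scope must still match the certified purpose.
    if requested_scope not in rec.certified_scopes:
        return Decision(False, f"scope {requested_scope} not certified")
    # 5. The grant is short-lived and never outlives the next rotation deadline.
    return Decision(True, "granted", ttl=min(max_ttl, rec.max_secret_age - age))


NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)   # constructed evaluation time
THIRTY_DAYS = timedelta(days=30)

# Constructed identity records covering the normal case and each failure mode.
RECORDS = {
    "deploy": NhiRecord("svc-deploy", True, frozenset({"deploy:write"}),
                        datetime(2026, 5, 20, tzinfo=timezone.utc), THIRTY_DAYS),
    "stale": NhiRecord("svc-stale", True, frozenset({"reports:read"}),
                       datetime(2026, 3, 1, tzinfo=timezone.utc), THIRTY_DAYS),
    "leaked": NhiRecord("svc-leaked", True, frozenset({"db:read"}),
                        datetime(2026, 5, 25, tzinfo=timezone.utc), THIRTY_DAYS, {"secret_in_repo"}),
    "orphan": NhiRecord("svc-orphan", False, frozenset({"queue:consume"}),
                        datetime(2026, 5, 25, tzinfo=timezone.utc), THIRTY_DAYS),
    "near_rotation": NhiRecord("svc-batch", True, frozenset({"batch:run"}),
                               datetime(2026, 5, 2, 0, 5, tzinfo=timezone.utc), THIRTY_DAYS),
}


def run_sample():
    """Evaluate one in-scope request per record, plus an out-of-scope request for svc-deploy."""
    results = {key: evaluate_request(rec, next(iter(rec.certified_scopes)), NOW)
               for key, rec in RECORDS.items()}
    results["wrong_scope"] = evaluate_request(RECORDS["deploy"], "iam:assume_role", NOW)
    return results


if __name__ == "__main__":
    for key, d in run_sample().items():
        print(f"{key}: allow={d.allow} ttl={d.ttl} ({d.reason})")
```

The ordering of the checks is the design point: a revocation trigger or a missing owner is decided before any approval is consulted, so a certification that was valid on the review date cannot keep an exposed or orphaned identity alive. The `near_rotation` case shows the TTL being cut from the 15-minute policy limit to the 5 minutes left before rotation is due.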
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Periodic review misses stale and overprivileged machine access. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must reflect current use, not old approvals. |
| NIST Zero Trust (SP 800-207) | 4.1 | Zero Trust requires ongoing verification instead of periodic trust. |
Reassess machine identity access at request time and revoke standing trust.
Related resources from NHI Mgmt Group
- How should security teams run access reviews for non-human identities?
- How should security teams govern non-human identities that have persistent access?
- How should security teams govern API keys used for generative AI access?
- How should security teams implement independent evidence for Oracle ERP access reviews?
Reviewed and updated by the NHIMG editorial team on June 2, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org