
What do security teams get wrong about recertification?

By NHI Mgmt Group Editorial Team · Updated July 5, 2026 · Domain: Governance, Ownership & Risk

They often treat recertification as a compliance event instead of a living governance process. That leads to checkbox approvals, outdated evidence, and unresolved violations carrying forward. A strong programme measures what changed, who reviewed it, and whether remediation actually closed the loop.

Why This Matters for Security Teams

Recertification becomes ineffective when teams treat it as a periodic approval exercise instead of a control that should reflect current access, current ownership, and current business need. That mistake is especially damaging for NHIs because machine accounts, API keys, and service identities can retain access long after the original use case has changed. Current guidance from the NIST Cybersecurity Framework 2.0 supports ongoing governance, not stale sign-off cycles.

The real issue is that recertification often asks the wrong question: “Who can approve this?” rather than “What has changed since the last review?” That leads to checkbox approvals, inherited privileges, and unresolved violations staying in place until the next audit. For NHIs, that gap is dangerous because access is often embedded in code, pipelines, and integrations rather than a user directory. The Ultimate Guide to NHIs — What are Non-Human Identities shows how broad and persistent this exposure can be across modern environments.

In practice, many security teams discover broken recertification only after an access review has already been “completed” multiple times without removing any real risk.

How It Works in Practice

Effective recertification should be built as a living workflow with evidence, remediation, and enforcement tied together. That means the review is not complete when a manager clicks approve. It is complete only when the identity state, entitlements, and exception handling are updated across the systems that actually grant access.

For NHI governance, that usually includes service accounts, OAuth grants, API keys, secrets vault entries, and automation identities. Teams should verify three things at each review cycle: whether the identity is still needed, whether the scope still matches the current workload, and whether any prior exceptions were actually closed. The review should also record who validated the decision and what evidence supported it. This is consistent with the governance direction in NIST Cybersecurity Framework 2.0, which emphasizes continuous risk management rather than isolated events.

  • Compare current entitlements to last review evidence, not to an assumed baseline.
  • Require an explicit disposition for each identity: retain, reduce, rotate, or revoke.
  • Link recertification to remediation tickets so unresolved findings cannot disappear into audit notes.
  • Use ownership records that identify both the technical owner and the business approver.
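
The review cycle described above (compare against last-cycle evidence, force an explicit retain/reduce/rotate/revoke disposition, and refuse to close while prior findings are open) as an added worked example, not code from the NHI Management Group. The field names, the 90-day idle and 180-day credential-age thresholds, and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

UNUSED_DAYS, MAX_CRED_AGE_DAYS = 90, 180  # assumed policy thresholds, not taken from the page

@dataclass(frozen=True)
class NhiReview:
    identity: str
    owner_active: bool                  # technical owner still maintains the workload
    approver: str                       # business approver recorded with the decision
    last_review_scopes: frozenset       # entitlements recorded as evidence last cycle
    current_scopes: frozenset           # entitlements the granting system reports now
    used_scopes: frozenset              # scopes actually exercised since last review (from logs)
    last_used: Optional[date]
    credential_issued: date
    open_tickets: tuple = ()            # remediation tickets from prior findings still open
    exception_expires: Optional[date] = None  # temporary exception, if one was granted

def recertify(r: NhiReview, today: date) -> dict:
    findings = []  # anything here must carry into a ticket, not an audit note
    if grown := r.current_scopes - r.last_review_scopes:
        findings.append(f"scope grew since last review: {sorted(grown)}")
    if r.exception_expires and r.exception_expires < today:
        findings.append("exception past expiry: treat as failed control")
    if r.open_tickets:
        findings.append(f"prior remediation still open: {list(r.open_tickets)}")
    if r.last_used is None or (today - r.last_used).days > UNUSED_DAYS or not r.owner_active:
        disposition = "revoke"                  # no longer used, or nobody accountable for it
    elif r.used_scopes < r.current_scopes:      # granted more than it actually exercises
        disposition = "reduce"
    elif (today - r.credential_issued).days > MAX_CRED_AGE_DAYS:
        disposition = "rotate"
    else:
        disposition = "retain"
    # The review is closed only when nothing remains to remediate; an approval click is not enough.
    return {"identity": r.identity, "approver": r.approver, "disposition": disposition,
            "findings": findings, "closed": disposition == "retain" and not findings}

SAMPLE = [  # constructed records, not real identities
    NhiReview("svc-deploy-prod", True, "platform-lead", frozenset({"deploy"}),
              frozenset({"deploy", "secrets:read"}), frozenset({"deploy"}), date(2026, 6, 30), date(2026, 1, 10)),
    NhiReview("svc-legacy-export", False, "data-lead", frozenset({"s3:read"}), frozenset({"s3:read"}),
              frozenset(), date(2026, 1, 5), date(2025, 6, 1), open_tickets=("SEC-1042",)),
    NhiReview("ci-runner-token", True, "eng-lead", frozenset({"repo:read"}), frozenset({"repo:read"}),
              frozenset({"repo:read"}), date(2026, 7, 1), date(2025, 11, 1), exception_expires=date(2026, 6, 1)),
]

def run_sample(today: date = date(2026, 7, 5)) -> dict:
    return {rec.identity: recertify(rec, today) for rec in SAMPLE}
```

Each result carries the approver and the findings list, so the output can be attached to a remediation ticket rather than an audit note; `closed` is only true for a retained identity with nothing outstanding.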

Where this becomes practical is in high-change environments such as CI/CD pipelines, third-party integrations, and shared platform accounts. There, a quarterly review can already be obsolete by the time it is signed. In its research on NHIs, the NHI Management Group has documented how delayed remediation leaves secrets valid long after notification, which is why closed-loop enforcement matters more than approval volume. These controls tend to break down when recertification is run from spreadsheets disconnected from vaults, identity providers, and ticketing systems, because then the approval never changes the underlying access.

Common Variations and Edge Cases

Tighter recertification often increases operational overhead, requiring organisations to balance governance depth against reviewer fatigue and system complexity. That tradeoff is real, especially when thousands of NHIs must be reviewed across cloud, SaaS, and internal automation platforms.

Best practice is evolving, but current guidance suggests different review cadences based on risk, not a single blanket schedule. High-risk identities, production secrets, and externally exposed integrations may need more frequent validation than low-impact internal automations. Exception handling also needs special care: temporary approvals should expire automatically, and stale exceptions should be treated as failed controls, not paperwork.

One common edge case is delegated ownership. If a service account is “owned” by a team that no longer maintains the workload, recertification will pass the review but fail the control. Another is shared infrastructure identities, where no single person feels accountable enough to revoke access. In those environments, the stronger question is whether the identity itself should exist at all. The Sisense breach is a useful reminder that third-party and machine access can create exposure when governance does not keep pace with reality.

For teams building a programme from scratch, the practical standard is simple: recertification should prove that access is still justified, still monitored, and still remediated when it is not.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers stale non-human credentials and weak lifecycle review. |
| NIST CSF 2.0 | PR.AC-4 | Access review must enforce least privilege, not just approval. |
| NIST AI RMF | GOVERN | Governance requires ongoing accountability for changing access risk. |

Define review ownership, evidence, and remediation tracking as living governance controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 5, 2026.