Identity teams should recertify access whenever a lending, payments, insurance, or customer-experience workflow changes in substance. That includes new automation, new data sharing, or a new AI-assisted decision path. Access that was correct for the old process may be over-privileged or irrelevant once the workflow is redesigned.
Why This Matters for Security Teams
In a banking transformation programme, recertification is not a calendar exercise. It is a control check that must follow the business design. When lending, payments, insurance, or customer-experience workflows change, the supporting identities, service accounts, API keys, and entitlements often change in meaning even if the technical systems look familiar. That is especially true when automation or AI-assisted decision paths are introduced, because access can expand beyond the original human approval model.
The practical risk is that old entitlements survive into the new operating model. A reviewer may see a familiar application name and miss that a downstream service can now read more customer data, trigger payments, or call another system through an agentic workflow. Current guidance from the OWASP Non-Human Identity Top 10 is clear that non-human access must be governed as a lifecycle issue, not just an initial provisioning issue. NHI Mgmt Group also notes that the majority of organisations still struggle with NHI visibility and rotation, which makes change-driven recertification even more important.
In practice, many security teams encounter excessive access only after a workflow migration, vendor replacement, or AI pilot has already altered the control environment.
How It Works in Practice
The most reliable trigger is a substantive change in business process, not a quarterly review date. If a programme changes the underwriting flow, introduces straight-through processing, adds a chatbot that can initiate account actions, or shifts customer data into a new analytics path, identity teams should recertify every access path that supports that workflow. That includes human roles, but also NHI credentials, integration accounts, secrets, and any agent or automation that can act on behalf of the business.
In practical terms, the review should start with the new process map and then trace every permission needed end to end. Teams should validate:
- Which systems now receive, store, or transform regulated data
- Which service accounts, API keys, and certificates support those systems
- Whether new approvals, write actions, or export paths were added
- Whether privileged access can be reduced, split, or made time-bound
- Whether new automation requires separate identity, logging, and owner assignment
This aligns with the broader lifecycle view in the Top 10 NHI Issues, where stale access and weak rotation are recurring failure points. For implementation, many banks now pair recertification with workload identity, short-lived credentials, and policy checks at request time rather than relying only on static RBAC. That approach is consistent with the NIST AI Risk Management Framework emphasis on governance and measurement, and with the operational direction in OWASP guidance.
For transformation programmes, the safest rule is simple: if the workflow’s purpose, data scope, or decision authority changed, the access model must be recertified before go-live or immediately after controlled cutover. These controls tend to break down when recertification is treated as a periodic audit task in fast-moving programmes with shared platform teams and overlapping change windows.
Common Variations and Edge Cases
Tighter recertification often increases delivery overhead, requiring organisations to balance speed against assurance. That tradeoff becomes visible in banking transformation when multiple releases are grouped together, or when a new platform inherits hundreds of legacy entitlements from the old one.
Best practice is evolving for AI-assisted workflows. There is no universal standard for exactly how often an agent’s access should be recertified, but current guidance suggests recertifying whenever the agent’s toolset, prompt scope, decision threshold, or data domain changes. A customer-service copilot that can draft responses is one thing; a copilot that can approve refunds or update customer records is materially different. The access review should reflect that difference, even if the underlying application account is unchanged.
Edge cases matter in outsourced or shared-service banking models. A vendor-run platform may hide the real identity boundary, so the team should validate the actual workload identities and secrets, not just the contract owner. Likewise, emergency access or temporary migration permissions should be reviewed as soon as the cutover task is complete. NHI Mgmt Group’s 52 NHI Breaches Analysis shows why stale machine access is rarely benign once transformation work goes live.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Change-driven recertification helps prevent stale NHI privileges after workflow redesign. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed and reviewed as systems and data flows change. |
| NIST AI RMF | AI-assisted decision paths require governance when access scope or autonomy changes. |
Tie access reviews to workflow change approvals and remove unneeded privileges before cutover.
Related resources from NHI Mgmt Group
- How should security teams govern identity access across Entra and other platforms?
- Who is accountable for access when a vendor supports a transformation programme?
- How should security teams reduce privileged access risk in banking operations?
- How should security teams run access reviews for non-human identities?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org