Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Who should be accountable when certification models fail…
Governance, Ownership & Risk

Who should be accountable when certification models fail to remove risky access?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

Accountability should sit with the identity governance owner and the business leaders who approve the review design, because the problem is usually structural. If the model buries high-risk access inside low-risk noise, responsibility is not just with reviewers. It belongs to the programme that chose the certification architecture.

Why This Matters for Security Teams

When certification models fail, the issue is usually not that reviewers are careless. The deeper problem is that the access review design can hide risk behind broad roles, stale entitlements, and exception sprawl. That turns certification into a checkbox exercise instead of a control that actually reduces exposure. In NHI programmes, this is especially dangerous because secrets, tokens, and service accounts often look operationally routine until they are abused.

Security teams should treat review failure as a governance and architecture problem, not a reviewer problem. The control owner has to ask whether the certification model can actually surface privileged access, long-lived secrets, and dormant NHI paths before approval is granted. NHIMG guidance on Ultimate Guide to NHIs — Key Challenges and Risks is useful here, because it frames why non-human access tends to accumulate faster than teams can manually inspect it. The same concern shows up in the OWASP Non-Human Identity Top 10, where weak lifecycle control and over-privilege are treated as structural risks.

In practice, many security teams encounter risky access only after an incident review exposes what the certification process missed, rather than through intentional detection.

How It Works in Practice

Accountability should follow control design, not just reviewer clicks. The identity governance owner is accountable for whether the certification workflow is capable of identifying risky access at all, while business leaders are accountable for approving the risk model, remediation thresholds, and exception handling rules. Reviewers can only validate what the model surfaces. If the model groups high-risk and low-risk access together, or relies on static role labels that do not reflect real usage, the failure sits upstream.

In mature programmes, the review design should map entitlements by actual risk signals: privileged actions, access to secrets, dormant accounts, unusual service-to-service pathways, and NHI ownership gaps. The NIST Cybersecurity Framework 2.0 supports this by emphasizing governance, risk management, and access control outcomes rather than compliance theatre. For NHI-heavy environments, this must also align with what NHIMG calls out in Top 10 NHI Issues, where ownership gaps and credential sprawl repeatedly undermine clean certification outcomes.

  • Define who owns the certification design, not just who signs off on the report.
  • Separate low-risk access from privileged and secret-bearing access so reviewers can actually see the difference.
  • Track remediation completion, not only review completion, because a passed certification does not equal reduced risk.
  • Escalate any model that depends on manual reviewers to identify hidden privilege inside noisy entitlements.

At a minimum, the accountable parties should be able to explain why the review model would catch risky access before the next cycle begins. These controls tend to break down when entitlement data is fragmented across systems and no single owner can reconcile human, service, and application access in time.

Common Variations and Edge Cases

Tighter certification controls often increase operational overhead, requiring organisations to balance reviewer workload against risk reduction. That tradeoff becomes visible in large NHI estates, where service accounts, API keys, and machine-to-machine tokens do not fit neatly into human-centric recertification templates. Current guidance suggests that this is not a reason to dilute accountability; it is a reason to redesign the model.

There is no universal standard for this yet, but best practice is evolving toward risk-tiered certifications, automated evidence, and clearer exception ownership. If a business unit insists on broad, inherited access models, that unit should also own the acceptance of missed-risk outcomes. If the identity team chooses to compress many entitlements into a single review item, the identity function owns the resulting blindness. NHIMG’s 52 NHI Breaches Analysis is a useful reminder that compromised non-human access is rarely a one-off control miss; it is usually the result of repeated governance failure.

Where automation is available, the review process should move toward continuous entitlement analysis rather than periodic human sign-off alone. Where automation is not available, the accountable owner must be explicit about residual risk, because a certification process that cannot detect hidden privilege should never be treated as proof of control effectiveness.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Risky access often persists because NHI credentials are not governed across their lifecycle.
NIST CSF 2.0PR.AC-4Access permissions must be reviewed in a way that exposes excessive or stale entitlements.
NIST AI RMFAI RMF governance maps to accountability for risk decisions and review design outcomes.

Assign ownership for NHI credential lifecycle checks and require remediation when cert reviews miss privileged access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org