Because authentication strength does not limit what an account can do after login. A valid certificate can still unlock excessive or outdated entitlements if authorisation is not reviewed separately. Access reviews help ensure that certificate holders retain only the applications and privileges required for their current role.
Why This Matters for Security Teams
Certificate-based login proves that a device, workload, or service can authenticate, but it does not prove that its access is still appropriate. That gap matters because authorisation drift is common in long-lived machine accounts, service principals, and automated jobs. NHI Management Group’s Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges, which is exactly why authentication reviews and access reviews solve different problems. The OWASP Non-Human Identity Top 10 also treats privilege sprawl as a core control gap, not a minor hygiene issue.
Security teams often assume strong certificates reduce review requirements, but certificates only answer “who or what is this?” and not “should it still have this access?” That distinction becomes critical when service accounts are reused across apps, roles change without cleanup, or certificate holders retain permissions from past projects. In practice, many security teams encounter over-privileged certificate-backed accounts only after a compromise, an audit exception, or a failed offboarding process has already exposed the gap.
How It Works in Practice
Access reviews should be applied to certificate-backed identities with the same discipline as human accounts, but with controls tailored to the machine identity lifecycle. The review target is not the certificate alone. It is the entitlements, trust relationships, application scopes, and administrative rights that certificate validation unlocks. This is consistent with NHI governance guidance in the NHI Lifecycle Management Guide, which emphasises visibility, ownership, and timely revocation.
Practically, a useful review process includes:
- Mapping each certificate to a named owner, workload, or service function.
- Checking whether the certificate still supports an active business or technical need.
- Verifying that entitlements match the current role, environment, and data sensitivity.
- Removing stale permissions, especially broad admin rights and cross-environment access.
- Aligning certificate renewal with entitlement recertification, not just expiry management.
For machine identities, this review should also consider where the certificate is used, how often it is used, and whether the workload can move to shorter-lived credentials or workload identity patterns. NHI Mgmt Group research reports that only 38% of organisations have automated certificate lifecycle management in place, which helps explain why manual review remains necessary even in mature environments. The key operational point is that login assurance and privilege assurance must be governed separately. That is also why standards bodies and practitioners increasingly connect identity review to Zero Trust thinking, including the NIST Zero Trust Architecture model, which evaluates trust continuously rather than assuming a one-time authenticated session is enough.
These controls tend to break down in high-churn CI/CD environments where certificates are embedded in pipelines, ownership is unclear, and access changes faster than review cycles can keep up.
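The five-point review process above, together with the usage considerations that follow it, can be turned into a repeatable check. The script below is an added example and not NHI Mgmt Group tooling: it runs the checks (named owner, active need inferred from last use, entitlements against a role baseline, broad admin and cross-environment rights, recertification age) over a small constructed inventory. The record schema, role baselines, thresholds and sample identities are all assumptions; a real run would read them from the certificate inventory and the application owners' least-privilege definitions.

```python
"""Entitlement review for certificate-backed identities (illustrative example)."""
from datetime import date

# Constructed inventory of certificate-backed identities; the schema is assumed.
INVENTORY = [
    {
        "cert_id": "cert-ci-deploy-01", "owner": "platform-team",
        "workload": "ci-deployer", "env": "prod", "role": "deployer",
        "last_used": date(2026, 6, 1), "recertified": date(2025, 9, 1),
        "entitlements": {"deploy:write", "artifact:read", "k8s:cluster-admin"},
    },
    {
        "cert_id": "cert-report-job-07", "owner": None,
        "workload": "nightly-report", "env": "staging", "role": "reporting",
        "last_used": date(2026, 1, 15), "recertified": date(2026, 4, 1),
        "entitlements": {"db:read", "prod:db:read"},
    },
    {
        "cert_id": "cert-svc-inventory-02", "owner": "retail-app-team",
        "workload": "inventory-api", "env": "prod", "role": "api-service",
        "last_used": date(2026, 6, 10), "recertified": date(2026, 5, 20),
        "entitlements": {"inventory:read", "inventory:write"},
    },
]

# Least-privilege baseline per role (assumed; supplied by the application owner in practice).
ROLE_BASELINE = {
    "deployer": {"deploy:write", "artifact:read"},
    "reporting": {"db:read"},
    "api-service": {"inventory:read", "inventory:write"},
}

UNUSED_AFTER_DAYS = 90        # constructed threshold: confirm the need if idle longer
RECERT_INTERVAL_DAYS = 180    # constructed threshold: entitlement attestation cadence
ENVIRONMENTS = {"prod", "staging", "dev"}
AS_OF = date(2026, 6, 12)     # constructed review date


def cross_env(entitlement, env):
    """True when an entitlement is scoped to an environment other than the workload's."""
    prefix = entitlement.split(":", 1)[0]
    return prefix in ENVIRONMENTS and prefix != env


def review_identity(rec, as_of):
    """Apply the review checks to one record and return the list of findings."""
    findings = []
    if not rec["owner"]:
        findings.append("no named owner")
    idle = (as_of - rec["last_used"]).days
    if idle > UNUSED_AFTER_DAYS:
        findings.append(f"unused for {idle} days; confirm active need")
    baseline = ROLE_BASELINE.get(rec["role"], set())
    for ent in sorted(rec["entitlements"] - baseline):   # anything beyond the baseline
        if "admin" in ent:
            findings.append(f"broad admin right outside role baseline: {ent}")
        elif cross_env(ent, rec["env"]):
            findings.append(f"cross-environment access: {ent}")
        else:
            findings.append(f"entitlement not in role baseline: {ent}")
    if (as_of - rec["recertified"]).days > RECERT_INTERVAL_DAYS:
        findings.append("entitlement recertification overdue")
    return findings


def run_review(inventory, as_of):
    """Return {cert_id: [findings]} for the whole inventory."""
    return {r["cert_id"]: review_identity(r, as_of) for r in inventory}


if __name__ == "__main__":
    for cert_id, findings in run_review(INVENTORY, AS_OF).items():
        print(f"{cert_id}: {'OK' if not findings else '; '.join(findings)}")
```

Each finding maps back to one item of the review list, so the output reads as a work queue for the named owner: the CI deployer certificate keeps its deploy rights but is flagged for a cluster-admin grant outside its role and an overdue recertification, the ownerless reporting job is flagged for idle time and for reaching into a different environment, and the inventory service passes cleanly.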
Common Variations and Edge Cases
Tighter certificate governance often increases operational overhead, requiring organisations to balance review depth against deployment speed. That tradeoff is real, especially for engineering teams that issue many certificates for ephemeral workloads. Current guidance suggests using risk-based review cadences rather than forcing every certificate through the same manual process, but there is no universal standard for this yet.
Some environments also blur the line between authentication and authorisation. For example, mutual TLS may validate a service, yet the service can still inherit broad database, message bus, or API permissions. In those cases, access reviews should cover the downstream permissions, not just the certificate issuance record. The same applies to third-party integrations, where certificate holders may retain access long after a vendor relationship or project has ended. NHI Mgmt Group research shows that only 20% of organisations have formal offboarding and revocation processes for API keys and related machine credentials, which is a warning sign for certificate-backed access too.
Where certificates support privileged administrative functions, the best practice is evolving toward shorter-lived credentials, explicit ownership, and periodic entitlement attestations. That approach is more defensible than relying on certificate expiry alone. For organisations building a more mature program, the question is not whether certificate authentication is strong enough, but whether the access behind that certificate is still justified today.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers stale or excessive machine entitlements that survive valid certificate login. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be managed separately from authentication strength. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust requires continuous trust evaluation after authentication, not one-time approval. |
Treat certificate login as one input and continuously verify entitlement validity for each access request.
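The mutual TLS case described under edge cases, where a validated service still inherits broad database, message bus or API permissions, and the per-request principle stated just above both come down to the same control: the certificate settles identity, and a separate entitlement check settles access on every call. The following is an added example, not code from the page or from NHI Mgmt Group, showing that separation as a small policy decision point. It assumes the TLS layer has already verified the client certificate and passes in its subject; the subject names, entitlement table, recertification dates and offboarding list are constructed.

```python
"""Per-request entitlement check behind mTLS (illustrative example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entitlement:
    resource: str      # downstream system, e.g. a database or message bus
    action: str        # operation on it, e.g. "read" or "publish"
    valid_until: date  # attestation deadline; the grant lapses if not re-attested


# Constructed entitlement table keyed by certificate subject (assumed format).
ENTITLEMENTS = {
    "CN=inventory-api,O=example": {
        Entitlement("inventory-db", "read", date(2026, 9, 1)),
        Entitlement("inventory-db", "write", date(2026, 9, 1)),
        Entitlement("events-bus", "publish", date(2026, 3, 1)),  # attestation lapsed
    },
}

# Constructed offboarding list: vendor identity whose certificate is still valid
# but whose relationship has ended, the gap the text warns about.
OFFBOARDED_SUBJECTS = {"CN=legacy-vendor-sync,O=example"}

TODAY = date(2026, 6, 12)  # constructed evaluation date


def authorize(subject, resource, action, today):
    """Decide one request after the certificate has been validated.

    The certificate answered "who or what is this?"; this function answers
    "should it still have this access today?". Returns (allowed, reason) so
    every decision, including denials, can be logged and reviewed.
    """
    if subject in OFFBOARDED_SUBJECTS:
        return False, "subject offboarded; revoke certificate"
    grants = ENTITLEMENTS.get(subject)
    if not grants:
        return False, "authenticated but no entitlements recorded"
    for g in grants:
        if g.resource == resource and g.action == action:
            if today > g.valid_until:
                return False, f"entitlement {resource}:{action} lapsed on {g.valid_until}"
            return True, "entitlement current"
    return False, f"no entitlement for {resource}:{action}"


if __name__ == "__main__":
    requests = [
        ("CN=inventory-api,O=example", "inventory-db", "read"),
        ("CN=inventory-api,O=example", "events-bus", "publish"),
        ("CN=inventory-api,O=example", "billing-queue", "publish"),
        ("CN=legacy-vendor-sync,O=example", "inventory-db", "read"),
    ]
    for subject, resource, action in requests:
        allowed, reason = authorize(subject, resource, action, TODAY)
        print(f"{subject} {resource}:{action} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The design choice worth noting is that the entitlement carries its own attestation deadline, independent of the certificate's notAfter date: the inventory service's certificate is perfectly valid on the evaluation date, yet its message bus grant is denied because nobody re-attested it. That is the per-request, continuous evaluation the Zero Trust row in the table describes.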
Related resources from NHI Mgmt Group
- Who is accountable when identity reviews confirm access was approved but a breach still happens?
- Why do SSO, MFA, and access reviews still leave organisations exposed?
- How should security teams run access reviews for non-human identities?
- When do NHI access reviews create more value than a one-time cleanup?
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org