
Why do periodic certification campaigns become less effective as environments grow?

By NHI Mgmt Group Editorial Team Updated June 24, 2026 Domain: Governance, Ownership & Risk

They become less effective because access changes faster than the campaign cycle, so reviewers approve or remove access against an outdated snapshot. In SaaS-heavy, cloud-heavy, and NHI-rich environments, that delay creates stale evidence and low-quality decisions. Continuous governance closes that gap by acting on current state instead of historical state.

Why This Matters for Security Teams

Periodic certification campaigns were designed for environments where access changed slowly and reviewers could reasonably validate a stable entitlement set. That assumption breaks as organisations scale across SaaS, cloud platforms, automation pipelines, and Non-Human Identities. By the time reviewers inspect the snapshot, the real access graph has already moved. The result is not just stale evidence, but false confidence in least privilege.

Current guidance in NIST Cybersecurity Framework 2.0 emphasises ongoing governance and continuous risk management because access decisions are only as good as the state they reflect. That matters more when secrets, service accounts, and machine identities can be created, delegated, and reused faster than a quarterly review cycle can catch up. In practice, many security teams encounter access drift only after an audit exception, a production incident, or a credential abuse event has already exposed the gap.

How It Works in Practice

Certification campaigns lose effectiveness at scale because they are a point-in-time control applied to a continuous-change problem. Human reviewers are asked to approve or remove access based on an inventory that may already be outdated, especially in environments with ephemeral workloads, delegated admin rights, and rotating service credentials. That creates a structural mismatch: the control measures yesterday’s state while the risk lives in today’s state.

More effective programmes shift from periodic recertification to continuous entitlement governance. That usually means:

  • Pulling access evidence from live identity, cloud, and secrets systems instead of static spreadsheets.
  • Flagging high-risk entitlements for immediate review when ownership, workload, or environment changes.
  • Separating human access from machine access so service accounts and tokens are governed on a different cadence.
  • Automating revocation for stale, unused, or orphaned credentials rather than waiting for the next campaign.

This is especially important for secrets-heavy operations. NHIMG’s research on The State of Secrets in AppSec shows how fragmented secrets management and slow remediation can undermine even well-funded programmes. Continuous governance closes the loop by pairing review with detection, so an entitlement is not merely approved once, but revalidated against current context. It also aligns with the operational direction of NIST Cybersecurity Framework 2.0, which favours adaptive, repeatable risk treatment over occasional paperwork exercises.

Campaigns also benefit from risk-based scoping. Rather than reviewing every entitlement equally, security teams typically prioritise privileged roles, internet-facing systems, shared credentials, and non-human accounts that can be reused across environments. These controls tend to break down when identity data is fragmented across too many directories and secrets managers because no single source of truth can prove who still needs access.

Common Variations and Edge Cases

Tighter certification often increases operational overhead, requiring organisations to balance assurance against reviewer fatigue and business disruption. That tradeoff is real, especially in large enterprises where thousands of entitlements change each week. The practical answer is not to eliminate certification, but to narrow its role to exceptions, high-risk access, and evidence of control ownership.

There is no universal standard for exact certification frequency yet. Best practice is evolving toward event-driven reviews, where access is rechecked after role changes, contract changes, secret rotation failures, or workload redeployment. In highly automated environments, continuous governance is usually more effective than monthly or quarterly campaigns because the lifecycle of a token or service identity may be measured in hours, not months.
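The bullet list above (live evidence, separate human and machine cadences, automatic revocation of stale or orphaned credentials) and the event-driven triggers described in this paragraph can be expressed as one small decision routine. The following is an added example written for this page, not code from NHIMG or from any product it discusses; the identities, thresholds, owners and change events are constructed sample data, and the trigger names and staleness windows are assumptions chosen to illustrate the pattern.

```python
"""Added example (not from the NHIMG page): a minimal continuous entitlement
governance evaluator.  It implements the pattern the page describes:
  - machine (non-human) identities judged on a much shorter cadence than humans,
  - automatic revocation of stale, unused, or orphaned credentials,
  - event-driven review when ownership, workload, environment, role or
    contract changes, a secret rotation fails, or a workload is redeployed.
All identities, thresholds and events below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed policy (assumption): human access may sit idle for a quarter,
# machine credentials for a week, before they count as stale.
STALE_AFTER = {"human": timedelta(days=90), "machine": timedelta(days=7)}

# Change events that force an immediate re-review instead of waiting for a
# campaign; the names are assumptions, the categories come from the page.
REVIEW_TRIGGERS = {
    "ownership_change", "workload_change", "environment_change",
    "role_change", "contract_change", "secret_rotation_failed", "redeployment",
}


@dataclass
class Entitlement:
    identity: str
    kind: str                      # "human" or "machine"
    resource: str
    owner: Optional[str]           # None means orphaned: nobody can attest to need
    last_used: Optional[datetime]  # None means never used since it was granted
    granted: datetime
    privileged: bool = False
    events: List[str] = field(default_factory=list)  # recent change events


@dataclass
class Decision:
    identity: str
    resource: str
    action: str         # "revoke", "review" or "keep"
    reasons: List[str]
    privileged: bool


def evaluate(ent: Entitlement, now: datetime) -> Decision:
    """Decide on one entitlement against live state rather than a snapshot."""
    reasons: List[str] = []
    if ent.owner is None:
        reasons.append("orphaned: no accountable owner")
    # Staleness is measured from the last real use (or the grant, if never used)
    # against the cadence for this identity kind.
    idle = now - (ent.last_used or ent.granted)
    limit = STALE_AFTER[ent.kind]
    if idle > limit:
        label = "never used" if ent.last_used is None else "unused"
        reasons.append(f"{label} for {idle.days}d (limit {limit.days}d)")
    if reasons:
        # Stale or orphaned access is removed without waiting for a campaign.
        return Decision(ent.identity, ent.resource, "revoke", reasons, ent.privileged)
    triggered = sorted(set(ent.events) & REVIEW_TRIGGERS)
    if triggered:
        # Context changed, so the earlier approval must be revalidated by a human.
        return Decision(ent.identity, ent.resource, "review",
                        [f"event: {e}" for e in triggered], ent.privileged)
    return Decision(ent.identity, ent.resource, "keep", ["current and in use"], ent.privileged)


def triage(entitlements: List[Entitlement], now: datetime) -> Dict[str, List[Decision]]:
    """Group decisions by action.  The review queue is ordered privileged-first so
    scarce reviewer attention goes to the risk-based scope the page describes."""
    buckets: Dict[str, List[Decision]] = {"revoke": [], "review": [], "keep": []}
    for ent in entitlements:
        decision = evaluate(ent, now)
        buckets[decision.action].append(decision)
    buckets["review"].sort(key=lambda d: not d.privileged)
    return buckets


# Constructed sample inventory and clock (not real identities or systems).
NOW = datetime(2026, 6, 24, tzinfo=timezone.utc)
SAMPLE = [
    Entitlement("alice", "human", "crm-admin", "alice.mgr",
                last_used=NOW - timedelta(days=3), granted=NOW - timedelta(days=400)),
    Entitlement("svc-billing", "machine", "payments-db-rw", "team-payments",
                last_used=NOW - timedelta(days=30), granted=NOW - timedelta(days=200)),
    Entitlement("svc-etl", "machine", "datalake-ro", None,
                last_used=NOW - timedelta(days=1), granted=NOW - timedelta(days=60)),
    Entitlement("bob", "human", "prod-ssh", "bob.mgr",
                last_used=NOW - timedelta(days=10), granted=NOW - timedelta(days=100),
                privileged=True, events=["role_change"]),
    Entitlement("ci-deployer", "machine", "k8s-cluster-admin", "team-platform",
                last_used=NOW - timedelta(hours=2), granted=NOW - timedelta(days=30),
                privileged=True, events=["secret_rotation_failed"]),
    Entitlement("carol", "human", "wiki-edit", "carol.mgr",
                last_used=None, granted=NOW - timedelta(days=120)),
]

if __name__ == "__main__":
    for action, decisions in triage(SAMPLE, NOW).items():
        for d in decisions:
            print(f"{action:7s} {d.identity:12s} {d.resource:18s} {'; '.join(d.reasons)}")
```

Run as-is, the routine revokes the two stale entitlements and the orphaned service account, queues the two changed-context entitlements for human review, and leaves the one current, owned, in-use entitlement alone. The point of the structure is that the same evaluation can run on every change event or usage update, so "review" means "this week's handful of ambiguous cases" rather than "every entitlement, quarterly".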

One useful pattern is to certify the control framework instead of every individual entitlement. For example, teams can validate that automated revocation, ownership assignment, and alerting are working, then reserve manual review for the small set of access paths that remain genuinely ambiguous. That approach is especially useful when a single breach could expose many identities at once, as seen in NHIMG coverage of the DeepSeek breach. Once environments become identity-dense and machine-driven, periodic campaigns start failing because they are too slow to match the speed of change.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Periodic reviews must reflect current access, not stale snapshots.
OWASP Non-Human Identity Top 10 | NHI-03 | Stale non-human credentials make recertification less reliable at scale.
NIST AI RMF |  | Continuous governance supports ongoing risk monitoring in dynamic environments.

Track machine identities and rotate or retire stale credentials before the next review cycle.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.