
Why do quarterly access reviews fail to control access drift?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

Quarterly reviews fail because they occur after drift has already accumulated and often lack enough context for accurate decisions. Reviewers see entitlements, but not always usage, ownership, or business need, so stale access gets approved again. Continuous, event-driven governance is more effective because it can remove or recertify access when the change happens.

Why Quarterly Reviews Miss Access Drift

Quarterly access reviews are a lagging control, so they almost always confirm drift after it has already accumulated. By the time reviewers see the list, access may have changed multiple times, ownership may be unclear, and the original business justification may no longer exist. That makes the review a snapshot of yesterday’s risk, not today’s state.

This is a known weakness in identity governance for both human and non-human identities. NHIMG's 52 NHI Breaches Analysis shows how often compromised or stale identities become the attacker's path once standing access lingers too long. The same pattern appears in the OWASP Non-Human Identity Top 10, where excessive standing privilege and weak lifecycle controls create a persistent attack surface.

In practice, many security teams discover access drift only after an audit exception, a production incident, or a lateral-movement investigation has already exposed it.

How Drift Becomes Approved Access in Practice

Quarterly reviews fail because reviewers are asked to make a yes-or-no decision without enough operational context. They often see a role, group, or entitlement, but not whether the access was used, by whom, for which system, or under what change request. As a result, stale access is frequently re-certified by default, especially when the reviewer is overloaded or lacks system ownership.

The better model is continuous governance: event-driven access control, just-in-time privilege, and lifecycle automation that reacts when something changes. For NHI and agentic workloads, that means treating identity as an operational object, not a row in a quarterly spreadsheet. The NHI Lifecycle Management Guide recommends the same model: runtime recertification, expiration, and revocation tied to signals such as job completion, inactivity, ownership change, or policy violation.

Practitioners should look for controls that combine:

  • Usage telemetry, so access can be compared against actual behavior.
  • Ownership metadata, so reviewers know who can approve or remove it.
  • Short-lived credentials, so access naturally decays instead of persisting.
  • Policy-based enforcement, so approvals are evaluated against current context rather than historical trust.
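As an added illustration (not NHIMG's code, and not any product's implementation), the following Python sketch shows what the four controls above look like when wired to events rather than to a calendar. Each grant carries owner metadata, an optional expiry and last-use telemetry; usage, job-completion, owner-departure, inactivity-sweep and policy-violation events are evaluated as they arrive; and recertification is only accepted from the current owner, with a justification, and for a bounded extension. The thresholds, identities, resources, event timeline and the CHG ticket id are all constructed for the example.

```python
"""Event-driven recertification of NHI entitlements: an added toy policy engine whose
grants carry owner metadata, expiry and last-use telemetry. All data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INACTIVITY_WINDOW = timedelta(days=30)  # assumed org threshold for "unused"
MAX_RECERT_TTL = timedelta(days=90)     # assumed cap so recertified access still decays
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)

@dataclass
class Entitlement:
    identity: str                 # the NHI: service account, bot, token subject
    resource: str
    owner: str | None             # None means orphaned: nobody can approve it
    expires_at: datetime | None   # None means standing access
    last_used: datetime | None    # from usage telemetry
    purpose: str | None = None    # change request / business justification
    status: str = "active"

@dataclass
class Event:
    kind: str  # usage | job_completed | owner_left | inactivity_sweep | policy_violation
    at: datetime
    identity: str | None = None   # None: applies to every identity (sweeps)
    resource: str | None = None   # None: applies to every resource
    actor: str | None = None      # owner_left: the departing owner
    new_owner: str | None = None  # owner_left: successor, if any

def matches(ent: Entitlement, ev: Event) -> bool:
    if ev.kind == "owner_left":   # owner events match on owner, not identity
        return ent.owner == ev.actor
    if ev.identity is not None and ev.identity != ent.identity:
        return False
    return ev.resource is None or ev.resource == ent.resource

def evaluate(ent: Entitlement, ev: Event) -> str:
    """Return keep | revoke | recertify | reassign_owner | escalate | noop."""
    if ent.status != "active":
        return "noop"
    if ent.expires_at is not None and ev.at >= ent.expires_at:
        ent.status = "revoked"    # short-lived grant decayed on its own
        return "revoke"
    if ev.kind == "usage":
        ent.last_used = ev.at     # telemetry keeps the record current
        return "keep"
    if ev.kind in ("job_completed", "policy_violation"):
        ent.status = "revoked"    # JIT task is done, or trust is broken
        return "revoke"
    if ev.kind == "owner_left":
        if ev.new_owner:
            ent.owner = ev.new_owner
            return "reassign_owner"
        ent.owner = None          # orphaned: exception path, never re-approved by default
        return "escalate"
    if ev.kind == "inactivity_sweep":
        if ent.last_used and ev.at - ent.last_used <= INACTIVITY_WINDOW:
            return "keep"
        return "escalate" if ent.owner is None else "recertify"
    return "noop"

def recertify(ent: Entitlement, approved_by: str, purpose: str, now: datetime) -> bool:
    """Context-bound approval: current owner only, justification required, bounded TTL."""
    if ent.status != "active" or ent.owner is None or approved_by != ent.owner or not purpose:
        return False
    ent.purpose, ent.expires_at = purpose, now + MAX_RECERT_TTL
    return True

def process(ents: list[Entitlement], events: list[Event]) -> list[tuple]:
    """Replay events in time order; return (identity, resource, event, decision) rows."""
    log = []
    for ev in sorted(events, key=lambda e: e.at):
        for ent in ents:
            if matches(ent, ev) and (d := evaluate(ent, ev)) != "noop":
                log.append((ent.identity, ent.resource, ev.kind, d))
    return log

def demo() -> list[tuple]:
    """Constructed sample: three NHIs and twelve days of events."""
    d = timedelta
    ents = [
        Entitlement("svc-billing-etl", "s3://billing-exports", "alice", T0 + d(days=7), T0),  # JIT grant
        Entitlement("ci-deployer", "prod-k8s", "bob", None, T0 - d(days=45)),  # standing, stale
        Entitlement("report-bot", "warehouse-ro", "carol", None, T0 - d(days=1)),  # standing, in use
    ]
    events = [
        Event("usage", T0 + d(days=2), "svc-billing-etl", "s3://billing-exports"),
        Event("job_completed", T0 + d(days=3), "svc-billing-etl", "s3://billing-exports"),
        Event("owner_left", T0 + d(days=5), actor="bob"),
        Event("inactivity_sweep", T0 + d(days=10)),
        Event("policy_violation", T0 + d(days=12), "report-bot"),
    ]
    return process(ents, events)

def demo_recertify() -> tuple:
    ent = Entitlement("report-bot", "warehouse-ro", "carol", None, T0)
    now = T0 + timedelta(days=10)
    return (recertify(ent, "dave", "still needed", now),                 # not the owner
            recertify(ent, "carol", "", now),                            # no justification
            recertify(ent, "carol", "CHG-1042 weekly KPI export", now),  # constructed ticket id
            ent.expires_at == now + MAX_RECERT_TTL)
```

Running `demo()` replays the timeline: the just-in-time grant is kept while it is used and revoked the moment its job completes; the stale, standing `ci-deployer` grant loses its owner on day 5 and is escalated rather than silently kept, then escalated again by the inactivity sweep because nobody is left to recertify it; the bot that is actually in use is kept by the sweep and revoked only on a policy violation. A quarterly review of the same three rows would have shown all of them simply as "active". `demo_recertify()` shows the approval path refusing a non-owner and an empty justification, and granting the owner only a bounded extension, so the grant decays again instead of becoming standing access.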

This approach is especially important for AI-driven systems and service identities, where tokens, API keys, and delegated permissions can be chained in ways a quarterly review will not reveal. NHIMG's coverage of the Salesloft OAuth token breach illustrates how standing access and weak governance can turn a single credential into broad downstream exposure. Even these controls degrade when entitlements are shared across teams and system owners cannot reliably map access to business purpose.

Where Quarterly Certification Still Has a Role

Tighter governance often increases operational overhead, so organisations have to balance control quality against reviewer fatigue and change velocity. That tradeoff is real, and there is no universal standard for how often recertification should occur in every environment. Current guidance suggests quarterly reviews should be reserved for backstop assurance, not used as the primary mechanism for preventing drift.

They still have value for high-risk applications, regulatory evidence, and attesting that automated controls are working. But they work best when they verify a continuously enforced model, not when they are expected to discover every unnecessary entitlement on their own. For teams managing secrets and service identities, the problem is amplified because access can outlive the task that justified it, which is why The State of Secrets in AppSec is so relevant: remediation is often slow, and confidence in controls can exceed the actual state of cleanup.

Quarterly reviews are therefore a governance checkpoint, not a drift prevention strategy. They are most effective when paired with event triggers, automated expiry, and exception handling for privileged or orphaned access. For rapidly changing environments, especially cloud and AI-adjacent systems, waiting for the next review cycle creates too much exposure for the model to be trusted as a control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | Credentials that are never revoked when their purpose ends, and standing secrets that outlive the task: the lifecycle drift a calendar review catches late.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorizations are defined in policy, managed, enforced and reviewed, incorporating least privilege and separation of duties.
NIST AI RMF | GOVERN | Accountability and continuous oversight for dynamic identity decisions.

Use governance processes that monitor and adjust access continuously rather than on a fixed calendar.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.