
Why do quarterly access reviews fall short for machine identities and AI agents?

By NHI Mgmt Group Editorial Team Updated June 25, 2026 Domain: Agentic AI & Autonomous Identity

Quarterly reviews assume access is stable long enough to be observed and certified. Machine identities and AI agents can gain, use, and expand access between review points, so the review evidence is always late. Continuous monitoring and event-triggered controls are needed to catch entitlement drift while it still matters.

Why Quarterly Reviews Miss the Real Risk

Quarterly access reviews assume access is stable, visible, and slow to change. That model breaks for machine identities and AI agents, which can be created, cloned, delegated, or over-scoped between review cycles. By the time certifiers see the entitlement, the activity may already have happened. NHIMG’s AI Agents: The New Attack Surface report shows why this matters: 80% of organisations say their AI agents have already acted beyond intended scope. In agentic systems, the gap between issuance and review is where risk accumulates.

Security teams often treat certification as if it were a control on usage, when in practice it is only a point-in-time attestation of yesterday’s state. That is too slow for workloads that can call APIs, chain tools, and expand privilege in minutes. Current guidance from the NIST AI Risk Management Framework and the OWASP Agentic AI Top 10 points toward continuous governance rather than periodic certification. In practice, many security teams discover entitlement drift only after an AI agent has already touched data or tools that should never have been in scope.

What Works Better for Machine Identities and AI Agents

Better control starts with treating the identity as a workload, not a person. Machine identities and AI agents need short-lived credentials, runtime policy checks, and a clear link between what the workload is, what it is trying to do, and what it is allowed to do right now. That means replacing quarterly certification with continuous telemetry, event-triggered review, and JIT issuance for secrets and tokens. For AI agents, the question is not just “who approved access?” but “what context justified access at execution time?”

Practical programmes usually combine these controls:

  • Issue ephemeral secrets with narrow TTLs so access dies with the task, not the review cycle.
  • Bind workload identity to the agent using cryptographic proof, such as OIDC-based workload tokens or SPIFFE/SPIRE patterns, rather than relying on static usernames and passwords.
  • Evaluate policy at request time using policy-as-code so approvals reflect current data sensitivity, tool chain, and execution context.
  • Log tool calls, data access, and privilege changes continuously so drift is visible before the next quarterly window.

This is consistent with the operational direction in NHIMG’s Ultimate Guide to NHIs and the threat patterns described in the CSA MAESTRO agentic AI threat modeling framework. It also aligns with the warning in the NIST AI Risk Management Framework that AI controls need ongoing measurement, not one-time approval. These controls tend to break down when agents share a common service account or inherit broad platform permissions, because attribution and revocation then become too coarse to contain misuse.
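As an added illustration (not code from NHIMG or this article), the following Python sketch shows the request-time policy check and the drift detection the controls above describe: a short-lived workload token is checked for audience and expiry, the call is evaluated against a policy-as-code table using the data sensitivity in play, every decision is logged, and the log is compared with the entitlements certified at the last review. The SPIFFE IDs, tool names, token fields and policy table are constructed assumptions, and token signature verification is assumed to have happened upstream.

```python
import time
from dataclasses import dataclass

# Constructed example data: claims of a short-lived workload token after its
# signature has been verified (verification itself is outside this snippet).
@dataclass
class WorkloadToken:
    sub: str       # SPIFFE ID of the agent workload (hypothetical trust domain)
    aud: str       # audience the token was minted for
    exp: float     # expiry as seconds since the epoch; narrow TTL
    task_id: str   # task the credential is bound to

# Policy-as-code: workload -> tool -> data sensitivities it may touch right now.
POLICY = {
    "spiffe://example.org/agent/summariser": {"read_docs": {"public", "internal"}},
    "spiffe://example.org/agent/payments": {"read_docs": {"public"},
                                            "issue_refund": {"internal"}},
}

def authorize_tool_call(token, tool, sensitivity, now, audit, audience="tool-gateway"):
    """Decide one agent tool call at request time and record the decision.
    Returns (allowed, reason); every call is appended to `audit` so usage is
    visible continuously rather than at the next certification."""
    if token.aud != audience:
        allowed, reason = False, "audience mismatch"
    elif token.exp <= now:
        allowed, reason = False, "token expired: access ends with the task"
    elif sensitivity not in POLICY.get(token.sub, {}).get(tool, set()):
        allowed, reason = False, f"{token.sub} may not call {tool} on {sensitivity} data"
    else:
        allowed, reason = True, "permitted by current policy"
    audit.append({"ts": now, "sub": token.sub, "task": token.task_id, "tool": tool,
                  "sensitivity": sensitivity, "allowed": allowed, "reason": reason})
    return allowed, reason

def detect_scope_drift(audit, certified):
    """Flag (workload, tool) pairs that were allowed at runtime but are absent from
    the entitlement set certified at the last review: that gap is the drift."""
    drift = {(r["sub"], r["tool"]) for r in audit
             if r["allowed"] and r["tool"] not in certified.get(r["sub"], set())}
    return sorted(drift)

if __name__ == "__main__":
    log, now = [], time.time()
    tok = WorkloadToken("spiffe://example.org/agent/payments", "tool-gateway", now + 300, "t-42")
    print(authorize_tool_call(tok, "issue_refund", "internal", now, log))
    print(authorize_tool_call(tok, "issue_refund", "internal", now + 600, log))  # expired
    # Last quarter's certification never listed issue_refund for the payments agent.
    print(detect_scope_drift(log, {"spiffe://example.org/agent/payments": {"read_docs"}}))
```

In a real deployment the audit records would feed the telemetry pipeline and the drift check would run on every privilege change, not at the next quarterly window.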

Where the Quarterly Model Still Breaks Down

Tighter review discipline often increases operational overhead, requiring organisations to balance governance confidence against review fatigue and false positives. That tradeoff is real, but it does not restore quarterly reviews as a fit-for-purpose control. Current guidance suggests quarterly certification can still serve as a backstop for legacy systems, yet it should not be the primary control for autonomous workloads. For machine identities, the better pattern is to review the rules that mint and renew access, not the end state months later.

There are also edge cases where even continuous review is not enough. High-churn AI agents may create and discard permissions so quickly that human review only validates the control design, not the live event. In those environments, teams should prefer runtime guardrails, automated revocation, and segregation of duties around sensitive tool access. NHIMG’s NHI Lifecycle Management Guide and 52 NHI Breaches Analysis both reinforce the same operational lesson: lifecycle control matters more than periodic sign-off when identities are non-human. The quarterly model fails most sharply in environments where agents can self-serve credentials, call external tools, or delegate sub-tasks without a human in the loop.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A01 | Quarterly reviews fail when agent permissions shift at runtime beyond static certification.
CSA MAESTRO | MT-03 | MAESTRO focuses on agentic threat modeling and control validation across dynamic workflows.
NIST AI RMF | GOVERN | The AI RMF requires ongoing governance, not only periodic access attestation.

Add runtime authorization and continuous telemetry for every agent tool call and privilege change.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 25, 2026.