The review outcome in which access is approved, modified, or revoked based on defined criteria. In a mature programme, the decision must be traceable to role expectations, usage history, and policy rules so it can be defended during audit and reproduced consistently by different reviewers.
Expanded Definition
A certification decision is the formal outcome of a review cycle for a non-human identity, where access is approved, reduced, time-bound, or revoked based on policy, usage evidence, and role expectations. In NHI programmes, the decision should be reproducible, auditable, and tied to an explicit control objective rather than reviewer intuition.
In practice, certification decisions sit between identity governance and operational access control. They are closely related to recertification, but the term is broader because the outcome may be modification instead of binary approval or denial. Definitions vary across vendors, especially when access reviews are bundled with ownership validation, entitlement cleanup, or privilege attestation. A mature process treats each decision as a documented control action that can be explained to auditors and repeated by a different reviewer using the same criteria. The NIST Cybersecurity Framework 2.0 reinforces this governance mindset by emphasizing access control, oversight, and continuous risk management. The most common misapplication is treating certification as a one-time checkbox, which occurs when reviewers approve stale access without checking current service function, dependency scope, or secret exposure.
For a broader NHI context, the Ultimate Guide to NHIs — What are Non-Human Identities frames why these decisions matter across service accounts, API keys, and automation identities.
Examples and Use Cases
Implementing certification decisions rigorously often introduces review friction, requiring organisations to weigh faster operations against stronger control over standing access.
- A service account used by a production integration is approved only for the exact systems it still calls, while unused entitlements are removed.
- An API key assigned to a CI/CD pipeline is downgraded to a narrower scope after usage logs show it no longer needs write access.
- A machine identity tied to a retired application is revoked after the owner confirms the workload has been decommissioned.
- An agentic workflow is re-certified after the reviewer confirms the agent still needs tool access and the approval trail matches policy.
- A certification package is rejected until ownership is verified and the secret is rotated, reducing the chance of orphaned access.
The Sisense breach is a useful reminder that access decisions become urgent when identities and secrets outlive the conditions under which they were granted. In identity governance terms, certification decisions are often the last checkpoint before dormant access becomes a live exposure.
Why It Matters in NHI Security
Certification decisions are a practical defense against privilege drift, secret sprawl, and abandoned machine access. NHIMG reports that 97% of NHIs carry excessive privileges, which means a weak review process can leave broad access in place long after the original need has disappeared. That risk is amplified because NHIs often operate continuously, are embedded in automation, and are difficult to notice when they stop being legitimate.
When certification is handled well, reviewers can explain why access remained, why it was narrowed, or why it was revoked, and the decision supports auditability across identity, operations, and security teams. It also helps translate policy into action when standing privileges have to be reduced under Zero Trust expectations. Organisations typically encounter the operational importance of certification decisions only after a breach, failed audit, or emergency secret rotation, at which point the review process becomes unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers review and lifecycle control of NHI access and secrets. |
| NIST CSF 2.0 | PR.AA | Access authorization and governance support disciplined identity review outcomes. |
| NIST Zero Trust (SP 800-207) | JIT access / policy enforcement | Zero Trust requires continuously evaluated, policy-based access decisions. |
Tie certification decisions to current business need, least privilege, and repeatable approval criteria.
Related resources from NHI Mgmt Group
- What is the core decision loop Agentic AI follows and why does it create security risk?
- Why do non-human identities make access certification harder than human identities?
- When does continuous monitoring matter more than access certification?
- What is the difference between access certification and continuous monitoring in ERP security?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org