The point at which access reviewers are asked to approve so many permissions that they stop evaluating them carefully. It usually appears when the entitlement list is long, the context is thin, and the reviewer lacks clear signals about which access rights are unusual. That turns governance into routine approval.
Expanded Definition
Certification fatigue is a governance failure mode in which access reviewers are exposed to so many entitlements, exceptions, and periodic attestations that the review process loses signal. The result is not a broken workflow so much as a degraded one: reviewers approve by pattern, not by evidence. In NHI and IAM programs, this often appears around service accounts, API keys, and agent credentials whose purpose is real but whose context is weak.
Definitions vary across vendors, but the core issue is consistent: review volume exceeds human attention, so risk becomes normalized. That is why certification fatigue should be distinguished from simple review backlog. A backlog delays decisions; certification fatigue produces low-quality decisions even when the queue is cleared. The NIST Cybersecurity Framework 2.0 frames this problem through access governance and ongoing risk management, which is a better lens than treating recertification as a calendar exercise alone. For a broader NHI context, the Ultimate Guide to NHIs — What are Non-Human Identities shows why NHIs multiply quickly and why entitlement visibility matters.
The most common misapplication is treating certification as proof of control when the reviewer has too many items, too little context, and no clear criteria for what is actually unusual.
Examples and Use Cases
Implementing certification rigorously often introduces review friction, requiring organisations to weigh governance confidence against reviewer time and operational delay.
- A cloud platform team runs monthly access certifications on hundreds of service accounts, but the list is so long that reviewers approve nearly everything. The process creates paperwork, not assurance.
- An engineering organization asks managers to recertify API keys and automation accounts without showing last-used data, owner, or scope. Without context, reviewers cannot distinguish normal access from risky access.
- A security team uses exception-heavy attestations for temporary admin access, but the exception queue is larger than the standard review queue. The result is a loss of attention to genuinely unusual permissions.
- After a credential incident similar to the Sisense breach, the organisation discovers that its review process had been approving stale and overbroad access for months.
- An IAM program ties review cadence to the NIST Cybersecurity Framework 2.0 and adds risk-based prompts, so reviewers only see the accounts that changed, escalated, or violated policy.
These examples show the practical distinction between a meaningful certification and a ceremonial one. The more context that can be attached to each entitlement, the less likely reviewers are to stop thinking critically.
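The last example above describes a risk-based certification queue: reviewers see only the accounts that changed, escalated, or violated policy, each with the context (owner, last-used, scope delta) that makes a real decision possible. The following Python is an added illustration of that triage, not code from NHI Mgmt Group or any vendor; the account names, scopes, dates, 90-day staleness threshold and flagging rules are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample data; the flagging rules are an illustrative risk-based triage.
STALE_AFTER = timedelta(days=90)   # assumed threshold for a "stale" credential
TODAY = date(2026, 5, 25)          # fixed review date so the example is reproducible


@dataclass
class Entitlement:
    account: str
    owner: Optional[str]               # None models a missing ownership signal
    scope: Set[str]                    # current permissions
    previous_scope: Set[str]           # permissions at the last certification
    last_used: Optional[date]          # None models a credential that was never used
    policy_violations: List[str] = field(default_factory=list)


def review_reasons(e: Entitlement, today: date = TODAY) -> List[str]:
    """Return the context flags that make this entitlement worth a human decision."""
    reasons = []
    added = e.scope - e.previous_scope
    if added:
        reasons.append(f"scope expanded: {sorted(added)}")
    if e.owner is None:
        reasons.append("no owner recorded")
    if e.last_used is None:
        reasons.append("never used")
    elif today - e.last_used > STALE_AFTER:
        reasons.append(f"unused for {(today - e.last_used).days} days")
    reasons.extend(f"policy violation: {v}" for v in e.policy_violations)
    return reasons


def build_review_queue(entitlements: List[Entitlement], today: date = TODAY) -> List[Tuple[str, List[str]]]:
    """Keep only flagged entitlements; unchanged, owned, recently used access is not re-certified."""
    queue = [(e.account, why) for e in entitlements if (why := review_reasons(e, today))]
    queue.sort(key=lambda item: (-len(item[1]), item[0]))  # most flags first, then by name
    return queue


SAMPLE = [
    Entitlement("svc-billing-export", "payments-team", {"read"}, {"read"}, TODAY - timedelta(days=3)),
    Entitlement("svc-ci-deploy", "platform-team", {"deploy", "admin"}, {"deploy"}, TODAY - timedelta(days=1)),
    Entitlement("svc-legacy-report", None, {"read"}, {"read"}, TODAY - timedelta(days=200)),
    Entitlement("agent-support-bot", "support-team", {"read", "write"}, {"read", "write"},
                TODAY - timedelta(days=2), ["credential shared across environments"]),
]

if __name__ == "__main__":
    for account, why in build_review_queue(SAMPLE):
        print(account, "->", "; ".join(why))
```

Of the four constructed accounts, the unchanged, owned and recently used one never reaches a reviewer, which is the volume reduction the example describes.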
Why It Matters in NHI Security
Certification fatigue is especially dangerous in NHI security because machine identities often outnumber human identities by 25x to 50x in modern enterprises, which means review programs can be overwhelmed long before the organisation notices the control failure. When that happens, excessive privileges, stale credentials, and weak ownership signals become routine rather than exceptional. That is how governance drift turns into exposure.
NHIMG research shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. In that environment, periodic access reviews only help if they are selective, context-rich, and tied to actual change events. Otherwise, they become a checkbox exercise that hides risk instead of reducing it. This is why the NIST Cybersecurity Framework 2.0 and Zero Trust programs both push toward continuous verification rather than relying on infrequent ceremonial approvals.
Organisations typically encounter certification fatigue only after a breach, audit finding, or access sprawl investigation, at which point fixing the review program itself becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Access review overload is a known NHI governance failure when entitlements lack context. |
| NIST CSF 2.0 | PR.AC | CSF access control outcomes support least-privilege review and ongoing authorization. |
| NIST Zero Trust (SP 800-207) | ZTA policy decision inputs | Zero Trust depends on continuous evaluation, not rote approval of standing access. |
Reduce review volume with ownership, classification, and risk-based certification for NHIs.
Related resources from NHI Mgmt Group
- Why do non-human identities make access certification harder than human identities?
- When does continuous monitoring matter more than access certification?
- How can organisations reduce alert fatigue from cloud security tools?
- What is the difference between access certification and continuous monitoring in ERP security?
Reviewed and updated by the NHIMG editorial team on May 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org