
Certification workflow

By NHI Mgmt Group | Updated June 25, 2026 | Domain: Governance, Ownership & Risk

Certification workflow is the sequence of tasks and approvals used to confirm that access remains appropriate. For large organisations, the workflow must be reliable, understandable, and auditable; otherwise reviewers delay decisions or approve without enough context, which weakens governance.

Expanded Definition

A certification workflow is the structured review process used to confirm that an identity, entitlement, or access path still fits a current business need. In NHI and IAM programs, it usually includes reviewer assignment, evidence gathering, approval or revocation decisions, escalation, and audit logging. The term is often used interchangeably with access certification or access recertification, although definitions vary across vendors and some teams distinguish periodic review from event-driven review. For NHI governance, the workflow must account for service accounts, API keys, tokens, certificates, and delegated agent access, not just human user entitlements. That matters because the review is only useful if the reviewer can understand what the identity does, where it is used, and what breaks if access is removed. NIST’s Cybersecurity Framework 2.0 reinforces the need for governed access decisions, while NHI programs add the operational context that human-centric reviews often miss. The most common misapplication is treating certification as a checkbox exercise, which occurs when reviewers approve access without current usage evidence or clear ownership.

Examples and Use Cases

Implementing certification workflow rigorously often introduces reviewer friction and evidence-gathering overhead, requiring organisations to weigh faster approvals against stronger access governance.

  • A quarterly review of production service accounts checks whether each account still has an owner, an application dependency, and a documented business justification.
  • An event-driven review triggers after a team re-platforms a workload, so outdated API keys and tokens can be removed before they become latent access paths.
  • A privileged access review uses logs and recent activity to help certifiers decide whether an NHI should retain elevated permissions or be reduced to least privilege.
  • A third-party integration review verifies that externally exposed NHIs remain aligned to contract scope and the current trust boundary, especially after vendor changes.

The workflow becomes clearer when reviewers can trace identity purpose back to evidence, such as asset inventory, approval history, and recent access telemetry. The Ultimate Guide to NHIs — What are Non-Human Identities explains why this matters across the NHI lifecycle, and the Sisense breach shows how exposed credentials can turn a weak approval process into real compromise. In practice, certification is not just a permission review; it is a decision-quality problem.

Why It Matters in NHI Security

Certification workflow is a control point for reducing standing access, but it only works when reviewers have enough context to make timely, defensible decisions. NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which means weak certification often leaves stale NHI access in place long after it should have been removed. That gap is especially dangerous because NHIs outnumber human identities by 25x to 50x in modern enterprises, so even a small process failure can scale quickly. Good workflow design supports auditability, ownership clarity, and exception handling, while poor design creates backlogs, rubber-stamp approvals, and unreviewed exceptions. The control also connects directly to broader governance themes in the NIST Cybersecurity Framework 2.0 and to lifecycle discipline covered in the Ultimate Guide to NHIs — What are Non-Human Identities. Organisations typically encounter the need for certification workflow after a breach, when they discover that no one can prove why an NHI still had access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Access review and ownership are core to preventing stale NHI permissions.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege access management depends on periodic certification of entitlements.
NIST SP 800-63                   | IAL                 | Identity proofing concepts inform confidence in who approves and owns access.

Require periodic certification of NHI access with named owners and documented business justification.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org