A certified transaction is a business action that has been evaluated for appropriateness at the moment of execution, not just for whether the actor had standing access. In identity governance, it shifts control from entitlement review to runtime proof, which is especially relevant in ERP and other compliance-heavy systems.
Expanded Definition
A certified transaction is not just an approved action, it is a runtime decision that confirms the action is appropriate for the actor, the target system, the data involved, and the current context. In NHI governance, that distinction matters because a service account can have standing access and still be unsafe to use for a specific operation.
Definitions vary across vendors, but the practical meaning is consistent: a certified transaction adds proof at execution time rather than relying only on periodic entitlement review. That makes it closer to Zero Trust thinking than to classic access recertification, and it aligns with the broader NHI lifecycle guidance described in the Ultimate Guide to NHIs — What are Non-Human Identities. It is also compatible with the control discipline in NIST Cybersecurity Framework 2.0, where access decisions should reflect current risk, not inherited permission alone.
The most common misapplication is treating a certified transaction as a one-time approval, which occurs when teams validate the account but do not validate the specific action at the moment it executes.
Examples and Use Cases
Implementing certified transactions rigorously often introduces latency and workflow complexity, requiring organisations to weigh real-time assurance against operational friction.
- An ERP payment run is allowed only after the transaction is checked against amount thresholds, business hours, and the service account’s current role scope.
- A privileged API call to create vendor records is certified only when the request matches an approved ticket and the caller’s automation context is expected.
- A batch job posting journal entries is blocked if the target ledger period is closed, even though the account still has standing database access.
- A high-risk update to master data is certified with additional context such as source system, change window, and segregation-of-duties rules.
- A suspicious automation path is compared with patterns seen in the Sisense breach discussion, where compromised identities became dangerous because execution was not constrained tightly enough.
For implementation design, the control logic usually sits between identity, policy, and transaction layers rather than inside the application alone. That is why teams often pair certified transaction checks with Zero Trust guidance from NIST Cybersecurity Framework 2.0 and broader NHI governance patterns from Ultimate Guide to NHIs — What are Non-Human Identities.
Why It Matters in NHI Security
Certified transactions matter because compromise is often less about whether an NHI exists and more about what it is allowed to do at the exact moment it is used. That distinction becomes critical in ERP, finance, healthcare, and supply chain platforms where a valid service account can still be abused for destructive or fraudulent actions. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, which makes runtime authorization far more valuable than entitlement review alone.
Used properly, certified transactions reduce the blast radius of overprivileged accounts, support separation of duties, and make audit evidence more meaningful because the approval is tied to the business action itself. This is especially important in environments with secrets sprawl, rotating automation, and agentic workflows, where an NHI lifecycle model cannot rely on static trust. The most common misunderstanding is assuming a strong login proves a safe transaction, when in practice the risky event is often the privileged operation that follows authentication.
Organisations typically encounter the need for certified transactions only after an audit exception, fraud event, or production misuse, at which point the concept becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and execution risk for non-human identities in runtime workflows. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access decisions should reflect current context, not just standing rights. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification of access at the point of use. |
Require continuous, transaction-level authorization for NHI actions instead of relying on static trust.
Related resources from NHI Mgmt Group
- What is the difference between entitlement review and transaction-first governance?
- How should security teams implement continuous transaction monitoring across business systems?
- When does transaction monitoring become more useful than manual review?
- What do organisations get wrong about transaction control assurance?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 4, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
