A periodic review of whether assigned software access is still needed and being used. It is similar to access recertification in identity governance, but focused on paid application seats, ensuring dormant or duplicate licenses are removed before they become recurring waste.
Expanded Definition
License recertification is the scheduled review of software entitlements to confirm that each assigned seat is still justified, actively used, and properly attributed. In the NHI and IAM domain, it is closely related to access recertification, but the control objective is financial and operational as much as it is security-related: eliminate paid access that no longer delivers business value. Guidance varies across vendors on whether “recertification” means manager attestation, usage-based review, or both, so organisations should define the approval standard explicitly.
Unlike one-time provisioning checks, license recertification is recurring and evidence-driven. It typically evaluates who holds the license, when it was last used, whether the user still needs the feature tier, and whether a duplicate seat exists under another identity. This matters for SaaS estates where shadow IT, shared mailboxes, and dormant accounts can hide recurring spend. The most common misapplication is running the exercise as a budget cleanup and then presenting it as a security review: teams remove seats that look unused without first validating whether those entitlements are tied to active workflows or service integrations, and they leave seats that look active in place without checking whether the holder still has a business reason to keep them.
For a broader identity governance lens, compare this practice with the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs — What are Non-Human Identities, which shows how entitlement sprawl becomes a governance problem when identities outgrow oversight.
Examples and Use Cases
Implementing license recertification rigorously often introduces administrative overhead, requiring organisations to weigh savings from reclaimed seats against the time needed to verify real business use.
- A SaaS admin reviews quarterly assignments in a sales platform and removes dormant premium seats after confirming that the users have moved to lower-cost tiers.
- An IT owner checks duplicate assignments across multiple subsidiaries and consolidates licenses under the correct directory identity after validating user ownership.
- A security team ties recertification to joiner-mover-leaver processes so that departed staff do not retain paid application access beyond their employment.
- An application owner uses telemetry and recent login history to distinguish a truly unused license from one exercised only by an automated workflow or delegated account.
- A governance team revisits its entitlement review process after an incident such as the Sisense breach and compares it against the NIST Cybersecurity Framework 2.0 to separate waste reduction from access risk.
These use cases are most effective when recertification is based on evidence, not just manager intuition. Usage data, asset ownership, and approval history should be checked together, especially where a license supports operational automations or shared service access.
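The checks listed in the expanded definition and the use cases above (holder still employed, duplicate seat under another identity, last interactive use versus last API use, premium tier actually exercised) combine into a small decision procedure. The following is an added example written for this page, not tooling from NHI Mgmt Group or any vendor; the seat fields, the 90-day review window, the tier names and the sample inventory are all assumptions constructed for illustration. It classifies each seat into one of six decisions and deliberately orders the checks so that a departed holder is reclaimed even when the seat is still in use, and a seat exercised only by an automation is held for investigation rather than deleted.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90  # assumed review window; tune to the application's usage cadence


@dataclass
class Seat:
    seat_id: str
    app: str
    tier: str                     # "premium" or "standard" (assumed tier names)
    email: str                    # identity the vendor console shows the seat assigned to
    last_login: Optional[date]    # last interactive sign-in reported by the app
    last_api_use: Optional[date]  # last API/token call made under this seat
    premium_used: Optional[date]  # last use of a premium-only feature


def recent(d: Optional[date], as_of: date, days: int = DORMANT_DAYS) -> bool:
    """True when the date lies inside the review window."""
    return d is not None and (as_of - d).days <= days


def find_duplicate_losers(seats: list) -> set:
    """Return seat_ids that duplicate another seat for the same app and identity.

    Seats are grouped by (app, normalised email); the most recently exercised
    seat in each group is the keeper, the rest are consolidation candidates.
    """
    groups = {}
    for s in seats:
        groups.setdefault((s.app, s.email.lower()), []).append(s)

    def last_activity(s: Seat) -> date:
        return max(d for d in (s.last_login, s.last_api_use, date.min) if d is not None)

    losers = set()
    for group in groups.values():
        if len(group) > 1:
            keeper = max(group, key=last_activity)
            losers.update(s.seat_id for s in group if s is not keeper)
    return losers


def classify(seat: Seat, directory: dict, as_of: date, losers: set) -> str:
    # 1. JML first: a departed holder loses the seat even if it is still being used.
    if directory.get(seat.email.lower()) != "active":
        return "reclaim:leaver"
    # 2. Duplicate seats are consolidated under the keeper, not blindly deleted.
    if seat.seat_id in losers:
        return "consolidate:duplicate"
    login = recent(seat.last_login, as_of)
    api = recent(seat.last_api_use, as_of)
    # 3. No human sign-in but live API use: an automation depends on it; hold, do not reclaim.
    if api and not login:
        return "investigate:automation"
    # 4. No evidence of use in the window at all: reclaimable waste.
    if not login and not api:
        return "reclaim:dormant"
    # 5. Used, but the premium tier is not: downgrade rather than remove.
    if seat.tier == "premium" and not recent(seat.premium_used, as_of):
        return "downgrade:tier"
    return "keep"


def recertify(seats: list, directory: dict, as_of: date) -> dict:
    """Map every seat_id to a recertification decision."""
    losers = find_duplicate_losers(seats)
    return {s.seat_id: classify(s, directory, as_of, losers) for s in seats}


# Constructed sample data (not real telemetry): one CRM app with six seats.
AS_OF = date(2026, 6, 1)
DIRECTORY = {  # normalised email -> HR status from the directory of record
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "terminated",
    "dana@example.com": "active",
    "svc-crm-sync@example.com": "active",  # service account with a named owner
}
SEATS = [
    Seat("S1", "crm", "premium", "alice@example.com", date(2026, 5, 28), None, date(2026, 5, 20)),
    Seat("S2", "crm", "premium", "bob@example.com", date(2026, 5, 15), None, date(2026, 1, 10)),
    Seat("S3", "crm", "standard", "carol@example.com", date(2026, 5, 30), None, None),
    Seat("S4", "crm", "standard", "dana@example.com", date(2025, 12, 1), None, None),
    Seat("S5", "crm", "standard", "svc-crm-sync@example.com", None, date(2026, 5, 31), None),
    Seat("S6", "crm", "standard", "Alice@Example.com", date(2026, 2, 1), None, None),
]

if __name__ == "__main__":
    for seat_id, decision in recertify(SEATS, DIRECTORY, AS_OF).items():
        print(f"{seat_id}: {decision}")
```

Two points of the design are the ones that separate a security review from a cost cleanup. Carol's seat (S3) was used two days ago and a usage-only review would keep it; the directory says she has left, so the joiner-mover-leaver check runs first and reclaims it. The sync account's seat (S5) has never had an interactive login and a usage-only review would delete it; the API telemetry shows a live integration, so it is routed to the application owner as "investigate" rather than removed. The duplicate check normalises the e-mail case so that "Alice@Example.com" and "alice@example.com" are recognised as one identity, and it keeps the more recently used seat rather than an arbitrary one.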
Why It Matters in NHI Security
License recertification matters in NHI security because the same control discipline that catches unused software seats also helps surface unmanaged service accounts, stale integrations, and orphaned tooling access. When entitlement reviews are skipped, organisations tend to accumulate dormant access paths that are invisible until an audit, a renewal cycle, or an incident forces inventory reconciliation. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, which shows how quickly incomplete records undermine governance and cost control.
The security significance is not just overspend. Unreviewed licenses often indicate weak ownership, poor lifecycle hygiene, and gaps between procurement, IT, and application teams. Those gaps make it harder to prove least privilege, harder to terminate access cleanly, and harder to answer basic questions about who can still use a platform after a role change. For NHI programs, that same pattern can extend to API keys, automation seats, and shared accounts that remain active long after the business need has disappeared. The Ultimate Guide to NHIs — What are Non-Human Identities also shows why identity sprawl becomes a governance failure, not just a cost issue.
Organisations typically see the true impact only after a renewal audit, a misuse investigation, or a failed offboarding event, by which point license recertification is no longer optional.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (replaces the CSF 1.1 PR.AC identifiers) | Access permissions, entitlements, and authorizations are managed, enforced, and reviewed, limited to approved business need and least privilege. |
| NIST CSF 2.0 | GV.OV-01 | Oversight: risk management outcomes, including identity and access control results, are reviewed and used to adjust strategy and direction. |
| NIST SP 800-63B | Section 6, Authenticator Lifecycle Management | Authenticators have an expiration, revocation, and termination lifecycle; a reclaimed seat should also have its credentials and tokens revoked rather than left dormant. |
Track recertification completion and remediation as governance metrics, not just procurement savings.
Related resources from NHI Mgmt Group
- How should organisations measure identity security ROI beyond license savings?
- What is the difference between access recertification and access provisioning?
- What breaks when non-human identities are not included in recertification?
- When should organisations trigger access reviews outside the normal recertification cycle?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org