
Recertification campaign

By NHI Mgmt Group Updated June 27, 2026 Domain: Governance, Ownership & Risk

A recertification campaign is a structured review cycle where managers, application owners, or approvers validate that existing access is still justified. In practice, campaign quality depends on current ownership data, clear entitlement meaning, and a scope small enough for reviewers to make accurate decisions.

Expanded Definition

A recertification campaign is a controlled review cycle used to confirm that existing access remains justified, but in NHI and IAM environments the scope is broader than simple permission reapproval. It often includes service accounts, application entitlements, API keys, certificates, and delegated privileges that are owned by a manager, system custodian, or application owner. The goal is to catch access that was once valid but is now stale, overextended, or orphaned.

Definitions vary across vendors and identity programs, especially when campaigns are blended with attestation, access review, or periodic access certification. In practice, a strong campaign depends on accurate ownership mapping, meaningful entitlement labels, and a review set small enough for humans to make informed decisions. That aligns with the broader control expectations in the NIST Cybersecurity Framework 2.0, where access governance must be repeatable and evidence-based.

The most common misapplication is treating the campaign as a calendar-driven approval exercise: reviewers are handed outdated access lists with no usage evidence and no clear asset ownership, so the only practical option is to rubber-stamp them.

Examples and Use Cases

Implementing recertification campaigns rigorously often introduces operational friction, requiring organisations to balance access hygiene against review fatigue and business disruption.

  • A quarterly review of privileged NHI accounts verifies whether automation jobs still need production database access or whether the entitlement can be removed.
  • An application owner confirms that a legacy integration token is still tied to an active service, using the NHI inventory classification from the Ultimate Guide to NHIs (What are Non-Human Identities) as the baseline for classifying the identity.
  • A manager reviews contractor access to a CI/CD platform and rejects permissions that are broader than the role currently requires.
  • A security team runs a focused campaign after a merger to remove duplicated accounts, expired API keys, and unowned secrets, a pattern often seen in breach investigations such as the Sisense breach.
  • An engineering org uses NIST-style access review logic to recertify cloud admin roles before a new release window, instead of waiting for an annual audit scramble.

Why It Matters in NHI Security

Recertification campaigns matter because NHIs tend to accumulate access faster than teams can track ownership, especially when service accounts outlive the application, token rotation is inconsistent, or multiple secrets manager instances fragment control. In The State of Secrets in AppSec, GitGuardian and CyberArk reported that organisations maintain an average of 6 distinct secrets manager instances, a fragmentation pattern that makes access reviews harder to scope and verify. That kind of sprawl turns certification into guesswork unless identity records, entitlement meaning, and revocation paths are kept current.

When campaigns are done poorly, they create false confidence: access looks reviewed, but stale keys, dormant integrations, and inherited privileges remain active. That is why NHI governance treats recertification as a control for both least privilege and accountability, not as a compliance ritual. The operational value is highest when campaigns are targeted, evidence-backed, and tied to removal workflows that actually execute after approval or rejection.
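The scoping and enforcement logic described above, as an added example that is not part of the original page or of NHI Mgmt Group's tooling: the inventory records, the dormancy and key-age thresholds, the privileged-entitlement labels, the identity names and the fixed clock are all constructed assumptions. It builds a campaign only from entitlements that carry evidence a reviewer can act on (orphaned, dormant, stale key, privileged), routes orphaned items to a security team, and enforces outcomes fail-closed so that an unanswered review never silently re-certifies access.

```python
"""Scope an NHI recertification campaign from inventory evidence and enforce
the outcome. Added example; every record, threshold and name below is
constructed for illustration and is not from a real system."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Entitlement:
    identity: str                   # service account, token or certificate name
    kind: str                       # "service_account" | "api_key" | "cert"
    resource: str                   # what the entitlement grants access to
    privilege: str                  # label that means something to a reviewer
    owner: Optional[str]            # accountable human or team; None = orphaned
    last_used: Optional[datetime]   # from auth/audit logs; None = never observed
    created: datetime


@dataclass
class ReviewItem:
    entitlement: Entitlement
    reviewer: str
    evidence: list = field(default_factory=list)   # why the item is in scope
    outcome: Optional[str] = None                  # recorded decision for audit


# Fixed clock and thresholds (assumed values) so the run is deterministic.
NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)
MAX_KEY_AGE = timedelta(days=365)
PRIVILEGED = ("db:admin", "ci:deploy", "cloud:admin")


def build_campaign(inventory: list, now: datetime = NOW) -> list:
    """Put only entitlements with evidence worth a decision in front of a reviewer."""
    items = []
    for e in inventory:
        evidence = []
        if e.owner is None:
            evidence.append("orphaned: no accountable owner")
        if e.last_used is None or now - e.last_used > DORMANT_AFTER:
            evidence.append(f"dormant: no use in {DORMANT_AFTER.days}d")
        if e.kind == "api_key" and now - e.created > MAX_KEY_AGE:
            evidence.append(f"stale key: older than {MAX_KEY_AGE.days}d")
        if e.privilege in PRIVILEGED:
            evidence.append("privileged: standing access to a sensitive resource")
        if evidence:
            # Orphaned items go to the security team; nobody else can answer for them.
            items.append(ReviewItem(e, e.owner or "security-team", evidence))
    return items


def apply_decisions(items: list, decisions: dict, revoke: Callable) -> tuple:
    """Enforce outcomes. decisions maps identity -> ("keep", new_owner) or ("revoke", None).
    Anything unanswered by the deadline, or a "keep" on an orphaned item that names
    no owner, is revoked: silence is not certification."""
    kept, revoked = [], []
    for it in items:
        e = it.entitlement
        verdict, new_owner = decisions.get(e.identity, (None, None))
        if verdict == "keep" and (e.owner or new_owner):
            e.owner = e.owner or new_owner      # a kept orphan must gain an owner
            it.outcome = f"kept by {it.reviewer}"
            kept.append(e.identity)
            continue
        if verdict == "keep":
            it.outcome = "revoked: keep rejected, no owner assigned"
        elif verdict == "revoke":
            it.outcome = f"revoked by {it.reviewer}"
        else:
            it.outcome = "revoked: no decision by deadline"
        revoke(e)                               # the removal workflow actually runs
        revoked.append(e.identity)
    return kept, revoked


def sample_inventory() -> list:
    """Constructed inventory: one in-use privileged job, one orphaned stale key,
    one unanswered privileged CI account, one clean read-only account, one dead cert."""
    d = lambda days: NOW - timedelta(days=days)
    return [
        Entitlement("svc-batch-etl", "service_account", "prod-db", "db:admin", "data-platform", d(2), d(400)),
        Entitlement("tok-legacy-crm", "api_key", "crm-api", "crm:read", None, d(200), d(500)),
        Entitlement("svc-ci-deploy", "service_account", "k8s-prod", "ci:deploy", "platform-eng", d(1), d(30)),
        Entitlement("svc-metrics", "service_account", "grafana", "metrics:read", "sre", d(3), d(100)),
        Entitlement("cert-old-gateway", "cert", "api-gw", "tls:serve", "sre", None, d(800)),
    ]


SAMPLE_DECISIONS = {
    "svc-batch-etl": ("keep", None),        # owner confirms the ETL job still needs prod-db
    "tok-legacy-crm": ("keep", None),       # "keep" without naming an owner: rejected
    "cert-old-gateway": ("revoke", None),   # owner confirms the certificate is dead
    # svc-ci-deploy: the reviewer never answered before the deadline
}


def run_example() -> tuple:
    items = build_campaign(sample_inventory())
    revocations = []                        # stand-in for a secrets-manager disable call
    kept, revoked = apply_decisions(items, SAMPLE_DECISIONS, revocations.append)
    return items, kept, revoked


if __name__ == "__main__":
    for item in run_example()[0]:
        print(item.entitlement.identity, item.reviewer, item.evidence, "->", item.outcome)
```

The clean read-only account never enters the campaign, which is what keeps the review set small enough for accurate decisions; each item carries the evidence the reviewer saw and the outcome recorded against it, which is the audit trail a framework assessor will ask for. In a real deployment `last_used` would come from authentication or cloud audit logs and `revoke` would disable the credential in the secrets manager or IdP; the design choice to revoke on silence is deliberate, since the alternative is the false confidence the page warns about.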

Organisations typically discover the need for recertification only after a dormant account, forgotten token, or inherited integration is involved in an incident, at which point a campaign is no longer optional but a remediation step.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 (Improper Offboarding), NHI5:2025 (Overprivileged NHI) | Recurring access review is a core NHI governance control for stale or excessive permissions.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations are managed, enforced, and reviewed to uphold least privilege and separation of duties.
NIST Zero Trust (SP 800-207) | - | Zero Trust requires continuous verification rather than assumed standing access.

Treat recertification as one input to continuous authorization and remove standing trust where possible.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 27, 2026.