Access certification
Access certification (also called access attestation or recertification) is the process of periodically reviewing and validating users’ access rights to ensure they are appropriate for their current job roles.
In an access certification review, a manager or auditor examines each user’s permissions on applications, systems, or data and confirms whether those access privileges are still required. If any access is deemed unnecessary or excessive, it is revoked to uphold the principle of least privilege. This process is a key part of Identity Governance and Administration (IGA) programs to keep access aligned with business needs and compliance requirements.
How does it affect identity security?
Regular access certifications are critical to identity security because they help organizations catch and remove outdated or unauthorized access that could be exploited. By ensuring each user has only the minimum necessary entitlements, access reviews reduce the risk of privilege creep (gradual accumulation of access over time) and insider threats.
Effective access certification identifies anomalous or high-risk access privileges and triggers corrective actions before a security breach occurs. This practice also helps organizations demonstrate compliance with regulations and security policies by maintaining an auditable trail of who has access to what, who approved it, and when it was last confirmed. In short, access certification applies a zero trust principle to entitlements: standing access is never assumed to be justified; it is verified and re-certified on a schedule.
Case study
A notable breach underscoring the need for access certification involved a U.S. state government in 2021. Attackers penetrated the state’s network using a former employee’s VPN credentials, which were still active due to poor offboarding. The ex-employee’s account, an administrator account that should have been disabled, allowed the intruders to log in and move laterally within the network, eventually accessing sensitive data.
This incident was a direct result of failing to review and revoke old user accounts. Investigators described it as “a reminder of the risks associated with...former employees that have not been properly removed” and emphasized that regular review and removal of unnecessary accounts is crucial to minimize attack vectors. In this case, a robust access certification process (identifying dormant admin accounts and revoking them promptly) could have prevented the breach by ensuring that departed staff no longer retained network access. Certification is a periodic backstop, not a substitute for event-driven deprovisioning: the primary control is disabling accounts when the HR leaver event fires, and the review cycle exists to catch whatever that process misses.
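The following is an added example (not code from the original page or from any vendor's product) showing how the review logic described in the two sections above can be expressed in code: it applies the three checks a certification campaign would run over the population, namely terminated users still holding access, entitlements outside the role baseline (privilege creep), and privileged entitlements on dormant accounts. The HR roster, entitlement lists, role baselines, the 90-day dormancy threshold and the set of "privileged" entitlements are all assumptions constructed for the example; a real program would pull them from the HR feed, the identity provider and the IGA system.

```python
"""Added example: a minimal access-certification review over constructed data.

Assumptions (not from the page): an HR roster with employment status, role
and last login per user; an entitlement set per user; a per-role baseline of
expected entitlements; a 90-day dormancy threshold; and a fixed list of
entitlements treated as privileged. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

DORMANT_AFTER = timedelta(days=90)                 # assumed policy threshold
PRIVILEGED = {"vpn-admin", "domain-admin", "db-admin"}  # assumed classification


@dataclass
class Account:
    user: str
    role: str
    status: str                       # "active" or "terminated" (from HR)
    last_login: Optional[date]        # None if the account has never logged in
    entitlements: Set[str] = field(default_factory=set)


# What each role is expected to hold; anything beyond this is privilege creep.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"vpn-user", "ticketing"},
    "dba": {"vpn-user", "db-admin"},
    "sysadmin": {"vpn-user", "vpn-admin", "domain-admin"},
}

Decision = Tuple[str, str, str]  # (entitlement, decision, reason)


def certify(accounts: List[Account], today: date) -> Dict[str, List[Decision]]:
    """Return, per user, a decision for each entitlement: certify, review or revoke."""
    findings: Dict[str, List[Decision]] = {}
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        dormant = acct.last_login is None or today - acct.last_login > DORMANT_AFTER
        decisions: List[Decision] = []
        for ent in sorted(acct.entitlements):
            if acct.status == "terminated":
                # Offboarding failure: the leaver event never reached this system.
                decisions.append((ent, "revoke", "user terminated; offboarding incomplete"))
            elif ent not in baseline:
                # Privilege creep: access carried over from a previous role.
                decisions.append((ent, "revoke", f"not in baseline for role {acct.role}"))
            elif ent in PRIVILEGED and dormant:
                # Standing admin access that is not being used is pure attack surface.
                decisions.append((ent, "revoke", "privileged entitlement on dormant account"))
            elif dormant:
                # Low-risk access on an idle account: route to the manager rather than auto-revoke.
                decisions.append((ent, "review", "account dormant; manager to confirm"))
            else:
                decisions.append((ent, "certify", "within role baseline and in use"))
        if decisions:
            findings[acct.user] = decisions
    return findings


def revocations(findings: Dict[str, List[Decision]]) -> List[Tuple[str, str]]:
    """Flatten the review to the (user, entitlement) pairs provisioning should remove."""
    return sorted((u, e) for u, ds in findings.items() for e, d, _ in ds if d == "revoke")


# Constructed sample population (not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", "helpdesk", "active", date(2024, 5, 28), {"vpn-user", "ticketing"}),
    # Moved from sysadmin to helpdesk but kept domain-admin: privilege creep.
    Account("bob", "helpdesk", "active", date(2024, 5, 30), {"vpn-user", "ticketing", "domain-admin"}),
    # Left the organisation; VPN admin account was never disabled.
    Account("carol", "sysadmin", "terminated", date(2024, 1, 15), {"vpn-user", "vpn-admin"}),
    # Still employed, but has not used the account (or its db-admin right) in months.
    Account("dave", "dba", "active", date(2024, 1, 10), {"vpn-user", "db-admin"}),
]

if __name__ == "__main__":
    results = certify(SAMPLE, TODAY)
    for user, decisions in results.items():
        for ent, decision, reason in decisions:
            print(f"{user:6} {ent:14} {decision:8} {reason}")
    print("to revoke:", revocations(results))
```

The split between "revoke" and "review" is the design point worth keeping: automatic revocation is defensible where the evidence is unambiguous (a terminated user, access outside the role baseline, an unused admin right), while an idle but otherwise in-policy entitlement goes to the line manager so the campaign does not lock out someone returning from leave. The output of `revocations` is what gets handed to the provisioning connector, and the full `certify` result is the auditable record of who held what and why it was kept or removed.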