Beyond Rubber-Stamping: How to Fix Account Recertification

TL;DR

Annual access reviews are a broken, compliance-driven ritual that often increases risk. This post breaks down how to move beyond traditional, manual recertification to a modern, automated, and continuous model. We’ll cover event-driven reviews, micro-certifications, and how to leverage automation to reduce risk, eliminate rubber-stamping, and build a system that governs access in real-time.


The ‘Why’

For decades, account recertification has been a cornerstone of identity and access management (IAM). The process is simple in theory: on a regular basis (usually annually), managers review the access rights of their direct reports and "recertify" that the access is still necessary. This periodic review is a key control expected by regulations and standards such as Sarbanes-Oxley (SOX), HIPAA, and PCI DSS, all of which require that access to in-scope systems be reviewed and justified on a defined cadence.

However, the traditional model is fundamentally broken. Annual reviews have devolved into a “rubber-stamping” exercise, where overwhelmed managers, facing a spreadsheet with hundreds of entitlements, approve everything without proper scrutiny just to meet a deadline.

Consider 'Jane,' a developer who moved to a new team six months ago. Her write access to her old team's production code was never revoked. For six months that dormant, high-privilege access has sat outside any review, invisible to the security team and available to anyone who compromises her account. This is not a rare oversight; it is the default outcome of an annual cycle, where an access change made in January is not examined until the following year's review. In a cloud-first environment where roles, projects and systems change monthly, a twelve-month exposure window is not acceptable risk management. We need a more dynamic, risk-driven approach.


The ‘What’ and ‘How’

The future of access certification is not about doing the same thing more frequently. It’s about changing the paradigm from a time-based ritual to a risk-based, event-driven process. This means integrating your governance controls directly into your core business and IT workflows.

The Old Way vs. The New Way

| Dimension  | Traditional (Annual) Review                 | Modern (Continuous) Certification                    |
| ---------- | ------------------------------------------- | ---------------------------------------------------- |
| Trigger    | Fixed calendar date (e.g., annually)        | Business event (e.g., role change, project end)      |
| Scope      | All users, all access, all at once          | Focused, context-specific (e.g., one user, one app)  |
| Accuracy   | Low (rubber-stamping is common)             | High (context is fresh, scope is small)              |
| Timeliness | Low (up to 12 months of risk exposure)      | High (risk is addressed in near real time)           |
| Overhead   | High (massive effort for managers)          | Low (small, manageable reviews spread over time)     |

Key Concept 1: Event-Driven Recertification

Instead of waiting for a calendar date, event-driven recertification triggers a review based on a specific, meaningful event in a user’s lifecycle. This is the essence of “just-in-time” governance.

  • Job Change/Promotion: This is the most critical event. When an employee moves to a new role or department, their existing access should be immediately reviewed. The new manager is prompted to certify or remove access based on the new role's requirements. This prevents the slow, silent accumulation of privileges that is so dangerous. Technically, this is triggered by a change to the manager or department attribute in your HR system (such as Workday or SuccessFactors). The IGA platform picks up that change through its HR connector or an inbound provisioning feed, treats HR as the authoritative source for the identity, and opens a targeted review for the new manager rather than waiting for the next campaign.
  • High-Risk Access Grant: If a user is granted access to a critical system (e.g., production database, financial reporting application, or a “Global Admin” role), this can trigger an immediate secondary review by the system owner or a higher-level manager. This ensures that sensitive access is always subject to multi-level approval.
  • Project Completion: When a project team is disbanded (e.g., a Jira project is closed or an Azure DevOps team is archived), the access granted for that project should be automatically de-provisioned or reviewed.
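The three triggers above, plus the leaver case, come down to one event handler that maps a lifecycle event to a review task (or an automatic revocation) with the right reviewer and SLA. The following is an added example, not code from the original post or from any IGA vendor; the event schema, the list of high-risk entitlements, the reviewer routing and the SLAs are all assumptions chosen for illustration, and the users and events are constructed inline.

```python
"""Event-driven recertification triggers (added, hypothetical example).

Consumes identity lifecycle events (constructed below; in practice they
would come from the HR feed, the IGA platform or the ticketing system)
and decides what review, if any, to open. Schema, risk list and routing
are assumptions for this example, not any vendor's API.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: entitlements whose grant must get a second, out-of-band review.
HIGH_RISK_ENTITLEMENTS = {"prod-db-admin", "finance-reporting", "global-admin"}


@dataclass
class User:
    uid: str
    manager: str
    department: str
    entitlements: set = field(default_factory=set)
    status: str = "active"


@dataclass
class ReviewTask:
    kind: str            # role_change | high_risk_grant | project_end | leaver
    user: str
    reviewer: str        # who must decide; empty string for automatic actions
    entitlements: frozenset
    due: date


def handle_event(event: dict, users: dict, owners: dict, today: date) -> list[ReviewTask]:
    """Map one lifecycle event to zero or more review tasks, mutating `users`."""
    tasks: list[ReviewTask] = []
    etype = event["type"]
    if etype == "attr_change":
        u = users[event["uid"]]
        changed = {k: v for k, v in event["new"].items() if getattr(u, k) != v}
        if {"manager", "department"} & changed.keys():
            for k, v in changed.items():          # apply the HR change first ...
                setattr(u, k, v)
            if u.entitlements:                    # ... then the NEW manager certifies
                tasks.append(ReviewTask("role_change", u.uid, u.manager,
                                        frozenset(u.entitlements), today + timedelta(days=7)))
    elif etype == "grant":
        u = users[event["uid"]]
        ent = event["entitlement"]
        u.entitlements.add(ent)
        if ent in HIGH_RISK_ENTITLEMENTS:         # secondary review by the system owner
            tasks.append(ReviewTask("high_risk_grant", u.uid, owners[ent],
                                    frozenset({ent}), today + timedelta(days=2)))
    elif etype == "project_closed":
        prefix = event["entitlement_prefix"]      # e.g. every entitlement tagged proj-apollo-
        for u in users.values():
            proj = {e for e in u.entitlements if e.startswith(prefix)}
            if proj:
                u.entitlements -= proj            # auto-deprovision, keep a record for audit
                tasks.append(ReviewTask("project_end", u.uid, "", frozenset(proj), today))
    elif etype == "termination":
        u = users[event["uid"]]
        removed = frozenset(u.entitlements)       # leaver: revoke everything, no human in the loop
        u.entitlements.clear()
        u.status = "disabled"
        tasks.append(ReviewTask("leaver", u.uid, "", removed, today))
    else:
        raise ValueError(f"unknown event type {etype!r}")
    return tasks


def demo() -> tuple[list[ReviewTask], dict]:
    """Constructed walk-through of Jane's lifecycle: transfer, risky grant, project end, exit."""
    today = date(2024, 6, 1)
    users = {"jane": User("jane", "bob", "platform", {"repo-payments-write", "proj-apollo-jira"})}
    owners = {"prod-db-admin": "dba-lead", "finance-reporting": "fin-sys-owner", "global-admin": "ciso"}
    events = [
        {"type": "attr_change", "uid": "jane", "new": {"manager": "alice", "department": "data"}},
        {"type": "grant", "uid": "jane", "entitlement": "prod-db-admin"},
        {"type": "project_closed", "entitlement_prefix": "proj-apollo-"},
        {"type": "termination", "uid": "jane"},
    ]
    tasks: list[ReviewTask] = []
    for ev in events:
        tasks.extend(handle_event(ev, users, owners, today))
    return tasks, users


if __name__ == "__main__":
    for t in demo()[0]:
        print(t.kind, t.user, t.reviewer or "<automatic>", sorted(t.entitlements), t.due)
```

Note the asymmetry that matters in practice: role changes and high-risk grants route to a named human with a short SLA, while project closure and termination revoke immediately and only leave a record. The audit trail is what lets the annual attestation become a review of the log rather than a fresh spreadsheet.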

Key Concept 2: Micro-Certifications

Instead of a massive, all-encompassing annual review, micro-certifications break down the process into smaller, more manageable, and more frequent chunks. This makes the process less daunting and the results more reliable.

  • By Application: Instead of reviewing all of a user’s access at once, you can have application owners certify access to their specific systems on a rolling, quarterly basis. The owner of the Salesforce instance certifies Salesforce access; the owner of the data warehouse certifies database access.
  • By Risk Level: Not all access is created equal. High-risk entitlements (like administrative roles) should be reviewed quarterly, while low-risk access (like access to a company-wide wiki) might remain on an annual or semi-annual schedule.
  • By User Group: You can focus on specific user populations with more frequent and targeted reviews. Contractors, for example, should have their access reviewed every 90 days, or upon contract renewal. Privileged administrators should be on the shortest cycle of all, with every standing admin entitlement re-justified at least quarterly, or replaced by time-bound, just-in-time elevation where the platform supports it.
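Micro-certification only works if the cadence is computed per entitlement rather than per campaign, so that a contractor's low-risk wiki access and an administrator's high-risk database role each come due on their own clock and land with the right application owner. The following is an added example, not code from the original post or any IGA product; the cadence table, the population caps, the entitlement catalog and the assignment data are all assumptions constructed for illustration.

```python
"""Micro-certification scheduling (added, hypothetical example).

Each (user, entitlement) pair gets a review interval from the entitlement's
risk tier, capped by the user's population, and anything past due is grouped
into a per-application campaign addressed to that application's owner.
"""
from collections import defaultdict
from datetime import date, timedelta

# Assumption: review interval by entitlement risk tier (days).
CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}
# Assumption: some populations are never reviewed less often than this.
POPULATION_CAP_DAYS = {"contractor": 90, "privileged_admin": 30}


def review_interval(risk: str, population: str) -> int:
    """Days between certifications for one entitlement held by one kind of user."""
    days = CADENCE_DAYS[risk]
    cap = POPULATION_CAP_DAYS.get(population)
    return min(days, cap) if cap else days


def build_campaigns(assignments: list, catalog: dict, users: dict, today: date) -> dict:
    """Return {app: {"owner": owner, "items": [(uid, entitlement, days_overdue), ...]}}
    containing only assignments whose next certification date has passed."""
    campaigns = defaultdict(lambda: {"owner": None, "items": []})
    for a in assignments:
        ent = catalog[a["entitlement"]]
        interval = review_interval(ent["risk"], users[a["uid"]]["population"])
        due = a["last_certified"] + timedelta(days=interval)
        if due <= today:
            c = campaigns[ent["app"]]
            c["owner"] = ent["owner"]             # the app owner, not the line manager, certifies
            c["items"].append((a["uid"], a["entitlement"], (today - due).days))
    return dict(campaigns)


# Constructed sample data.
CATALOG = {
    "sfdc-admin":    {"app": "Salesforce",      "owner": "sfdc-owner", "risk": "high"},
    "wiki-read":     {"app": "Wiki",            "owner": "it-collab",  "risk": "low"},
    "prod-db-admin": {"app": "Data Warehouse",  "owner": "dba-lead",   "risk": "high"},
}
USERS = {
    "alice": {"population": "employee"},
    "bob":   {"population": "employee"},
    "carol": {"population": "contractor"},
    "dave":  {"population": "privileged_admin"},
}
ASSIGNMENTS = [
    {"uid": "alice", "entitlement": "sfdc-admin",    "last_certified": date(2024, 1, 15)},
    {"uid": "bob",   "entitlement": "wiki-read",     "last_certified": date(2024, 1, 15)},
    {"uid": "carol", "entitlement": "wiki-read",     "last_certified": date(2024, 1, 15)},
    {"uid": "dave",  "entitlement": "prod-db-admin", "last_certified": date(2024, 5, 1)},
]


def demo(today: date = date(2024, 6, 1)) -> dict:
    return build_campaigns(ASSIGNMENTS, CATALOG, USERS, today)


if __name__ == "__main__":
    for app, c in demo().items():
        print(f"{app} -> {c['owner']}: {c['items']}")
```

With the sample data, bob's employee wiki access is not due for a year, but carol's identical entitlement is already overdue because the contractor cap overrides the low-risk cadence; dave's 30-day admin cycle is overdue by a single day. Each app owner receives only their own items, which is what keeps each review small enough to be read rather than rubber-stamped.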

The ‘What’s Next’

The next evolution in access recertification is already here, with the application of AI and machine learning. Leading IGA platforms are now introducing AI-powered features that can analyze user access patterns, compare them to peers in similar roles, and automatically flag anomalies for review.

These new capabilities are moving us from a reactive to a proactive and predictive model:

  • Outlier Detection: The system can automatically identify users with outlier permissions that don’t match their job function (e.g., “Why does this marketing analyst have access to a production database?”).
  • Access Recommendations: The platform can recommend the removal of unused or redundant access, driven as much by usage telemetry as by any model. A common rule: if a user has not used an application or entitlement in 90 days, open a removal workflow (or revoke automatically for low-risk access) instead of waiting for the next campaign.
  • Predictive Governance: These platforms can evaluate separation of duties (SoD) policy at request time, before a request is approved, so that toxic combinations of access are flagged or blocked rather than granted and caught at the next review.
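The three capabilities above have straightforward rule-based cores that a team can run against its own entitlement export long before buying an AI feature: compare each user to role peers, age out unused access, and check toxic combinations at request time. The following is an added example, not code from the original post or from any IGA vendor; the peer threshold, the 90-day idle window, the toxic-pair list and the user data are all assumptions constructed for illustration.

```python
"""Peer-based outlier, dormancy and request-time SoD checks (added example,
rule-based stand-in for the AI features described above; all data and
thresholds are assumptions)."""
from collections import Counter, defaultdict
from datetime import date, timedelta


def peer_outliers(users: dict, threshold: float = 0.25, min_peers: int = 3) -> list:
    """Flag entitlements held by fewer than `threshold` of a user's role peers.
    users: {uid: {"role": str, "entitlements": set}}
    Returns sorted [(uid, entitlement, peer_share), ...]."""
    by_role = defaultdict(list)
    for uid, u in users.items():
        by_role[u["role"]].append(uid)
    flags = []
    for members in by_role.values():
        if len(members) < min_peers:          # too few peers to form a baseline
            continue
        counts = Counter(e for m in members for e in users[m]["entitlements"])
        for m in members:
            for e in users[m]["entitlements"]:
                share = counts[e] / len(members)
                if share < threshold:
                    flags.append((m, e, round(share, 2)))
    return sorted(flags)


def dormant_access(last_used: dict, today: date, max_idle_days: int = 90) -> list:
    """last_used: {(uid, entitlement): date | None}; None means never used.
    Returns sorted keys that have been idle longer than `max_idle_days`."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(k for k, d in last_used.items() if d is None or d < cutoff)


# Assumption: pairs that must never be held by the same identity.
TOXIC_PAIRS = {
    frozenset({"ap-create-vendor", "ap-approve-payment"}),
    frozenset({"prod-deploy", "prod-change-approve"}),
}


def sod_conflicts(current: set, requested: str, toxic: set = TOXIC_PAIRS) -> list:
    """Evaluate a request BEFORE approval: which existing entitlements would
    the requested one form a toxic pair with?"""
    return sorted(e for e in current if frozenset({e, requested}) in toxic)


# Constructed sample: five marketing analysts, one of whom holds a production DB role.
USERS = {
    "ana":     {"role": "marketing-analyst", "entitlements": {"crm-read", "wiki-read"}},
    "ben":     {"role": "marketing-analyst", "entitlements": {"crm-read", "wiki-read"}},
    "cho":     {"role": "marketing-analyst", "entitlements": {"crm-read", "wiki-read"}},
    "dee":     {"role": "marketing-analyst", "entitlements": {"crm-read", "wiki-read"}},
    "mallory": {"role": "marketing-analyst", "entitlements": {"crm-read", "wiki-read", "prod-db-admin"}},
    "eve":     {"role": "sre", "entitlements": {"prod-db-admin"}},     # only two SREs: no baseline
    "finn":    {"role": "sre", "entitlements": {"prod-deploy"}},
}
LAST_USED = {
    ("mallory", "prod-db-admin"): date(2024, 1, 10),
    ("ana", "crm-read"):          date(2024, 5, 20),
    ("ben", "wiki-read"):         None,
}


if __name__ == "__main__":
    print("outliers:", peer_outliers(USERS))
    print("dormant:", dormant_access(LAST_USED, date(2024, 6, 1)))
    print("sod:", sod_conflicts({"ap-create-vendor", "wiki-read"}, "ap-approve-payment"))
```

Two design points carry over to real deployments: a role with too few members yields no baseline, so the outlier check abstains rather than flagging everything, and the SoD check runs on the request, so the reviewer sees the conflict before the grant exists rather than at the next campaign.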

This “intelligent governance” is the future, turning a manual, human-driven process into a smart, data-driven one.


The ‘Now What’

Ready to move beyond annual reviews? Here’s a practical, step-by-step guide to get started:

  1. Identify Your Key Events: Start by identifying the 3-5 most critical events in your HR and IT processes that should trigger an access review (e.g., role changes, project assignments, new high-risk access).

    • Pro-Tip: Don’t boil the ocean. Start with the most impactful event: a user changing their manager or department. This single event is often the source of the most significant privilege creep.
  2. Automate Your Leavers Process: Before you do anything else, ensure you have a rock-solid, automated process for immediately de-provisioning all access when an employee leaves the company. This is your biggest and most immediate risk.

    • Common Pitfall: Relying on manual tickets or emails for offboarding is a recipe for disaster. The process must be automated, triggered directly from your HR system as the single source of truth.
  3. Pilot an Event-Driven Review: Choose a specific event, like a departmental transfer, and pilot an automated recertification workflow for a single, high-turnover department. Use this to demonstrate the value and efficiency of the event-driven model to stakeholders.

    • Pro-Tip: Choose a department like Sales or Customer Support for your pilot. The frequent role changes in these departments will provide ample data to prove the value of your new process quickly.
  4. Integrate with your IGA/IAM Platform: Leverage your existing Identity Governance and Administration (IGA) or IAM platform to build these automated workflows. Most modern platforms (such as SailPoint, Saviynt, or Okta Identity Governance together with Okta Workflows) can open targeted certification campaigns triggered by API calls, workflow rules, or attribute changes arriving from a connected HR source, instead of only on a calendar schedule.

    • Common Pitfall: Don’t try to build this from scratch with custom scripts if you don’t have to. A dedicated IGA platform will provide the necessary auditing, reporting, and user-friendly interface for managers.
  5. Start Small with Micro-Certifications: Pick one or two critical, high-risk applications and move them from an annual review to a quarterly, application-focused review cycle.

    • Pro-Tip: Communicate clearly with the application owners about why you are doing this. Frame it as a way to give them more control and visibility over their application, rather than just another compliance task.

Conclusion

The annual access review is a relic of a slower, more static era. It provides a false sense of security while creating massive operational overhead. By embracing event-driven workflows, micro-certifications, and the power of automation, you can transform your access governance from a once-a-year chore into a continuous, intelligent, and risk-aware process. It’s time to stop rubber-stamping and start governing access in real-time.


Accuracy Badge

This post is based on established best practices in Identity and Access Management, particularly in the area of Identity Governance and Administration (IGA). The concepts of event-driven certification and micro-certifications are widely recognized as modern approaches to access governance.