90%+
approval rate in most access certification campaigns, indicating rubber-stamping rather than genuine review
68%
of identity-related breaches involve overprivileged accounts that passed access certification review
200-500
access items per reviewer in a typical annual campaign, far exceeding the 10-15 items where meaningful review is possible
3x
more access items revoked in campaigns that surface anomaly signals to reviewers versus campaigns that do not

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Access certification exists to answer one question: does this person still need this access? In most organizations, it answers a different question: can we generate an audit report showing that someone clicked approve on everything? The distinction matters because attackers exploit exactly the access that certification campaigns should catch. Orphaned accounts, excessive admin permissions accumulated over years, and service accounts with human identities attached all survive certification because reviewers have no realistic path to evaluating them properly. This guide covers how to redesign campaigns so that reviewers can actually make informed decisions.

Diagnosing Your Certification Campaign: What the Metrics Are Telling You

Before redesigning campaigns, measure the baseline to understand the severity of the problem. Pull these metrics from your last three certification campaigns:

  • Overall approval rate: Anything above 85% is a red flag. Approval rates above 95% indicate systemic rubber-stamping.
  • Time per decision: Most IGA platforms log when each certification decision was made. If reviewers are completing 200 items in 8 minutes, they are not reading anything.
  • Completion rate vs. revocation rate: High completion rates paired with near-zero revocation rates mean the campaign is being completed for compliance reasons, not security reasons.
  • Escalation rate: If few items are escalated to secondary reviewers, either access is genuinely clean or reviewers are approving rather than escalating uncertain items.
  • Reviewer response to anomaly-flagged items: If your IGA platform surfaces outlier access and reviewers are approving anomaly-flagged items at the same rate as normal access, the anomaly signals are not working.

Present these metrics to the IAM governance committee. The typical reaction is to blame reviewers. The accurate diagnosis is a campaign design problem, not a reviewer behavior problem. Reviewers are responding rationally to a system that makes approval the path of least resistance.

Right-Sizing Campaign Scope: Risk-Based Item Prioritization

The root cause of certification fatigue is volume. When a manager receives 300 access items to review, she cannot spend meaningful time on any of them. The fix is to scope campaigns based on risk rather than completeness.

A risk-based campaign design assigns each access item a review priority based on:

  • Entitlement risk: Privileged access (admin roles, elevated permissions) is higher priority than basic resource access
  • Usage recency: Access not used in 90+ days is higher priority than recently used access
  • Identity risk: Access held by contractors, terminated-pending accounts, or accounts with anomalous sign-in patterns is higher priority
  • Regulatory scope: Access to data in PCI, HIPAA, or SOX scope is higher priority than access to non-regulated systems

In SailPoint IdentityNow, configure risk scores in the access request schema and use them in the certification campaign configuration to sort or filter items. In Saviynt, use the Access Risk scoring engine to tag each access item before the campaign launches.

For the initial redesign, run a high-risk-only campaign with 15-30 items per reviewer. The goal is to demonstrate that reviewers can make genuine decisions when the workload is manageable. Once you have a process that produces meaningful revocations, expand scope incrementally.

Automate the low-risk tail. Any access item held by an active employee, used within the last 30 days, of low privilege level, and with no regulatory tag can be auto-certified through a defined IGA policy. Document the auto-certification logic so auditors can see which items were auto-certified and why.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Surfacing Context to Enable Real Decisions

Reviewers cannot make informed decisions about access they cannot interpret. Most IGA platforms show reviewers a table of entitlement names, application names, and assigned dates. These raw fields are insufficient for decision-making.

To enable real review, surface context alongside each access item:

Last used date: The single most actionable signal. Access not used in 180 days is a strong candidate for revocation. If your IGA platform pulls usage data from your SaaS applications or AD event logs, display it in the certification interface.

How the access was granted: Provisioned via role, via access request (with the request ticket number), or via direct assignment. Directly assigned access without a request ticket is higher risk and should be flagged.

Peer comparison: Does anyone else in the same department/title hold this access? Access held by only one person in a role is an outlier worth scrutinizing.

Historical certification outcome: Has this item been approved in 3+ consecutive certification cycles without being used? Flag it explicitly for the reviewer with that context.

In SailPoint, use the description field on entitlements and the attributes configuration in the certification definition to surface these fields in the review UI. In Saviynt, configure the Certification Dashboard to include usage analytics columns.

When you surface last-used date and the reviewer can see that a privileged account last used its database admin access 14 months ago, the revocation decision becomes obvious rather than uncertain.

Accountability Mechanisms That Change Reviewer Behavior

Accountability changes behavior. In most certification implementations, there is no consequence for approving everything. Add structural accountability to the process:

Certifier audit trail reporting: After each campaign, generate a report showing each reviewer's approval rate, time spent per item, and how many of their approved items were flagged as anomalous by the IGA system. Share this report with the reviewer's manager and with the IAM governance committee. The act of making the data visible changes behavior without requiring any policy enforcement.

Post-certification validation sampling: After each campaign, pull a random sample of approved items and re-review them with the IAM team. If the review finds that the sample contains clearly revocable access (terminated contractor's system access, dormant admin account, access to a decommissioned system), escalate the specific findings to the certifier's manager with documentation.

Mandatory comment for anomaly approvals: Configure the IGA platform to require a free-text justification comment when a reviewer approves an item that is anomaly-flagged (not used in 90+ days, access type is privileged, peer outlier). The friction of having to type a justification causes reviewers to think before approving and reduces rubber-stamping on the highest-risk items.

Revocation rate as a KPI: Report the revocation rate (number of items revoked / total items reviewed) as a campaign success metric, not just the completion rate. A campaign with a 2% revocation rate is healthier evidence of a working process than a 100% completion rate with a 0.1% revocation rate.

Implementing Micro-Certifications Between Annual Campaigns

Annual access certification campaigns accumulate 12 months of unchecked access changes. A more effective model pairs an annual comprehensive campaign with event-triggered micro-certifications that check access at the time a risk event occurs.

Configure micro-certifications to trigger on:

  • Role change: When a user moves to a new department or title, trigger a certification of their old role's access within 5 business days
  • Prolonged inactivity: If a user has not logged in for 60 days, trigger a lightweight certification of their high-risk access items
  • New privileged access request approval: When a user is granted a privileged role, schedule a 90-day certification of that specific entitlement
  • Manager departure: When a manager leaves the organization, trigger a certification of all access items they previously certified, re-routed to the new manager

In SailPoint IdentityNow, micro-certifications are configured as access review triggers in the governance workflows. In Saviynt, use the Campaign Trigger feature to launch scoped campaigns based on identity lifecycle events.

Micro-certifications with 5-15 items are completed in minutes and produce meaningful decisions because the context is fresh. The reviewer who just got a new direct report can immediately assess whether the inherited access is appropriate, rather than being asked 11 months later in an annual campaign.

The bottom line

Access certification is not a compliance checkbox. It is the control that catches the access an attacker will use six months after the initial compromise. Fixing it requires changing the design, not lecturing reviewers. Start by measuring your approval rate, right-size campaign scope to 15-30 high-risk items per reviewer, surface last-used date and anomaly flags in the review UI, and report revocation rate as your primary success metric.

Frequently asked questions

How do you handle access reviews for shared service accounts that no single manager owns?

Assign a technical owner (usually the application team lead or system architect who owns the application the service account authenticates to) rather than an HR manager. In the IGA platform, create a custom attribute for `technical_owner` on non-human identities and route certification campaigns for service accounts to that attribute rather than the default manager field. For orphaned service accounts with no identifiable technical owner, escalate to the CISO or application owner table for a disposition decision rather than auto-certifying them.

What is the right frequency for access certification campaigns?

For most frameworks, quarterly certification of privileged access (admin roles, Tier 0 entitlements) and annual certification of standard access satisfies audit requirements. However, frequency alone does not determine quality. A quarterly campaign with rubber-stamping produces less actual risk reduction than an annual campaign with proper risk-based scoping and accountability mechanisms. Prioritize campaign quality over campaign frequency.

How do you handle access certification for contractors and third-party users?

Contractor and third-party access deserves more frequent certification than employee access because offboarding is less reliable and contractors often accumulate access from multiple engagements. Configure separate certification campaigns for non-employee identities on a 90-day cycle. Include the contract end date in the certification UI so reviewers can see when the engagement is expected to end. Any contractor access extending more than 30 days past the contract end date should be flagged for mandatory review.

How do you demonstrate access certification effectiveness to auditors?

Auditors evaluate whether the control is operating effectively, not just whether it ran. To demonstrate effectiveness: provide the revocation rate per campaign, show the before-and-after entitlement count for at least 3 users whose access was revoked, demonstrate that anomaly-flagged items were reviewed with documented justification, and show that auto-certified items meet documented criteria. A 0% revocation rate across three annual campaigns will attract auditor scrutiny regardless of completion rate.

What technology can automate access certification to reduce reviewer burden?

Modern identity governance platforms (SailPoint, Saviynt, Omada, Microsoft Entra ID Governance) offer AI-assisted certification that pre-populates reviewer recommendations based on peer group analysis and usage data. For example, if a user has not used an application in 90 days and no peer in their department has the same access, the platform flags it for revocation with a one-click action. Some platforms support auto-remediation: if a reviewer is non-responsive past the deadline, the system automatically revokes access for flagged items. This reduces the per-reviewer decision burden from hundreds of manual clicks to reviewing only edge cases the AI is uncertain about.

How do I handle access certifications for highly privileged accounts without creating reviewer fatigue for those specific reviews?

For privileged accounts (Domain Admins, Global Admins, PAM vault admins), separate the certification campaign from the standard access review. Run privileged account certifications quarterly (versus annually for standard access) but limit the scope to only the privileged accounts, making each review small and focused. Assign certification responsibility to the CISO or security leadership rather than line managers, who often lack context to evaluate privileged access. Require a written justification for every approved privileged account, not just for revocations. Consider requiring a secondary approver for any certification that approves continued privileged access. The goal is to make approving privileged access a deliberate decision that requires effort, not a default click-through.

Sources & references

  1. Gartner: Market Guide for Identity Governance and Administration
  2. NIST SP 800-53: AC-2: Account Management, Access Reviews
  3. SailPoint: Access Certification Best Practices Guide
  4. Ponemon Institute: The Cost of Excessive Access

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.