What Is Access Certification?
Access certification is a periodic, often quarterly, review process in which managers, application owners, or data owners are asked to confirm whether each identity under their review still needs the access it holds, and to revoke what it no longer needs. It’s one of the primary deliverables of an IGA program.
Certification campaigns exist to satisfy compliance and audit requirements, SOX, HIPAA, SOC 2, and similar frameworks generally require documented, recurring access reviews, and to close the privilege creep that accumulates between reviews as people change roles and pick up access along the way.
A certification is only as good as the data behind it. A reviewer attesting to access based on a stale or partial data set isn’t actually reducing risk, they’re producing an audit artifact. And accounts that were never provisioned through IGA in the first place, local accounts, unmanaged service accounts, generally never enter a certification campaign at all, because a campaign can only review what its underlying system knows exists.