Access Certification
Also known as: Access Review · User Access Review
Definition
Access certification is the periodic process of reviewing user access rights — by manager, application owner, or risk-tier — and confirming, modifying, or removing each entitlement.
Access certifications are central to most compliance programs (SOC 2 CC6, NIST 800-53 AC-2, FedRAMP, HIPAA, FFIEC). The cadence varies by risk: quarterly for high-risk applications, semi-annually for medium, annually for low.
The failure mode: rubber-stamping. When reviewers lack context — usage data, peer comparisons, recent activity — they default to approving everything. Mature programs combine certification cycles with risk-tiering, automated recommendations (ML-driven role mining), and continuous monitoring to keep rubber-stamp rates under 30%.
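The following is an added example, not code from the original page or from any certification product. It shows how a certification campaign can give reviewers the context the text calls for: each entitlement that is due under its application's risk tier is decorated with a recommendation derived from recent usage and a peer comparison, and a crude approval-rate metric is kept so the rubber-stamp rate can be tracked against the 30% target. The tier cadence (90/180/365 days) comes from the page; the staleness window, the peer-prevalence threshold, the rubber-stamp proxy and all users, applications and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Review cadence per risk tier, as stated on the page: quarterly for high-risk
# applications, semi-annually for medium, annually for low.
CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}


@dataclass
class Entitlement:
    user: str
    app: str
    role: str
    peer_group: str            # department / job code used for peer comparison
    last_used: Optional[date]  # None = never observed in usage logs


def is_due(tier: str, last_certified: date, today: date) -> bool:
    """True once the tier's review cadence has elapsed since the last campaign."""
    return today - last_certified >= timedelta(days=CADENCE_DAYS[tier])


def peer_prevalence(ent: Entitlement, all_ents: List[Entitlement]) -> float:
    """Share of users in the same peer group who hold the same app/role."""
    peers = {e.user for e in all_ents if e.peer_group == ent.peer_group}
    holders = {e.user for e in all_ents
               if e.peer_group == ent.peer_group
               and e.app == ent.app and e.role == ent.role}
    return len(holders) / len(peers)


def recommend(ent: Entitlement, all_ents: List[Entitlement], today: date,
              stale_days: int = 90, peer_threshold: float = 0.5) -> Tuple[str, List[str]]:
    """Attach a recommendation and the evidence behind it.

    Thresholds are assumptions for this example, not values from the page:
    an entitlement unused for more than `stale_days` is "stale"; one held by
    fewer than `peer_threshold` of the user's peers is "rare".
    """
    reasons = []
    stale = ent.last_used is None or (today - ent.last_used).days > stale_days
    if stale:
        reasons.append("no usage in the last %d days" % stale_days)
    prevalence = peer_prevalence(ent, all_ents)
    rare = prevalence < peer_threshold
    if rare:
        reasons.append("held by %.0f%% of peers in %s" % (prevalence * 100, ent.peer_group))
    if stale and rare:
        return "revoke", reasons
    if stale or rare:
        return "review", reasons
    return "certify", ["used recently and common among peers"]


def build_campaign(app_tiers: Dict[str, str], last_certified: Dict[str, date],
                   entitlements: List[Entitlement], today: date) -> List[dict]:
    """Select entitlements due under their app's tier and decorate each with context."""
    items = []
    for ent in entitlements:
        if not is_due(app_tiers[ent.app], last_certified[ent.app], today):
            continue
        rec, reasons = recommend(ent, entitlements, today)
        items.append({"user": ent.user, "app": ent.app, "role": ent.role,
                      "recommendation": rec, "reasons": reasons})
    return items


def approval_rate(items: List[dict], decisions: Dict[tuple, str]) -> float:
    """Crude rubber-stamp proxy (an assumption, not a metric the page defines):
    the share of campaign items the reviewer approved unchanged."""
    approved = sum(1 for it in items
                   if decisions.get((it["user"], it["app"], it["role"])) == "approve")
    return approved / len(items) if items else 0.0


# Constructed sample data: two applications, six entitlements.
TODAY = date(2024, 6, 30)
APP_TIERS = {"payroll": "high", "wiki": "low"}
LAST_CERTIFIED = {"payroll": date(2024, 3, 1), "wiki": date(2024, 1, 15)}
ENTITLEMENTS = [
    Entitlement("alice", "payroll", "admin", "finance", date(2024, 6, 20)),
    Entitlement("bob", "payroll", "admin", "finance", date(2024, 1, 5)),
    Entitlement("carol", "payroll", "viewer", "finance", date(2024, 6, 1)),
    Entitlement("dave", "payroll", "admin", "engineering", None),
    Entitlement("erin", "payroll", "viewer", "engineering", date(2024, 6, 25)),
    Entitlement("frank", "wiki", "editor", "engineering", date(2024, 6, 28)),
]


def sample_campaign() -> List[dict]:
    """Campaign for the sample data: payroll (high, last certified 121 days ago)
    is due; wiki (low, 167 days ago) is not."""
    return build_campaign(APP_TIERS, LAST_CERTIFIED, ENTITLEMENTS, TODAY)


if __name__ == "__main__":
    for item in sample_campaign():
        print(item["user"], item["app"], item["role"],
              item["recommendation"], "-", "; ".join(item["reasons"]))
```

Running it lists five payroll items and no wiki item: Dave's never-used admin role, which none of his engineering peers hold, is recommended for revocation; Bob's stale but common admin role and Carol's and Erin's rare but recently used viewer roles are flagged for a closer look; Alice's is a plain certify. Feeding reviewer decisions back through approval_rate is what lets a program notice when a reviewer approves everything regardless of that evidence.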