Every major PAM and IGA deployment comes with an implicit contract: your vault provider manages privileged accounts and your governance program verifies that the accounts in the vault are accurate, authorized, and still needed. The vault handles the first half. Most organizations have never built a reliable process for the second.
As NHI accounts expand what is being stored in vaults, heavily regulated institutions can no longer defer the work of verifying vault contents and confirming the status of the accounts inside. The verification requirement has always existed. What has been missing is a process connected to live data, with a clear owner, a required decision, and an audit trail that survives an exam. Most access review processes produce a spreadsheet, not evidence.
Certifications in Hydden give your team that process.
The Gap Between Vault Management and Vault Validation
Vault providers like CyberArk, Delinea and BeyondTrust are responsible for onboarding, rotating, and securing privileged credentials. What they are not built to do is continuously validate that the accounts they manage still reflect the ground truth of your environment: that every account the vault is managing still exists, still has an owner, still has a business justification, and still belongs there.
That validation is a governance requirement. SOX and most financial regulatory frameworks require demonstrable evidence that privileged access has been reviewed and that someone accountable confirmed the accounts are correct. The question auditors and examiners are asking is not whether you have a vault. It is whether you can prove what is in it is right.
The problem is that most access review processes are disconnected from live data. A reviewer receives a list exported from the vault that may already be days or weeks old. There is no audit trail tied to the actual records. The process ends when the spreadsheet is returned, not when the data has been verified against your environment.
Certifications in Hydden close that gap.
What Certifications Do
A certification is a structured access review campaign of your vaults tied directly to the identity data Hydden continuously collects from your connected systems. It assigns a reviewer, tracks the review through a defined lifecycle, and produces a closed, immutable record of the decision.
Hydden supports three certification types:
- Identity Integrity — Verify that account and identity data collected by a connector is accurate and current. For vault-connected environments, this means certifying that the accounts Hydden has collected from your CyberArk or BeyondTrust deployment are accurate, current, and reconcilable with your directory and application sources. Reviewers inspect records live in the platform, export to CSV, and can compare two sources side by side to surface discrepancies, including cases where the vault has records that no longer match what Active Directory or cloud directories show.
- Schema Integrity — Confirm that the schema definitions used in identity data collection are valid and reflect your actual environment. For institutions running complex connector configurations across on-prem directories, cloud systems, and core banking platforms, schema drift creates silent data quality problems.
- Report Integrity — Certify that a scheduled saved-search report has been reviewed and still produces accurate, relevant output. Relevant for risk and audit teams using automated reporting to monitor privileged access patterns.
Each type requires a named reviewer, a mandatory comment before the review can close, and produces an immutable activity log.
Scheduled Certifications for Recurring Compliance Cycles
Attestation settings link a certification type to a schedule for a specific connector, and when the schedule fires, a new certification is created automatically.
For institutions running quarterly access reviews across dozens of vault-connected systems, this removes the overhead of manually standing up each review cycle. Coverage does not slip when no one remembered to create the certification. The scheduler seeds each run from the most recently completed certification, preventing duplicates, and skips collectors that are unreachable or decommissioned.
Workflow Integration for Regulated Environments
Certifications integrate with Hydden's data layer through the Certification Status trigger. When status of a certification changes, workflows fire:
- Route a ServiceNow ticket to the responsible system owner when a certification is assigned.
- Notify a compliance lead when a certification is abandoned before completion.
- Escalate to a risk team when a certification is completed so findings are actioned before the review window closes.
Validating the Vault Means Validating the Data
The argument for certifications in financial services is a data quality argument. Privileged access reviews are only valid if the data being reviewed is itself accurate. A certification process disconnected from live collected data reviews a snapshot, not a verified record.
Hydden's certifications are tied to the same data layer that continuous connector collection feeds. Reviewers see what the platform has collected from your vault today. The compare mode lets them surface discrepancies between what the vault reports and what directory sources show, which is where data integrity problems in complex environments tend to appear.
Your vault is supposed to be the source of truth for privileged accounts. Certifications are how you confirm that it actually is.

