Identity GlossaryLast updated July 17, 2026

Access Certification

A neutral definition of an access certification campaign: the recurring review that confirms existing access is still needed, and revokes what isn’t.

What Is Access Certification?

Access certification is a periodic, often quarterly, review process in which managers, application owners, or data owners are asked to confirm whether each identity under their review still needs the access it holds, and to revoke what it no longer needs. It’s one of the primary deliverables of an IGA program.

Certification campaigns exist to satisfy compliance and audit requirements, SOX, HIPAA, SOC 2, and similar frameworks generally require documented, recurring access reviews, and to close the privilege creep that accumulates between reviews as people change roles and pick up access along the way.

A certification is only as good as the data behind it. A reviewer attesting to access based on a stale or partial data set isn’t actually reducing risk, they’re producing an audit artifact. And accounts that were never provisioned through IGA in the first place, local accounts, unmanaged service accounts, generally never enter a certification campaign at all, because a campaign can only review what its underlying system knows exists.

Share

How an Access Certification Campaign Works

A certification campaign runs through five stages.

1

Campaign Scoping

Defining which identities, applications, or entitlements are in scope for this review cycle.

2

Reviewer Assignment

Routing each identity’s access to the manager, application owner, or data owner best positioned to judge whether it’s still needed.

3

Attestation Collection

Collecting an explicit approve-or-revoke decision on each access grant under review.

4

Revocation Enforcement

Automatically removing access that a reviewer marked as no longer needed.

5

Audit Reporting

Producing a documented record of who reviewed what, and when, for compliance purposes.

Frequently Asked Questions

See the Identity System of Record in Action

Hydden discovers, reconciles, and continuously governs every identity (human, machine, and agentic) across your enterprise.

© 2026 Hydden Inc. All rights reserved.Privacy PolicyTerms of Service