
Access Certifications Without the Rubber-Stamp

Quarterly access reviews where managers approve everything in ninety seconds are theatre. Here is how to design certifications that actually remove access.

11 February 2026 · 2 min read · Aditi Shah

The access certification is the most widely performed and least effective control in identity governance. Everyone does them because frameworks demand them. Almost nobody does them in a way that removes meaningful access, because the default design guarantees rubber-stamping: hand a manager a list of 400 entitlements once a quarter and ask them to attest. They click "approve all" and get back to their day job. You have generated evidence and changed nothing.

The problem is cognitive load, not manager laziness

A reviewer cannot make 400 risk decisions in one sitting. When you overwhelm them, they satisfice — approve everything to clear the queue. So the design goal is not "more reviews," it is fewer, higher-signal decisions. Every item you put in front of a reviewer should be one they can plausibly reason about.

Risk-based scoping: review what matters, when it matters

Not all access deserves the same scrutiny. I tier certifications:

  • High-risk entitlements — privileged roles, access to regulated data, anything with SoD implications — reviewed frequently and by someone who genuinely understands them (often the application owner, not the line manager).
  • Standard business access — reviewed less often, and increasingly by exception rather than wholesale.
  • Birthright/role-derived access — not reviewed line-by-line at all; you review the role definition, which is far more efficient than re-attesting the same baseline for 5,000 people.

Micro-certifications beat the quarterly carpet-bomb

Instead of one giant event, trigger small, targeted reviews on risk signals: a mover changed teams, an entitlement was granted out-of-band, a user accumulated a toxic combination, an account went dormant. These micro-certifications arrive in context, when the reviewer still remembers why the change happened, and they ask one question instead of four hundred.

Design principle

A good certification surfaces the anomaly, not the inventory. "This person has admin rights to the payments system and hasn't used them in 90 days — keep or revoke?" gets a real decision. "Here are all 400 of their entitlements" gets a rubber stamp.
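As an added example (not code from the original post), here is a small Python pass over a constructed entitlement inventory that applies the scoping above: birthright rows are skipped, out-of-band grants, dormant privileged access and SoD toxic combinations are surfaced, and six grants become three decisions. The entitlement names, the toxic pair and the 90-day threshold are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample values and thresholds; entitlement names are illustrative assumptions.
DORMANT_DAYS = 90
TOXIC_PAIRS = [frozenset({"ap_create_vendor", "ap_approve_payment"})]  # SoD conflicts
TODAY = date(2026, 2, 11)

@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    tier: str                  # "high", "standard" or "birthright"
    last_used: Optional[date]  # None = never used
    out_of_band: bool          # granted outside the role model / request workflow

def certification_items(grants, today):
    """Surface anomalies for a reviewer to decide on, instead of the full inventory."""
    items = []
    held = {}  # user -> set of entitlements, for toxic-combination checks
    for g in grants:
        held.setdefault(g.user, set()).add(g.entitlement)
        if g.tier == "birthright":
            continue  # certify the role definition instead, not 5,000 identical rows
        if g.out_of_band:
            items.append((g.user, g.entitlement, "granted out-of-band"))
        if g.tier == "high":
            idle = (today - g.last_used).days if g.last_used else None
            if idle is None or idle >= DORMANT_DAYS:
                age = f"{idle} days" if idle is not None else "ever"
                items.append((g.user, g.entitlement, f"privileged and unused for {age}"))
    for user, ents in held.items():
        for pair in TOXIC_PAIRS:
            if pair <= ents:
                items.append((user, " + ".join(sorted(pair)), "toxic combination (SoD)"))
    return items

SAMPLE = [  # constructed inventory: 6 grants, 3 of which need a human decision
    Grant("alice", "payments_admin", "high", date(2025, 10, 1), False),
    Grant("bob", "payments_admin", "high", date(2026, 2, 1), False),
    Grant("bob", "ap_create_vendor", "standard", date(2026, 1, 20), False),
    Grant("bob", "ap_approve_payment", "standard", None, True),
    Grant("carol", "email", "birthright", date(2026, 2, 10), False),
    Grant("dave", "vpn", "standard", None, False),
]

if __name__ == "__main__":
    for item in certification_items(SAMPLE, TODAY):
        print(item)
```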

Make revocation the path of least resistance

Reviewers click approve-all partly because revoking feels risky — "what if they need it?" Lower that fear. Give reviewers the usage data (last-used date, peer comparison) so removal is informed. And make revocation reversible and fast: if access is wrongly pulled, restoring it should take minutes. When the cost of a wrong revocation is low, reviewers stop defaulting to "keep."

Measure the thing you actually care about

The metric for a certification programme is not completion rate — 100% completion with 0% revocation is a failure dressed as success. Track the revocation rate and the time-to-revoke. If reviews consistently remove nothing, your scoping is wrong or your reviewers are overwhelmed. Healthy programmes always find something, because access genuinely drifts.

Certifications are worth doing — but only if they are designed to change reality. Smaller, smarter, contextual reviews that reviewers can actually reason about will remove more risk than the most diligent quarterly carpet-bomb ever will.

Tags: Access Reviews · IGA · Governance · Least Privilege
Aditi Shah
Cybersecurity & IAM Specialist, Melbourne — 12+ years across regulated finance, government & telecom. About →
