Security & Compliance

Access Certification: What It Is and Why It Matters

Deeksha Chowdhury
Product Marketing Manager, Zluri
November 17, 2025
8 min read
About the author

Deeksha is a Product Marketing Manager at Zluri. She has five years of SaaS experience. Her work focuses on product positioning, messaging, and GTM strategy for Zluri’s Identity Governance and Administration platform. With an IT background, she understands the challenges IT and security teams face around access management and automation. That helps her bridge technical depth with clear, outcome-driven messaging for decision-makers. In her spare time, she enjoys traveling, dancing, and drawing.

"Access review." "Access certification." "Entitlement review." "User recertification."

Same thing? Close, but the nuance matters. Especially when your auditor asks: "Show me your access certification records for Q3."

They want evidence that someone with authority certified—formally attested—that the access was appropriate at a specific point in time. 

Not just "we reviewed it." But "Sarah Johnson, VP Engineering, certified on September 15, 2024 that these 47 users should have access to the production database."

That signature—that certification—is what auditors need. It's also what organizations with manual processes struggle to produce.

A note on this guide: At some places in this article, we'll use Zluri as the implementation example—it's the platform we know best. But the principles and processes apply to any access certification system. Most modern platforms include these capabilities, though specific implementations vary. Where Zluri differs significantly from standard approaches, we'll call that out explicitly.

What is access certification?

Access certification is the formal process of having designated reviewers (managers, app owners, or security) attest that a user's access to applications and data is appropriate based on their current role and business need.

Review and certification are not the same thing

Access Review = The process of examining access (you CAN do this informally)
Access Certification = The formal attestation with recorded approval/denial (required for compliance)

Think of it like:

  • Review = Looking at the data
  • Certification = Signing off that it's correct

Access certification covers three types of access

1. User-to-application access

Does this user need access to this app? What level of access do they need? (user, power user, admin) Is this access still required?

2. Entitlements (permissions)

What can they do in the app? (read, write, delete, admin) Are permissions appropriate for their role? Have permissions expanded beyond the original need?

3. Group memberships (the modern focus)

Which SSO/IdP groups are they in? Does group membership match their current role? Are groups granting appropriate access levels?

Certification creates audit-ready evidence with five key elements

When certification is complete, you have audit-ready evidence: WHO certified (reviewer name), WHAT was certified (user access, app, permissions), WHEN certification occurred (timestamp), DECISION made (approved, revoked, modified), and ACTIONS taken (if revoked, proof of remediation).

This documentation is what satisfies SOC 2, SOX, ISO 27001, and HIPAA requirements.

Why access certification matters (for compliance)

Auditors need four types of evidence from your certification process

1. Evidence of a formal review process

Not just "we looked at access." But a documented process showing who is responsible for reviewing, what criteria are used for decisions, how often reviews occur, and the escalation path for violations.

2. Signed attestations

Specific individuals certifying specific access:

  • Good: "John Smith, Engineering Manager, certifies that these 12 engineers should have GitHub admin access"
  • Bad: "IT team reviewed GitHub access"

3. Remediation proof

When access is revoked: evidence it was actually removed (not just "ticket created"), timestamp of removal, who performed remediation, and verification it worked.

4. Completeness

All in-scope apps were reviewed. All users in those apps were reviewed. No gaps in coverage.
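The four evidence types above can be checked mechanically once certification decisions are stored as structured records instead of email threads. The following is an added example (not Zluri's code or any platform's API) that models the five evidence elements the article lists (who, what, when, decision, actions) and runs the two checks an auditor asks about: completeness (every in-scope user/app pair has a recorded decision) and remediation proof (every revocation is backed by a verified removal). The users, apps, reviewer and dates are constructed sample data.

```python
"""Audit-evidence checks for an access certification campaign (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Remediation:
    performed_by: str        # who removed the access
    removed_at: datetime     # timestamp of removal
    verified: bool           # a read-back confirmed the access is gone


@dataclass(frozen=True)
class Certification:
    reviewer: str            # WHO certified
    user: str                # WHAT: the user ...
    app: str                 # ... the application ...
    entitlement: str         # ... and the permission level
    certified_at: datetime   # WHEN
    decision: str            # "approved", "revoked" or "modified"
    remediation: Optional[Remediation] = None  # ACTIONS taken (only for revocations)


def coverage_gaps(in_scope, certs):
    """Return in-scope (user, app) pairs that have no recorded decision."""
    certified = {(c.user, c.app) for c in certs}
    return sorted(set(in_scope) - certified)


def unproven_denials(certs):
    """Return revocations that lack verified remediation evidence.
    A ticket that was merely 'created' does not count as proof."""
    return [c for c in certs
            if c.decision == "revoked"
            and (c.remediation is None or not c.remediation.verified)]


def audit_summary(in_scope, certs):
    """Build the numbers an auditor asks for: coverage, gaps, unproven denials."""
    gaps = coverage_gaps(in_scope, certs)
    unproven = unproven_denials(certs)
    certified = len(in_scope) - len(gaps)
    return {
        "in_scope": len(in_scope),
        "certified": certified,
        "completion_pct": round(100.0 * certified / len(in_scope), 1),
        "gaps": gaps,
        "unproven_denials": [(c.user, c.app) for c in unproven],
        "audit_ready": not gaps and not unproven,
    }


# Constructed sample campaign: four in-scope user/app pairs.
WHEN = datetime(2024, 9, 15, 14, 47, tzinfo=timezone.utc)
IN_SCOPE = [("alice", "prod-db"), ("bob", "prod-db"),
            ("carol", "github"), ("dave", "github")]
CERTS = [
    Certification("Sarah Johnson", "alice", "prod-db", "admin", WHEN, "approved"),
    # Denied and actually removed, with a verified read-back: audit-ready.
    Certification("Sarah Johnson", "bob", "prod-db", "admin", WHEN, "revoked",
                  Remediation("iam-bot", WHEN, verified=True)),
    # Denied, but only a ticket exists: no proof of removal.
    Certification("Sarah Johnson", "carol", "github", "admin", WHEN, "revoked"),
    # "dave" never got a decision: a coverage gap.
]


def run_sample():
    return audit_summary(IN_SCOPE, CERTS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Running the sample reports 75% completion, one coverage gap (dave on github) and one unproven denial (carol on github), so the campaign is not audit-ready even though three of four reviews were completed.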

Six major frameworks require formal certification with specific frequencies

Manual certification creates four gaps that fail audits

Organizations with manual processes struggle with incomplete records (email approvals lost, spreadsheets scattered), timing gaps (certifications weeks late, delays undocumented), no remediation proof (tickets sit for weeks, some never close), and inability to tie back (which certification led to which action?).

Our research on access certification effectiveness shows that organizations with manual approaches report significantly lower success in enforcing access policies during reviews. The gap isn't just inconvenient—it's what fails audits.

Automated certification eliminates audit gaps and provides instant evidence

Complete audit trail: Every decision timestamped and logged automatically. 

Remediation proof: Automated actions mean automatic evidence with exact timestamps. 

Always available: Reports generated instantly, not during audit panic. 

Provable completeness: System shows 100% of users and apps were certified with no gaps.

The certification process

Phase 1: Scoping the certification

What to include: Risk-based (start with high-risk apps like finance, customer data, admin tools), compliance-driven (apps in SOX/HIPAA/PCI scope), and frequency-based (quarterly for critical, semi-annual for others).

Who reviews: Manager certification (manager certifies their direct reports' access), app owner certification (app owner certifies all users with access to their app), or security certification (security team certifies high-risk permissions like admins and sensitive data access).

Platform flexibility to look for: Modern platforms should support multiple certification approaches—user-based (individual user access across apps), group-based (certify SSO group memberships, which is typically 10x faster), application-based (all access to specific high-risk apps), or hybrid approaches that mix methods based on risk.

Phase 2: Launching the certification campaign

Setup: Define scope (which apps, users, reviewers), configure workflows (single-level or multi-level approval for high-risk), and set remediation actions (auto-revoke on denial or create remediation tasks for manual actions).

Schedule: One-time or recurring (quarterly/semi-annual) with automated reminders for reviewers.

Reviewer experience: Modern platforms provide reviewers with dashboards showing all access requiring certification, context (last login, usage data, risk scores), AI-driven recommendations that flag anomalies, and clear actions (Approve, Deny, Modify, Request More Info).

Group-based certification: Instead of certifying 2,000 users individually, certify 50 SSO groups where each group represents 10-50 users. Same security outcome, 10x reduction in certification workload.

Phase 3: Decision-making

Approval scenarios: Approve (access remains, logged as certified), Deny (trigger remediation), Modify (change permission level from admin to user), or Delegate (escalate to app owner or security for decision).

Contextual data that helps: Modern certification platforms provide contextual data to help reviewers make informed decisions—last login dates (never logged in? easy to deny), usage frequency (accessed daily vs. not in 90 days), risk scores (external user, admin access, sensitive data), and employment status (active, terminated, contractor).

When reviewers see "User X: Never logged in. Last login: N/A. License cost: $50/month," the decision becomes obvious. Without this context, they're guessing.

Phase 4: Remediation

The certification/remediation gap: Here's where the distinction between review and certification becomes critical. You can certify that access should be revoked. But if it's not actually removed, you haven't solved the problem.

Traditional approach: Certification complete → Export CSV of denials → Create Jira tickets for each app → IT manually logs into apps to remove access → Weeks later, maybe 70% are done → For the audit: "We're working on the remaining 30%."

Closed-loop approach: The goal is immediate remediation with automatic audit trail. Certification identifies violations → System triggers remediation → Access removed → Evidence captured with timestamps.

For apps with direct integrations: Automated revocation via API with instant confirmation and audit log with timestamp.

For apps without integrations: SDK-based revocation for apps without APIs, or guided manual actions with proof of completion; either way, the action is still tracked centrally for audit evidence.

Zluri's implementation: Click "Execute Remediation" and access is removed automatically for API- or SDK-connected applications—all tracked for audit evidence. Most platforms require manual ticket creation and separate tracking systems.

The audit evidence after remediation: Complete list of denied access, proof each was actually revoked, timestamp of remediation, who performed action, and verification it worked.
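The closed-loop approach above differs from the ticket-based one in a single step: after the revocation is triggered, the system reads the access back from the application and only records the item as remediated when the read-back confirms removal. The following is an added example (not Zluri's product code; the two connector classes are hypothetical stand-ins for an API-integrated app and for an app where "revoke" can only file a ticket) that implements that revoke, verify, record loop and shows why "ticket created" never becomes "verified removed". All users, apps and memberships are constructed.

```python
"""Closed-loop remediation with read-back verification (added example)."""
from datetime import datetime, timezone


class ApiConnector:
    """Stand-in for an app with a direct API integration (hypothetical)."""

    def __init__(self, members):
        self.members = set(members)

    def revoke(self, user):
        self.members.discard(user)   # the API call actually removes access
        return True

    def has_access(self, user):
        return user in self.members  # read-back used for verification


class TicketOnlyConnector:
    """Stand-in for an app with no integration: 'revoke' only files a ticket."""

    def __init__(self, members):
        self.members = set(members)
        self.tickets = []

    def revoke(self, user):
        self.tickets.append(f"TICKET-{len(self.tickets) + 1}: remove {user}")
        return True                  # the ticket exists; the access does not change

    def has_access(self, user):
        return user in self.members


def remediate(denials, connectors, performed_by, now=None):
    """Revoke each denied (user, app) pair and return one evidence record per pair.
    'verified_removed' is set only when the read-back confirms the access is gone."""
    now = now or datetime.now(timezone.utc)
    evidence = []
    for user, app in denials:
        conn = connectors[app]
        triggered = conn.revoke(user)
        still_present = conn.has_access(user)
        evidence.append({
            "user": user,
            "app": app,
            "performed_by": performed_by,
            "timestamp": now.isoformat(),
            "revocation_triggered": triggered,
            "verified_removed": triggered and not still_present,
        })
    return evidence


def open_exceptions(evidence):
    """Denials that are not proven removed: these go on the exception report,
    not on the 'remediated' list."""
    return [(e["user"], e["app"]) for e in evidence if not e["verified_removed"]]


# Constructed sample: two denials, one app with an API, one ticket-only app.
CONNECTORS = {
    "prod-db": ApiConnector(["alice", "bob"]),
    "legacy-crm": TicketOnlyConnector(["carol"]),
}
DENIALS = [("bob", "prod-db"), ("carol", "legacy-crm")]


def run_sample():
    evidence = remediate(DENIALS, CONNECTORS, performed_by="iam-bot")
    return evidence, open_exceptions(evidence)


if __name__ == "__main__":
    ev, exceptions = run_sample()
    for record in ev:
        print(record)
    print("open exceptions:", exceptions)
```

In the sample, bob's revocation on prod-db is triggered and verified, so its record carries a timestamp, the performing identity and a verified flag. carol's "revocation" on legacy-crm only filed a ticket; the read-back still shows her as a member, so the record stays unverified and lands on the exception report instead of counting toward completion.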

Phase 5: Generating audit-ready reports with compliance mapping

What platforms should generate automatically: Certification summary (users reviewed, approved, denied, completion %), reviewer activity (who certified what, when), remediation report (all access revoked with proof), exception report (outstanding items), and trend analysis (quarter-over-quarter changes).

Compliance mapping: Reports should be filterable by framework—SOX (all financial system certifications), HIPAA (all ePHI system certifications), and SOC 2 (all in-scope app certifications).

Storage consideration: Some platforms (like Okta) retain audit logs for 90 days before requiring paid archival. Others (like Zluri) store certification evidence indefinitely at no additional cost. When auditors ask for certifications from 18 months ago, you need to have them available.

Here's a walkthrough of the complete access certification campaign setup in Zluri.

Four certification challenges that break manual processes

Challenge 1: Reviewing 50,000 data points leads to approval fatigue

The problem: Reviewing 1000 users across 50 apps equals 50,000 data points. Reviewers click "Approve All" without reading.

Solution: Look for platforms that offer group-based certification (reduces to 50 groups instead of 1000 users), AI recommendations that flag anomalies for focused review, and bulk approval capabilities for low-risk cases (auto-approve users with clean usage patterns, focus human attention on anomalies).

When a manager sees "Review 50 users" versus "Review 5 groups," engagement changes completely. The cognitive load drops from overwhelming to manageable.

Challenge 2: IdPs only show half your applications

The problem: Your IdP shows 80 apps. You actually have 200. You're certifying less than half your risk.

Where Zluri differs: Most IGA platforms rely on IdP/SSO integrations for visibility. Zluri uses 9 discovery methods including browser extensions, finance system integrations, and network analysis—typically finding 60-120 critical applications (apps with sensitive data) beyond what IdPs or SSO show. This matters for certification because you can't certify access you can't see.

A financial services company discovered this gap when they implemented comprehensive discovery: fewer than half their critical applications were visible to their existing IdP-based reviews.

Challenge 3: Denied access stays active for months after certification

The problem: Certification complete. Access denied for 47 users. Three months later, 25 still have access because tickets were "in progress."

Solution: Closed-loop remediation where access is revoked immediately (not via tickets), with an audit trail that proves completion. The platform should handle the removal, not create work for IT.

Research shows organizations with manual processes often have substantial portions of violations persisting weeks after certification completes.

Challenge 4: Email threads don't satisfy auditor evidence requirements

The problem: Auditor asks: "Show me who certified Engineer access to Production DB in Q2." You have email threads, maybe a spreadsheet.

Solution: Platforms should maintain complete audit trails showing WHO certified, WHAT access, WHEN, WHAT decision, and PROOF of remediation—all stored and easily retrievable.

Review versus certification: one is process, one is proof

Access review is the process. Access certification is the outcome—formal attestation with audit-ready evidence.

Compliance frameworks require attestation, not informal reviews

Compliance frameworks require formal certification, not informal reviews. Auditors need evidence of attestation, not just "we looked at it." Security incidents require proof you were diligent, not just "we tried."

Email threads versus timestamped signatures: what auditors accept

Without formal certification: Manager emails "Team access looks fine." You have an email thread, no structured data. Auditor asks "Who certified this?" Answer: "Well, the manager said it was fine..."

With formal certification: Manager logs into the platform, reviews each user with context (last login, role, risk score), clicks "Certify" for appropriate access and "Deny" for violations. System records: Sarah Johnson, Manager, certified on Sept 15, 2024 at 2:47pm. The auditor asks "Who certified this?" Answer: "Here's the certification record with timestamp and signature."

That's the difference between review and certification. Between "we looked at it" and "here's the proof."

Automated certification provides complete visibility and permanent evidence

What to look for in modern certification platforms: Complete visibility across all applications (not just SSO-integrated), group-based efficiency for manageable review workloads, closed-loop remediation that eliminates ticket-based gaps, and permanent audit evidence with no retention limits.

Certifications that actually certify. Compliance that actually complies.
