Attestation is the moment someone with authority puts their name to a set of access and says it is correct. It is the sign-off. In identity governance it is the closing act of an access review or certification: after the access has been examined, the accountable person formally confirms the result.
The word carries weight on purpose. To attest is to take responsibility for a statement. An attestation is meant to mean that a specific person, with the standing to judge, looked at this access and stands behind it.
Where attestation sits
A review has two halves. The examination, where access is looked at and decisions are made, and the attestation, where those decisions are formally recorded and owned. The examination is the work. The attestation is the accountability.
Compliance frameworks lean on the attestation because it is what makes access reviewable after the fact. A framework cannot inspect the quality of someone's thinking during a review. It can require a named, timestamped sign-off from an accountable party, and hold the organization to it. That is why the paperwork centers on the attestation step.
Who attests, and why it matters
The attester should be someone accountable for the access. The person's manager, who knows what their reports do. The owner of an application or resource, who knows what its entitlements grant. The requirement is both standing and knowledge: authority to make the call, and enough understanding to make it truthfully.
This is where attestation gets hollow. When the sign-off is routed to someone without context, a manager handed a list of entitlements they cannot interpret, the attestation still gets signed. It satisfies the form. It means nothing. A signature from someone who could not actually evaluate the access is the identity-governance version of a rubber stamp.
What makes an attestation defensible
Three things separate a real attestation from a signature.
Context. The attester saw what the access does, whether it has been used, and how it was granted. The decision was informed.
Granularity and record. The sign-off was per entitlement, not a single approval covering everything, and it was recorded with who, what, and when.
Enforcement. Whatever the attester rejected was actually removed. An attestation that confirms some access should go, followed by that access staying, is a contradiction an auditor will find.
An attestation with all three is evidence. An attestation with none is a liability, because it looks like a control while providing none of the protection.
Related terms
- Access certification. The formal review process attestation completes.
- User access review. The everyday term for that process.
- Authorization. Granting access up front, as opposed to confirming it later.
- Audit trail. The record that gives an attestation its weight.