Attestation

What attestation means in access governance, how it differs from an access review, who attests, and what makes an attestation defensible to an auditor.

3 min read · Last updated July 2026

Attestation is the formal statement by an accountable person that a set of access is correct as of a point in time. It is the sign-off step of an access review or certification: the reviewer puts their name to the decision. An attestation is only as good as the context behind it and the enforcement that follows.

Also known as: Attestation, Access attestation, Sign-off

Attestation is the moment someone with authority puts their name to a set of access and says it is correct. It is the sign-off. In identity governance it is the closing act of an access review or certification: after the access has been examined, the accountable person formally confirms the result.

The word carries weight on purpose. To attest is to take responsibility for a statement. An attestation is meant to mean that a specific person, with the standing to judge, looked at this access and stands behind it.

Where attestation sits

A review has two halves. The examination, where access is looked at and decisions are made, and the attestation, where those decisions are formally recorded and owned. The examination is the work. The attestation is the accountability.

Compliance frameworks lean on the attestation because it is what makes access reviewable after the fact. A framework cannot inspect the quality of someone's thinking during a review. It can require a named, timestamped sign-off from an accountable party, and hold the organization to it. That is why the paperwork centers on the attestation step.

Who attests, and why it matters

The attester should be someone accountable for the access. The person's manager, who knows what their reports do. The owner of an application or resource, who knows what its entitlements grant. The requirement is both standing and knowledge: authority to make the call, and enough understanding to make it truthfully.

This is where attestation gets hollow. When the sign-off is routed to someone without context, a manager handed a list of entitlements they cannot interpret, the attestation still gets signed. It satisfies the form. It means nothing. A signature from someone who could not actually evaluate the access is the identity-governance version of a rubber stamp.

What makes an attestation defensible

Three things separate a real attestation from a signature.

Context. The attester saw what the access does, whether it has been used, and how it was granted. The decision was informed.

Granularity and record. The sign-off was per entitlement, not a single approval covering everything, and it was recorded with who, what, and when.

Enforcement. Whatever the attester rejected was actually removed. An attestation that confirms some access should go, followed by that access staying, is a contradiction an auditor will find.

An attestation with all three is evidence. An attestation with none is a liability, because it looks like a control while providing none of the protection.

Related terms

  • Access certification. The formal review process attestation completes.
  • User access review. The everyday term for that process.
  • Authorization. Granting access up front, as opposed to confirming it later.
  • Audit trail. The record that gives an attestation its weight.

Frequently asked questions

How is attestation different from an access review?

The review is the examination; the attestation is the sign-off. During a review a person looks at the access and decides. The attestation is the formal record that they did, and that they stand behind the result. In practice attestation is the closing step of a review or certification, not a separate exercise.

Who attests to access?

Someone accountable for the access: usually the person's manager, or the owner of the resource or application. The point is that the attester has both the standing to make the call and enough knowledge to make it honestly. An attestation from someone with neither is a signature, not a control.

What makes an attestation defensible?

That the attester had real context (what the access is, whether it is used, why it was granted), that the decision was recorded per entitlement with a timestamp, and that rejections were enforced. An attestation with none of that is a check-the-box exercise an auditor can see through.

Is attestation only for compliance?

Compliance is the usual driver, since frameworks require periodic sign-off on access. But the underlying value is accountability: a named person deciding that access is correct. Without attestation, nobody owns the state of access, and it drifts.

What is the difference between attestation and authorization?

Authorization is granting access in the first place, at the moment of the request. Attestation is confirming later that the access granted is still appropriate. One happens at the front door; the other is the periodic recheck.