Access certification is the formal act of confirming that the access people hold is still the access they should hold. A reviewer signs off, entitlement by entitlement, and anything they reject gets removed. It is the same control as a user access review, seen from the compliance side, where the emphasis lands on the sign-off and the paper trail.
If there is any distinction between the two terms, it is one of emphasis. Certification stresses the attestation, the formal statement that the access is correct. Review stresses the examination, the act of looking. Auditors and legacy IGA vendors say certification. Practitioners say review. They are talking about the same thing.
The campaign model
Certification has traditionally been run as campaigns. A campaign is a scheduled batch: pick a scope (a set of apps, a department, a class of entitlements), pull all the access in it, push it to reviewers, and give them a deadline to clear it.
This is how legacy IGA works, and the model has a built-in flaw. Batching a quarter's worth of access into a single deadline creates a wall of work that arrives all at once. Reviewers facing hundreds of unfamiliar entitlements with a Friday deadline do the rational thing and approve in bulk. The campaign completes, the evidence is generated, and the actual access barely changes. It is efficient to administer and hollow in effect.
Continuous certification
The alternative is to stop batching. Continuous certification evaluates access as it changes: a new grant, an unusual entitlement, a role change that adds permissions, each reviewed close to when it happens. The heavy quarterly campaign shrinks, because most access has already been confirmed in the flow of work. What is left for the scheduled run is exceptions, not the entire population.
The benefit is not only lighter campaigns. Access stays current in between, rather than drifting for three months and getting corrected in a rush.
What certification has to prove
The evidence bar is the same as any review, and it has five parts. Scope: what was covered. Reviewers: who signed off, and whether they had the standing to. Decisions: keep or remove, recorded per item. Timing: when the certification opened and closed. Enforcement: proof that rejected access was actually revoked.
The fifth is where certifications most often fall short. A campaign can produce a complete set of decisions and still leave the rejected access in place because nobody wired the removal to the sign-off. The certification then says one thing and the system says another. Real certification closes that loop: the sign-off drives the revocation, and the evidence reflects actions taken, not intentions logged.
Related terms
- User access review. The everyday term for the same control.
- Attestation. The reviewer's formal statement that access is correct.
- Certification campaign. A scheduled, scoped certification run.
- Identity Governance and Administration (IGA). The discipline certification is part of.