NHI Certification Campaign Template

Non-Human Identity (NHI) Access Reviews & Governance
Campaign Overview

Campaign Name:

Campaign Type: ☐ Periodic ☐ Event-Driven ☐ Risk-Triggered

Scope: ☐ All NHIs ☐ Privileged Only ☐ High-Risk Only

Review Window: Start Date → End Date

Reviewer SLA: ☐ 7 days ☐ 14 days ☐ 30 days

Approving Authority: Identity Governance / Security / IT / Engineering / App Owners

Audit Period Covered:

Objective:

Certify that all in-scope Non-Human Identities (NHIs) have valid ownership, justified access, least privilege, and compliant credential lifecycle controls.

1. NHI Inventory (Certification Objects)

Core Identity Fields

  • NHI Name
  • NHI Type
    • ☐ Service Account / Service Principal
    • ☐ API Key / Token / Secret
    • ☐ Kubernetes Service Account / Workload Identity
    • ☐ Certificate / SSH Key / mTLS Identity
    • ☐ SaaS Bot / OAuth Integration
    • ☐ IoT / Device Identity
    • ☐ AI / LLM Agent Identity
  • Source System
    • Cloud IAM / K8s / Vault / PKI / SaaS / CI/CD / AI Platform
  • Environment
    • ☐ Production ☐ Staging ☐ Dev ☐ Shared

2. Ownership & Accountability

  • Primary Owner (Human)
  • Backup Owner
  • Owning Team / Function
  • Business Purpose
  • Linked Application / Service
  • Linked Project / Pipeline / Agent

☐ Ownership confirmed

☐ Purpose still valid

☐ NHI still required

Reviewer: App Owner / System Owner / IT / Engineering

3. Access & Authorization Details

  • Access Scope (Human-Readable)
    • ☐ Read
    • ☐ Write
    • ☐ Admin
    • ☐ Data Export
    • ☐ Infrastructure Control
  • Granted Permissions
  • Used Permissions (Last 90 / 180 Days)
  • Privilege Level
    • ☐ Low ☐ Medium ☐ High ☐ Admin

☐ Least privilege validated

☐ No unused high-risk permissions

☐ No standing admin without justification

Reviewer: Security / App Owner / IT / Engineering

4. Credential & Lifecycle Posture

  • Credential Type
    • ☐ Static
    • ☐ Short-Lived
    • ☐ Certificate / mTLS
  • Creation Date
  • Last Rotated Date
  • Rotation Policy
  • Expiry / TTL
  • Lifecycle State
    • ☐ Active ☐ Deprecated ☐ Orphaned ☐ Retired

☐ Rotation compliant

☐ Expiry enforced

☐ No orphaned credentials

Reviewer: Platform / Cloud Security

5. Usage & Behavioral Context

  • Last Used Timestamp
  • Usage Frequency
  • Expected Usage Pattern
  • Observed Anomalies
    • ☐ Unexpected IP
    • ☐ Unexpected Region
    • ☐ Unusual Time
    • ☐ New Privileged Action

☐ Usage aligns with purpose

☐ No unexplained anomalies

Reviewer: SecOps / Identity Security

6. Risk Scoring & Priority Rules

Automated Risk Factors (Pre-Calculated)

☐ Privileged access in production

☐ No assigned owner

☐ Unused for >90 days

☐ Static credentials

☐ Missing or overdue rotation

☐ External / public exposure

☐ AI agent with broad scopes

Risk Score: ☐ Low ☐ Medium ☐ High ☐ Critical

Priority Queue: ☐ Immediate ☐ This Cycle ☐ Defer with Justification
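The template lists the automated risk factors but leaves the scoring rule to the organisation. As an added illustration (not part of the BalkanID template), the Python below evaluates those seven factors over constructed NHI inventory records and maps the result onto the Risk Score and Priority Queue boxes; the factor weights, the score thresholds, treating High/Admin as "privileged", and reading "broad scopes" as a wildcard or admin scope are all assumptions.

```python
from datetime import date, timedelta
# Weights and thresholds are assumptions for illustration; the template leaves them to each organisation.
FACTOR_WEIGHTS = {"privileged_in_production": 3, "no_assigned_owner": 2, "unused_over_90_days": 1, "static_credentials": 1,
                  "rotation_missing_or_overdue": 2, "external_exposure": 2, "ai_agent_broad_scopes": 2}

def risk_factors(nhi, today):
    """Return the set of section-6 automated risk factors that one NHI record triggers."""
    hits = set()
    if nhi["environment"] == "Production" and nhi["privilege_level"] in ("High", "Admin"):
        hits.add("privileged_in_production")
    if not nhi.get("owner"):
        hits.add("no_assigned_owner")
    if nhi.get("last_used") is None or (today - nhi["last_used"]).days > 90:
        hits.add("unused_over_90_days")
    if nhi["credential_type"] == "Static":
        hits.add("static_credentials")
    policy, rotated = nhi.get("rotation_policy_days"), nhi.get("last_rotated")
    if policy is None or rotated is None or (today - rotated).days > policy:
        hits.add("rotation_missing_or_overdue")
    if nhi.get("externally_exposed"):
        hits.add("external_exposure")
    # "Broad scopes" is taken here to mean a wildcard or admin scope on an AI / LLM Agent (assumption).
    if nhi["nhi_type"] == "AI / LLM Agent" and any(s in ("*", "admin") for s in nhi.get("scopes", [])):
        hits.add("ai_agent_broad_scopes")
    return hits

def score_and_queue(hits):
    """Map the weighted factor total onto the template's Risk Score and Priority Queue boxes."""
    total = sum(FACTOR_WEIGHTS[f] for f in hits)
    if total >= 5:
        return "Critical", "Immediate"
    if total >= 3:
        return "High", "This Cycle"
    return ("Medium", "This Cycle") if total else ("Low", "Defer with Justification")

TODAY = date(2025, 6, 1)  # fixed so the constructed sample is reproducible
SAMPLE_NHIS = [  # constructed records, not real identities
    {"name": "ci-deploy-sa", "nhi_type": "Service Account", "environment": "Production", "privilege_level": "Admin",
     "owner": None, "last_used": TODAY - timedelta(days=120), "credential_type": "Static",
     "last_rotated": TODAY - timedelta(days=400), "rotation_policy_days": 90},
    {"name": "invoice-summary-agent", "nhi_type": "AI / LLM Agent", "environment": "Staging", "privilege_level": "Medium",
     "owner": "alice", "last_used": TODAY - timedelta(days=2), "credential_type": "Short-Lived",
     "last_rotated": TODAY - timedelta(days=1), "rotation_policy_days": 30, "scopes": ["read:invoices", "*"]},
]

def certify_queue(nhis=SAMPLE_NHIS, today=TODAY):
    """Pre-calculate the risk section for every NHI and order the reviewer queue, most urgent first."""
    scored = [(n["name"], risk_factors(n, today)) for n in nhis]
    rows = [(name, *score_and_queue(hits), sorted(hits)) for name, hits in scored]
    return sorted(rows, key=lambda r: ["Critical", "High", "Medium", "Low"].index(r[1]))
```

Each row carries the triggered factors alongside the score, so a reviewer can see why an NHI landed in the Immediate queue rather than trusting a bare number.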

7. Reviewer Decision

Certification Decision:

  • ☐ Approve (No Change)
  • ☐ Approve with Conditions
  • ☐ Modify Access
  • ☐ Rotate Credentials
  • ☐ Revoke / Decommission
  • ☐ Escalate

Reviewer Comments:

Decision Date:

☐ Decision recorded

☐ Evidence attached

8. Remediation & Workflow Tracking

  • Required Action
    • ☐ Permission Reduction
    • ☐ Credential Rotation
    • ☐ Ownership Assignment
    • ☐ Decommissioning
    • ☐ HITL (Human-in-the-Loop) Control Required
  • Automation Triggered
    • ☐ Yes ☐ No
  • Ticket / Workflow Link
  • Remediation Owner
  • Target Completion Date
  • Completion Status

☐ Remediation completed

☐ Evidence captured

9. AI / Agentic Identity Addendum (If Applicable)

Applies if NHI Type = AI / LLM Agent

  • Human Sponsor
  • Agent Purpose
  • Tools / APIs Invoked
  • Data Sets Accessed
  • Approval Required for High-Risk Actions
    • ☐ Yes ☐ No

☐ Scoped access validated

☐ HITL enforced where required

☐ Agent logs retained

10. Audit & Evidence Mapping

Control Mapping Matrix

Framework      | Control | Evidence from This Campaign
SOC 2          | CC6.1   | Ownership, access justification
SOC 2          | CC6.2   | Least privilege validation
SOC 2          | CC6.3   | Credential lifecycle & rotation
ISO 27001      | A.5.16  | Identity lifecycle governance
ISO 27001      | A.5.17  | Authentication information protection
PCI DSS 4.0    | 8.6     | Application & system account management
NIST CSF 2.0   | PR.AA   | Identity & credential management
NIST SP 800-53 | IA-5    | Authenticator management
NIST SP 800-53 | AC-2    | Account management

☐ Evidence exportable

☐ Reviewer decisions traceable

☐ Remediation auditable

11. Campaign Completion Summary

  • Total NHIs Reviewed
  • High / Critical NHIs
  • Remediations Triggered
  • Decommissioned NHIs
  • Exceptions Approved
  • Outstanding Items

Campaign Owner Sign-Off:

Date:
