The application owner and identity governance team remain accountable, because lifecycle control failed at the integration boundary even if the directory changed correctly. In practice, teams should define ownership for event consumption, reconciliation, and offboarding validation, then review that ownership against access review and audit requirements.
Why This Matters for Security Teams
When a user disappears from the directory but remains active in an application, the failure is not just administrative. It is a lifecycle control failure across identity systems, provisioning workflows, and downstream application enforcement. Ownership usually sits with the application owner and the identity governance team, because the directory event may have been correct while the consuming system failed to consume or enforce it. That distinction matters for auditability, incident response, and access review.
This is why framework guidance increasingly treats identity as an end-to-end control plane issue, not a single-tool issue. The NIST Cybersecurity Framework 2.0 frames identity governance as a shared accountability problem, while NHIMG research on the State of Secrets in AppSec shows how control fragmentation creates blind spots that persist long after teams believe a change is complete. In practice, many security teams discover orphaned access only after an access review, a post-incident audit, or a failed offboarding reconciliation has already exposed the gap.
How It Works in Practice
The practical question is not who clicked delete in the directory, but which control owns the downstream state change. A robust offboarding process should define three separate responsibilities: the directory system as the source of truth for status, the integration layer as the event delivery mechanism, and the application owner as the party accountable for verifying that deprovisioning actually happened. Identity governance should enforce reconciliation, exception handling, and evidence collection.
Current best practice is to make deprovisioning observable at the boundary. That usually means:
- consuming disable and delete events from the directory through a durable integration path
- mapping each application to an accountable owner for lifecycle validation
- reconciling active accounts against terminated identities on a fixed cadence
- revoking sessions, tokens, API keys, and delegated grants, not just login status
- recording exception workflows when an application cannot consume lifecycle events reliably
For identity programs, this is where standards thinking becomes operational. The NIST Cybersecurity Framework 2.0 supports accountability across identify, protect, and detect functions, while NHIMG analysis in the DeepSeek breach illustrates how a single control failure can expose many downstream assets when lifecycle governance is fragmented. That is why the application owner remains accountable even if the directory change was technically successful: the application still owns enforcement. These controls tend to break down when applications cache entitlements, run asynchronous sync jobs, or depend on custom middleware that does not reliably process termination events.
Common Variations and Edge Cases
Tighter lifecycle enforcement often increases integration overhead, requiring organisations to balance faster offboarding against application complexity and exception handling. That tradeoff becomes visible in SaaS environments, legacy platforms, and partner-managed systems where directory sync is partial rather than authoritative.
There is no universal standard for every edge case, but current guidance suggests a few practical rules. If the application cannot consume directory removal events, ownership should shift toward manual reconciliation with documented service-level expectations. If the user account is technically disabled but still holds active tokens, then identity governance must treat the access as incomplete until session and credential revocation is confirmed. If the directory is merely one upstream source among several, then the accountable party is the one responsible for resolving conflicting identity state, not the source system that reported deletion.
In mature programs, this accountability model should be reflected in access reviews, separation-of-duties records, and incident playbooks so the same failure does not recur under a different name. The operational test is simple: if a terminated user can still act, the control that should have stopped them was not the directory alone, but the owner of the system that failed to enforce the removal.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity lifecycle failures are access-control failures across systems. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stale non-human access patterns mirror broken lifecycle removal controls. |
| NIST AI RMF | Shared accountability for autonomous decision paths aligns with governance needs. |
Assign governance owners for lifecycle decisions, monitoring, and exception handling across integrated systems.
Related resources from NHI Mgmt Group
- How should security teams govern Active Directory service accounts?
- Who is accountable when a workload secret remains active after compromise?
- Who is accountable when vendor access remains active after a banking engagement ends?
- When do service accounts become a higher risk than ordinary user accounts?
