Account lifecycle is the full sequence of join, use, recovery, change, and removal for an identity. For passkeys, it includes enrollment, device replacement, credential binding, support escalation, and deprovisioning, because security breaks when any lifecycle step falls back to weaker controls.
Expanded Definition
Account lifecycle is the operational sequence that governs how an identity is created, activated, used, modified, recovered, suspended, and removed. In NHI security, that lifecycle applies not only to human user accounts but also to service accounts, API keys, workload identities, and passkeys that depend on device binding and support workflows. NHI Management Group treats lifecycle control as a governance problem, not just an onboarding task, because risk often appears at the handoff points between teams and systems. The OWASP Non-Human Identity Top 10 reflects this reality by tying identity exposure to weak provisioning, rotation, and deprovisioning practices. The NHI Lifecycle Management Guide frames lifecycle as a control chain, where each step must preserve assurance rather than quietly falling back to shared credentials or manual exceptions. Definitions vary across vendors on whether recovery and binding are part of lifecycle or adjacent support functions, but in practice they are inseparable once the identity can authenticate independently. The most common misapplication is treating account lifecycle as a one-time provisioning event, which happens when teams ignore recovery, ownership changes, and offboarding.
Examples and Use Cases
Implementing account lifecycle rigorously often introduces coordination overhead, requiring organisations to weigh stronger assurance against slower support and more process discipline.
- Service account onboarding: a workload is created with a scoped identity, approved privileges, and a defined owner before it is allowed to call production APIs.
- Passkey enrollment and recovery: a user binds a passkey to an approved device, then uses a controlled recovery path when the device is replaced or lost.
- Credential rotation: a secret is replaced on schedule, with downstream systems updated before the old credential is revoked to avoid outage risk. The Guide to NHI Rotation Challenges explains why this step often fails operationally.
- Offboarding and deprovisioning: access is removed when an application is retired, a contractor leaves, or a token is no longer tied to an active owner.
- Secrets cleanup: duplicated credentials are found in code, ticketing systems, or vaults and are retired as part of a formal closure workflow, not left to linger. See Guide to the Secret Sprawl Challenge.
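The control chain described in these examples, as an added illustration that is not part of NHI Management Group's guidance or tooling: a small in-memory registry that refuses onboarding without an active owner, rotates with a grace window so the old secret is revoked only after consumers can be updated, surfaces identities whose owner has been offboarded instead of letting them persist, and revokes every live credential on deprovisioning. Class and method names, integer epoch-second timestamps and the owner field are assumptions for the example.

```python
import itertools
from dataclasses import dataclass, field

@dataclass
class Credential:
    cred_id: str
    revoke_at: "int | None" = None  # epoch seconds; None: no revocation scheduled
    def is_live(self, now: int) -> bool:
        return self.revoke_at is None or now < self.revoke_at

@dataclass
class Identity:
    name: str
    owner: str  # accountable human or team (hypothetical field)
    active: bool = True
    credentials: list = field(default_factory=list)

class LifecycleRegistry:
    # Hypothetical NHI registry: onboard -> rotate -> orphan check -> deprovision.
    def __init__(self, active_owners):
        self.active_owners = set(active_owners)
        self.identities: dict = {}
        self._seq = itertools.count(1)
    def onboard(self, name, owner):
        # No identity is created without a currently active, accountable owner.
        if owner not in self.active_owners:
            raise ValueError(f"owner {owner!r} is not an active owner")
        cred = Credential(f"cred-{next(self._seq)}")
        self.identities[name] = Identity(name, owner, credentials=[cred])
    def rotate(self, name, now, grace):
        # Issue the replacement first; the old secret stays live for `grace` seconds
        # so downstream consumers can be updated before it is revoked (no outage).
        ident = self.identities[name]
        for cred in ident.credentials:
            if cred.is_live(now) and cred.revoke_at is None:
                cred.revoke_at = now + grace
        ident.credentials.append(Credential(f"cred-{next(self._seq)}"))
    def orphaned(self):
        # Active identities whose owner is gone: the 'still works after offboarding' gap.
        return sorted(i.name for i in self.identities.values()
                      if i.active and i.owner not in self.active_owners)
    def deprovision(self, name, now):
        # Closure revokes every live credential, not just the newest one.
        ident = self.identities[name]
        ident.active = False
        for cred in ident.credentials:
            if cred.is_live(now):
                cred.revoke_at = now
    def live_credentials(self, name, now):
        return [c.cred_id for c in self.identities[name].credentials if c.is_live(now)]
```

A scheduled job calling `orphaned()` after every owner offboarding is the check that turns the "token still works after the employee left" gap into a queue of identities to deprovision.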
Why It Matters in NHI Security
Lifecycle failure is one of the fastest ways for NHI risk to become visible outside the identity team. NHIMG research shows that 91% of former employee tokens remain active after offboarding, and that is not a theoretical issue. It means account lifecycle gaps directly create exploitable persistence, especially when service ownership is unclear or deprovisioning is manual. The same pattern appears when identities are reused across applications, when credentials are stored outside secrets managers, or when recovery paths weaken assurance under pressure. NHI Management Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes lifecycle discipline central to containment as well as prevention. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Top 10 NHI Issues both show that lifecycle breakdowns usually combine with secret sprawl and poor rotation to magnify blast radius. Organisations typically encounter account lifecycle as an urgent problem only after a token is exposed, a service is retired, or an employee leaves and the old access still works, at which point addressing lifecycle control becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Lifecycle gaps drive secret exposure, stale access, and deprovisioning failures covered by NHI controls. |
| NIST CSF 2.0 | PR.AA-04 | Identity proofing, lifecycle, and revocation align to account management and access enforcement outcomes. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on continuously validated identities whose lifecycle state is always current. |
Track join, use, rotation, recovery, and removal as one control chain and close every orphaned identity path.