Joiner-mover-leaver governance

Joiner-mover-leaver governance is the process of creating, adjusting, and removing access as people or systems change state. For privileged access, it is the difference between temporary authority and lingering entitlement, and it becomes even more critical when access spans multiple infrastructure layers.

Expanded Definition

Joiner-mover-leaver governance is the control discipline that ensures access is created, adjusted, and removed at the right moment as a person, service account, workload, or agent changes state. In NHI programs, the concept extends beyond employee onboarding and offboarding to include machine identities that are minted, rotated, delegated, suspended, or decommissioned across cloud, CI/CD, and infrastructure layers. That broader scope is why lifecycle governance is closely tied to NIST Cybersecurity Framework 2.0 principles for access control, asset visibility, and continuous risk management. Definitions vary across vendors on whether “mover” includes privilege changes only or also ownership, environment, and workload transitions. In practice, the strongest interpretation treats every state change as a trigger for entitlement review, secret refresh, and revocation of stale tokens or certificates. NHI Management Group treats this as a lifecycle governance problem, not a one-time provisioning task, because static access in dynamic systems creates accumulation risk.

The most common misapplication is treating leaver workflows as an HR-only process, which occurs when teams fail to map system-to-system dependencies and service credentials that survive personnel changes.

Examples and Use Cases

Implementing joiner-mover-leaver governance rigorously often introduces orchestration overhead, requiring organisations to weigh automation speed against the cost of tighter review and approval steps.

  • When a developer joins a platform team, a short-lived service account is provisioned with only the repositories, clusters, and secrets needed for day-one tasks, then reviewed after the probation period.
  • When an engineer moves from application support to infrastructure, prior admin access is removed, new break-glass authority is issued only if justified, and lifecycle processes for managing NHIs are updated to reflect the new ownership boundary.
  • When an AI agent is redeployed to a different environment, its API keys, certificates, and tool permissions are reissued rather than copied forward, preventing inherited trust from spreading across tenants.
  • When a contractor leaves, privileged access is revoked across SaaS, cloud, and PAM layers, while connected OAuth apps are validated against the offboarding record using guidance from Top 10 NHI Issues.
  • When an application is retired, the workflow removes associated tokens, secrets, and federated trust links, then confirms no dependent jobs or pipelines still authenticate under the old identity.
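The lifecycle rules described above (every state change triggers entitlement review, secret refresh, and revocation; a retirement must first confirm nothing still authenticates under the old identity) can be expressed as a small event handler. The following is an added example, not code from NHI Management Group or from any product; the role policy, the identities, the dependency map, and the dates are constructed sample data, and the action tuples it returns stand in for whatever provisioning, PAM, or secrets API an organisation actually drives.

```python
"""Joiner-mover-leaver handling for human and non-human identities (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Minimum entitlements per role (constructed sample policy, not real product data).
ROLE_POLICY = {
    "platform-dev": {"repo:platform", "cluster:dev", "secret:dev-db"},
    "agent-prod": {"cluster:prod", "tool:ticketing"},
}

@dataclass
class Identity:
    name: str
    kind: str                      # "human", "service", or "agent"
    owner: str                     # responsible human; humans own themselves
    environment: str
    entitlements: set = field(default_factory=set)
    secrets: set = field(default_factory=set)   # ids of issued tokens/keys/certs
    active: bool = True
    review_due: Optional[date] = None

@dataclass
class Inventory:
    identities: dict               # name -> Identity
    dependents: dict               # identity name -> jobs/pipelines authenticating as it

def joiner(inv, ident, role, today, probation_days=90):
    """Provision only the role's day-one entitlements and schedule the post-probation review."""
    ident.entitlements = set(ROLE_POLICY[role])
    ident.review_due = today + timedelta(days=probation_days)
    inv.identities[ident.name] = ident
    actions = [("grant", e) for e in sorted(ident.entitlements)]
    return actions + [("schedule_review", ident.review_due.isoformat())]

def mover(inv, name, new_role, new_owner=None, new_env=None):
    """Drop entitlements outside the new role; reissue (never copy) secrets on an environment move."""
    ident = inv.identities[name]
    target = set(ROLE_POLICY[new_role])
    actions = [("revoke", e) for e in sorted(ident.entitlements - target)]
    actions += [("grant", e) for e in sorted(target - ident.entitlements)]
    ident.entitlements = target
    if new_env and new_env != ident.environment:
        actions += [("reissue_secret", s) for s in sorted(ident.secrets)]
        ident.environment = new_env
    if new_owner:
        ident.owner = new_owner
    return actions

def leaver(inv, name):
    """Revoke all access and secrets, then surface NHIs the leaver owned so they are reassigned."""
    ident = inv.identities[name]
    actions = [("revoke", e) for e in sorted(ident.entitlements)]
    actions += [("revoke_secret", s) for s in sorted(ident.secrets)]
    ident.entitlements.clear(); ident.secrets.clear(); ident.active = False
    for other in inv.identities.values():
        if other.name != name and other.active and other.owner == name:
            actions.append(("reassign_owner", other.name))
    return actions

def retire(inv, name):
    """Refuse to retire an identity while dependent jobs still authenticate as it."""
    deps = inv.dependents.get(name, set())
    if deps:
        return [("blocked_dependents", d) for d in sorted(deps)]
    return leaver(inv, name)

def stale_access(inv, today):
    """Find overdue reviews and active NHIs whose owner is gone (entitlement drift)."""
    findings = []
    for ident in inv.identities.values():
        if not ident.active:
            continue
        if ident.review_due and ident.review_due < today:
            findings.append((ident.name, "review_overdue"))
        owner = inv.identities.get(ident.owner)
        if ident.kind != "human" and (owner is None or not owner.active):
            findings.append((ident.name, "orphaned_owner"))
    return findings

# Constructed sample data: two NHIs owned by a human who has not yet been provisioned.
def build_sample_inventory():
    ci_bot = Identity("ci-bot", "service", "alice", "dev", {"repo:platform"}, {"ci-token"})
    agent = Identity("triage-agent", "agent", "alice", "dev", {"cluster:dev"}, {"agent-key", "agent-cert"})
    return Inventory({"ci-bot": ci_bot, "triage-agent": agent}, {"ci-bot": {"nightly-build"}})

JOIN_DAY = date(2025, 1, 6)
AUDIT_DAY = date(2025, 6, 1)

def run_demo():
    """Walk one identity through join, move, blocked retirement, leave, and a stale-access audit."""
    inv = build_sample_inventory()
    out = {}
    out["joiner"] = joiner(inv, Identity("alice", "human", "alice", "dev"), "platform-dev", JOIN_DAY)
    out["mover"] = mover(inv, "triage-agent", "agent-prod", new_env="prod")
    out["retire"] = retire(inv, "ci-bot")
    out["stale_before_leaver"] = stale_access(inv, AUDIT_DAY)   # probation review lapsed
    out["leaver"] = leaver(inv, "alice")
    out["stale_after_leaver"] = stale_access(inv, AUDIT_DAY)    # NHIs now orphaned
    return out

if __name__ == "__main__":
    for step, actions in run_demo().items():
        print(step, actions)
```

Two design points match the text: `mover` reissues rather than copies secrets when the environment changes, so trust is not carried across tenants, and `retire` is blocked by the dependency map until no pipeline still authenticates as the old identity. The `stale_access` report is the continuous-review half of the discipline; in the demo it first flags the lapsed probation review, then the orphaned service account and agent after their owner leaves.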

Why It Matters in NHI Security

Joiner-mover-leaver governance prevents entitlement drift, which is one of the most reliable paths to over-privileged non-human identities. In the NHI context, stale access is not just an audit defect; it is an attacker-friendly persistence mechanism that can survive team changes, service refactors, and cloud migrations. NHIMG research shows that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, with inadequate monitoring and logging and over-privileged accounts each at 37%, which makes lifecycle governance inseparable from secret hygiene and entitlement reduction. The same problem appears in audit findings when organisations cannot demonstrate who approved access, why it was retained, or when it should have been removed. That is why the regulatory and audit perspectives of NHI management emphasise traceability as much as revocation.

Organisations typically recognise the operational necessity of joiner-mover-leaver governance only after a compromise reveals that a departed user, migrated workload, or changed service still had valid access, at which point addressing it becomes unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Lifecycle mistakes create stale NHI access and orphaned entitlements. |
| NIST CSF 2.0 | PR.AC-1 | Access provisioning and removal are core identity and access management functions. |
| NIST Zero Trust (SP 800-207) | Policy enforcement | Zero trust requires continuously re-evaluated access as context and state change. |

Trigger joiner-mover-leaver reviews on every identity state change and revoke unused access immediately.