Joiner, mover, and leaver processes stop at the identity provider and never change the application's local state. That means access can persist after role changes or departures, especially when credentials are shared or partially admin-managed. The result is orphaned access, audit gaps, and revocation that exists in policy but not in practice.
Why This Matters for Security Teams
When joiner, mover, and leaver workflows stop at the identity provider, disconnected applications continue to trust stale app-local state. That creates a gap between policy and enforcement: access can survive role changes, offboarding, and emergency revocation because the application never receives the update. For non-human identities, the problem is worse when secrets are reused, embedded in code, or managed by application owners rather than central IAM.
NHI Management Group’s Ultimate Guide to NHIs shows why lifecycle failures matter so much in practice: 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly revocation can propagate when downstream systems are not reached. OWASP’s Non-Human Identity Top 10 treats stale credentials and weak lifecycle control as core identity risks, not edge cases.
In practice, many security teams encounter orphaned access only after an audit, incident, or departure has already exposed the gap.
How It Works in Practice
A complete lifecycle workflow has to do more than disable a directory account. It must discover every application, service, vault, and API that relies on the identity, then push the change into each trust boundary. That includes SaaS apps with their own local users, legacy systems with file-based accounts, custom APIs, and service accounts that are not federated back to the IdP. NHI Mgmt Group’s NHI Lifecycle Management Guide emphasizes that lifecycle control is only real when deprovisioning reaches the resource, not just the directory.
Operationally, teams usually need four linked steps:
- Maintain an inventory of every disconnected application that stores local identity state or long-lived secrets.
- Map each identity to its app-specific account, token, API key, or certificate.
- Trigger revocation or disablement inside the app when HR or IAM status changes.
- Verify completion with logs, API responses, or periodic access attestations.
This is also where the Top 10 NHI Issues become operationally visible: overused identities, duplicated secrets, and weak offboarding all make the blast radius larger when one workflow misses a target. For implementation guidance, current best practice is to pair lifecycle automation with standards-based identity and privilege management, using the OWASP Non-Human Identity Top 10 and NIST zero-trust principles to reduce reliance on manual cleanup. NIST SP 800-207 frames this as a continuous trust decision rather than a one-time account event, which is the right model when applications are not centrally managed. These controls tend to break down when the environment includes unmanaged legacy systems, shared admin consoles, or applications with no API for account revocation, because in those cases the workflow cannot verify the state change end to end.
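The four steps above, carried through on sample data as an added example (this is not the page's or NHI Mgmt Group's own tooling). The IdP export, the app-local inventory and the per-app connectors are all constructed here; in a real estate they come from your directory, the SaaS and vault APIs, and whatever legacy systems expose. The point it adds to the text is the last step: one connector acknowledges the disable call but never applies it, and only the readback distinguishes "revoked" from "revocation requested".

```python
"""Reconcile IdP lifecycle state against app-local identity state.

Added example, not the page's or NHI Mgmt Group's tooling. The IdP export,
the app inventory and the connectors are constructed stand-ins for whatever
your directory, SaaS APIs and vaults really return.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed IdP export: identity -> lifecycle status.
IDP_STATUS = {
    "alice": "active",
    "bob": "left",           # offboarded; directory account already disabled
    "carol": "moved",        # changed role; finance access should go with it
    "svc-billing": "left",   # NHI whose owning project was decommissioned
}

@dataclass
class LocalAccount:
    app: str
    local_id: str          # the app's own username, key id or cert serial
    owner: Optional[str]   # IdP identity it maps to; None if nobody claims it
    enabled: bool

# Constructed inventory: what steps 1 and 2 of the text produce.
INVENTORY = [
    LocalAccount("finance-saas", "alice.f", "alice", True),
    LocalAccount("finance-saas", "bob.f", "bob", True),
    LocalAccount("finance-saas", "carol.f", "carol", True),
    LocalAccount("legacy-erp", "BSMITH", "bob", True),
    LocalAccount("legacy-erp", "ROOT2", None, True),
    LocalAccount("billing-api", "ak_9f2", "svc-billing", True),
]
# Apps whose access is tied to a role, so a mover event must also revoke.
ROLE_SCOPED_APPS = {"finance-saas"}

def find_stale_access(inventory, idp_status, role_scoped_apps):
    """Return (account, reason) pairs that are enabled locally but should not be."""
    stale = []
    for acct in inventory:
        if not acct.enabled:
            continue
        status = idp_status.get(acct.owner) if acct.owner else None
        if acct.owner is None:
            reason = "unmapped"        # orphan: no IdP identity owns it
        elif status == "left":
            reason = "owner left"
        elif status == "moved" and acct.app in role_scoped_apps:
            reason = "owner moved"
        else:
            continue
        stale.append((acct, reason))
    return stale

def _make_connector(store, applies_change=True):
    """Constructed connector: (disable, read) over an in-memory store.

    applies_change=False models an API that acknowledges the call but leaves
    the account enabled; only the readback in step 4 catches that.
    """
    def disable(local_id):
        if applies_change:
            store[local_id] = False
        return {"id": local_id, "accepted": True}
    def read(local_id):
        return {"id": local_id, "enabled": store.get(local_id, True)}
    return disable, read

CONNECTORS = {
    "finance-saas": _make_connector({}),
    "billing-api": _make_connector({}, applies_change=False),
    # "legacy-erp" deliberately absent: file-based accounts, no revocation API.
}

def deprovision_and_verify(stale, connectors):
    """Steps 3 and 4: push the change into each app, then read its state back.

    Outcome per (app, local_id): 'verified', 'unverified' (call accepted but
    the account is still enabled) or 'manual' (no API; needs a ticket).
    """
    outcomes = {}
    for acct, _reason in stale:
        key = (acct.app, acct.local_id)
        conn = connectors.get(acct.app)
        if conn is None:
            outcomes[key] = "manual"
            continue
        disable, read = conn
        disable(acct.local_id)
        outcomes[key] = "unverified" if read(acct.local_id)["enabled"] else "verified"
    return outcomes

if __name__ == "__main__":
    stale = find_stale_access(INVENTORY, IDP_STATUS, ROLE_SCOPED_APPS)
    for (app, local_id), outcome in deprovision_and_verify(stale, CONNECTORS).items():
        print(f"{app}:{local_id} -> {outcome}")
```

Run as-is, the finance accounts come back "verified", both legacy-erp entries (including the unowned ROOT2) fall out as "manual" tickets, and the billing API key is reported "unverified" even though the API accepted the call. Anything that is not "verified" is the list a security team should be holding open, not closing.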
Common Variations and Edge Cases
Tighter deprovisioning often increases operational overhead, requiring organisations to balance faster revocation against application compatibility and change control. That tradeoff is real in hybrid estates, where some applications can be automated and others still need manual tickets or maintenance windows. Best practice is evolving, and there is no universal standard for this yet, especially for disconnected apps that lack modern identity hooks.
One common edge case is shared service access. If multiple apps use the same service account or the same token is reused across environments, a leaver event may require credential rotation rather than simple disablement. Another is break-glass access, where emergency accounts must remain usable but tightly monitored. In both cases, the control objective is not just revocation but proof that no live path remains once the person or workload should no longer have access. The 2025 State of NHIs and Secrets in Cybersecurity reports that 91% of former employee tokens remain active after offboarding, which is exactly the kind of persistence disconnected apps create when lifecycle changes never land locally. NHI Mgmt Group’s research also shows that only 20% of organisations have formal processes for offboarding and revoking API keys, so gaps usually come from process absence, not just tooling. This guidance breaks down most clearly in third-party-managed applications where the owning vendor controls account state and the customer cannot directly enforce revocation.
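The two edge cases in this section, shared credentials and break-glass access, change the decision from "disable the account" to "choose the action that leaves no live path". The following added example (not the page's or NHI Mgmt Group's tooling) plans that decision for a constructed leaver: single-holder credentials are disabled, credentials shared with other principals or valid in more than one environment are rotated so the leaver's copy dies while other consumers keep working, break-glass credentials are rotated and flagged for monitoring, and anything without a revocation API is reported as a still-live path rather than assumed closed. All principals, environments and credential ids are constructed.

```python
"""Decide disable, rotate, monitor or manual for each credential a leaver holds.

Added example, not the page's or NHI Mgmt Group's tooling. The credential
inventory, principals and environments are constructed.
"""
from dataclasses import dataclass
from typing import List

@dataclass
class Credential:
    cred_id: str
    kind: str                    # "password", "token", "api_key"
    principals: List[str]        # people or workloads that hold it
    environments: List[str]      # where it is valid
    break_glass: bool = False
    revocable_via_api: bool = True

# Constructed inventory for leaver "dana".
LEAVER = "dana"
CREDS = [
    Credential("c1", "password", ["dana"], ["prod"]),
    Credential("c2", "api_key", ["dana", "ci-runner"], ["prod", "staging"]),
    Credential("c3", "token", ["dana", "erik"], ["staging"], revocable_via_api=False),
    Credential("c4", "password", ["dana", "oncall"], ["prod"], break_glass=True),
    Credential("c5", "api_key", ["erik"], ["prod"]),    # not dana's; left alone
]

def plan_revocation(creds, leaver):
    """Map each credential the leaver holds to an action.

    disable        : only the leaver uses it, so switching it off breaks nothing.
    rotate         : other principals or environments depend on it; disabling
                     would cause an outage, but leaving it live leaves a path
                     for the leaver. Issue a new secret to the remaining
                     holders and retire the old one.
    rotate+monitor : break-glass credential that must stay usable; rotate it
                     because the leaver knew it, and alert on every use.
    manual         : no revocation API, so a ticket is needed and closure has
                     to be confirmed by hand.
    """
    plan = {}
    for c in creds:
        if leaver not in c.principals:
            continue
        others = [p for p in c.principals if p != leaver]
        if not c.revocable_via_api:
            plan[c.cred_id] = "manual"
        elif c.break_glass:
            plan[c.cred_id] = "rotate+monitor"
        elif others or len(c.environments) > 1:
            plan[c.cred_id] = "rotate"
        else:
            plan[c.cred_id] = "disable"
    return plan

def apply_plan(creds, plan, leaver):
    """Simulate execution; return (holders after the change, still-live paths).

    Rotation swaps the secret, so the leaver's copy stops working while the
    other holders receive the new value. 'manual' items stay live until the
    ticket is closed, which is the residual risk to report rather than hide.
    """
    holders = {}
    live_paths = []
    for c in creds:
        action = plan.get(c.cred_id)
        if action is None:
            holders[c.cred_id] = list(c.principals)
        elif action == "disable":
            holders[c.cred_id] = []
        elif action.startswith("rotate"):
            holders[c.cred_id] = [p for p in c.principals if p != leaver]
        else:  # manual
            holders[c.cred_id] = list(c.principals)
            live_paths.append(c.cred_id)
    return holders, live_paths

if __name__ == "__main__":
    plan = plan_revocation(CREDS, LEAVER)
    holders, live = apply_plan(CREDS, plan, LEAVER)
    for cid, action in plan.items():
        print(f"{cid}: {action}, holders now {holders[cid]}")
    print("still-live paths needing follow-up:", live)
```

The ordering of the checks matters: an API-less credential is classified "manual" before anything else, because no amount of rotation logic closes a path the workflow cannot reach, and the break-glass test comes before the sharing test so an emergency account is never silently disabled just because the leaver was its only listed holder.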
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses stale credentials and lifecycle gaps in non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Supports access revocation and least-privilege enforcement across systems. |
| NIST AI RMF | | Governance requires accountable lifecycle controls for autonomous workloads too. |
Map every app-local identity to a revocation path and automate disablement on departure or role change.