Organisations should connect all three through a shared entitlement workflow, not separate manual queues. Onboarding should provision only approved access, access requests should use the same approval and logging model, and offboarding should revoke through the same source of truth. That prevents leftover access and makes lifecycle changes auditable end to end.
Why This Matters for Security Teams
Onboarding, access requests, and offboarding often fail because they are treated as separate administrative events instead of one entitlement lifecycle. That gap creates inconsistent approvals, orphaned access, and incomplete audit trails. For human users, the risk is usually visible in delayed deprovisioning. For non-human identities, the impact is wider because secrets, tokens, API keys, and service accounts can keep operating long after the business owner thinks access ended.
Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG’s NHI Lifecycle Management Guide points to a shared source of truth: entitlements should be approved once, provisioned once, and revoked through the same workflow that created them. That is the only reliable way to keep lifecycle changes auditable end to end. In practice, many security teams discover leftover access only after an app owner departs or a token shows up in a log, not through intentional offboarding control.
How It Works in Practice
The practical model is a single entitlement workflow that spans joiner, mover, and leaver events. Onboarding should not create broad default access. It should issue only the minimum approved entitlements, tie them to an owner, and write the decision to an audit record that can be reused later. Access requests should flow through the same policy and approval path, so every new permission is treated as a lifecycle change rather than an exception.
Offboarding should then consume the same entitlement record to revoke access, disable credentials, and remove group membership or role assignments without relying on manual memory. This matters for both people and NHIs, because service accounts and workload identities often outlive the project that created them. NHIMG’s 2025 State of NHIs and Secrets in Cybersecurity notes that 91% of former employee tokens remain active after offboarding, which shows how quickly lifecycle controls fail when revocation is disconnected from provisioning.
- Use one identity record per subject, whether that subject is a person, service account, or workload identity.
- Route onboarding and access requests through the same approval logic and logging model.
- Trigger offboarding from authoritative HR, ITSM, or directory events, then revoke downstream access automatically.
- Keep a time-stamped entitlement ledger so reviewers can see who approved what, when, and for which business purpose.
The strongest implementations also link credential issuance to the same workflow, so secret rotation or token invalidation happens when the entitlement expires. That aligns with the emerging direction in zero standing privilege and lifecycle-based access management, where access is granted only when needed and removed as soon as the task or employment state ends. These controls tend to break down in hybrid environments with many unmanaged apps because the same entitlement record does not reach every downstream system.
Common Variations and Edge Cases
Tighter lifecycle control often increases process overhead, requiring organisations to balance automation against approval latency and application compatibility. That tradeoff is real, especially when legacy systems cannot consume modern provisioning events or when business teams want rapid temporary access. Current guidance suggests handling these cases with explicit exceptions, short expiration windows, and documented owner approval rather than bypassing the workflow entirely.
One common edge case is shared infrastructure accounts. Best practice is evolving, but there is no universal standard for this yet. Where shared access cannot be eliminated, organisations should still bind it to a named owner, record the reason for use, and force review at each renewal. Another edge case is contractor and vendor access, where onboarding and offboarding may be managed outside HR. In those situations, the same entitlement workflow should be fed by procurement or vendor-management events, not ad hoc tickets.
For NHIs, lifecycle failures often show up as duplicated secrets, overused identities, or tokens copied into chat and ticketing tools. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both reinforce the same point: if the workflow cannot revoke what it provisions, the organisation does not really have lifecycle management. Practitioners should expect exceptions to accumulate wherever the source of truth is split across HR, IAM, and application teams.
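The shared-workflow model from How It Works in Practice, together with the edge cases above (temporary access that must expire on its own, shared and non-human subjects bound to a named owner, revocation driven by an authoritative leaver or mover event), as one added Python example. This is not NHIMG's or OWASP's code; the subject kinds, the shape of the event dictionary, the credential identifiers and the in-memory store are assumptions made for illustration. Every grant, credential issue and revocation goes through the same `EntitlementLedger`, so the audit log is the entitlement record, and `orphans()` is the review query that finds what the workflow has lost track of.

```python
# Added example, not NHIMG's or OWASP's code: one entitlement ledger that onboarding, access
# requests and offboarding all pass through. Subject kinds, event shapes and the in-memory store are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass
class Subject:
    subject_id: str          # one record per person, service account, workload or shared account
    kind: str                # "human", "service_account", "workload" or "shared"
    owner_id: Optional[str]  # every non-human or shared subject must name a human owner
    state: str = "active"    # "offboarded" after a leaver event: no new grants afterwards

@dataclass
class Entitlement:
    subject_id: str
    resource: str
    approver: str
    purpose: str
    granted_at: datetime
    expires_at: Optional[datetime]        # None = standing access
    revoked_at: Optional[datetime] = None

class EntitlementLedger:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock                           # injectable so expiry sweeps can be tested
        self.subjects: dict[str, Subject] = {}
        self.entries: list[Entitlement] = []
        self.credentials: dict[str, set[str]] = {}   # subject_id -> live credential ids
        self.audit: list[str] = []                   # append-only, time-stamped

    def _log(self, action: str, subject_id: str, detail: str) -> None:
        self.audit.append(f"{self.clock().isoformat()} {action} {subject_id} {detail}")

    def register(self, subject: Subject) -> None:
        if subject.kind != "human" and not subject.owner_id:
            raise ValueError(f"{subject.subject_id}: non-human or shared subject needs an owner")
        self.subjects[subject.subject_id] = subject

    def active(self, subject_id: Optional[str] = None) -> list[Entitlement]:
        return [e for e in self.entries
                if e.revoked_at is None and subject_id in (None, e.subject_id)]

    def grant(self, subject_id: str, resource: str, approver: str, purpose: str,
              ttl: Optional[timedelta] = None) -> Entitlement:
        """Onboarding and later access requests both land here: same checks, same record."""
        subject = self.subjects[subject_id]
        if subject.state != "active":
            raise PermissionError(f"{subject_id} is offboarded; no new access")
        if approver == subject_id:
            raise PermissionError("self-approval is not an approval")
        now = self.clock()
        entry = Entitlement(subject_id, resource, approver, purpose, now, now + ttl if ttl else None)
        self.entries.append(entry)
        self._log("GRANT", subject_id, f"{resource} by={approver} purpose={purpose!r} "
                  f"expires={entry.expires_at.isoformat() if ttl else 'standing'}")
        return entry

    def issue_credential(self, subject_id: str, credential_id: str) -> None:
        # A credential is only ever issued against an active entitlement, never on its own.
        if not self.active(subject_id):
            raise PermissionError(f"{subject_id} holds no active entitlement; no credential")
        self.credentials.setdefault(subject_id, set()).add(credential_id)
        self._log("ISSUE_CRED", subject_id, credential_id)

    def revoke(self, entry: Entitlement, reason: str) -> None:
        if entry.revoked_at is not None:
            return
        entry.revoked_at = self.clock()
        self._log("REVOKE", entry.subject_id, f"{entry.resource} reason={reason}")
        # Token invalidation rides on the entitlement change, not on a separate manual queue.
        if not self.active(entry.subject_id):
            for cred in sorted(self.credentials.pop(entry.subject_id, set())):
                self._log("INVALIDATE_CRED", entry.subject_id, cred)

    def handle_event(self, event: dict) -> int:
        """Authoritative HR/ITSM/procurement/directory events drive revocation; returns the count revoked."""
        subject, before = self.subjects[event["subject_id"]], len(self.active())
        if event["type"] == "leaver":
            subject.state = "offboarded"
            for e in self.active(subject.subject_id):
                self.revoke(e, f"leaver:{event['source']}")
        elif event["type"] == "mover":  # old-role access goes; new access is re-requested via grant()
            for e in self.active(subject.subject_id):
                if e.resource not in event.get("retain", ()):
                    self.revoke(e, f"mover:{event['source']}")
        return before - len(self.active())

    def expire(self) -> int:
        # Scheduled sweep: temporary and exception grants die on their own clock.
        due = [e for e in self.active() if e.expires_at and e.expires_at <= self.clock()]
        for e in due:
            self.revoke(e, "expired")
        return len(due)

    def orphans(self) -> list[str]:
        # Live access or credentials whose subject, or whose named owner, is no longer active.
        found = []
        for sid, s in self.subjects.items():
            owner = self.subjects.get(s.owner_id) if s.owner_id else s
            if (owner is None or owner.state != "active") and (self.active(sid) or self.credentials.get(sid)):
                found.append(sid)
        return found
```

Two design choices are deliberate. A leaver event revokes the person's own entitlements and invalidates their credentials in the same call, but it does not kill service accounts that person owned, because that would take production down on someone's last day; those accounts instead appear in `orphans()` until an owner reassignment is approved and written to the ledger. And `expire()` is meant to run from a scheduler, which is what turns "short expiration windows" for exceptions and temporary access from a policy statement into a control.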
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Lifecycle control must revoke NHI credentials when the owner, project or employment that justified them ends, so stale or over-exposed credentials do not keep operating. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and entitlements are defined in policy, managed, enforced and reviewed; that depends on one consistent entitlement record. |
| NIST CSF 2.0 | PR.AA-01 (PR.AC-1 in CSF 1.1) | Identities and credentials for users, services and hardware are managed by the organisation, which in practice means issuance from a trusted source of truth. |
Bind provisioning and revocation to one lifecycle workflow and rotate or retire credentials on every entitlement change.
Related resources from NHI Mgmt Group
- How should organisations connect HR systems to IAM without creating access drift?
- When should organisations prioritise deprovisioning over new access requests?
- What is the difference between onboarding access and offboarding control?
- How do organisations know whether temporary access is actually working?