
Who is accountable when HR and IT access handoffs fail?

Accountability should sit with the identity governance process owner, not with whichever team spots the problem last. HR owns source events, IT owns technical enforcement, and application owners own access decisions for their systems. When those responsibilities are not explicit, stale access and provisioning delays become routine.

Why This Matters for Security Teams

When HR and IT handoffs fail, the problem is not just process friction. It becomes an access governance failure that can leave former employees active in systems, delay new-hire access, and create ambiguous ownership for exceptions. The practical question is not who noticed the issue first, but who is accountable for the control that should have prevented it. That is why the OWASP Non-Human Identity Top 10 matters even in human-led workflows: identity lifecycle failures often become the first sign that ownership is unclear.

For security teams, the stakes are broader than onboarding and offboarding. Handoff gaps can also affect service accounts, shared admin access, and application-specific entitlements that rely on HR data for triggers but IT controls for enforcement. NHI Management Group has documented how identity failures compound into exposure across the lifecycle in the Ultimate Guide to NHIs. In practice, many security teams encounter stale access only after a termination, audit finding, or incident has already exposed the gap, rather than through intentional control design.

How It Works in Practice

Accountability should be assigned by control ownership, not by whichever team operates the ticketing queue. HR is accountable for source-of-truth events such as hire, transfer, leave, and termination. IT is accountable for technical enforcement across identity stores, directories, and provisioning tools. Application owners are accountable for access decisions inside their systems, including privileged entitlements and exceptions. That division is what makes the handoff testable: each layer has one owner whose output can be checked against the next.

A workable model usually includes three layers:

  • Source event integrity: HR records must be timely, complete, and mapped to downstream identity attributes.
  • Provisioning enforcement: IT must translate those events into joiner, mover, and leaver actions with clear service-level targets.
  • Application approval: app owners must review role design, exception handling, and periodic recertification.

Current guidance suggests that the identity governance process owner should track end-to-end performance because no single team can see the whole failure chain. This is where the 52 NHI Breaches Analysis is useful as a cautionary reference: access problems persist when lifecycle ownership is diffuse. A practical control set also includes audit trails, escalation paths, and clear remediation deadlines when HR and IT records disagree. The OWASP Non-Human Identity Top 10 frames this as an identity governance weakness, not just an operations issue, because accountability must survive organizational boundaries. These controls tend to break down when mergers, contractor workflows, or decentralized app onboarding create multiple systems of record that do not reconcile cleanly.

Common Variations and Edge Cases

Tighter accountability often increases coordination overhead, requiring organizations to balance faster provisioning against stronger review and escalation discipline. That tradeoff is real, especially where HR data quality is inconsistent or where business units insist on local exceptions.

There is no universal standard for every handoff model, but current guidance suggests a few common patterns. In small organizations, one identity governance owner may cover HR and IT workflow alignment as a single function. In larger enterprises, accountability is often split across a central IAM team, HR operations, and application governance councils. Contractors, interns, and contingent workers usually need separate treatment because their lifecycle events may come from procurement or vendor management rather than HR.

One operational edge case is emergency access removal. If IT disables access before HR updates the source record, the control still “worked,” but the organization may not know whether the termination event was complete. Another is delegated administration, where app owners approve access but IT cannot enforce cleanup without a reliable entitlement inventory. In those cases, the accountable party is still the process owner for the broken control, while the contributing teams own their specific inputs. NHI Management Group’s DeepSeek breach coverage is a reminder that identity and access failures become more dangerous when records, credentials, and enforcement drift apart.
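The three-layer model above and the two edge cases in this section (an emergency disable that runs ahead of the HR record, and delegated entitlements with no reliable inventory) come down to one recurring check: compare the HR system of record against the directory, and give every disagreement an accountable team and a remediation deadline. The script below is an added example, not code from NHI Management Group or from any named product. The HR rows, directory rows, entitlement owners and SLA values are constructed, and the accountable-party mapping follows the ownership split this page describes.

```python
"""Joiner/mover/leaver reconciliation between an HR system of record and a
directory, producing one finding per disagreement with the accountable team
and a remediation deadline. Added example; every row below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed service-level targets, in days, per lifecycle action.
SLA_DAYS = {"leaver": 1, "joiner": 3, "mover": 7}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    accountable: str  # team that owns the broken input or control
    deadline: date
    overdue: bool


def reconcile(hr, directory, entitlement_owners, as_of):
    """hr: {user: {"status": "active"|"terminated", "dept": str, "event_date": date}}
    directory: {user: {"enabled": bool, "groups": [str], "disabled_by": str|None}}
    entitlement_owners: {group: owning dept}; a group missing here has no inventory record.
    """
    findings = []

    def flag(user, issue, accountable, action, event_date):
        deadline = event_date + timedelta(days=SLA_DAYS[action])
        findings.append(Finding(user, issue, accountable, deadline, as_of > deadline))

    for user, rec in hr.items():
        acct = directory.get(user)
        if rec["status"] == "terminated":
            # Leaver: the HR event exists, IT enforcement has not caught up.
            if acct is not None and acct["enabled"]:
                flag(user, "terminated in HR but directory account enabled", "IT", "leaver", rec["event_date"])
            continue
        if acct is None:
            flag(user, "active in HR but no directory account", "IT", "joiner", rec["event_date"])
            continue
        if not acct["enabled"]:
            if acct["disabled_by"] == "IT-emergency":
                # Emergency removal ran ahead of HR: enforcement worked, the source record is the gap.
                # There is no HR event to anchor to, so the clock starts at detection.
                flag(user, "disabled by IT but HR still active; termination event unconfirmed", "HR", "leaver", as_of)
            else:
                flag(user, "active in HR but directory account disabled", "IT", "joiner", rec["event_date"])
            continue
        for group in acct["groups"]:
            if group not in entitlement_owners:
                # Delegated admin without an inventory: nobody can enforce cleanup.
                flag(user, f"entitlement {group} has no recorded owner", "process owner", "mover", rec["event_date"])
            elif entitlement_owners[group] != rec["dept"]:
                # Mover: the transfer is recorded in HR, the old department's access is still attached.
                owner = entitlement_owners[group]
                flag(user, f"holds {group} owned by {owner} after transfer to {rec['dept']}",
                     f"app owner ({owner})", "mover", rec["event_date"])

    for user, acct in directory.items():
        if user not in hr and acct["enabled"]:
            # No HR source event at all: contractor, vendor-managed or service identity
            # that needs its own system of record before anyone can own its lifecycle.
            flag(user, "enabled account with no HR record", "process owner", "leaver", as_of)
    return findings


# Constructed sample data. Dates are arbitrary.
AS_OF = date(2025, 3, 10)
HR = {
    "alice": {"status": "terminated", "dept": "finance", "event_date": date(2025, 3, 5)},
    "bob": {"status": "active", "dept": "finance", "event_date": date(2025, 3, 9)},  # new hire
    "carol": {"status": "active", "dept": "sales", "event_date": date(2025, 2, 20)},  # moved from finance
    "dave": {"status": "active", "dept": "eng", "event_date": date(2024, 1, 8)},
}
DIRECTORY = {
    "alice": {"enabled": True, "groups": ["finance-ledger"], "disabled_by": None},
    "carol": {"enabled": True, "groups": ["finance-ledger", "crm-admin"], "disabled_by": None},
    "dave": {"enabled": False, "groups": ["eng-prod"], "disabled_by": "IT-emergency"},
    "svc-backup": {"enabled": True, "groups": ["prod-backup"], "disabled_by": None},
}
ENTITLEMENT_OWNERS = {"finance-ledger": "finance", "eng-prod": "eng", "prod-backup": "eng"}


def run_example():
    return reconcile(HR, DIRECTORY, ENTITLEMENT_OWNERS, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        state = "OVERDUE" if f.overdue else "due"
        print(f"{f.user:<11} {f.accountable:<20} {state} {f.deadline}  {f.issue}")
```

Run against real HR and directory exports on a schedule and route each finding to the team named in `accountable`, with the identity governance process owner tracking the overdue count end to end. The `disabled_by` check is the point of the emergency-removal edge case: a disabled account whose HR record is still active is an HR source gap to confirm, not a provisioning failure to "fix" by re-enabling the account.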

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance outcomes and NIST SP 800-63 sets the identity assurance requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OV-01 | Clarifies accountability for governance outcomes across HR and IT handoffs.
OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Identity lifecycle breakdowns, above all failed offboarding, are a core non-human identity governance risk.
NIST SP 800-63 | IAL/AAL lifecycle governance | Identity proofing and lifecycle assurance depend on clear source-of-truth responsibilities.

Tie identity lifecycle events to authoritative sources and enforce timely updates across systems.