Because most access changes happen between those events. Promotions, transfers, temporary elevations, project assignments, and manager changes all alter what access is appropriate, but many organisations treat them as exceptions. The result is accumulated privilege creep and stale access that survives long after the role has changed.
Why This Matters for Security Teams
Joiner and leaver workflows were built for human role changes, but most access risk now accumulates outside those neat event boundaries. Promotions, temporary project access, cross-functional assignments, and manager changes all create entitlement drift that stays active unless someone actively cleans it up. Current guidance suggests treating access as a lifecycle problem, not a one-time HR transaction, because stale access is exactly what attackers look for once an account becomes overprovisioned.
That is why NHI Management Group treats lifecycle visibility as core security work, not administrative hygiene. The same pattern appears in machine access too: once credentials or entitlements are granted, they tend to persist far longer than intended. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs shows how unmanaged lifecycle gaps drive privilege creep, while the NIST Cybersecurity Framework 2.0 frames identity governance as an ongoing control function rather than a periodic event.
In practice, many security teams discover excessive access only after a role change has already been exploited or after offboarding has failed to remove a lingering entitlement.
How It Works in Practice
The practical failure is that joiner and leaver processes are usually event-driven, while access risk is state-driven. A person does not stop needing access the moment their job title changes, and they rarely need all their old access the moment they leave a team. That mismatch creates the classic buildup of privilege creep: access granted for one purpose remains attached to the identity long after the original need has passed.
A stronger model treats access as continuously evaluated. Security teams should maintain a current inventory of entitlements, compare them to role and project context, and remove anything that is no longer justified. The OWASP Non-Human Identity Top 10 is about machine identities, but the operational lesson carries over: static access without lifecycle control becomes stale access. NHIMG’s Ultimate Guide to NHIs also highlights how long-lived privileges and poor visibility compound over time.
- Trigger access reviews on promotions, transfers, manager changes, and project exits, not just onboarding and termination.
- Use role mining and entitlement baselines to identify where access exceeds current need.
- Apply just-in-time elevation for temporary exceptions instead of granting permanent access for convenience.
- Revoke access automatically when the business justification expires, and verify removal in downstream systems.
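To make the continuous-evaluation model above concrete, here is an added Python example. It is not NHIMG's code or any IAM product's API; the role baselines, users, entitlement names and the downstream snapshot are constructed sample data. It computes each identity's justified set as the union of its current role baselines plus unexpired, owner-attributed exceptions (so a matrixed user who legitimately holds several profiles produces no false findings), treats a promotion as a role replacement that triggers a review of everything the old role justified, and checks a downstream snapshot after revocation so a removal that did not propagate is surfaced instead of assumed.

```python
"""Entitlement drift check for mover events.

Added worked example for this guide; it is not code from NHIMG or any IAM
product, and every role, user and entitlement name below is constructed
sample data. It compares an identity's live entitlements with what its
current roles and unexpired, owned exceptions justify, flags the rest as
stale, and verifies removal against a downstream snapshot."""
from dataclasses import dataclass, field
from datetime import date

# Assumed role baselines: what role mining says each role legitimately needs.
ROLE_BASELINES = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "eng-manager": {"git:read", "hr:team-view", "expense:approve"},
    "finance-analyst": {"erp:read", "expense:report"},
}


@dataclass
class TimeBoundGrant:
    """An exception outside any baseline: it must have an owner and an expiry."""
    entitlement: str
    owner: str
    expires: date


@dataclass
class Identity:
    uid: str
    roles: set[str]
    entitlements: set[str]                      # what IAM currently shows
    grants: list[TimeBoundGrant] = field(default_factory=list)


def justified(identity: Identity, today: date) -> set[str]:
    """Union of every current role's baseline (matrixed users may hold
    several roles at once) plus exceptions that have not yet expired."""
    allowed: set[str] = set()
    for role in identity.roles:
        allowed |= ROLE_BASELINES.get(role, set())
    allowed |= {g.entitlement for g in identity.grants if g.expires >= today}
    return allowed


def stale_access(identity: Identity, today: date) -> set[str]:
    """Entitlements the identity holds that nothing justifies today."""
    return identity.entitlements - justified(identity, today)


def review_on_role_change(identity: Identity, new_roles: set[str], today: date) -> set[str]:
    """Mover trigger: apply the new roles and return what now needs review.
    A promotion replaces roles rather than adding to them, so access derived
    from the old role shows up here instead of silently surviving."""
    identity.roles = set(new_roles)
    return stale_access(identity, today)


def revoke_and_verify(identity: Identity, stale: set[str],
                      downstream: dict[str, set[str]]) -> dict[str, set[str]]:
    """Remove stale grants from the IAM view, then check each downstream
    system's own snapshot; anything still present there is a failed removal."""
    identity.entitlements -= stale
    identity.grants = [g for g in identity.grants if g.entitlement not in stale]
    return {system: stale & live for system, live in downstream.items() if stale & live}


def demo() -> dict:
    today = date(2025, 3, 1)
    # Alice was an engineer, got a short prod exception in January, and was
    # promoted to manager. Nobody cleaned up after either event.
    alice = Identity(
        uid="alice",
        roles={"engineer"},
        entitlements={"git:read", "git:write", "ci:run", "prod:db-admin"},
        grants=[TimeBoundGrant("prod:db-admin", owner="sre-lead", expires=date(2025, 1, 31))],
    )
    # Bob is matrixed across engineering and finance: both baselines apply.
    bob = Identity(uid="bob", roles={"engineer", "finance-analyst"},
                   entitlements={"git:read", "git:write", "ci:run", "erp:read", "expense:report"})

    before = stale_access(alice, today)          # only the expired exception
    to_review = review_on_role_change(alice, {"eng-manager"}, today)
    # Constructed downstream snapshot: CI already dropped ci:run, Git has not.
    downstream = {"github": {"git:read", "git:write"}, "ci": set()}
    lingering = revoke_and_verify(alice, to_review, downstream)
    return {
        "alice_before_promotion": before,
        "alice_review_set": to_review,
        "alice_lingering": lingering,
        "bob_stale": stale_access(bob, today),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the module prints four results: the expired exception is already stale before any HR event, the promotion adds the old engineering entitlements to the review set, the downstream check reports that `git:write` is still live in the Git system after the IAM-side revocation, and the matrixed user produces no findings because both of his role baselines are counted. The design point is that a grant with an owner and an expiry date ages out on its own, so it surfaces in review without waiting for a mover or leaver trigger.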
Where organisations mature further, they connect HR, IAM, PAM, and ticketing so access changes follow the business event automatically instead of waiting for a manual review. That guidance breaks down in highly decentralized environments with many shadow systems because entitlements drift faster than governance processes can reconcile them.
Common Variations and Edge Cases
Tighter access governance often increases operational overhead, so organisations must balance security gain against business friction. That tradeoff is especially visible in matrixed teams, contractors, and shared-service environments where one person may legitimately need several overlapping access profiles at once. Current guidance suggests handling those cases with explicit expiry dates, approval ownership, and periodic recertification rather than granting broad standing access.
There is no universal standard for perfectly modeling every access change yet, but the direction is clear: reduce standing privilege and make exceptions visible. NHI Management Group’s Top 10 NHI Issues and the 52 NHI Breaches Analysis both reinforce the same operational lesson, which is that access left in place is access that can be reused, abused, or forgotten.
For teams already struggling with leaver cleanup, the priority is usually not a perfect entitlement model. It is eliminating the largest stale-access paths first, especially shared accounts, dormant admin rights, and exceptions that never expire. In mixed human and machine estates, the risk compounds because the same process weaknesses that leave people overprivileged also leave secrets and service accounts exposed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF provide the governance and control framing practitioners map their lifecycle controls to. All three are voluntary frameworks, so the rows below describe alignment rather than mandatory compliance requirements.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control; the CSF 1.1 identifier was PR.AC-4) | Access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed with least privilege and separation of duties; that is a continuous function, not something done only at join/leave events. |
| OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Machine identities that survive offboarding or hold more than their current purpose needs are the same access-persistence risk described above for human movers and leavers. |
| NIST AI RMF | GOVERN function | Risk governance should account for changing identity context and access drift over time, including for the identities that AI systems and their pipelines use. |
Use AI RMF governance practices to monitor identity-related risk continuously across the lifecycle.