Joiner-mover-leaver feed

A joiner-mover-leaver feed is the lifecycle signal that tells downstream systems when a person or non-human identity has been onboarded, changed roles, or left the organisation. For detection, it turns identity activity from an isolated event into a governance-aware signal.

Expanded Definition

A joiner-mover-leaver feed is the identity lifecycle signal that notifies downstream systems when a person or NHI is created, modified, or removed. In NHI operations, it is more than a HR event stream: it is the control point that keeps access, ownership, rotation, and deprovisioning aligned across IAM, PAM, vaults, CI/CD, and application registries.

Definitions vary across vendors on whether the feed is limited to workforce records or also includes machine identities, but in NHI Management Group usage it should cover any lifecycle change that affects trust, privilege, or secret handling. That makes it a governance input, not just an integration artifact. The feed should map to events such as joiner onboarding, mover privilege changes, secret ownership changes, certificate renewal triggers, and leaver revocation. This aligns with NIST Cybersecurity Framework 2.0, which treats identity governance as an operational security function rather than a one-time setup. The most common misapplication is treating the feed as an HR-only notification, which occurs when machine identities, service accounts, and automation credentials are excluded from lifecycle processing.

Examples and Use Cases

Implementing a joiner-mover-leaver feed rigorously often introduces integration and governance overhead, requiring organisations to weigh faster access changes against the cost of synchronising multiple identity stores and approval workflows.

  • A new developer is onboarded, and the feed creates an NHI owner record, grants scoped CI/CD access, and assigns vault policy at the same time.
  • An application owner changes teams, and the feed updates ownership for service accounts, rotates secrets, and revalidates approvals before old access persists.
  • A contractor leaves, and the feed triggers account disablement, token revocation, certificate invalidation, and removal from shared automation groups.
  • A platform team modernises service account handling after reading the Ultimate Guide to NHIs, using the feed to ensure offboarding reaches every dependent system.
  • An organisation aligns lifecycle events to the NIST Cybersecurity Framework 2.0 by linking identity change events to access review and revocation tasks.

In practice, the feed is most valuable when it connects otherwise isolated systems that would not independently know an identity has changed.
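The joiner, mover and leaver cases above, as an added example that is not part of the original page or any vendor's product: a small feed consumer that expands each lifecycle event into the downstream tasks the page lists and cascades a human owner's mover or leaver event to the non-human identities that person owns, so that machine identities are never left out of lifecycle processing. The task names, the `JmlEvent` shape and the owner registry are assumptions made for illustration; the sample registry and feed are constructed.

```python
from dataclasses import dataclass

# Task names are assumptions for illustration, taken from the cases the page lists.
JOINER_TASKS = ("create-owner-record", "grant-scoped-cicd", "assign-vault-policy")
LEAVER_TASKS = ("disable-account", "revoke-tokens", "invalidate-certs",
                "remove-from-automation-groups")

@dataclass
class JmlEvent:
    kind: str          # "joiner", "mover" or "leaver"
    identity: str
    human: bool        # False for service accounts, API keys, automation agents
    owner: str = ""    # NHI joiner: assigned owner; human mover/leaver: successor ("" = none)

def owned_nhis(person, registry):
    """NHIs whose owner record points at this person."""
    return sorted(n for n, o in registry.items() if o == person)

def process_feed(events, registry):
    """Expand events in order into a downstream task list. Returns (tasks, orphans);
    orphans are NHIs left with no valid owner, the gap an HR-only feed leaves behind."""
    reg, tasks = dict(registry), []       # work on a copy of the ownership registry
    for ev in events:
        if ev.kind == "joiner":
            tasks += [f"{t}:{ev.identity}" for t in JOINER_TASKS]
            if not ev.human:
                reg[ev.identity] = ev.owner   # every NHI must carry an owner record
        elif ev.kind == "mover":
            if ev.human:                      # application owner changed teams
                for nhi in owned_nhis(ev.identity, reg):
                    if ev.owner:
                        reg[nhi] = ev.owner
                        tasks.append(f"update-owner:{nhi}->{ev.owner}")
                    tasks += [f"rotate-secret:{nhi}", f"revalidate-approvals:{nhi}"]
            else:                             # NHI privilege change
                tasks += [f"revalidate-approvals:{ev.identity}", f"rotate-secret:{ev.identity}"]
        elif ev.kind == "leaver":
            tasks += [f"{t}:{ev.identity}" for t in LEAVER_TASKS]
            if ev.human:                      # cascade to every NHI the leaver owned
                for nhi in owned_nhis(ev.identity, reg):
                    reg[nhi] = ev.owner       # "" when no successor was named
                    tasks.append(f"rotate-secret:{nhi}")
                    tasks.append(f"update-owner:{nhi}->{ev.owner}" if ev.owner
                                 else f"reassign-or-revoke:{nhi}")
            else:
                reg.pop(ev.identity, None)    # the NHI itself is gone
        else:
            raise ValueError(f"unknown lifecycle event kind: {ev.kind}")
    return tasks, sorted(n for n, o in reg.items() if not o)

# Constructed sample: Alice owns two NHIs and leaves without a named successor.
SAMPLE_REGISTRY = {"svc-deploy-bot": "alice", "api-key-billing": "alice", "svc-ci-runner": "bob"}
SAMPLE_FEED = [JmlEvent("joiner", "carol", True), JmlEvent("mover", "bob", True, owner="dave"),
               JmlEvent("leaver", "alice", True)]
```

Running `process_feed(SAMPLE_FEED, SAMPLE_REGISTRY)` yields the revocation and rotation worklist plus the two orphaned NHIs that an HR-only feed would have left trusting a departed owner.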

Why It Matters in NHI Security

Joiner-mover-leaver feeds matter because stale identity state is one of the fastest ways for excess privilege to accumulate. When the feed is incomplete, delayed, or limited to humans, downstream controls keep trusting identities that should have been reduced, rotated, or removed. That creates long-lived access paths for service accounts, API keys, certificates, and automation agents. NHI Management Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how often lifecycle handling breaks down in practice.

This is especially dangerous in environments where secrets are scattered outside vaults, because a missing leaver event can leave credentials valid in code, CI/CD pipelines, or application configs long after the business relationship has ended. The Ultimate Guide to NHIs also shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes lifecycle accuracy a direct security requirement. Organisations typically discover the operational cost of a weak joiner-mover-leaver feed only after an offboarding failure, at which point revocation, rotation, and incident containment become unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-02                Lifecycle signals reduce secret sprawl and stale access, core NHI governance concerns.
NIST CSF 2.0                       PR.AC-1               Identity lifecycle changes are foundational to managed access and authorization decisions.
NIST Zero Trust (SP 800-207)                             Zero Trust depends on continuously current identity state and timely privilege changes.

Use JML events to trigger secret revocation, ownership updates, and access review tasks immediately.