Movers accumulate permissions across roles, teams, and inherited groups, while joiners and leavers usually follow clearer lifecycle checkpoints. If governance only focuses on onboarding and offboarding, it misses the point where stale access quietly builds up and becomes difficult to unwind later.
Why Movers Create More Governance Risk Than Lifecycle Checkpoints
Movers are harder to govern because their access changes are incremental, not discrete. A joiner enters through a defined onboarding path, and a leaver exits through a termination path, but a mover may inherit new groups, retain legacy entitlements, and accumulate exceptions across departments. That creates identity sprawl inside a single account, especially when entitlement reviews are tied to hire and exit events instead of role change events. The risk shows up in standing access, over-permissioned accounts, and access drift that remains invisible until an audit or incident. NHI Management Group’s Ultimate Guide to NHIs shows why lifecycle gaps matter so much in practice, while NIST Cybersecurity Framework 2.0 reinforces that access governance has to track changes, not only entrances and exits. In practice, many security teams encounter mover risk only after a role change has already expanded access beyond what the original approval ever intended.
How Access Drift Builds Up During Role Changes
Most organisations grant access through a mix of RBAC, inherited group membership, app-specific permissions, and manual exceptions. When a person changes jobs, managers often request new access quickly, but old access is not always removed with the same urgency. That creates a layered entitlement stack that can include project folders, SaaS admin roles, cloud privileges, and legacy permissions from prior teams. The control problem is not just who approved the new access, but whether the old access was explicitly revalidated.
Current guidance suggests using periodic access recertification plus event-driven reviews for movers, because a scheduled quarterly review alone often arrives too late. A practical approach is to trigger governance whenever a title, department, manager, or location changes. The review should compare current entitlements against the new role baseline, then remove anything that is no longer required. This is especially important for privileged accounts and service-linked access where broad inheritance can mask excessive permissions.
- Trigger access review on role, team, or manager change.
- Compare entitlements to the new job baseline, not the old one.
- Remove inherited groups and exceptions that no longer have business justification.
- Reissue sensitive access only after explicit reapproval.
The operational lesson is that movers should be treated as a change-control event, not a routine user update. The Lifecycle Processes for Managing NHIs section highlights the same principle for non-human identities: permissions must be re-evaluated when context changes, because standing access tends to outlive its original purpose. These controls tend to break down in decentralised organisations where each department can approve access independently because no single owner sees the full entitlement history.
Where Standard Access Reviews Break Down
Tighter mover governance often increases operational overhead, requiring organisations to balance speed against accuracy. The biggest edge case is when access is bundled into broad job families, because the new role may still need some legacy permissions for a transition period. Best practice is evolving here: there is no universal standard for how long transitional access should remain in place, so teams should define expiry dates and require documented justification. Another common exception is high-churn environments where frequent transfers make manual reviews too slow; in those cases, workflow automation and entitlement baselines become more important than meeting-driven approval chains.
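The event-driven review above (trigger on an attribute change, compare against the new baseline, revoke what is unjustified, reissue sensitive access only after reapproval) and the transitional-access rule from this section, worked as an added example rather than any code from the original page. The sensitive-entitlement prefixes, the attribute names and the sample entitlements are constructed assumptions for illustration.

```python
from datetime import date

# Assumed convention for this example: a prefix marks an entitlement as privileged.
SENSITIVE_PREFIXES = ("admin:", "cloud:", "prod:")
# Attribute changes that should open a mover review instead of a routine user update.
REVIEW_TRIGGERS = ("title", "department", "manager", "location")


def review_triggers(before: dict, after: dict) -> list:
    """Return which HR attributes changed; a non-empty list opens a mover review."""
    return [f for f in REVIEW_TRIGGERS if before.get(f) != after.get(f)]


def exception_is_valid(exc, today: date) -> bool:
    """Transitional access survives only with a written justification and an unexpired date."""
    return bool(exc and exc.get("justification") and exc["expires"] >= today)


def mover_review(current: set, baseline: set, exceptions: dict, today: date) -> dict:
    """Compare current entitlements against the NEW role baseline, not the old one.

    exceptions maps entitlement -> {"expires": date, "justification": str}.
    Buckets: keep, revoke, reapprove (sensitive, reissued only after reapproval), grant.
    """
    out = {"keep": set(), "revoke": set(), "reapprove": set(), "grant": set()}
    for ent in current:
        if ent in baseline or exception_is_valid(exceptions.get(ent), today):
            # Privileged access is never carried over silently across a role change.
            bucket = "reapprove" if ent.startswith(SENSITIVE_PREFIXES) else "keep"
        else:
            bucket = "revoke"  # legacy or inherited access with no business justification
        out[bucket].add(ent)
    out["grant"] = baseline - current  # new-role access still to be requested
    return out


# Constructed sample: an analyst moves from Finance to Engineering.
BEFORE = {"title": "Analyst", "department": "Finance", "manager": "m1", "location": "LON"}
AFTER = {"title": "Engineer", "department": "Engineering", "manager": "m2", "location": "LON"}
CURRENT = {"grp:all-staff", "grp:finance-shared", "saas:expense-tool",
           "admin:finance-saas", "cloud:dev-readonly"}
BASELINE = {"grp:all-staff", "grp:eng", "cloud:dev-readonly"}
EXCEPTIONS = {"grp:finance-shared": {"expires": date(2024, 3, 31),
                                     "justification": "month-end close handover"}}
REVIEW_DAY = date(2024, 3, 15)      # exception still valid
AFTER_EXPIRY = date(2024, 4, 1)     # exception has lapsed

if __name__ == "__main__":
    if review_triggers(BEFORE, AFTER):
        for bucket, ents in mover_review(CURRENT, BASELINE, EXCEPTIONS, REVIEW_DAY).items():
            print(f"{bucket:>9}: {sorted(ents)}")
```

Running it with the lapsed date instead of REVIEW_DAY moves the finance group into the revoke bucket, which is the expiry check the transitional-access rule depends on.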
Security teams should also watch for “soft movers” such as contractors, internal transfers, and temporary acting roles, because these users often bypass the formal joiner-mover-leaver workflow even while their effective access changes substantially. NHI Management Group’s Top 10 NHI Issues points to the same governance failure pattern: identity risk rises when credentials and permissions are left to accumulate without lifecycle discipline. For broader access governance context, CISA Zero Trust Maturity Model and SPIFFE both support the idea that identity must be continuously re-evaluated against current context rather than assumed stable. The hard part is not approving change, but proving that obsolete access was actually removed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-03 | Identity lifecycle controls should track access changes during role moves. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Excess standing access and weak lifecycle revocation mirror NHI governance gaps. |
| NIST AI RMF | | Adaptive governance is needed when identity context changes over time. |
Use continuous monitoring and human oversight to reassess access whenever operational context shifts.