A joiner, mover, leaver workflow is the process that grants, updates, and removes access as a user or identity changes state. In modern programs, the same logic should extend beyond employees to service accounts and AI agents so access does not persist after need ends.
Expanded Definition
A joiner, mover, leaver workflow is the lifecycle control that grants, modifies, and removes access when an identity is created, changes role, or exits. In NHI programs, the same process should cover service accounts, API keys, workloads, and AI agents, not just human users.
Definitions vary across vendors because some IAM teams treat the workflow as an HR trigger, while security teams treat it as an authorization state machine. For NHI security, the practical goal is consistent entitlement change tied to a source of truth, policy, and time-bound approval. That means a joiner event may create a service account with scoped access, a mover event may rotate credentials and narrow permissions, and a leaver event may revoke tokens, disable accounts, and archive audit evidence. This is closely aligned with the lifecycle thinking reflected in the Ultimate Guide to NHIs and the access governance expectations in NIST Cybersecurity Framework 2.0.
The most common misapplication is treating leaver processing as a human-offboarding task only, which occurs when service accounts, secrets, and AI agents are excluded from the same lifecycle controls.
Examples and Use Cases
Implementing joiner, mover, leaver workflows rigorously often introduces coordination overhead, requiring organisations to balance automation speed against approval quality and evidence retention.
- A new CI/CD pipeline is onboarded as a joiner, assigned a narrowly scoped role, and issued secrets from a managed vault instead of hardcoded credentials.
- An AI agent becomes a mover when its tool access expands to production systems, triggering reauthorization, logging, and a fresh risk review.
- A departing contractor is a leaver, so tokens, certificates, and API keys are revoked immediately rather than waiting for a manual ticket queue.
- A platform team rotates a service account during a mover event because the workload changed clusters and inherited broader permissions than intended.
- An organisation validates offboarding against the lifecycle guidance in the Ultimate Guide to NHIs while using NIST Cybersecurity Framework 2.0 to tie access changes to governance and auditability.
These examples show why the workflow is not just an HR bridge. It is the mechanism that keeps identity state, privilege state, and business state aligned as systems change.
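As an added worked example (not code from this page or from NHIMG), the state machine from the definition above is implemented for the first three use cases in the list: a joiner pipeline, a mover AI agent, and a leaver contractor. An in-memory dict stands in for the managed vault and IAM store, and every identity name, approver, and entitlement string is constructed for the illustration.

```python
"""Joiner / mover / leaver as an authorization state machine for NHIs.
Added illustration, not code from the page or NHIMG; an in-memory dict stands in
for the managed vault, and every identifier and entitlement string is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Approval:
    approver: str
    granted_at: datetime
    valid_for: timedelta = timedelta(hours=24)   # approvals are time-bound, not standing


@dataclass
class Identity:
    name: str
    kind: str                          # "service_account", "ai_agent", "contractor", ...
    entitlements: frozenset = frozenset()
    credential_id: str = ""
    state: str = "active"              # active -> leaver (terminal)


class Lifecycle:
    """Every transition is approved, time-bound, and leaves audit evidence."""

    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.identities, self.audit = {}, []
        self.vault = {}                # credential_id -> secret (stand-in for a secrets manager)

    def _log(self, event, name, **detail):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, "identity": name, **detail})

    def _check_approval(self, name, approval):
        if approval is None or self.clock() > approval.granted_at + approval.valid_for:
            self._log("change_rejected", name, reason="missing or expired approval")
            raise PermissionError(f"{name}: entitlement change needs a current approval")

    def _revoke(self, ident):
        if ident.credential_id in self.vault:
            del self.vault[ident.credential_id]
            self._log("credential_revoked", ident.name, credential_id=ident.credential_id)
        ident.credential_id = ""

    def _issue(self, ident):
        ident.credential_id = "cred-" + secrets.token_hex(4)
        self.vault[ident.credential_id] = secrets.token_urlsafe(32)
        self._log("credential_issued", ident.name, credential_id=ident.credential_id)

    def joiner(self, name, kind, entitlements, approval):
        """Create the identity with only the approved, scoped entitlements."""
        if name in self.identities:
            raise ValueError(f"{name} already exists")
        self._check_approval(name, approval)
        ident = self.identities[name] = Identity(name, kind, frozenset(entitlements))
        self._issue(ident)
        self._log("joiner", name, entitlements=sorted(ident.entitlements), approver=approval.approver)
        return ident

    def mover(self, name, new_entitlements, approval):
        """Replace (never accumulate) entitlements and rotate the credential."""
        ident = self.identities[name]
        if ident.state != "active":
            raise ValueError(f"{name} is {ident.state}; only active identities can move")
        self._check_approval(name, approval)
        new = frozenset(new_entitlements)
        self._log("mover", name, removed=sorted(ident.entitlements - new),
                  added=sorted(new - ident.entitlements), approver=approval.approver)
        ident.entitlements = new
        self._revoke(ident)            # the pre-move secret stops working immediately
        self._issue(ident)
        return ident

    def leaver(self, name):
        """Revoke, disable, and archive the audit trail; removal needs no approval gate."""
        ident = self.identities[name]
        self._revoke(ident)
        ident.entitlements, ident.state = frozenset(), "leaver"
        self._log("leaver", name)
        return [e for e in self.audit if e["identity"] == name]   # archived evidence


def demo():
    """The three use cases from the list above, on constructed identities."""
    lc, now = Lifecycle(), datetime.now(timezone.utc)
    ok = Approval("platform-lead", now)
    # Joiner: a new CI/CD pipeline gets a narrow role and a vault-issued secret.
    lc.joiner("ci-pipeline-42", "service_account", {"repo:read", "artifact:push"}, ok)
    # Mover: an AI agent's tool access reaches production, so it is reauthorized and rotated.
    lc.joiner("support-agent", "ai_agent", {"tickets:read"}, ok)
    lc.mover("support-agent", {"tickets:read", "prod-db:read"}, Approval("security-review", now))
    # Leaver: a departing contractor's key is revoked immediately, not queued on a ticket.
    lc.joiner("contractor-jd", "contractor", {"repo:read"}, ok)
    lc.leaver("contractor-jd")
    # A stale approval cannot widen the pipeline's access; the refusal is itself logged.
    try:
        lc.mover("ci-pipeline-42", {"repo:read", "prod-db:write"}, Approval("platform-lead", now - timedelta(days=2)))
    except PermissionError:
        pass
    return lc
```

Two design choices carry the security point: a mover replaces the entitlement set rather than adding to it, so a move can only widen access when the wider set is explicitly approved, and every credential is revoked from the vault before a new one is issued, so the pre-move secret cannot linger as an orphan.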
Why It Matters in NHI Security
Joiner, mover, leaver discipline matters because access drift is a primary cause of overprivilege, orphaned secrets, and stale agent permissions. When an identity changes state but its entitlements do not, the result is standing access that no longer matches operational need. That is especially dangerous for NHIs, where credentials are often embedded in code, pipelines, or machine-to-machine trust paths.
NHIMG research, as reported in the Ultimate Guide to NHIs, finds that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. In practice, that gap means many leaver events never fully complete, and mover events may widen access instead of narrowing it. The risk is consistent with the governance focus of NIST Cybersecurity Framework 2.0, which emphasises access control, asset visibility, and continuous protection.
Organisations typically encounter the consequences only after a breach, a failed audit, or an incident response review reveals that old credentials and permissions were never removed, at which point joiner, mover, leaver control becomes operationally unavoidable to fix.
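The access drift described above can be found before a breach or audit forces the issue by reconciling the identity source of truth against what IAM and the vault actually hold. The following is an added example, not code from this page or from NHIMG: the inventories are constructed, and in practice they would come from an HR/CMDB export, an IAM entitlement dump, and the secrets manager's credential inventory.

```python
"""Access-drift check: compare the identity source of truth with what IAM and the
vault actually hold. Added illustration, not code from the page or NHIMG; all
records below are constructed, and real inputs would come from HR/CMDB exports,
IAM entitlement dumps, and the secrets manager's inventory."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Finding = namedtuple("Finding", "kind identity detail")

# Constructed sample inventories.
SOURCE_OF_TRUTH = {                       # identity state and approved scopes
    "ci-pipeline-42": {"state": "active", "approved": {"repo:read", "artifact:push"}},
    "support-agent":  {"state": "active", "approved": {"tickets:read"}},
    "contractor-jd":  {"state": "leaver", "approved": set()},
}
OBSERVED_ENTITLEMENTS = {                 # what the IAM system currently grants
    "ci-pipeline-42": {"repo:read", "artifact:push"},
    "support-agent":  {"tickets:read", "prod-db:write"},   # widened during a cluster move
    "contractor-jd":  {"repo:read"},                        # leaver event never completed
    "legacy-backup":  {"s3:*"},                             # no record in the source of truth
}
OBSERVED_CREDENTIALS = [                  # what the vault still holds
    {"id": "cred-a1", "identity": "ci-pipeline-42", "issued": "2024-01-05T00:00:00+00:00"},
    {"id": "cred-b2", "identity": "support-agent",  "issued": "2024-05-20T00:00:00+00:00"},
    {"id": "cred-c3", "identity": "contractor-jd",  "issued": "2024-03-01T00:00:00+00:00"},
    {"id": "cred-d4", "identity": "legacy-backup",  "issued": "2023-02-11T00:00:00+00:00"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is reproducible


def find_drift(sot, entitlements, credentials, now, max_age=timedelta(days=90)):
    """Return every place where privilege state has drifted from identity state."""
    findings = []
    for name, scopes in entitlements.items():
        record = sot.get(name)
        if record is None:
            findings.append(Finding("unowned_identity", name, sorted(scopes)))
        elif record["state"] == "leaver" and scopes:
            findings.append(Finding("leaver_incomplete", name, sorted(scopes)))
        elif scopes - record["approved"]:
            findings.append(Finding("excess_entitlement", name, sorted(scopes - record["approved"])))
    for cred in credentials:
        owner = sot.get(cred["identity"])
        if owner is None or owner["state"] == "leaver":
            findings.append(Finding("orphaned_credential", cred["identity"], cred["id"]))
        elif now - datetime.fromisoformat(cred["issued"]) > max_age:
            findings.append(Finding("stale_credential", cred["identity"], cred["id"]))
    return findings


def remediation(finding):
    """Map each drift kind to the lifecycle event that closes it."""
    return {
        "unowned_identity":    "run joiner (assign owner, approve scopes) or leaver (remove)",
        "leaver_incomplete":   "rerun leaver: revoke credentials, clear entitlements, disable",
        "excess_entitlement":  "run mover: reauthorize or remove the unapproved scopes",
        "orphaned_credential": "revoke from the vault and record the revocation",
        "stale_credential":    "rotate on a mover event or scheduled rotation",
    }[finding.kind]


if __name__ == "__main__":
    for f in find_drift(SOURCE_OF_TRUTH, OBSERVED_ENTITLEMENTS, OBSERVED_CREDENTIALS, NOW):
        print(f"{f.kind:20} {f.identity:16} {f.detail} -> {remediation(f)}")
```

Run on the constructed data it reports six findings: the agent's unapproved production scope, the contractor whose leaver never completed, an identity with no owner, one credential past its rotation age, and two credentials whose owners are gone. Scheduling this reconciliation turns "we only find out after the audit" into a routine lifecycle event.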
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Lifecycle and offboarding failures are central NHI risk patterns. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access must change as identities join, move, or leave. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust requires continuous verification as identity state changes. |
Review entitlements on each lifecycle event and remove excess access promptly.