By NHI Mgmt Group Editorial Team. Published 2025-06-26. Domain: Governance & Risk. Source: StrongDM

TL;DR: Access onboarding and termination policies are meant to enforce least privilege, automate offboarding, and prevent internal misuse, but StrongDM’s guidance shows they still fail when role changes, third-party systems, and manual handoffs are left outside the process. The real issue is that access review cadences assume lifecycle events are captured consistently, which is often untrue.


At a glance

What this is: This is a best-practices article on access onboarding and termination policy design, with the key finding that least privilege only works when lifecycle handoffs and offboarding are tightly controlled.

Why it matters: It matters because IAM teams still lose control when onboarding, role change, and termination workflows do not cover every system, every owner, and every external portal in the access chain.

👉 Read StrongDM's access onboarding and termination policy guidance


Context

Access onboarding and termination policy is the governance layer that decides who gets access, when that access changes, and how quickly it is removed. In plain terms, it is the control that turns HR events into technical entitlement changes across systems, including external portals and support tools.

The problem is not the policy concept itself, but the lifecycle gap between people, process, and systems. When role changes are not recertified and termination is handled manually, standing access lingers past its intended purpose, which creates risk across human IAM, privileged access, and adjacent non-human accounts managed through the same workflows.


Key questions

Q: How should security teams write an access onboarding and termination policy?

A: Start with the full lifecycle of access, not just account creation. Define who requests access, who approves it, how role changes are handled, and how termination triggers revocation across every system that can reach data. The policy should include ownership, review cadence, and evidence capture so access always maps to current job function.

Q: Why do role changes create access risk in IAM programmes?

A: Role changes often preserve old permissions while adding new ones, which creates privilege creep. If the access model does not remove prior rights at the same time it adds new entitlements, users can keep access that no longer matches their job. That is a least-privilege failure and a governance problem, not just an admin oversight.

Q: What breaks when offboarding does not cover third-party systems?

A: Access revocation becomes incomplete, even if the central directory is cleaned up. Users may still reach data through support portals, managed service accounts, ticketing systems, or other external tools. That gap leaves a live path into company data after termination, which is exactly what offboarding is meant to eliminate.

Q: What is the difference between onboarding and access review?

A: Onboarding assigns the initial minimum access needed for a role, while access review checks whether the current access still fits the current job. Onboarding is a provisioning control, and review is a lifecycle control that catches drift, inherited privilege, and stale permissions that were not removed when the role changed.


Technical breakdown

Least privilege during onboarding

Least privilege onboarding means access is provisioned only for the role being filled, with application owners approving the entitlement set before accounts are created. The mechanism depends on accurate role mapping, an authoritative request path from HR to IT, and a defined checklist that includes internal systems plus required external portals. If the role template is broad, onboarding becomes privilege inflation at creation time rather than controlled access assignment.

Practical implication: map every job role to a minimal entitlement baseline and require application owner approval before account creation.

Termination workflows and access revocation

Termination control works only when offboarding reaches every identity surface, not just the central directory. The article points to automation because manual suspension creates a delay window between the HR event and revocation, and that window is where insider misuse and exfiltration risk grows. In practice, this means HR triggers, IT suspension, and revocation from ticketing, managed service, and support portals that may use separate authentication paths.

Practical implication: build automated revocation steps for all systems tied to the employee, including third-party portals and support tools.

Role changes and periodic permission review

Access governance is incomplete if promotions or lateral moves do not trigger entitlement reduction as well as addition. A mature review cadence, monthly or quarterly depending on scale, is the mechanism that catches privilege drift, especially for staff who inherited access from prior roles. This is lifecycle governance, not just provisioning, because the control objective is to keep access aligned with current job function over time.

Practical implication: treat role changes and periodic reviews as entitlement reduction events, not only as administrative updates.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Lifecycle control is the real policy boundary, not onboarding alone. The article treats onboarding and termination as paired processes, and that is the correct lens. Access becomes unsafe when organisations manage grants more carefully than revocation, because entitlement drift is created by the gap between event and enforcement. Practitioner conclusion: lifecycle governance has to cover creation, change, and removal as one control chain.

Standing access after role change is the failure mode this policy is trying to suppress. Promotions and internal moves often preserve prior permissions, which means the access profile no longer matches the current job function. That is a governance failure, not just an administrative miss, because it breaks least privilege at the moment the role changes. Practitioner conclusion: recertification must be tied to change events, not only calendar reviews.

Offboarding blind spots in external portals are where policy scope usually fractures. The article correctly notes that many companies focus on a central directory and forget systems used by HR, managed service providers, and support staff. That creates a fragmented lifecycle where access outlives employment in more than one system. Practitioner conclusion: scope the policy to every authentication surface that can still reach company data.

Access review cadence is a control, but only if it is connected to source-of-truth events. Monthly or quarterly reviews can surface drift, but they cannot compensate for missing HR triggers or unrevoked termination paths. The deeper issue is not review frequency alone, but whether the review process sees complete entitlement state across all connected systems. Practitioner conclusion: evaluate lifecycle evidence quality before increasing review cadence.

Least privilege for human access remains the model, but the same lifecycle logic now extends to NHI governance. The policy pattern is human-centric here, yet the same failure shape appears in service accounts and other non-human identities when access persists beyond ownership or purpose. That is why lifecycle governance should be treated as a shared discipline across human and machine identities. Practitioner conclusion: use this policy as a template for broader identity lifecycle design.

What this signals

Lifecycle programmes increasingly fail at the same point: the organisation thinks access was removed, but the identity still has reachable paths through secondary systems. That is why lifecycle evidence, not policy language, is becoming the deciding factor in audit readiness and breach containment.

Offboarding shadow: when termination is handled in one system but not across adjacent portals, the identity remains operational long enough to matter. The practical signal is that IAM teams need a complete revocation map, not just a directory event, and that map should be tested against real access paths rather than assumed.

As access environments become more distributed, the distinction between a human entitlement and a machine entitlement matters less than the lifecycle discipline behind it. Teams that can prove timely removal, role-change reduction, and review evidence will be better positioned to manage both human access and non-human identity sprawl.


For practitioners

  • Map every onboarding step to a role-specific entitlement baseline. Create access checklists by role, then require application owner approval before provisioning any account or external portal access. Include internal systems, HR tools, payroll-adjacent portals, and support platforms in the scope so the initial grant is minimal and auditable.
  • Automate termination across every authentication surface. Trigger revocation from HR termination events and suspend access in the central directory, ticketing systems, managed service portals, and any external tools the employee can still reach. Do not leave suspension dependent on weekly manual follow-up if the system can be integrated into the offboarding workflow.
  • Tie role changes to entitlement reduction reviews. Treat promotions, lateral moves, and reassignment as access reduction events as well as access grants. Recheck previous permissions against the new role, remove inherited access that is no longer needed, and document the decision path for auditability.
  • Set a review cadence that reflects account volume and risk. Use monthly reviews for smaller or fast-changing environments and quarterly reviews where entitlement volume is higher, but do not rely on cadence alone. Use the review to validate complete account state, especially for staff with elevated access or cross-system permissions.
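The four steps above (baseline per role, revocation on every surface, reduction on role change, and a review that sees complete account state) reduce to one reconciliation job: join the HR system of record against entitlement exports from every connected system and report what should not be there. The following Python is an added example written for this page; it is not code from StrongDM or from the original article. The roster, role baselines, system names, grants and the four-hour revocation SLA are all constructed and hypothetical. It flags three failure shapes the text describes: a terminated user still active in a third-party portal after the directory was cleaned up, the delay window between the HR termination event and each system's revocation, and a promoted user still holding entitlements inherited from the old role. It also flags accounts that exist in a connected system but have no HR record at all, which is where contractor and MSP access usually hides.

```python
"""Entitlement reconciliation across HR and connected systems.

All data below is constructed for illustration; users, roles, systems and
the SLA value are hypothetical, not taken from any real tenant.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str
    revoked_at: Optional[datetime] = None  # None means the grant is still active

# HR system of record (constructed). Termination is the lifecycle trigger.
HR = {
    "alice": {"status": "active", "role": "support_engineer"},
    "bob":   {"status": "active", "role": "sre"},  # promoted from support_engineer
    "carol": {"status": "terminated", "role": "support_engineer",
              "terminated_at": datetime(2025, 6, 20, 17, 0)},
}

# Minimal entitlement baseline per role (constructed): (system, entitlement).
ROLE_BASELINE = {
    "support_engineer": {("ticketing", "agent"), ("support_portal", "read")},
    "sre": {("directory", "ops_group"), ("cloud", "deploy")},
}

# Entitlement exports pulled from each connected system (constructed).
GRANTS = [
    Grant("alice", "ticketing", "agent"),
    Grant("alice", "support_portal", "read"),
    Grant("bob", "directory", "ops_group"),
    Grant("bob", "cloud", "deploy"),
    Grant("bob", "ticketing", "agent"),                 # inherited from the old role
    Grant("carol", "directory", "user", revoked_at=datetime(2025, 6, 20, 17, 30)),
    Grant("carol", "ticketing", "agent", revoked_at=datetime(2025, 6, 24, 9, 0)),
    Grant("carol", "support_portal", "read"),           # third-party portal never revoked
    Grant("dave", "msp_portal", "admin"),               # no HR record at all
]

REVOCATION_SLA = timedelta(hours=4)  # hypothetical target from HR event to revocation

def active_grants(grants):
    return [g for g in grants if g.revoked_at is None]

def offboarding_gaps(hr, grants):
    """Terminated users that still hold an active grant in any system."""
    return sorted((g.user, g.system, g.entitlement) for g in active_grants(grants)
                  if hr.get(g.user, {}).get("status") == "terminated")

def revocation_delays(hr, grants, sla=REVOCATION_SLA):
    """For each grant of a terminated user: (delay, sla_breached).
    delay is None when the grant was never revoked; that always counts as a breach."""
    out = {}
    for g in grants:
        rec = hr.get(g.user, {})
        if rec.get("status") != "terminated":
            continue
        key = (g.user, g.system, g.entitlement)
        if g.revoked_at is None:
            out[key] = (None, True)
        else:
            delay = g.revoked_at - rec["terminated_at"]
            out[key] = (delay, delay > sla)
    return out

def privilege_drift(hr, grants, baseline):
    """Active users holding entitlements outside their current role's baseline."""
    drift = []
    for g in active_grants(grants):
        rec = hr.get(g.user)
        if not rec or rec["status"] != "active":
            continue
        if (g.system, g.entitlement) not in baseline.get(rec["role"], set()):
            drift.append((g.user, g.system, g.entitlement))
    return sorted(drift)

def unmapped_identities(hr, grants):
    """Accounts present in a connected system with no HR record to drive their lifecycle."""
    return sorted({g.user for g in active_grants(grants) if g.user not in hr})

def revocation_plan(hr, grants, baseline):
    """Combined, reason-tagged list of grants to revoke or escalate."""
    plan = [(u, s, e, "terminated") for u, s, e in offboarding_gaps(hr, grants)]
    plan += [(u, s, e, "outside role baseline") for u, s, e in privilege_drift(hr, grants, baseline)]
    plan += [(g.user, g.system, g.entitlement, "no HR record")
             for g in active_grants(grants) if g.user in unmapped_identities(hr, grants)]
    return plan

if __name__ == "__main__":
    for item in revocation_plan(HR, GRANTS, ROLE_BASELINE):
        print("REVOKE", *item)
    for key, (delay, breached) in revocation_delays(HR, GRANTS).items():
        print("DELAY", *key, delay, "SLA BREACH" if breached else "ok")
```

Run against the constructed data, the plan names carol's support portal access (directory cleanup did not reach it), bob's leftover ticketing role, and dave's MSP admin account with no HR owner; the delay report shows the directory revoked within the SLA, the ticketing revocation nearly four days late, and the portal never revoked. In a real deployment the three inputs would be the HR export, the role catalogue, and scheduled pulls from each system's API; the point is that the review is only as good as the set of systems feeding GRANTS.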

Key takeaways

  • Access onboarding and termination fails when lifecycle control stops at the directory and does not reach every live access path.
  • The strongest evidence in this article is the offboarding gap: stale access persists after termination when revocation depends on manual follow-up.
  • Practitioners should treat role changes, termination, and review cadence as one connected entitlement-control process, not separate admin tasks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet. Note that PR.AC-1 and PR.AC-4 are CSF 1.1 subcategory identifiers; CSF 2.0 places these outcomes under the Identity Management, Authentication, and Access Control category (PR.AA), and SP 800-207 does not use CSF subcategory numbering.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding | Offboarding failures leave secrets and access active after employment ends.
NIST CSF 2.0 | PR.AA-01 (identities and credentials are managed) and PR.AA-05 (access permissions and entitlements are defined, managed, enforced, and reviewed under least privilege) | Access provisioning, revocation, and review are core identity protection outcomes.
NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets of Zero Trust (per-session, least-privilege, dynamic-policy access) | Continuous access decisions depend on current entitlement state.

Align onboarding, role-change, and offboarding procedures to PR.AA-01 and PR.AA-05 and test them against real lifecycle events.


Key terms

  • Access Onboarding: The process of granting a new user the minimum access needed to perform a role. In identity governance, onboarding should tie approvals, entitlements, and system provisioning to a defined job function so access is bounded from the start, not expanded later through convenience or omission.
  • Termination Workflow: The sequence used to remove access when an employee leaves or a contract ends. A complete workflow reaches every system that can authenticate the identity, including third-party portals and support tools, because partial revocation leaves live access behind and undermines offboarding controls.
  • Role Change Review: A reassessment of access when someone moves to a new job or responsibility. The goal is not only to add needed permissions but to remove inherited access that no longer matches the role, which is how organisations limit privilege creep and keep entitlement state current.
  • Least Privilege: The principle of giving only the access needed to complete a task. For identity governance, this means provisioning narrowly, removing stale permissions quickly, and revisiting access whenever the role, context, or trust boundary changes so excess privilege does not persist.

Deepen your knowledge

Access onboarding, termination, and role-change governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to extend lifecycle discipline across human and non-human identities, it is worth exploring.

This post draws on content published by StrongDM: Writing Your Access Onboarding & Termination Policy, Best Practices. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org