By NHI Mgmt Group Editorial Team
Published 2026-02-11
Domain: Governance & Risk
Source: Josys

TL;DR: Josys describes a trigger-condition-action workflow model for onboarding, offboarding, access reviews, and licence management across SaaS apps, and cites a study in which 89% of former employees still retained access to at least one application from a previous employer. The governance gap is not a lack of automation but a lack of reliable lifecycle closure across dozens of disconnected systems.


At a glance

What this is: A workflow-based access management article arguing that repeatable triggers, app selection, conditions, and actions can reduce manual SaaS lifecycle work while closing common onboarding and offboarding gaps.

Why it matters: IAM teams still struggle to revoke access cleanly across sprawling app stacks, and the same lifecycle discipline now has to cover human users, service accounts, and agent-operated systems.

By the numbers:

  • 89% of former employees retained access to at least one application from a previous employer, according to the study Josys cites.
👉 Read Josys' blog post on end-to-end access management workflows


Context

Access governance breaks down when joiner, mover, and leaver events have to be repeated by hand across many SaaS applications. In practice, that creates delayed provisioning, missed deprovisioning, and inconsistent approvals that leave accounts open longer than the business expects.

The article centres on human access lifecycle management, not autonomous decision-making or NHI secret governance. Its main point is that a workflow layer can standardise access changes across apps, but the real problem remains the same: lifecycle controls only work when the downstream systems and triggers are complete enough to keep pace with role change and departure.


Key questions

Q: How should security teams automate SaaS onboarding and offboarding without losing control?

A: Security teams should anchor automation to authoritative lifecycle events, then require each workflow to prove that access changed in every downstream application. The control is not the workflow itself, but the verified result. If revocation, licensing, and account ownership are split across systems, the process needs explicit exception handling and post-action checks.

Q: Why do former employees still keep access after offboarding in many organisations?

A: Former employees keep access because offboarding is often treated as a task list instead of a closed lifecycle control. One system may disable a directory account while another SaaS app still trusts a local entitlement or token. The result is residual access that survives the employment event and creates avoidable exposure.

Q: How do organisations know whether access review processes are actually working?

A: Access reviews are working only if reviewer decisions reliably produce downstream entitlement changes. If the process generates attestations but leaves access in place, the organisation has governance theatre, not governance control. The best signal is a measurable reduction in orphaned accounts, stale permissions, and unresolved exceptions after each review cycle.

Q: Who is accountable when a leaver still has SaaS access after offboarding?

A: Accountability sits with the organisation that owns the lifecycle process, not with the departing employee. In practice, that means HR, IAM, IT operations, and application owners must each own a defined part of revocation and confirmation. If no one owns the final closure check, residual access becomes a predictable outcome.


Technical breakdown

Trigger, app, condition, action in SaaS access workflows

A workflow in this context is a structured automation chain: an event trigger starts the process, applications define where the change applies, conditions narrow the target set, and actions carry out the access change. That pattern is useful because it converts ad hoc admin work into a repeatable control. It also puts a single orchestration layer across HR, ITSM, directory, and SaaS systems, which is where many lifecycle failures start: at the hand-off between one system's record and the next.

Practical implication: map each access event to an explicit trigger and a defined downstream action before you automate it.
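The chain above in working Python, as an added example rather than Josys' own code: a trigger selects a workflow, the app list defines scope, a condition narrows it, an action performs the change, and a verify step reads the app back so that an app which accepts a disable call but keeps the account alive is reported as unverified instead of done. Every class, app name, account and the set of authoritative sources (hris, directory, itsm) is an assumption constructed for the example.

```python
"""Added example: a trigger -> apps -> condition -> action workflow whose
result is the verified downstream state, not the fact that the workflow ran.
All classes, app names and accounts below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class SaaSApp:
    """Hypothetical in-memory stand-in for one SaaS application's user store.
    A real connector would call the vendor API; this one just mutates a dict."""

    def __init__(self, name: str, accounts: Dict[str, dict], honours_disable: bool = True):
        self.name = name
        self.accounts = accounts          # email -> {"active": bool, "role": str, "seat": bool}
        self.honours_disable = honours_disable

    def disable(self, email: str) -> None:
        acct = self.accounts.get(email)
        if acct is None or not self.honours_disable:
            # The second case models an app that accepts the call but keeps a
            # local entitlement alive: exactly the gap a closure check must catch.
            return
        acct["active"] = False
        acct["seat"] = False

    def is_active(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return bool(acct and acct["active"])


@dataclass
class LifecycleEvent:
    kind: str                 # "joiner" | "mover" | "leaver"
    email: str
    source: str               # system that emitted the event
    attrs: dict = field(default_factory=dict)


@dataclass
class Workflow:
    trigger: str                                          # event kind that starts it
    apps: List[SaaSApp]                                   # where the change applies
    condition: Callable[[LifecycleEvent, SaaSApp], bool]  # narrows the target set
    action: Callable[[LifecycleEvent, SaaSApp], None]     # performs the change
    verify: Callable[[LifecycleEvent, SaaSApp], bool]     # post-action closure check


# Only these sources may trigger lifecycle workflows (assumed set for the example).
AUTHORITATIVE_SOURCES = {"hris", "directory", "itsm"}


def run_workflow(wf: Workflow, event: LifecycleEvent) -> Dict[str, List[str]]:
    """Apply wf to event and report the per-app outcome.

    Apps land in "unverified" when the action ran but the post-action check
    still sees access: those are exceptions to work, not successes to close.
    """
    if event.source not in AUTHORITATIVE_SOURCES:
        raise ValueError(f"refusing trigger from non-authoritative source {event.source!r}")
    outcome: Dict[str, List[str]] = {"applied": [], "skipped": [], "unverified": []}
    if event.kind != wf.trigger:
        outcome["skipped"] = [app.name for app in wf.apps]
        return outcome
    for app in wf.apps:
        if not wf.condition(event, app):
            outcome["skipped"].append(app.name)
            continue
        wf.action(event, app)
        bucket = "applied" if wf.verify(event, app) else "unverified"
        outcome[bucket].append(app.name)
    return outcome


def build_leaver_workflow() -> Workflow:
    """Constructed environment: three apps, one of which ignores disable calls."""
    crm = SaaSApp("crm", {"alice@example.com": {"active": True, "role": "user", "seat": True}})
    wiki = SaaSApp("wiki", {"alice@example.com": {"active": True, "role": "admin", "seat": True}},
                   honours_disable=False)
    billing = SaaSApp("billing", {"bob@example.com": {"active": True, "role": "admin", "seat": True}})
    return Workflow(
        trigger="leaver",
        apps=[crm, wiki, billing],
        condition=lambda ev, app: ev.email in app.accounts,
        action=lambda ev, app: app.disable(ev.email),
        verify=lambda ev, app: not app.is_active(ev.email),
    )


def demo() -> Dict[str, List[str]]:
    event = LifecycleEvent(kind="leaver", email="alice@example.com", source="hris")
    return run_workflow(build_leaver_workflow(), event)


if __name__ == "__main__":
    print(demo())  # {'applied': ['crm'], 'skipped': ['billing'], 'unverified': ['wiki']}
```

The point of the design is that `run_workflow` never reports success on the strength of its own action; only the read-back decides, so the `wiki` entry ends up in an exception queue the team has to work, which is the closure check the article's pattern otherwise lacks.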

Onboarding, offboarding, and access review as lifecycle controls

Onboarding and offboarding are not just administrative tasks. They are lifecycle controls that determine when access starts, changes, and ends. Access reviews add a further control point by testing whether existing entitlements still match the current role or business need. In a SaaS-heavy environment, the hard part is not designing the policy but keeping the same policy consistent across many apps with different permission models and different response times.

Practical implication: treat lifecycle controls as one governance chain, not separate tickets for separate tools.

Shadow users and license optimisation as governance signals

Shadow user management is the discovery of accounts and apps that exist outside IT's control, while licence optimisation focuses on reclaiming unused seats. Both are useful because they expose where lifecycle governance has drifted away from policy. Dormant accounts, orphaned licences, or unmanaged app connections usually mean that access decisions are being made in too many places.

Practical implication: use shadow account discovery and license usage data as indicators that lifecycle offboarding and review are incomplete.




NHI Mgmt Group analysis

Workflow automation is not lifecycle governance unless every identity event closes cleanly. The article describes automation for joiner, mover, and leaver tasks, but the governance question is whether access truly ends when the workflow says it should. In SaaS environments, the same entitlement can exist in directories, app consoles, and manual exceptions, so incomplete closure is the real failure mode. Practitioners should judge the control by whether it removes residual access, not by whether it reduces ticket volume.

Access review without lifecycle enforcement is a weak signal, not a control. Reviews can tell you whether access should continue, but they do not guarantee revocation across downstream apps. That gap is familiar in IAM programmes: approval and removal are often separated by different owners, different systems, and different timelines. The practical conclusion is that review outcomes must be wired to action, or the review becomes a report instead of a governance mechanism.

Shadow user management exposes the hidden perimeter of SaaS identity governance. When accounts and apps sit outside IT's visible control, the organisation has already lost part of the lifecycle record. This is the same governance problem that shows up in orphaned entitlements, stale licences, and untracked manual provisioning. The field-level takeaway is that visibility is not a dashboard feature, it is the prerequisite for enforcing any lifecycle policy at scale.

Lifecycle automation now has to span human identities, service accounts, and agent-operated processes. The underlying discipline is the same, but the actor type changes what must be tracked, approved, and revoked. Human onboarding and offboarding remain the article's focus, yet the same orchestration logic will increasingly be asked to govern non-human actors in adjacent systems. Practitioners should prepare for one lifecycle model with multiple actor-specific execution paths.

Access lifecycle failure is a standing privilege problem in disguise. The cited 89% retention figure shows that the issue is not just delayed deprovisioning, but access that outlives the employment event that justified it. That is a governance failure across identity, application, and process boundaries. The implication is that lifecycle ownership must be explicit enough to prevent access from surviving its business purpose.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a lifecycle view that extends beyond SaaS users, see NHI Lifecycle Management Guide.

What this signals

Lifecycle automation will increasingly be judged by closure quality, not workflow volume. The next programme gap is not whether teams can create more automations, but whether each automation leaves behind a provable access state. For practitioners, that means measuring residual access, unresolved exceptions, and stale entitlements as operational outcomes, not just ticket throughput.

The broader signal is that SaaS lifecycle governance is converging with wider identity lifecycle thinking across human and non-human actors. That pushes practitioners toward a single control model with actor-specific execution paths, supported by standards such as the NIST Cybersecurity Framework 2.0 and lifecycle guidance in the Ultimate Guide to NHIs.

Residual access debt: access that remains valid after a role change or departure because downstream systems were not fully closed. When this debt accumulates, lifecycle programmes appear automated while leaving the actual exposure unchanged, which is why account closure evidence matters more than workflow completion.


For practitioners

  • Bind workflow triggers to authoritative lifecycle events: use HR, directory, and ITSM events as the only approved triggers for onboarding, mover, and leaver workflows, and document which source of truth owns each decision. This prevents manual or duplicate access changes from drifting outside the control chain.
  • Wire offboarding to confirmed revocation outcomes: do not treat a completed workflow as proof of deprovisioning. Confirm that access was removed in each downstream SaaS application, especially where the article's trigger-condition-action pattern must span apps, tickets, and API requests.
  • Use shadow account discovery as a lifecycle exception queue: treat unmanaged accounts and apps as unresolved lifecycle cases, not just hygiene findings. Route them into review, ownership assignment, and revocation workflows so they can be closed rather than merely reported.
  • Connect access reviews to revocation, not just attestation: make sure reviewer decisions create an enforceable downstream action, because attestation alone does not reduce entitlement risk. This matters most for shared SaaS roles, exceptions, and dormant accounts that persist after a role change.
  • Measure residual access after mover and leaver events: track how many accounts still retain access 24, 48, and 72 hours after a change event, then investigate the systems that fail to close on time. Residual access is the clearest indicator that lifecycle automation is incomplete.
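Added example covering the last two bullets, reviews wired to revocation and residual access measured at 24, 48 and 72 hours; this is illustration code, not a Josys feature, and every account, system and timestamp is constructed. It takes leaver events and reviewer revoke decisions alongside a snapshot of what each app still reports as active, returns the accounts that have outlived their event bucketed by age, and counts which systems most often fail to close so those are investigated first.

```python
"""Added example: measure residual access after leaver and review events.
Events, snapshot rows and timestamps are constructed for illustration."""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Finding = Dict[str, object]


def _bucket(age_hours: float) -> str:
    """Age buckets matching the 24/48/72 hour checkpoints."""
    if age_hours < 24:
        return "<24h"
    if age_hours < 48:
        return "24-48h"
    if age_hours < 72:
        return "48-72h"
    return ">72h"


def residual_access(events: List[dict], snapshot: List[dict], now: datetime) -> List[Finding]:
    """Return every (email, system) that should have lost access but is still active.

    events:   {"email", "kind", "system", "at"}; kind is "leaver" (system "*" means
              every system) or "review_revoke" (one named system).
    snapshot: {"email", "system", "active"} as observed from each app at `now`.
    """
    systems = {row["system"] for row in snapshot}
    expected_gone: Dict[Tuple[str, str], Tuple[str, datetime]] = {}
    for ev in events:
        targets = systems if ev["system"] == "*" else {ev["system"]}
        for system in targets:
            key = (ev["email"], system)
            # Keep the earliest event; the clock starts when the business justification ended.
            if key not in expected_gone or ev["at"] < expected_gone[key][1]:
                expected_gone[key] = (ev["kind"], ev["at"])
    findings: List[Finding] = []
    for row in snapshot:
        key = (row["email"], row["system"])
        if not row["active"] or key not in expected_gone:
            continue
        kind, at = expected_gone[key]
        age = (now - at).total_seconds() / 3600
        findings.append({"email": row["email"], "system": row["system"], "event": kind,
                         "age_hours": round(age, 1), "bucket": _bucket(age)})
    findings.sort(key=lambda f: (-f["age_hours"], f["email"]))
    return findings


def failing_systems(findings: List[Finding], min_hours: float = 24) -> Counter:
    """Count residual accounts per system older than min_hours: the apps to investigate first."""
    return Counter(f["system"] for f in findings if f["age_hours"] >= min_hours)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data.
DEMO_NOW = _ts("2026-02-11T12:00:00")
DEMO_EVENTS = [
    {"email": "alice@example.com", "kind": "leaver", "system": "*", "at": _ts("2026-02-07T09:00:00")},
    {"email": "bob@example.com", "kind": "review_revoke", "system": "crm", "at": _ts("2026-02-10T10:00:00")},
    {"email": "carol@example.com", "kind": "leaver", "system": "*", "at": _ts("2026-02-11T06:00:00")},
]
DEMO_SNAPSHOT = [
    {"email": "alice@example.com", "system": "crm", "active": True},
    {"email": "alice@example.com", "system": "wiki", "active": True},
    {"email": "alice@example.com", "system": "hris", "active": False},  # closed correctly
    {"email": "bob@example.com", "system": "crm", "active": True},      # reviewer said revoke; still active
    {"email": "bob@example.com", "system": "wiki", "active": True},     # review never covered wiki: not residual
    {"email": "carol@example.com", "system": "wiki", "active": True},   # inside the 24h window
    {"email": "dave@example.com", "system": "crm", "active": True},     # no lifecycle event: out of scope here
]


def demo() -> List[Finding]:
    return residual_access(DEMO_EVENTS, DEMO_SNAPSHOT, DEMO_NOW)


if __name__ == "__main__":
    for f in demo():
        print(f)
    print(failing_systems(demo()))  # Counter({'crm': 2, 'wiki': 1})
```

Feeding this the real HR feed, the review tool's decisions and a nightly per-app export gives the metric the bullet asks for; the `event` field on each finding also tells you whether the open access came from an offboarding that never closed or from an attestation that never turned into a revocation.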

Key takeaways

  • The core risk is residual SaaS access after joiner, mover, and leaver events, not the absence of automation.
  • The cited 89% figure shows that offboarding failure is still common enough to be a structural IAM problem, not an edge case.
  • Practitioners should prove downstream revocation, not just workflow completion, if they want lifecycle controls to reduce exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding (with NHI7:2025 Long-Lived Secrets for the rotation side) | Accounts and credentials that are not revoked when the identity's purpose ends, the same failure mode as residual SaaS access.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorisations are defined in policy, managed, enforced, and reviewed, which is the lifecycle control this guidance describes.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | Access is granted per session under dynamic policy, so a revocation must take effect at the next access decision rather than waiting for a periodic review.

Use continuous authorization checks to confirm that revoked access is no longer effective.


Key terms

  • Access Lifecycle: The access lifecycle is the full path of an identity from creation through change and removal. In IAM practice, it covers provisioning, modification, review, and deprovisioning, with the key test being whether access ends as reliably as it begins.
  • Residual Access: Residual access is entitlement that remains active after the business event that justified it has passed. It usually appears when offboarding, role changes, or application-level revocation fail to close every downstream path, leaving exposure behind even though the primary workflow appears complete.
  • Shadow User: A shadow user is an account that exists outside the organisation's normal IT or IAM control plane. These accounts often surface after mergers, app sprawl, manual provisioning, or delegated admin use, and they matter because they can bypass standard lifecycle review and revocation processes.

This post draws on content published by Josys: End-to-End Access Management Using Josys Workflows. Read the original.

NHIMG Editorial Note
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org