By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Best Practices
Source: Zluri

TL;DR: Manual onboarding, role changes, and offboarding create delays and errors that weaken identity lifecycle control, according to Zluri’s analysis. The core lesson is that lifecycle automation matters only when provisioning, approval, and deprovisioning are tied to centralized visibility and revocation discipline.


At a glance

What this is: This is a vendor analysis of identity lifecycle automation, arguing that manual provisioning and offboarding slow IT operations and increase access-risk exposure.

Why it matters: It matters because identity lifecycle controls govern human, NHI, and autonomous access paths, and weak offboarding or approval discipline creates the same governance failure across all three.



Context

Identity lifecycle management is the process of provisioning, changing, and revoking access as people or systems move through an organisation. The article argues that manual workflows create delay, human error, and incomplete visibility, which becomes a governance problem when access must be granted or removed quickly across applications and directories.

For IAM teams, the real issue is not whether lifecycle tasks can be automated, but whether access state remains accurate enough to trust. The same operating model applies to employee accounts, service accounts, and AI-linked identities: if offboarding or mid-lifecycle change is late, the organisation carries avoidable privilege risk.

Zluri’s framing is typical of SaaS lifecycle tooling commentary, but the underlying problem is broader than one product category. Lifecycle governance fails whenever approval, entitlement tracking, and revocation are treated as manual exceptions instead of a managed control surface.


Key questions

Q: How should organisations automate identity lifecycle management without losing control?

A: Automate the repeatable steps, but keep policy ownership with IAM and security teams. The control objective is not to eliminate judgement but to make provisioning and revocation follow defined role and lifecycle events, so that access stays synchronized with business reality.

Q: Why do manual offboarding processes create security risk?

A: Manual offboarding creates risk because access removal depends on human follow-through across multiple systems. If the source account is disabled but downstream app memberships, groups, or tokens remain active, the identity still has a path to sensitive data.

Q: What breaks when mid-lifecycle access changes are handled through tickets only?

A: Ticket-only access changes slow down entitlement updates and make obsolete permissions linger after a role shift. That creates privilege creep, weakens least privilege, and leaves the organisation unable to prove that access matches current job function.

Q: Who is accountable when a departing user still has access to applications?

A: Accountability sits with the identity governance process owner, not the departing employee. Organisations need a clear offboarding control owner, a complete view of app entitlements, and evidence that revocation reached every downstream system.


Technical breakdown

Provisioning workflows and role-based access assignment

Provisioning is the process of creating accounts and attaching access based on role, department, or function. In practice, lifecycle systems translate HR or directory data into account creation, group membership, and app entitlements. The technical challenge is not just speed. It is maintaining deterministic mapping between identity attributes and access decisions so that onboarding does not drift into overprovisioning or shadow approvals. When provisioning is manual, teams lose traceability and are more likely to grant broad access that never gets revisited.

Practical implication: standardise role-to-access workflows and remove manual entitlement grants from the onboarding path.

Mid-lifecycle change and access recertification

Mid-lifecycle change covers promotion, department shift, location change, or job function change. These events often require access removal as much as access addition. In an identity programme, the hard part is not creating a request form but ensuring the entitlement set reflects the new role immediately and the obsolete access is removed at the same time. If that does not happen, standing access accumulates and least privilege becomes a policy statement rather than an operating state. This is where recertification and approval workflows need to be tied to actual job state.

Practical implication: couple role changes to entitlement removal and recertification, not to separate ticket queues.

Deprovisioning and access revocation at offboarding

Deprovisioning is the final lifecycle step that removes access, disables accounts, and closes down active sessions. The article highlights the common failure mode: organisations know a user has left, but do not have a complete view of where access still exists. That creates zombie accounts, residual app access, and delayed revocation across SaaS and directory systems. Technically, the control needs to reach beyond the primary account into downstream applications, groups, and channels, otherwise offboarding is only partial.

Practical implication: build offboarding to revoke downstream access, not just disable the source account.


Threat narrative

Attacker objective: The objective is to preserve or exploit access after role change or departure, so the identity remains operational when it should have been removed.

  1. Entry occurs when a departing employee, contractor, or internal user retains access because offboarding is manual or incomplete.
  2. Escalation follows when stale entitlements, leftover app memberships, or unrevoked credentials let the former identity continue reaching business systems.
  3. Impact is the continued exposure of sensitive data, delayed containment, and a higher chance of breach, fraud, or reputational damage.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Manual lifecycle control is a governance bottleneck, not just an operations inconvenience. The article treats automation as a productivity fix, but the deeper issue is that manual provisioning and revocation make identity state unreliable. Once access decisions depend on spreadsheets, tickets, and ad hoc follow-up, the organisation cannot prove who should have access at any given moment. The practitioner conclusion is that lifecycle governance has to be treated as a control surface, not clerical work.

Mid-lifecycle change is where least privilege usually fails in practice. Promotion, transfer, and geo-shift are the moments when access should narrow as often as it expands, yet many programmes focus only on onboarding. That creates privilege creep because obsolete entitlements survive the role change. The practitioner conclusion is that access review must be event-driven, not just periodic.

Offboarding without full revocation creates a standing access debt. This is the specific failure mode the article exposes: if the organisation cannot see every app, group, and channel tied to a departing identity, access outlives employment. That is a lifecycle governance gap, not a tooling preference. The practitioner conclusion is that offboarding success should be measured by residual access removed, not accounts disabled.

NHI lifecycle governance should be read through the same lens as human lifecycle governance, but with fewer recovery assumptions. Service accounts and tokens do not raise tickets when they are stale, and they do not naturally exit the environment when a person leaves. That means manual methods that barely scale for human access are even weaker for non-human identities. The practitioner conclusion is that lifecycle discipline must extend across both human and machine identities.

Automation changes the trust model by reducing the lag between identity state and access state. The article’s core value is not speed alone. It is the ability to keep identity records, entitlements, and revocation aligned closely enough that access reflects current business reality. The practitioner conclusion is that the success test is whether access state stays synchronized, not whether a workflow feels efficient.

From our research:

  • Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Another finding from the Ultimate Guide to NHIs shows that 97% of NHIs carry excessive privileges, which broadens the attack surface when lifecycle controls lag.
  • For a practical next step, review the NHI Lifecycle Management Guide to align provisioning, rotation, and offboarding with lifecycle events.

What this signals

Identity lifecycle automation is becoming a prerequisite for credible access governance. Organisations that still depend on spreadsheets and ticket queues will struggle to keep access state aligned with role changes and departures. The practical signal is that lifecycle control needs event-driven orchestration, not just better administration.

Only 5.7% of organisations have full visibility into their service accounts, according to our Ultimate Guide to NHIs, and that same visibility gap is what makes offboarding hard to trust. If you cannot see every downstream entitlement, you cannot prove that access removal was complete. The programme implication is that identity inventory quality now matters as much as workflow speed.

Offboarding debt is now a named operational risk, not a cleanup task. Teams should treat residual access as a measurable lifecycle metric and pair it with review evidence from IAM, PAM, and NHI systems. For a broader baseline, compare current practice against the 52 NHI Breaches Analysis.


For practitioners

  • Map every lifecycle event to an entitlement outcome: tie hire, role change, transfer, and departure events to explicit provisioning or revocation actions so access changes are not left to ticket interpretation. Include application, group, and channel removal in the same workflow.
  • Measure residual access after offboarding: audit how much access still exists after a user leaves, then use that gap as the lifecycle control metric. A strong process removes downstream app access, not only the source directory account.
  • Remove manual approvals from standard onboarding paths: pre-approve common access sets by role and department so normal provisioning does not depend on repeated human review. Reserve manual approval for exceptions, not routine access creation.
  • Tie recertification to role changes, not only calendar cycles: trigger access review when a person changes job function, location, or team. That catches permissions that become excessive at the moment the role shifts, instead of months later.
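The reconciliation loop that the technical breakdown describes (role-driven provisioning, removal of obsolete entitlements at the moment of a role change, and revocation that reaches downstream systems rather than only the source account), together with the practitioner items above on mapping lifecycle events to entitlement outcomes and measuring residual access, as an added example. This is not code from the original post or from Zluri's product. The identities, role names, system names and the role-to-entitlement map are constructed for illustration, and the Directory class stands in for the directory and the per-application API calls a real lifecycle tool would make. The orphaned-NHI check extends the same model to the point made in the analysis section that service accounts do not leave the environment when their human owner does.

```python
"""Event-driven entitlement reconciliation with a residual-access metric.

Constructed example (not Zluri's code): identities, roles, system names and
ROLE_ENTITLEMENTS are hypothetical; Directory simulates downstream systems.
"""
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (downstream system, entitlement in that system)

# Hypothetical role-to-entitlement map: the single place access is defined,
# so provisioning is a deterministic function of role, not of a ticket.
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "finance-analyst": {("okta", "grp-finance"), ("netsuite", "gl-read"),
                        ("slack", "#finance")},
    "finance-manager": {("okta", "grp-finance"), ("netsuite", "gl-read"),
                        ("netsuite", "gl-approve"), ("slack", "#finance"),
                        ("slack", "#fin-leads")},
    "engineer": {("okta", "grp-eng"), ("github", "org-member"), ("slack", "#eng")},
}


class Directory:
    """Simulated identity state: source status, roles, downstream holdings, NHI owners."""

    def __init__(self) -> None:
        self.status: Dict[str, str] = {}               # identity -> "active" | "disabled"
        self.roles: Dict[str, Set[str]] = {}
        self.actual: Dict[str, Set[Entitlement]] = {}  # what downstream systems really hold
        self.nhi_owner: Dict[str, str] = {}            # service account -> human owner


def desired_state(status: str, roles: Set[str]) -> Set[Entitlement]:
    """Deterministic mapping: identity attributes in, entitlement set out."""
    if status != "active":
        return set()                                   # a departed identity is owed nothing
    want: Set[Entitlement] = set()
    for role in roles:
        want |= ROLE_ENTITLEMENTS[role]
    return want


def reconcile(identity: str, d: Directory) -> Dict[str, List[Entitlement]]:
    """Diff desired against actual; grants and revokes happen in the same step."""
    want = desired_state(d.status[identity], d.roles.get(identity, set()))
    have = d.actual.setdefault(identity, set())
    grants = sorted(want - have)
    revokes = sorted(have - want)
    have |= set(grants)   # real system: SCIM PATCH / group add per downstream app
    have -= set(revokes)  # real system: group remove, app deprovision, session/token revoke
    return {"grant": grants, "revoke": revokes}


def apply_event(d: Directory, event: Dict[str, str]) -> Dict[str, List[Entitlement]]:
    """Translate an HR lifecycle event into an entitlement outcome."""
    who, kind = event["identity"], event["type"]
    if kind == "hire":
        d.status[who] = "active"
        d.roles[who] = {event["role"]}
    elif kind == "role_change":
        d.roles[who] = {event["role"]}                 # replace the role set, never accumulate
    elif kind == "terminate":
        d.status[who] = "disabled"
        d.roles[who] = set()
    else:
        raise ValueError(f"unknown lifecycle event: {kind}")
    return reconcile(who, d)


def residual_access(d: Directory, identity: str) -> Set[Entitlement]:
    """Offboarding metric: entitlements a disabled identity still holds downstream."""
    if d.status.get(identity) == "active":
        return set()
    return set(d.actual.get(identity, set()))


def orphaned_nhis(d: Directory) -> List[str]:
    """Service accounts whose human owner is no longer active: nobody will retire them."""
    return sorted(n for n, owner in d.nhi_owner.items() if d.status.get(owner) != "active")


def run_demo() -> Dict[str, object]:
    """Walk two identities through hire, change and departure and collect the metrics."""
    d = Directory()
    d.nhi_owner.update({"svc-fin-report": "alice", "svc-ci-deploy": "bob"})
    apply_event(d, {"type": "hire", "identity": "alice", "role": "finance-analyst"})
    promo = apply_event(d, {"type": "role_change", "identity": "alice", "role": "finance-manager"})
    transfer = apply_event(d, {"type": "role_change", "identity": "alice", "role": "engineer"})
    apply_event(d, {"type": "terminate", "identity": "alice"})  # automated: full downstream revoke
    apply_event(d, {"type": "hire", "identity": "bob", "role": "engineer"})
    d.status["bob"] = "disabled"  # the manual failure mode: source disabled, downstream untouched
    return {
        "promo_grants": promo["grant"],          # only the delta is added
        "promo_revokes": promo["revoke"],        # nothing is lost on promotion
        "transfer_revokes": transfer["revoke"],  # finance access removed at the moment of transfer
        "alice_residual": residual_access(d, "alice"),
        "bob_residual": residual_access(d, "bob"),
        "orphaned_nhis": orphaned_nhis(d),       # NHIs that outlived their owners
    }
```

Running run_demo() shows the promotion adding only the two new finance entitlements, the transfer to engineering revoking all five finance entitlements in the same step that grants the engineering set, an empty residual-access set for alice after automated termination, and three downstream entitlements still held by bob after a source-only manual offboarding. Both service accounts show up as orphans, including the one owned by alice, because correct human offboarding does not by itself reassign or retire the NHIs that person owned. In a real deployment reconcile would be driven by HR or SCIM events, and residual_access would be computed by querying each downstream system rather than a local dictionary.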

Key takeaways

  • Manual lifecycle management fails because it cannot keep identity state and access state synchronized across real organisational change.
  • The scale of the problem is visible in poor offboarding discipline, stale entitlements, and delayed revocation across downstream applications.
  • Practitioners should measure lifecycle success by residual access removed, not by how quickly a workflow was completed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identities Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identities Top 10 (2025) | NHI1:2025 Improper Offboarding | The offboarding gap this article describes: identities and credentials that outlive the role or workload that justified them.
NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication and Access Control; PR.AC-4 in CSF 1.1) | Access permissions, entitlements and authorizations are managed, enforced and reviewed under least privilege, which maps directly to lifecycle provisioning and revocation.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | Per-session, dynamic-policy access to resources depends on current identity state, which manual lifecycle workflows allow to drift.

Automate NHI revocation triggers when an identity leaves or changes role, and verify downstream removal.


Key terms

  • Identity lifecycle management: Identity lifecycle management is the process of creating, changing, reviewing, and removing access as a person or system moves through an organisation. It links identity state to current business need so access does not outlive the role, contract, or workload that justified it.
  • Deprovisioning: Deprovisioning is the controlled removal of access when an identity no longer needs it, usually because the user left or the account is no longer valid. Effective deprovisioning reaches beyond the primary account to apps, groups, channels, and tokens that still carry access.
  • Privilege creep: Privilege creep is the gradual accumulation of access that is no longer justified by the current role. It happens when lifecycle changes add permissions but old ones are not removed, leaving the identity more powerful than the work requires.
  • Standing access: Standing access is persistent permission that remains in place until someone removes it. In lifecycle governance, standing access is risky because it creates a long-lived path into systems, especially when offboarding, rotation, or recertification is delayed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.

This post draws on content published by Zluri (Lifecycle Management): How Zluri Automates Identity Lifecycle Management to Reduce IT Friction. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org