By NHI Mgmt Group Editorial Team
Published 2025-08-21
Domain: Best Practices
Source: SecurEnds

TL;DR: Manual onboarding, review, and offboarding in Active Directory still produce lingering access, privilege creep, and audit gaps, according to SecurEnds. The practical shift is to treat identity lifecycle management as a governance control, not an IT convenience, because delayed deprovisioning and spreadsheet-based reviews leave accounts active after roles change or people leave.


At a glance

What this is: This is an identity lifecycle management article focused on Active Directory users, showing how manual provisioning, access reviews, and offboarding create lingering access and audit risk.

Why it matters: It matters because the same lifecycle failures that affect human accounts also shape how teams should govern service accounts, API keys, and other non-human identities with greater consistency.

By the numbers:

👉 Read SecurEnds' guide to automating identity lifecycle management in Active Directory


Context

Identity lifecycle management is the discipline of provisioning, changing, reviewing, and revoking access as people move through an organisation. In the Active Directory context, the problem is rarely account creation itself, but the accumulated drift that follows role changes, contractor churn, and delayed offboarding.

Manual reviews turn into evidence-chasing when access is tracked in emails and spreadsheets instead of a governed system. That creates a human IAM control failure, but the same lifecycle pattern also applies to NHI governance, where service accounts and API keys often outlive the business need that created them.


Key questions

Q: What breaks when identity lifecycle management is manual in Active Directory?

A: Manual lifecycle management breaks when account creation, group changes, and offboarding rely on tickets, spreadsheets, and memory. Access becomes stale, reviews become incomplete, and departed users can retain valid permissions far longer than intended. The result is privilege creep, poor audit evidence, and unnecessary exposure across critical systems.

Q: Why do identity lifecycle failures matter beyond human accounts?

A: Lifecycle failures matter beyond human accounts because service accounts, API keys, and certificates suffer the same drift when ownership, review, and revocation are inconsistent. A weak lifecycle process leaves non-human access active after the business need ends, which turns identity governance into a security issue rather than an admin task.

Q: How do security teams know if access reviews are actually working?

A: Access reviews are working only when reviewers can see current entitlements, clear ownership, and a complete decision trail. If the process depends on exports, blank spreadsheets, or stale lists, it measures attendance, not assurance. A working review process produces timely removals and defensible evidence, not just completed forms.

Q: Who is accountable when stale access remains after offboarding?

A: Accountability sits with the identity and business owners who approve access, the process owners who govern offboarding, and the control owners who failed to enforce revocation. In regulated environments, that failure also becomes an audit issue because access should end when the employment or contract relationship ends.


Technical breakdown

Why manual provisioning creates access drift in Active Directory

Manual provisioning in Active Directory usually starts with a job role and ends with exceptions. When access is assembled from tickets and group additions, the identity becomes a patchwork of inherited permissions that is difficult to explain later. Role-based access control works only when role definitions are current and cleanup follows each move or departure. Without that, old entitlements remain attached to the account long after the user’s actual duties changed. That is not just operational clutter. It is how privilege creep becomes normalised across the directory.

Practical implication: tie provisioning to authoritative HR data and remove entitlements when the role changes, not only at offboarding.

How access reviews fail when evidence lives in spreadsheets

User access review is supposed to confirm that access still matches business need, but spreadsheet-driven reviews often verify nothing. Blank cells, stale names, and inconsistent ownership reduce certification to a checkbox exercise. In governance terms, the failure is not the review cadence itself, but the evidence quality behind it. If managers cannot see current access, they cannot make current decisions. For Active Directory users, that weakens auditability and makes certification campaigns late, partial, or unverifiable.

Practical implication: centralise access evidence in a system of record so reviewers see real entitlements, not exported guesses.

Why offboarding is the control that actually stops lingering privilege

Offboarding is the only stage that can close the lifecycle cleanly, but many organisations treat it as an HR event rather than an access control. If the account remains active after departure, the identity still exists as an entry point even when employment has ended. In NHI programmes the same pattern appears with API keys and service accounts that are never revoked. The shared lesson is that lifecycle closure must be enforced, not requested. Otherwise access continues by default and assurance arrives too late.

Practical implication: automate deprovisioning and revoke access at the source of truth as soon as the lifecycle ends.


Threat narrative

Attacker objective: The attacker objective is to use still-valid identity access to move through business systems without triggering immediate suspicion or access controls.

  1. Entry occurs when a leaver or contractor account remains active after the business relationship changes, preserving a valid login path.
  2. Escalation happens when the account retains inherited group memberships or excessive permissions that were never removed during role changes.
  3. Impact follows when stale access is used to reach systems that should have been offboarded, audited, or re-certified out of scope.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Manual identity lifecycle management is a control failure, not a process preference. The article shows that once provisioning, review, and revocation are handled through email and spreadsheets, the organisation loses authoritative control over who should have access. That is true for human identities in Active Directory and just as true for NHI credentials that follow the same unmanaged lifecycle pattern. The practitioner conclusion is straightforward: if the lifecycle is not governed centrally, it is not governed at all.

Identity lifecycle governance is the shared operating model across humans and non-humans. This is not a separate human IAM problem on one side and an NHI issue on the other. The same lifecycle logic applies to employees, contractors, service accounts, and API keys, which is why lifecycle governance belongs in the core identity programme rather than in isolated admin workflows. The field should treat lifecycle discipline as a universal control plane for identity risk.

Privilege creep is the named failure mode this article exposes. The article’s examples show access accumulating through role changes, delayed cleanup, and incomplete certifications until the account no longer reflects the user’s actual job. That failure mode is central to NIST CSF access governance and to NHI control models that assume entitlements remain accurate without continuous review. The practitioner conclusion is that lifecycle drift must be treated as an active security condition, not an administrative nuisance.

Access review quality matters more than review frequency. Quarterly certification is only useful when the underlying access inventory is current, complete, and tied to real ownership. Spreadsheet reviews can create the appearance of oversight while leaving dormant or excessive access untouched. For identity governance teams, the lesson is that assurance depends on evidence quality, not on how many review cycles are scheduled.

Operational identity debt accumulates whenever removal is slower than creation. The article’s strongest signal is that onboarding is easy to automate while offboarding is often neglected. That asymmetry produces a growing backlog of stale entitlements and lingering accounts, especially in hybrid environments where directory data, cloud access, and third-party systems do not reconcile cleanly. Practitioners should read this as a lifecycle debt problem that compounds until it is forced into audit or incident response.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For broader lifecycle control patterns, see NHI Lifecycle Management Guide for the operational model that closes these gaps.

What this signals

Identity lifecycle debt: Organisations that still run access changes through tickets and spreadsheets should expect the same control erosion to show up in NHI governance. When offboarding is weak, stale credentials and inactive accounts remain as usable attack paths, so lifecycle cleanup becomes a security operation rather than an administrative one.

The practical signal for IAM leaders is that lifecycle maturity now has to be measured across humans and non-humans together. A programme can look healthy on onboarding speed while still failing on revocation, and that imbalance is where audit findings and real exposure usually begin.

The strongest next step is to connect directory governance to Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10, because lifecycle discipline is now a cross-identity control problem, not a human-only admin workflow.


For practitioners

  • Bind provisioning to a source of truth: Connect joiner and mover events to HR or contractor records so role changes update group membership automatically instead of waiting for manual tickets.
  • Replace spreadsheet certifications with governed review workflows: Use a system that shows current entitlements, named owners, and prior decisions so managers can certify or revoke access with evidence that auditors can trace.
  • Automate offboarding as a hard control: Trigger account disablement, group removal, and token revocation at the point the source record changes to inactive so access does not linger after departure.
  • Apply the same lifecycle model to NHI credentials: Inventory service accounts, API keys, and certificates alongside human accounts so lifecycle ownership and revocation are managed consistently across identity types.

Key takeaways

  • Manual identity lifecycle handling in Active Directory creates stale access, privilege creep, and weak audit evidence.
  • The same lifecycle failure pattern affects human accounts and NHI credentials when revocation and review are not enforced centrally.
  • The control that changes outcomes is automated provisioning, review, and offboarding tied to authoritative identity data.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Directly relevant to offboarding and revocation failures in lifecycle management.
NIST CSF 2.0 | PR.AA-01 | Identity and authentication governance underpins lifecycle control and access assurance.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege depends on timely removal of access when roles change or end.

Use zero trust access reviews to continuously reduce standing privilege across directory and non-human identities.


Key terms

  • Identity Lifecycle Management: Identity lifecycle management is the process of creating, changing, reviewing, and removing access as people or systems move through their authorised lifecycle. In practice, it ties access to a current business need and removes it when that need ends, reducing stale accounts and privilege drift.
  • Access Review: An access review is a formal check to confirm that an identity still needs its assigned permissions. It depends on accurate entitlement data, named ownership, and a clear decision trail. Without those inputs, the review becomes a compliance exercise rather than a meaningful control.
  • Privilege Creep: Privilege creep is the gradual accumulation of access rights that no longer match the identity’s real duties. It often appears after role changes, temporary projects, or poor offboarding. Over time, it expands the attack surface and makes least privilege harder to restore.
  • Offboarding: Offboarding is the controlled removal of access when an employment, contractor, or machine relationship ends. For human identities it includes account disablement and entitlement cleanup. For non-human identities it must also include token revocation, secret rotation, and ownership reassignment.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SecurEnds: Identity lifecycle management for Active Directory users and access reviews. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org