By NHI Mgmt Group Editorial TeamPublished 2025-12-10Domain: Governance & RiskSource: OpenIAM

TL;DR: Mid-sized companies often struggle with manual Joiner-Mover-Leaver processes that delay onboarding, accumulate excess access, and leave orphan accounts behind, according to OpenIAM. The operational problem is less about headcount than about lifecycle governance that cannot keep pace with role changes, SaaS sprawl, and offboarding.


At a glance

What this is: This article argues that manual identity lifecycle management creates avoidable risk and productivity drag in mid-sized companies, with Joiner-Mover-Leaver automation as the remedy.

Why it matters: It matters because lifecycle failures affect human access governance today and set the baseline for how organisations later manage NHI, workload, and autonomous identity lifecycles.

👉 Read OpenIAM's guide to Joiner-Mover-Leaver identity lifecycle management


Context

Identity lifecycle management is the discipline of creating, updating, and removing access as people move through an organisation. In mid-sized companies, that process often breaks because HR, IT, and app owners rely on tickets, ad hoc approvals, and incomplete visibility instead of a controlled identity source of truth.

The result is familiar IAM debt: new hires wait for access, movers keep privileges they no longer need, and leavers retain accounts in systems that were never fully deprovisioned. For practitioners, the issue is not just onboarding speed but whether lifecycle governance can remain auditable as the environment grows.


Key questions

Q: How should organisations automate joiner, mover, and leaver access changes?

A: Use the HR system or another authoritative source as the trigger for provisioning, entitlement updates, and deprovisioning. Joiners should receive a defined birthright access set, movers should have old access removed as part of the change event, and leavers should be fully revoked across all connected systems.

Q: Why does manual identity lifecycle management create so much access creep?

A: Manual lifecycle management creates access creep because people keep adding new permissions while removals are delayed, forgotten, or never requested. Over time, users accumulate privileges from prior roles, projects, and exceptions, which expands the attack surface and makes audits harder to defend.

Q: What breaks when leaver offboarding only disables the primary directory account?

A: Downstream access remains active in SaaS apps, VPNs, privileged tools, shared accounts, and databases. That leaves orphan accounts and session artefacts behind, which means the person may be gone but their access still exists in places that matter operationally and for audit evidence.

Q: Who is accountable when lifecycle access removals fail?

A: Accountability usually sits across HR, IAM, IT operations, and application owners because lifecycle control depends on both authoritative events and downstream enforcement. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that access governance must be owned, monitored, and auditable across the whole environment.


Technical breakdown

Joiner lifecycle provisioning and birthright access

Joiner provisioning is the first lifecycle control point, where an identity is created and baseline access is assigned. Birthright access uses role, department, location, and employment type to provision predictable permissions automatically from an authoritative source, usually HR. Without that linkage, organisations fall back to manual tickets and manager requests, which creates inconsistent entitlements and encourages over-granting just to get work started. The technical issue is not account creation itself but whether the entitlement model is tied to business attributes that can be enforced consistently across systems.

Practical implication: define role-based birthright access from the HR source of truth and automate provisioning before users start work.

Mover access updates and permission recalculation

Mover events are where lifecycle programmes usually leak. When a role changes, the system must recalculate entitlements so new access is added and obsolete access is removed at the same time. If applications each maintain separate admin consoles and managers only request additions, access creep builds quietly across SaaS and internal systems. Attribute-based updates solve this by using authoritative identity changes to trigger entitlement recalculation. The control objective is not simply approving new access faster, but ensuring old access is withdrawn as soon as the business context changes.

Practical implication: connect role-change events to entitlement recalculation so movers do not retain permissions from their previous position.

Leaver offboarding, token revocation, and orphan accounts

Leaver handling is the highest-risk stage because access must be removed everywhere the identity exists, not just in the primary directory. Mature offboarding disables accounts, revokes sessions and tokens, and deprovisions SaaS, VPN, privileged tools, databases, and shared access paths with an audit trail. When any of those steps is missed, orphan accounts remain active after employment ends. The technical failure is usually fragmentation: one identity is removed in one system, while downstream entitlements persist in others. That is why termination is a lifecycle event, not a single account action.

Practical implication: automate full deprovisioning and session revocation across all connected systems when a leaver event occurs.


NHI Mgmt Group analysis

Manual identity lifecycle is a governance debt problem, not an efficiency problem. The article correctly shows that lean IT teams do not fail because they lack competence, but because tickets, Slack requests, and fragmented app administration cannot sustain accurate JML control at scale. That pattern is visible wherever access changes faster than humans can reconcile them, which is why lifecycle governance is now a security control, not just an HR workflow. Practitioners should treat lifecycle maturity as a baseline requirement, not a back-office optimisation.

Birthright access is the named concept that separates controlled onboarding from improvisation. When access is defined from role and employment attributes, the organisation can standardise the first privilege set instead of negotiating it manually for every new hire. That matters because onboarding shortcuts become future risk when broad access is granted to speed productivity. The practitioner lesson is to make baseline access deterministic before asking how to improve speed.

Attribute-based lifecycle automation is the control model that stops permission sprawl from becoming normal. The mover problem in the article is not simply that people change jobs, but that old privileges survive the change. Recalculation based on authoritative attributes aligns access with current business need and exposes where application-level exceptions are being accumulated. Practitioners should read mover events as a test of whether governance can remove access, not just add it.

Leaver offboarding fails when organisations treat identity removal as a directory task instead of a full entitlement shutdown. The article highlights the common gap between disabling a primary account and revoking access in downstream SaaS, privileged tools, VPNs, and internal systems. That gap produces orphan accounts and audit exposure because accountability ends before technical access does. The implication is clear: lifecycle governance must follow the identity across every connected control plane.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For lifecycle programmes that need a deeper control model, see NHI Lifecycle Management Guide.

What this signals

Birthright access is the easiest place to reduce lifecycle variance, but it only works when HR data is authoritative and consistently fed into IAM. Mid-sized programmes that keep joiner access manual tend to absorb exceptions instead of eliminating them, which makes later mover and leaver events harder to govern. For a broader control lens, the NIST Cybersecurity Framework 2.0 remains a useful way to tie lifecycle processes to protect and recover outcomes.

Access review cadence should be treated as a lagging indicator, not a substitute for lifecycle automation. If movers and leavers are corrected only during recertification, the organisation is already carrying preventable exposure. Teams that want to reduce administrative debt should align lifecycle events with enforcement logic, then use review cycles to validate exceptions rather than create them.


For practitioners

  • Define role-based birthright access Map core job families to baseline permissions from the HR source of truth, then provision those entitlements automatically when a joiner event occurs. Keep the default set small enough to audit without manual exception handling.
  • Recalculate entitlements on mover events Trigger access review and entitlement recalculation whenever role, department, manager, or location changes. Remove obsolete privileges as part of the change event rather than waiting for periodic recertification.
  • Automate full leaver deprovisioning Use one termination event to disable accounts, revoke sessions and tokens, and remove access from SaaS, VPN, privileged tools, databases, and shared resources. Verify that downstream systems are included, not just the primary directory.
  • Establish a single identity source of truth Synchronise HR and IAM records so joiner, mover, and leaver events originate from one authoritative record. That reduces manual rework, makes audit trails consistent, and prevents lifecycle decisions from being made in isolated app consoles.

Key takeaways

  • Manual Joiner-Mover-Leaver handling creates avoidable risk because access changes outpace human administration in mid-sized environments.
  • The article shows that onboarding delays, permission creep, and orphan accounts are symptoms of fragmented lifecycle governance rather than isolated process mistakes.
  • Practitioners should automate entitlement changes from authoritative identity events so access is added, adjusted, and removed as the business context changes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Lifecycle provisioning depends on controlled identity enrolment and access assignment.
NIST CSF 2.0PR.AC-4Mover events require access changes to stay aligned with current roles and responsibilities.
NIST CSF 2.0PR.AC-5Offboarding must remove access across all systems, not only the primary directory.

Revoke outdated access when roles change and keep entitlements aligned to current business need.


Key terms

  • Joiner-Mover-Leaver: A lifecycle model for managing access as people join, change roles, and leave an organisation. It is used to keep permissions aligned to current business need by linking provisioning, updates, and revocation to identity events rather than manual tickets.
  • Birthright Access: The standard baseline access granted to a new user based on role, department, location, or employment type. It reduces onboarding variance by making first-day permissions predictable, auditable, and tied to authoritative identity data instead of individual manager requests.
  • Orphan Account: An account that remains active after its owner has left or no longer needs it. Orphan accounts are dangerous because they often retain permissions, sessions, or tokens that no longer have a current business owner, creating audit and security exposure.
  • Entitlement Recalculation: The process of re-evaluating access when a user’s role or attributes change so outdated permissions can be removed and new ones assigned. In mature IAM programmes, recalculation prevents access creep by making lifecycle changes enforceable instead of advisory.

What's in the full article

OpenIAM's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step JML workflow examples for joiner, mover, and leaver events in a mid-sized environment
  • Practical onboarding and offboarding flow patterns that connect HR updates to downstream application actions
  • Implementation detail on birthright access, attribute-based updates, and deprovisioning across connected systems
  • OpenIAM's own product framing for automating lifecycle events without manual ticket handling

👉 OpenIAM's full article expands the onboarding, mover, and offboarding workflow details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org