TL;DR: Joiner, mover, and leaver processes determine whether identities receive the right access at the right time, and Delinea argues that manual handoffs, privilege drift, and delayed deprovisioning create avoidable security and compliance risk. The operational lesson is that lifecycle governance is an access control problem, not an administrative afterthought.
At a glance
What this is: This is a lifecycle-governance article arguing that joiner, mover, and leaver management is the core mechanism for keeping identity access aligned to role, risk, and business need.
Why it matters: It matters because weak lifecycle control creates overprovisioning, orphaned access, and audit exposure across human, NHI, and delegated access programmes.
By the numbers:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Context
Joiner, mover, and leaver management is the practical backbone of identity governance because access is not static. As roles change, projects end, and relationships close, provisioning and deprovisioning have to track the identity lifecycle rather than the original approval moment. For teams responsible for IAM, IGA, PAM, and NHI governance, the real question is whether access still matches the current business need.
The article’s core point is that lifecycle failures create privilege drift, orphaned accounts, and delayed revocation across people, contractors, and machine identities. That is why lifecycle management matters across human identity, Non-Human Identity, and delegated access flows. The NHI Lifecycle Management Guide is the right companion resource when the discussion shifts from principle to operational control.
Key questions
Q: How should organisations implement JML workflows for human and machine identities?
A: They should use the same governance model for both, but not the same technical mechanics. Human identities usually start with HR-driven joiner events and manager-led mover reviews, while machine identities need ownership, expiry, and automated revocation tied to workload or service context. The key is to make access change with identity state, not with ticket closure.
Q: Why do mover events create so much identity risk?
A: Mover events are high risk because they change what access an identity should have without necessarily removing what it already has. If old permissions remain in place, the organisation accumulates privilege drift and access creep. That creates unnecessary exposure, weakens least privilege, and makes audit outcomes depend on manual cleanup.
Q: What breaks when offboarding does not remove all access?
A: Residual access continues to exist after the relationship ends, which means the organisation still trusts an identity that no longer has an owner or business need. That creates orphaned accounts, insider-risk exposure, and compliance failure. The failure is not the exit event itself. The failure is incomplete deprovisioning across all systems.
Q: Who should own joiner, mover, and leaver governance?
A: Ownership usually sits with identity, IT security, or IGA teams, but it must be coordinated with HR, managers, and application owners. HR supplies authoritative lifecycle triggers, managers validate business need, and identity teams enforce provisioning and revocation. Without that shared ownership, lifecycle controls become inconsistent and easy to bypass.
Technical breakdown
Joiner provisioning and birthright access
Joiner processing is the first control point in the lifecycle because it determines whether a new identity starts with appropriate baseline access or inherits excess permissions. In practice, that means translating HR or source-system attributes into policy-driven access decisions, often through RBAC, ABAC, or birthright access rules. Manual ticket-based provisioning introduces error, delay, and copy-forward risk, especially when teams guess access from similar users instead of role requirements. The technical issue is not speed alone. It is whether the provisioning workflow can consistently create identities with least privilege from day one.
Practical implication: connect HR-triggered onboarding to policy-based access assignment so birthright access is granted once and governed consistently.
Mover changes and privilege drift
Mover events are where lifecycle governance usually breaks down because access change is easier to request than to fully reconcile. A promotion, transfer, or temporary project assignment can leave old permissions in place unless the system is designed to remove them as aggressively as it adds new ones. That is how privilege drift and access creep accumulate. The architecture problem is multi-system consistency: directory updates, SaaS entitlements, and application-specific permissions do not always change together. If role changes are only partially propagated, the identity keeps historical access that no longer reflects job function.
Practical implication: make role-change workflows remove obsolete entitlements as explicitly as they grant new ones.
Leaver offboarding and orphaned accounts
Leaver handling is the most security-sensitive lifecycle stage because expired or forgotten access becomes residual authority. Proper offboarding must cascade across directory accounts, SSO, direct SaaS logins, and application-specific access so that the identity cannot continue to authenticate anywhere it should not. The technical failure mode is inconsistent deprovisioning, which creates orphaned or zombie accounts. Those accounts often persist because the workflow depends on manual handoffs or because teams assume dormant access is harmless. In identity systems, unused access is still active trust, and active trust is still attack surface.
Practical implication: automate deprovisioning across all connected systems so leaver access is removed everywhere, not just in the directory.
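The three stages above reduce to one control: compute the access an identity should hold from its current lifecycle state and role, then diff that against what each connected system actually holds. The following is an added example in Python, not code from Delinea or NHI Mgmt Group, of such a desired-state reconciliation. The `ROLE_POLICY` table, the `SYSTEMS` list, the `Identity` record shape and every identity below are constructed for illustration; in practice the identity records would come from the HR or ownership source of truth and the current entitlements from each system's own API. It goes slightly beyond the human cases in the text by treating an expired or ownerless machine identity as a leaver, and by failing closed when the role is not in the policy.

```python
"""Desired-state reconciliation for joiner, mover and leaver events.

Added example, not code from Delinea or NHI Mgmt Group. ROLE_POLICY, SYSTEMS,
the Identity dataclass and all identity records below are constructed sample
data; in production the identity records come from the HR or ownership source
of truth and the current entitlements from each connected system's API.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed policy: entitlements each role may hold, per connected system.
# Whatever a role lists here is its birthright access; nothing else is granted.
ROLE_POLICY: dict[str, dict[str, set[str]]] = {
    "engineer": {"directory": {"user"}, "github": {"repo:read", "repo:write"}, "aws": {"dev-readonly"}},
    "finance": {"directory": {"user"}, "erp": {"ledger:read"}},
    "ci-runner": {"github": {"repo:read"}, "aws": {"deploy-role"}},  # a machine role
}

# Every system that can accept the identity's credentials. Leaver runs walk
# this whole list, so direct SaaS logins are revoked, not just the directory.
SYSTEMS = ("directory", "sso", "github", "aws", "erp")


@dataclass
class Identity:
    uid: str
    kind: str                  # "human" or "machine"
    status: str                # "active" or "left", from the source of truth
    role: str | None
    owner: str | None = None   # machine identities must name an accountable owner
    expires: date | None = None


def effective_status(ident: Identity, today: date) -> str:
    """Lifecycle state that should govern access, not just the HR flag.

    A machine identity past its expiry or without an owner is treated as a
    leaver so it is deprovisioned by the same path as a departed employee.
    """
    if ident.status == "left":
        return "leaver"
    if ident.expires is not None and ident.expires < today:
        return "leaver"
    if ident.kind == "machine" and not ident.owner:
        return "leaver"
    return "active"


def desired_entitlements(ident: Identity, today: date) -> dict[str, set[str]] | None:
    """Entitlements the identity should hold now.

    Returns {} for a leaver (remove everything) and None when the source data
    cannot drive a decision (unknown role): fail closed rather than guess.
    """
    if effective_status(ident, today) == "leaver":
        return {}
    if ident.role not in ROLE_POLICY:
        return None
    return {system: set(perms) for system, perms in ROLE_POLICY[ident.role].items()}


def reconcile(ident: Identity, current: dict[str, set[str]], today: date) -> dict:
    """Diff current entitlements against desired state.

    Revokes are computed with the same rigour as grants, which is what stops
    mover events from leaving historical access behind.
    """
    desired = desired_entitlements(ident, today)
    if desired is None:
        return {"uid": ident.uid, "grant": [], "revoke": [],
                "flag": "unknown role in source of truth; nothing granted"}
    grant, revoke = [], []
    for system in SYSTEMS:                       # fixed order keeps output auditable
        have = current.get(system, set())
        want = desired.get(system, set())
        grant += [(system, p) for p in sorted(want - have)]
        revoke += [(system, p) for p in sorted(have - want)]
    return {"uid": ident.uid, "grant": grant, "revoke": revoke, "flag": None}


if __name__ == "__main__":
    today = date(2025, 7, 15)  # constructed run date
    # Mover: engineer transferred to finance; the old repo and AWS access must go.
    mover = Identity("u-mover", "human", "active", "finance")
    print(reconcile(mover, {"directory": {"user"}, "github": {"repo:read", "repo:write"},
                            "aws": {"dev-readonly"}}, today))
    # Leaver who still holds a direct SSO app assignment outside the directory.
    leaver = Identity("u-leaver", "human", "left", "engineer")
    print(reconcile(leaver, {"directory": {"user"}, "sso": {"app:salesforce"}}, today))
```

Two design choices carry the article's point. The leaver path produces a revoke for every entitlement found in any listed system, including ones the role policy never mentioned, so a stray direct SaaS login surfaces rather than surviving a directory-only disablement. And an unknown role yields a flag with no grants, which is how the source-of-truth quality problem raised later in this post becomes a hard control instead of a guess.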
NHI Mgmt Group analysis
JML is not an HR workflow. It is an access-control control plane. The article correctly frames identity lifecycle as the backbone of identity security because joiner, mover, and leaver events are the moments when access should be created, changed, or removed. When those events are handled manually, the control plane fragments across HR, IT, and application owners. The result is not just inefficiency. It is persistent mismatch between identity state and entitlement state, which is a governance failure before it becomes a security incident.
Privilege drift is the named failure mode this article exposes. The mover stage is where organisations quietly accumulate excess access because old entitlements are rarely revoked with the same discipline used to grant new ones. That pattern applies across human users, contractors, and service identities. For NHI governance, the lesson is that lifecycle drift is not an edge case. It is the default outcome when removal is less automated than provisioning.
Orphaned access outlives accountability when leavers are treated as exceptions. The article’s leaver discussion shows why offboarding has to be complete across all connected systems, not just the primary directory. Once an account or token survives the employment or vendor relationship, the organisation inherits a standing trust object with no active owner. That is a governance breakdown that shows up in audit findings, insider-risk exposure, and breach persistence.
Identity lifecycle governance must cover human and machine subjects with the same discipline, but not the same mechanics. The article explicitly includes human or machine joiners, which is the right framing because lifecycle control is universal while identity execution differs by actor type. Human joiners need role-based onboarding, while machine identities need tighter expiry, ownership, and revocation logic. The implication is that lifecycle policy should be unified, but implementation should reflect whether the subject is a person, a service identity, or an automated workload.
Birthright access only works when role data is trustworthy. The article assumes HR records, departmental data, and manager requests can drive correct access decisions. That assumption fails when source attributes are stale, incomplete, or ambiguous, because provisioning becomes a guess rather than a governed entitlement decision. Practitioners should treat source-of-truth quality as a lifecycle control, not just a data issue.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
- For a broader lifecycle lens, review NHI Lifecycle Management Guide and map offboarding gaps to the systems that still trust stale identities.
What this signals
Identity lifecycle discipline is becoming the difference between governed access and inherited risk. As organisations add more contractors, workload identities, and AI-adjacent service accounts, the number of places where joiner, mover, and leaver decisions must be enforced keeps expanding. The practical signal is that IAM programmes need lifecycle logic that reaches beyond the core directory and into every system that can still accept an old credential. For teams looking to tighten the model, the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs is the clearest companion resource.
Privilege creep is no longer a slow-burn issue once identities span people and machines. A lifecycle model that works for employees but not for service accounts leaves a gap where access outlives ownership. That is why the control question is shifting from whether access was approved to whether it was removed everywhere it mattered. The NIST Cybersecurity Framework 2.0 is useful here because it ties identity governance to protect, detect, and respond outcomes rather than treating it as a standalone admin task.
For practitioners
- Automate joiner provisioning from source-system triggers: link HR or authoritative identity records to policy-based provisioning so new identities receive only the access that matches role, department, and identity type. Replace copy-from-peer onboarding with deterministic rules that can be reviewed and audited.
- Make mover workflows remove access as explicitly as they add it: design role-change workflows to revoke obsolete entitlements at the same time new ones are granted. Prioritise SaaS, directory, and application permissions that commonly survive transfers, promotions, and temporary project assignments.
- Automate leaver deprovisioning across every connected system: ensure offboarding cascades through SSO, directory accounts, direct SaaS logins, and application-level permissions. Do not rely on a single disablement event if other systems still accept the identity’s credentials or tokens.
- Treat contractor expiry as a lifecycle control, not a calendar reminder: use time-bound access policies with explicit end dates and automated revocation so third-party access expires with the business relationship. Include vendors and consultants in the same governance workflow as employees.
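Provisioning discipline is the preventive half; the last two items above also need a detective check that finds credentials and tokens still live after the relationship ended. The following is an added example in Python, not code from Delinea or NHI Mgmt Group, of an audit over a credential inventory. The `Subject` and `Credential` record shapes, the system names, the 90-day lifetime policy and the sample inventory are all constructed; in practice the subjects would come from HR and vendor records and the credentials from each system's token, key or session listing. It also computes the share of leaver credentials still unrevoked, a programme-level metric of the same kind as the offboarding figure quoted in this post.

```python
"""Detective control: credentials that outlive the identity relationship.

Added example, not code from Delinea or NHI Mgmt Group. The Subject and
Credential records, system names and the 90-day lifetime policy below are
constructed; in practice subjects come from HR and vendor records and the
credential inventory from each system's token or key listing.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Subject:
    uid: str
    kind: str                     # "employee", "contractor" or "machine"
    status: str                   # "active" or "left"
    end_date: date | None = None  # contract or vendor relationship end, if any


@dataclass
class Credential:
    cred_id: str
    subject: str                  # uid the credential was issued to
    system: str
    expires: date | None          # None means the credential never expires
    revoked: bool = False


def audit_credentials(subjects, creds, today, max_life=timedelta(days=90)):
    """Return (cred_id, system, reason) for every live credential that should not be.

    Checks run in order of severity: no owner, subject has left, relationship
    past its end date, then lifetime outside policy.
    """
    by_uid = {s.uid: s for s in subjects}
    findings = []
    for c in creds:
        if c.revoked:
            continue
        s = by_uid.get(c.subject)
        if s is None:
            findings.append((c.cred_id, c.system, "no owner in source of truth"))
        elif s.status == "left":
            findings.append((c.cred_id, c.system, f"{s.uid} has left; credential still live"))
        elif s.end_date is not None and s.end_date < today:
            findings.append((c.cred_id, c.system, f"relationship ended {s.end_date.isoformat()}"))
        elif c.expires is None or c.expires - today > max_life:
            findings.append((c.cred_id, c.system, "lifetime exceeds policy"))
    return findings


def leaver_credential_share(subjects, creds) -> float:
    """Fraction of credentials issued to leavers that are still unrevoked; 0.0 is the target."""
    left = {s.uid for s in subjects if s.status == "left"}
    issued = [c for c in creds if c.subject in left]
    if not issued:
        return 0.0
    return sum(1 for c in issued if not c.revoked) / len(issued)


# Constructed sample inventory: one employee, one leaver, one contractor whose
# contract has ended, one machine identity, and one credential with no owner.
SAMPLE_SUBJECTS = [
    Subject("alice", "employee", "active"),
    Subject("bob", "employee", "left"),
    Subject("carol", "contractor", "active", end_date=date(2025, 6, 30)),
    Subject("svc-build", "machine", "active"),
]
SAMPLE_CREDS = [
    Credential("t1", "alice", "github", date(2025, 8, 1)),
    Credential("t2", "bob", "sso", date(2026, 1, 1)),
    Credential("t3", "bob", "github", date(2026, 1, 1), revoked=True),
    Credential("t4", "carol", "erp", None),
    Credential("t5", "svc-build", "aws", None),
    Credential("t6", "ghost", "aws", date(2025, 8, 1)),
]

if __name__ == "__main__":
    today = date(2025, 7, 15)  # constructed run date
    for finding in audit_credentials(SAMPLE_SUBJECTS, SAMPLE_CREDS, today):
        print(finding)
    print(f"leaver credentials still live: {leaver_credential_share(SAMPLE_SUBJECTS, SAMPLE_CREDS):.0%}")
```

Run on the sample inventory, the audit flags the leaver's SSO token, the contractor's non-expiring ERP credential (caught by the end date before the lifetime rule), the machine identity's never-expiring AWS key, and the credential with no owner in the source of truth; the active employee's short-lived token passes. Ordering the checks so that ownership and relationship status are tested before lifetime keeps the reason field pointing at the governance failure rather than the symptom.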
Key takeaways
- Joiner, mover, and leaver governance is the mechanism that keeps access aligned to current business need.
- Manual handoffs create privilege drift, orphaned access, and inconsistent deprovisioning across systems.
- Lifecycle automation matters because an identity that is no longer owned is still a live trust object until every credential is revoked.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Lifecycle access changes must track role and business need. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding and rotation failures leave non-human credentials active. |
| NIST Zero Trust (SP 800-207) | PA | Zero Trust requires continuous entitlement validation across identity changes. |
Treat every lifecycle transition as a re-authorization event and verify access continuously.
Key terms
- Joiner: A joiner is an identity that has just entered the organisation or system and needs initial access provisioned. In lifecycle governance, the joiner stage is where birthright access, policy checks, and role-based assignment establish the baseline for least privilege before work begins.
- Mover: A mover is an identity whose role, responsibilities, or context has changed enough that its access should change too. The mover stage is where privilege drift starts if old permissions are not removed as carefully as new ones are added, creating excess access over time.
- Leaver: A leaver is an identity that has exited the organisation, project, or vendor relationship and should no longer retain active access. In identity governance, leaver handling must revoke credentials, sessions, and entitlements across all connected systems or the organisation keeps trusting a relationship that no longer exists.
- Birthright Access: Birthright access is the minimum baseline access granted automatically when an identity is created. It is useful only when the baseline is tightly tied to role, identity type, and policy, because any over-assignment at this stage becomes the first layer of privilege creep.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Delinea: Managing the identity lifecycle of Joiners, Movers, and Leavers (JML) is the backbone to strong identity security. Read the original.
Published by the NHIMG editorial team on 2025-07-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org