By NHI Mgmt Group Editorial TeamPublished 2025-08-21Domain: Governance & RiskSource: Lumos

TL;DR: Slow onboarding and incomplete offboarding still create productivity drag, security exposure, and audit pain because many teams rely on tickets, siloed systems, and manual approvals, according to Lumos. Fast lifecycle management is no longer just an IT convenience; it is a control point for least privilege, revocation, and compliance.


At a glance

What this is: This is a vendor analysis of how automated onboarding and offboarding can reduce lifecycle friction while tightening access control and auditability.

Why it matters: For IAM and security teams, it shows why lifecycle governance must connect HR events, access provisioning, and revocation across human, NHI, and autonomous programmes.

By the numbers:

👉 Read Lumos's blog on accelerating onboarding and offboarding


Context

Identity lifecycle management is the discipline of joining, moving, and leaving access in a way that matches how work actually changes. In practice, the problem is not authentication alone, but the gap between HR events, app ownership, and revocation across human users and non-human identities.

This article focuses on a familiar governance failure: access is still being provisioned and removed through tickets, email chains, and disconnected systems. That model struggles because it cannot reliably prove who should get access, who owns the app, or when revocation has actually completed.


Key questions

Q: How should teams reduce onboarding delays without weakening access control?

A: Teams should use event-driven onboarding tied to HR and identity sources, then separate birthright access from exception-based requests. That lets routine access move automatically while app owners handle higher-risk entitlements through explicit policy. The goal is faster access with clearer accountability, not fewer controls.

Q: Why do offboarding failures create such persistent security risk?

A: Offboarding failures persist because revocation is often partial. If access is removed in the directory but not in connected apps, licenses, tokens, or delegated entitlements, the leaver still retains usable access. The risk is strongest when no one can prove that completion happened everywhere it needed to happen.

Q: What do security teams get wrong about self-service access requests?

A: They often treat self-service as a UX feature instead of a governance control. Self-service only works when roles, approvers, and pre-approved policies are clearly defined. Without those boundaries, the process just moves request volume away from IT and into a less visible approval chain.

Q: How should organisations apply lifecycle governance to service accounts and AI agents?

A: They should apply the same joiner-mover-leaver discipline used for employees, but with actor-specific controls for creation, ownership, rotation, delegation, and revocation. Service accounts and AI agents do not leave through resignation, so offboarding must be event-based, explicit, and traceable across the systems they can access.


Technical breakdown

Why manual joiner-mover-leaver workflows break at scale

Manual onboarding and offboarding depend on people interpreting requests, routing approvals, and chasing completion across multiple systems. That creates delay, weak accountability, and inconsistent enforcement of least privilege. The real failure is not just inefficiency. It is that lifecycle decisions become detached from authoritative identity signals such as HR status, app ownership, and access history. When those signals sit in separate tools, every joiner and leaver becomes a handoff problem instead of a governed event. Practical implication: replace ticket-centric lifecycle handling with event-driven workflows tied to HR and identity sources.

Practical implication: replace ticket-centric lifecycle handling with event-driven workflows tied to HR and identity sources.

How app ownership and self-service change provisioning control

Self-service access requests can reduce IT bottlenecks, but only if approval paths and policy boundaries are explicit. The architectural shift is from IT as universal gatekeeper to app owners and policy engines deciding what is birthright access, what needs approval, and what can be granted instantly. AI-driven role recommendations add another layer by suggesting bundles from usage and historical patterns, but they still require governance over role design and exception handling. Practical implication: define ownership, pre-approval policy, and exception review before scaling self-service access.

Practical implication: define ownership, pre-approval policy, and exception review before scaling self-service access.

Why revocation evidence matters more than revocation intent

Offboarding is only complete when access has been removed from the directory, connected applications, and any lingering entitlements or licenses. A checklist is not enough unless it produces evidence of completion, including timestamps, task closure, and revocation confirmation. This matters because orphaned accounts and stale access are often created by partial deprovisioning, not by a single missed action. Auditability therefore depends on traceable completion data, not policy language. Practical implication: require revocation logs and closure evidence for every leaver workflow.

Practical implication: require revocation logs and closure evidence for every leaver workflow.


NHI Mgmt Group analysis

Identity lifecycle remains a control problem, not a workflow problem. The article correctly shows that onboarding and offboarding fail when organisations treat them as ticket queues rather than governance events. The deeper issue is that access authority, app ownership, and HR status are often not bound tightly enough to produce reliable joiner and leaver decisions. Practitioners should treat lifecycle as an access-control boundary, not an administrative convenience.

Lifecycle governance is the same discipline for humans, NHIs, and autonomous actors, but the failure modes differ. Human onboarding uses approvals and HR triggers, while service accounts and AI agents require equivalent lifecycle logic for creation, delegation, rotation, and revocation. The article is strongest where it implies that access should begin and end with a governed event, because that is exactly where NHIs and agents most often drift into unmanaged standing privilege. Practitioners should align lifecycle controls to actor type instead of assuming one process fits all.

Standing access is the hidden assumption this model breaks. Access review processes were designed for identities whose privileges persist long enough to be observed and certified. That assumption fails when lifecycle handling is fragmented, because stale access can outlive employment changes, ownership changes, or even the need for the account itself. The implication is that governance must stop assuming access will still be visible when the review cycle arrives.

Role recommendations create a new governance obligation, not just a usability improvement. When access is suggested automatically from team, usage, or historical patterns, the programme is no longer only provisioning access. It is also encoding policy about what similar users are allowed to receive. That makes role design, exception review, and overprovisioning control part of the same governance chain. Practitioners should treat recommendation logic as a policy surface, not a convenience feature.

Lifecycle opacity: The real risk is not a missing workflow step, but the inability to prove that revocation completed across all connected systems. The article points to audit trails and task closure as evidence, which is where mature identity governance actually lives. When completion is not visible, neither compliance nor security can distinguish a delayed task from a revoked entitlement. Practitioners should prioritise evidence of completion over the existence of a checklist.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • For a deeper control lens, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns.

What this signals

Lifecycle governance is expanding from human employees to every credential-bearing actor. As organisations automate more access decisions, the same joiner-mover-leaver logic now has to cover service accounts, workload identities, and AI agents. That shift makes lifecycle evidence a programme-level requirement, not an HR operations detail. Teams that cannot prove revocation completion will struggle to demonstrate control maturity across identity domains.

The next maturity step is not more request volume handling, but better lifecycle segmentation. Birthright access, app-owner exceptions, and high-risk entitlements should be managed as separate paths with separate evidence requirements, and the strongest programmes will tie those paths back to the NIST Cybersecurity Framework 2.0 functions for governance, protection, and recovery.


For practitioners

  • Connect lifecycle events to authoritative identity sources Trigger joiner and leaver actions from HRIS and identity provider events so provisioning and deprovisioning start from one governed record.
  • Separate birthright access from exception access Define which apps are provisioned automatically, which require app-owner approval, and which need policy exceptions with documented review.
  • Require closure evidence for every leaver Capture task completion timestamps, revocation confirmations, and app-owner responses so offboarding is auditable across directory and application layers.
  • Review lifecycle coverage for non-human accounts Apply the same joiner-mover-leaver discipline to service accounts, API keys, and AI agents that you apply to employees, with explicit ownership and revocation paths.

Key takeaways

  • Onboarding and offboarding become security controls when they are tied to authoritative identity events rather than manual tickets.
  • Incomplete revocation is the dominant lifecycle failure mode because access often remains active in connected applications after directory changes.
  • Lifecycle governance should cover humans, NHIs, and AI agents with actor-specific ownership, approval, and evidence requirements.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Relevant to lifecycle handling for non-human credentials and revocation gaps.
NIST CSF 2.0PR.AC-1Identity and access control coverage is central to lifecycle governance.
NIST Zero Trust (SP 800-207)PR.AC-4Least privilege and continuous access validation align with lifecycle enforcement.

Map NHI creation and revocation to NHI-03 and remove standing credentials from leaver workflows.


Key terms

  • Identity Lifecycle Management: Identity lifecycle management is the process of creating, changing, reviewing, and removing access as people or systems join, move, or leave an organisation. It becomes a governance control when those events are tied to authoritative sources, complete revocation evidence, and clear ownership across all identity types.
  • Birthright Access: Birthright access is the baseline set of permissions granted automatically when an identity is created or joined. In a mature programme, it is tightly scoped, policy-driven, and limited to what is required for the initial role, with higher-risk access handled through separate approval paths.
  • Orphaned Account: An orphaned account is an identity or entitlement that remains active after its owner has left, changed roles, or lost business need. It is a lifecycle failure because the account still exists without current accountability, creating exposure in applications, directories, and connected services.
  • Revocation Evidence: Revocation evidence is the record that access removal actually completed across the systems where the identity was active. It includes timestamps, task closure, and confirmation from connected applications, and it is what lets security and compliance prove that offboarding was more than an intent.

What's in the full article

Lumos's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step workflow logic for provisioning and deprovisioning across HRIS, IdP, and SaaS integrations
  • Examples of self-service request routing and app-owner approval paths in the platform
  • Operational detail on AI-driven role recommendations and how the vendor positions access bundles
  • Audit trail handling for offboarding tasks, task reminders, and revocation confirmation

👉 The full Lumos post covers workflow automation, self-service access, and offboarding evidence handling.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org