TL;DR: User lifecycle management tools increasingly promise automation across onboarding, role change, and offboarding, but the article shows that the real challenge is controlling access transitions cleanly across SaaS, directory, and HR sources, according to Zluri. Identity governance breaks when provisioning speed outpaces entitlement hygiene and deprovisioning discipline.
At a glance
What this is: This is a comparison of BetterCloud and JumpCloud for user lifecycle management, with the key finding that onboarding, mid-life access changes, and offboarding demand different control strengths.
Why it matters: It matters because lifecycle governance now spans human identity, NHI-adjacent access patterns, and SaaS permissions, so IAM teams need to match tools to control gaps rather than feature lists.
By the numbers:
- BetterCloud can reduce the time required to deprovision an employee from an average of 9 hours to less than 30 minutes.
- BetterCloud offers 900+ actions for onboarding workflows.
- BetterCloud supports 1000+ actions and best practice templates for on-demand workflows.
Context
User lifecycle management is the set of controls that governs onboarding, role transitions, and offboarding across identities and applications. In practice, the hard part is not creating access but ensuring that access changes follow the person, the role, and the system without leaving excess privilege behind. That is why lifecycle tooling sits directly inside IAM, IGA, and SaaS governance.
The article compares two different approaches to that problem: one emphasising workflow automation across SaaS actions, the other emphasising centralised identity and authentication management. For practitioners, the question is not which platform has more features, but which control model best fits the organisation's identity sprawl, approval path, and deprovisioning discipline.
Key questions
Q: How should teams govern user lifecycle management in SaaS environments?
A: Teams should govern lifecycle management by tying onboarding, role changes, and offboarding to authoritative identity data and verified entitlement rules. The goal is not just account creation, but complete access transition control. That means revoking prior access before role changes complete, measuring deprovisioning across every app, and treating exceptions as governance events, not workflow noise.
Q: Why do lifecycle failures create security risk even when onboarding is automated?
A: Automated onboarding reduces manual delay, but it does not guarantee clean revocation or correct entitlement scoping. Risk appears when access is added quickly but removed slowly, inconsistently, or only in the primary directory. That leaves users with residual privileges, which is where misuse, audit failure, and breach exposure typically emerge.
Q: What breaks when offboarding does not reach every application?
A: When offboarding is incomplete, former users can retain active access in SaaS apps, shared groups, and delegated systems after they should be removed. That creates a residual privilege window that attackers, insiders, or simple operational mistakes can exploit. In practice, the organisation has ended employment or role ownership, but not access.
Q: What is the difference between centralised identity management and lifecycle governance?
A: Centralised identity management organises identities in one place, while lifecycle governance ensures those identities gain, change, and lose access at the right time. A central directory can still leave access drift if entitlement removal, app-level revocation, and exception handling are weak. Governance is the control objective; centralisation is only the mechanism.
Technical breakdown
Automated onboarding workflows and entitlement assignment
Automated onboarding works by linking HR or directory changes to predefined actions that create accounts, assign SaaS entitlements, and apply policies when a new user enters the organisation. The technical value is orchestration: one identity event can trigger many downstream tasks without manual ticket handling. The risk is that workflow logic becomes a proxy for governance if role definitions, approval rules, and exception handling are weak. In mature programmes, onboarding should be tied to source-of-truth identity data, not ad hoc request handling.
Practical implication: map onboarding actions to approved role bundles and validate that each trigger is backed by authoritative HR or directory data.
Mid-life access transitions need centralised identity updates
Mid-life transitions are the hardest lifecycle moment because they involve changing access without breaking continuity. A move from one department to another requires removal of old access, assignment of new entitlements, and often a review of shared permissions inherited from groups or app roles. Systems that only create or suspend identities miss this transition layer. Centralised identity management reduces drift by maintaining a single view of the user across directories, SaaS apps, and device contexts, so entitlement changes can be applied consistently.
Practical implication: test whether role change events revoke prior access as reliably as they grant new access.
Offboarding and deprovisioning as the decisive control point
Offboarding is where lifecycle governance becomes a security control rather than an administrative task. The technical problem is revocation latency: once someone leaves, access must be removed across apps, groups, and connected services before residual permissions can be abused. Automation helps, but only if the workflow reaches every relevant system and does not leave shadow entitlements behind. In SaaS-heavy environments, offboarding failures often come from incomplete app inventory, stale group membership, or manual exceptions that were never closed.
Practical implication: measure deprovisioning completion across all connected apps, not just the primary directory.
Threat narrative
Attacker objective: The objective is to preserve usable access after the governance event that should have removed it, creating a residual privilege window for misuse or exposure.
- Entry occurs when an employee account is created with broad default access or when legacy permissions remain attached after a role change.
- Escalation happens when inherited SaaS entitlements, stale groups, or manual exceptions allow the account to retain access beyond its current need.
- Impact appears when departing or moved users can still reach sensitive applications and data because revocation did not complete everywhere.
Breaches seen in the wild
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
- Snowflake breach — Snowflake breach compromised Ticketmaster, Santander and others via cloud credential abuse.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Lifecycle governance is still where identity programmes win or lose the security outcome. The article is not really about two products so much as it is about the control gap between provisioning speed and revocation completeness. When onboarding is fast but offboarding is partial, the programme creates access faster than it can remove it, which is a governance failure rather than a tooling feature gap. Practitioners should treat lifecycle closure as the success condition, not account creation.
Single-identity management becomes the more defensible pattern when role changes are frequent. JumpCloud's emphasis on one identity and one credential set per employee reflects a simpler governance model: fewer identity fragments, fewer handoff points, and fewer places where access can drift. That matters because lifecycle sprawl often appears at the boundaries between HR, directory, SaaS, and device management. The implication is that teams should judge whether their lifecycle architecture reduces identity fragmentation or merely centralises administration.
Automated workflow volume is only useful when the underlying entitlement model is disciplined. BetterCloud's large action set is only meaningful if organisations have already defined which actions belong in an approved lifecycle path and which must be exception-managed. Otherwise automation simply scales inconsistency. In identity governance terms, the real question is whether the workflow engine is enforcing policy or accelerating whatever policy debt already exists.
Offboarding latency is the failure mode that attackers, auditors, and insiders all exploit. The article repeatedly points to revocation after departure, but the deeper issue is that many organisations still treat deprovisioning as an administrative close-out rather than a hard security boundary. That assumption fails when access persists across SaaS apps, groups, and integrated services after the user no longer needs it. Practitioners should read this as a signal to reframe lifecycle closure as a control objective, not a helpdesk task.
NHI lifecycle discipline is the next logical extension of this same problem. Human lifecycle process weaknesses mirror the same failure patterns seen in service accounts, API keys, and tokens: incomplete offboarding, stale entitlement inheritance, and unclear source-of-truth ownership. The governance lesson is that lifecycle controls must be consistent across human and non-human identities if organisations want a real least-privilege boundary. Teams should align human access processes with NHI lifecycle controls rather than running them as separate disciplines.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- For a deeper operational view, NHI Lifecycle Management Guide shows how to structure provisioning, rotation, and offboarding so access does not outlive ownership.
What this signals
Residual access will become the dominant lifecycle signal to watch. As identity stacks span HR, SaaS, and device contexts, the programme risk is no longer just orphaned accounts but incomplete closure across integrated systems. Teams that can prove revocation completion across all apps will outperform those that only measure directory deactivation.
NHI lifecycle discipline and human lifecycle discipline are converging operationally. The same failures that leave former employees with lingering SaaS access also leave service accounts and tokens exposed when ownership changes are not tracked through to revocation. The practical response is a common lifecycle evidence model that spans people, workloads, and delegated access.
Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs, which means most identity teams still cannot see the non-human side of lifecycle drift. That visibility gap is exactly why lifecycle governance should be assessed as an end-to-end control, not as a set of isolated onboarding tasks.
For practitioners
- Validate offboarding completion across every connected app: Track deprovisioning from the directory to each SaaS application, group, and delegated integration so removed users do not retain hidden access. Use completion checks, not task closure, as the control outcome.
- Separate onboarding speed from entitlement approval: Use automated provisioning for low-risk baseline access, but require explicit approval for privileged SaaS roles, shared workspaces, and sensitive applications. Speed should never bypass entitlement review.
- Test role-change revocation before adding new access: When employees move roles, remove prior entitlements first, then grant the new set. This prevents privilege stacking and exposes hidden dependencies in group-based access models.
- Measure lifecycle drift as a governance metric: Report on stale accounts, orphaned permissions, and delayed revocation by application class so IAM and IGA teams can see where lifecycle controls are not closing cleanly.
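The three checks in the Technical breakdown and the practitioner list above (offboarding completion across every app, revoke-before-grant on role change, drift by application class) can be expressed as reconciliation logic over an HR source of truth, approved role bundles, and what each connected app actually reports. The example below is added here and is not code from Zluri, BetterCloud, or JumpCloud; the user, role, app, and entitlement values are constructed sample data.

```python
"""Lifecycle reconciliation: residual access, revoke-before-grant, drift."""
from collections import defaultdict

# Constructed sample data, not from the article. HR is the source of truth.
HR = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "terminated", "role": "engineering"},
    "carol": {"status": "active", "role": "engineering"},
}
# Approved role bundles: role -> {(app, entitlement)}
BUNDLES = {
    "finance":     {("netsuite", "ap_clerk"), ("slack", "member")},
    "engineering": {("github", "developer"), ("slack", "member")},
}
# What each connected app actually reports: app -> user -> {entitlement}
APPS = {
    "slack":    {"alice": {"member"}, "bob": {"member"}, "carol": {"member"}},
    "github":   {"bob": {"developer", "admin"}, "carol": {"developer"}},
    "netsuite": {"alice": {"ap_clerk", "ap_manager"}},
}

def residual_access(hr, apps):
    """Terminated users who still hold entitlements in any connected app.
    Directory deactivation alone would not surface these."""
    out = defaultdict(list)
    for app, users in apps.items():
        for user, ents in users.items():
            if hr.get(user, {}).get("status") == "terminated" and ents:
                out[user].append(app)
    return dict(out)

def role_change(held, old_role, new_role, bundles):
    """Revoke what the old bundle granted and the new one does not keep,
    then grant the new bundle. Leftover = entitlements outside both bundles,
    i.e. manual exceptions that must be reviewed rather than carried over."""
    revoke = held & (bundles[old_role] - bundles[new_role])
    after_revoke = held - revoke
    grant = bundles[new_role] - after_revoke
    leftover = after_revoke - bundles[new_role]
    return revoke, grant, leftover

def drift_by_app(hr, apps, bundles):
    """Active users' entitlements not in their role bundle, counted per app."""
    drift = defaultdict(int)
    for app, users in apps.items():
        for user, ents in users.items():
            rec = hr.get(user)
            if not rec or rec["status"] != "active":
                continue
            allowed = {e for a, e in bundles[rec["role"]] if a == app}
            drift[app] += len(ents - allowed)
    return dict(drift)
```

In the sample data, bob is terminated in HR but still present in Slack and GitHub, and alice's extra `ap_manager` entitlement in NetSuite shows up as drift; a real run would feed the functions from HR and per-app inventory exports.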
Key takeaways
- Lifecycle governance fails when access creation is automated but access removal is incomplete.
- The article shows that onboarding, role change, and offboarding require different controls, not a single workflow philosophy.
- Practitioners should measure revocation completion across every connected app, because directory closure alone does not equal access closure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Lifecycle provisioning and revocation map to access management and identity proofing. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle failures often leave non-human or delegated access active beyond ownership. |
| NIST Zero Trust (SP 800-207) | AC-5 | Least-privilege enforcement depends on removing stale access as roles change. |
Extend lifecycle review and revocation discipline to every identity class with standing access or delegated permissions.
Key terms
- User Lifecycle Management: User lifecycle management is the set of identity controls that govern how access is created, changed, and removed as people move through an organisation. It spans onboarding, role transitions, and offboarding, and it only works when entitlement changes are tied to authoritative identity data and verified revocation steps.
- Offboarding: Offboarding is the controlled removal of access when a user leaves or no longer needs it. In practice, it is a security boundary, not just an HR process, because incomplete revocation leaves residual access that can be abused by insiders, former users, or attackers who inherit stale permissions.
- Entitlement Drift: Entitlement drift is the accumulation of permissions that no longer match a user's current role or ownership. It often appears during role changes, mergers, app sprawl, or manual exceptions, and it becomes dangerous when identity systems create access faster than they remove it.
- Deprovisioning: Deprovisioning is the technical and administrative process of disabling or removing access from an identity across systems and applications. Effective deprovisioning reaches every connected app and group, not only the primary directory, so that access cannot persist after the lifecycle event ends.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Lifecycle Management BetterCloud Vs. JumpCloud: Which ULM Tool To Choose? Read the original.
Published by the NHIMG editorial team on 2025-10-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org