By NHI Mgmt Group Editorial Team | Published 2026-06-12 | Domain: Governance & Risk | Source: Zluri

TL;DR: Most organisations manage only onboarding and offboarding, while roughly 30 of the 32-plus access-impacting events in a typical five-year employee journey are handled through tickets and memory, according to Zluri. That gap turns promotions, transfers, temporary elevations, and project work into privilege creep and audit exposure.


At a glance

What this is: An analysis of user lifecycle management showing that most access changes happen between onboarding and offboarding, yet remain unmanaged.

Why it matters: IAM programmes that stop at joiner and leaver events leave the largest share of access change, and therefore of risk, outside governance across human, NHI, and autonomous identity models.

By the numbers:

  • 32-plus access-impacting events in a typical five-year employee journey, of which roughly 30 are handled through tickets and memory rather than a governed workflow, according to Zluri.
  • One worker's access footprint growing from 20 to 62 apps over those five years, the article's illustration of how ordinary role change compounds into standing privilege.
👉 Read Zluri's analysis of the 30 unmanaged events in user lifecycle management


Context

User lifecycle management is the discipline of keeping access aligned to role changes across the full employee journey, not just at hire and exit. In practice, most programmes still treat access as a binary state: on at start, off at departure. That leaves promotions, team transfers, project assignments, manager changes, leave events, and temporary elevations outside systematic control.

The article argues that this middle period is where privilege creep accumulates. For IAM, IGA, and PAM teams, the operational question is whether HR-driven changes trigger access reconfiguration quickly enough to preserve least privilege as people move across roles, responsibilities, and approval chains.


Key questions

Q: How should security teams automate access changes when employees change roles?

A: Security teams should trigger access workflows from authoritative HR changes, then use role-specific playbooks to add, remove, and adjust entitlements. The key is to base decisions on the delta between old and new states, not on manual tickets. That keeps access aligned to current responsibility instead of historical accumulation.

Q: Why do joiner and leaver processes leave so much access risk behind?

A: Because most access changes happen between those events. Promotions, transfers, temporary elevations, project assignments, and manager changes all alter what access is appropriate, but many organisations treat them as exceptions. The result is accumulated privilege creep and stale access that survives long after the role has changed.

Q: What breaks when temporary access is not automatically revoked?

A: Temporary access becomes standing privilege. If elevation has no hard expiry, the organisation depends on memory and follow-up to clean it up, which usually fails. That means incident access, project access, and on-call access can remain usable months after the original reason has ended.

Q: Who should own lifecycle cleanup for access changes?

A: Ownership should sit with the identity governance process that receives the lifecycle event, usually from HR as the source of truth. IAM, IGA, and PAM teams need clear accountability for the remove step, because adding access without removal creates unbounded entitlement growth.


Technical breakdown

Why joiner and leaver workflows miss most access change

Joiner and leaver workflows are simple because they map to clear external events. The problem is that employee identity is not static between those two points. Promotions, team moves, project assignments, on-call rotations, parental leave, and manager changes all alter the access set a person should hold. When those events are handled as ad hoc tickets, the organisation loses deterministic control over what should be added, removed, or adjusted. That turns lifecycle management into a backlog problem instead of an identity governance process. The deeper failure is that access state is treated as durable when it is actually continuously changing.

Practical implication: Map every access-impacting HR event to an explicit lifecycle rule, not a ticket queue.

How HR-triggered automation should recompose access

The article’s automation model depends on HR as the authoritative source of change. A department transfer or promotion should trigger a comparison between the current record and the new state, then route to a specific playbook that adds, removes, and adjusts permissions. This is not just provisioning at scale. It is conditional entitlement recomposition based on role delta. The technical requirement is a reliable sync, a field-change detector, and playbooks that are complete enough to reverse old access as deliberately as they grant new access. Without that, automation simply speeds up privilege accumulation.

Practical implication: Build lifecycle workflows that subtract stale access as explicitly as they add new access.
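The delta-driven recomposition described above, as an added example that is not Zluri's or NHIMG's code: two HR record snapshots are compared, the changed access-impacting fields fire the workflow, and the playbook is computed as add, remove and adjust sets against the entitlements the new state justifies. The HR field names, the role catalogue, the app names and the sample records are constructed for illustration. `additive_only` is the anti-pattern the paragraph warns about, and `verify` is the post-change check the analysis later calls for.

```python
# Added example (not Zluri's or NHIMG's code): recompose a worker's entitlements
# from the delta between two HR record snapshots. The HR field names, the
# role-to-entitlement catalogue and the sample records are constructed for
# illustration; they are not taken from the article.
from __future__ import annotations

from dataclasses import dataclass

# HR attributes whose change should fire a lifecycle workflow (constructed list).
ACCESS_IMPACTING_FIELDS = frozenset({
    "department", "team", "manager", "title", "location",
    "employment_type", "status", "contract_end",
})

# Hypothetical role catalogue: (department, team) -> set of (app, permission level).
ROLE_ENTITLEMENTS = {
    ("engineering", "backend"): {("github", "write"), ("aws", "developer"), ("jira", "user")},
    ("engineering", "sre"): {("github", "write"), ("aws", "admin"),
                             ("pagerduty", "responder"), ("jira", "user")},
    ("finance", "fp&a"): {("netsuite", "analyst"), ("jira", "user")},
}
# Every active worker gets these regardless of role (constructed).
BASELINE = {("okta", "user"), ("slack", "user"), ("gsuite", "user")}

Entitlement = tuple[str, str]  # (app, permission level)


def detect_role_delta(old: dict, new: dict) -> set[str]:
    """Field-change detector: which access-impacting HR fields differ between snapshots."""
    return {f for f in ACCESS_IMPACTING_FIELDS if old.get(f) != new.get(f)}


def desired_entitlements(record: dict) -> set[Entitlement]:
    """Entitlements the worker should hold, derived only from the current HR state.

    Anything outside the active role is absent from the desired set, so a leaver
    or a suspended worker resolves to no access at all.
    """
    if record.get("status") != "active":
        return set()
    role = (record.get("department"), record.get("team"))
    return BASELINE | ROLE_ENTITLEMENTS.get(role, set())


@dataclass(frozen=True)
class Playbook:
    add: frozenset[Entitlement]
    remove: frozenset[Entitlement]
    adjust: frozenset[tuple[str, str, str]]  # (app, old level, new level)


def recompose(current: set[Entitlement], record: dict) -> Playbook:
    """Conditional entitlement recomposition: diff held access against the desired state."""
    desired = desired_entitlements(record)
    cur_level = dict(current)    # app -> level currently held
    want_level = dict(desired)   # app -> level the new state requires
    adjust = frozenset(
        (app, cur_level[app], want_level[app])
        for app in cur_level.keys() & want_level.keys()
        if cur_level[app] != want_level[app]
    )
    adjusted = {app for app, _, _ in adjust}
    add = frozenset(e for e in desired - current if e[0] not in adjusted)
    remove = frozenset(e for e in current - desired if e[0] not in adjusted)
    return Playbook(add, remove, adjust)


def apply_playbook(current: set[Entitlement], pb: Playbook) -> set[Entitlement]:
    """Execute the playbook; the subtract step is as explicit as the grant step."""
    result = set(current) - pb.remove - {(app, old) for app, old, _ in pb.adjust}
    return result | pb.add | {(app, new) for app, _, new in pb.adjust}


def verify(current: set[Entitlement], record: dict) -> set[Entitlement]:
    """Post-change verification: entitlements still held that the HR state does not justify."""
    return set(current) - desired_entitlements(record)


def additive_only(current: set[Entitlement], record: dict) -> set[Entitlement]:
    """The anti-pattern the article warns about: grant the new role, never subtract the old."""
    return set(current) | desired_entitlements(record)


if __name__ == "__main__":
    old = {"department": "engineering", "team": "backend", "title": "Engineer II",
           "manager": "mgr-a", "status": "active"}                      # constructed record
    new = {**old, "team": "sre", "title": "Senior SRE", "manager": "mgr-b"}
    held = desired_entitlements(old)
    if detect_role_delta(old, new):  # only the source-of-truth delta triggers work
        pb = recompose(held, new)
        after = apply_playbook(held, pb)
        print("add:", sorted(pb.add), "remove:", sorted(pb.remove), "adjust:", sorted(pb.adjust))
        print("stale after recompose:", verify(after, new))
        print("stale after additive-only flow:", verify(additive_only(held, new), new))
```

Running the module prints the playbook for a backend-to-SRE promotion. The recomposed state verifies clean, while the additive flow leaves the old aws developer entitlement standing beside the new admin one, which is the accumulation the paragraph describes. A transfer to finance produces explicit removals for github and aws, and a status change to anything other than active removes everything.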

Why temporary access becomes standing privilege

Temporary elevation is supposed to expire by design, but the article shows that without a hard auto-revoke mechanism it becomes permanent by default. The technical issue is not the original grant, but the absence of an enforcement point that removes access when the purpose ends. The same pattern appears with OAuth sessions, API keys, and shared credentials, which can outlive SSO deactivation. That means offboarding must evaluate each credential path independently, not assume central sign-out equals full revocation. In identity terms, one control plane does not own the entire access surface.

Practical implication: Treat each credential type as a separate revocation path during offboarding and temporary elevation expiry.



NHI Mgmt Group analysis

The 30-event middle is the real lifecycle governance gap. The article is right to reframe user lifecycle management away from the joiner and leaver bookends. Most entitlement drift happens during ordinary business change, when organisations are least disciplined about access cleanup. Lifecycle governance therefore succeeds or fails as a continuous process, not as a one-time provisioning task. Practitioners should measure the unmanaged middle, not the number of onboarding checklists.

Privilege creep is the operating symptom of unmanaged role change. The access count rising from 20 to 62 apps over five years shows how quickly normal work compounds into standing privilege. This is not an edge case, and it is not limited to one tool class. It is the predictable outcome of role transitions that add access faster than they remove it. The practitioner implication is that entitlement review must be tied to lifecycle state transitions, not annual audit cycles.

Cleanup is the most neglected control in user lifecycle management. The article makes clear that removal logic is weaker than addition logic across promotions, transfers, and temporary access. That creates the hidden risk: access that should have expired remains available because no process owns the subtraction step. This is where governance assumptions fail, because teams assume old access disappears when new access is granted. It does not. Practitioners need to treat cleanup as a first-class lifecycle event.

Identity governance has to become event-driven, not ticket-driven. HR is the authoritative source for role change, but most environments still route access impacts through human memory and Slack threads. That model cannot keep pace with 32-plus lifecycle events per employee. The broader lesson for IAM and IGA teams is that lifecycle governance only works when access decisions are triggered by source-of-truth changes and verified after execution.

Lifecycle drift: access accumulated by business change rather than by formal approval. That is the concept this article sharpens. It describes a programme where access is not intentionally over-granted in one moment, but gradually becomes misaligned through promotions, transfers, project work, and temporary elevations. Practitioners should use that frame when assessing why audits, removals, and least-privilege programmes keep losing ground.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For lifecycle governance depth, review NHI Lifecycle Management Guide for provisioning, rotation, offboarding, and visibility patterns.

What this signals

The biggest programme risk is not missing the start and end of employment. It is allowing access to drift silently through role change, project work, and temporary elevations until least privilege becomes a retrospective exercise rather than an operational control. Teams that still depend on tickets are measuring requests, not governance.

Lifecycle drift: once access changes become informal, the control surface expands faster than the review process can see it. That is why organisations need source-of-truth triggers, verification after change, and lifecycle ownership for removals as well as grants. For a broader baseline on the access problem, the Ultimate Guide to NHIs shows how excessive privilege and poor rotation combine into durable exposure.

For identity leaders, the signal is clear: if access changes are not event-driven, the programme will remain reactive no matter how mature the policy language looks on paper. The same governance discipline that now applies to NHIs and workload identity will increasingly be expected of human lifecycle processes as organisations unify identity control across all actor types.


For practitioners

  • Instrument every HR field that changes access. Trigger lifecycle workflows from department, team, manager, title, location, employment type, status, and contract-date changes. Do not wait for employees to submit requests when the source system already knows the role delta.
  • Separate access-add, access-remove, and access-adjust logic. Design different playbooks for promotions, transfers, leave, and on-call elevation so old entitlements are explicitly removed when the new state is applied. A single provisioning flow will not stop privilege creep.
  • Verify that deprovisioning actually worked. After each lifecycle change, confirm that old tools, groups, and elevated permissions are no longer usable. Record the verification result so failed removals are visible before audit time.
  • Treat temporary elevation as an expiring state. Set a hard expiry at grant time for emergency or project-based access, then revoke it automatically when the business purpose ends. Temporary access that relies on manual cleanup becomes standing privilege.
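The hard-expiry and per-credential-path revocation pattern from the technical breakdown above, together with the verification and expiring-state items in this list, as one added example that is not Zluri's or NHIMG's code. The credential path names, the in-memory CredentialStore, the eight-hour ceiling and the sample grant are constructed for illustration; in a real estate each path is a different system's revocation API. `sso_only_revoke` is the anti-pattern in which central sign-out is assumed to equal full revocation.

```python
# Added example (not Zluri's or NHIMG's code): temporary elevation with a hard
# expiry, plus revocation that treats every credential path as its own enforcement
# point and verifies each one. The credential path names, the store, the TTL
# ceiling and the sample grant are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Each path can carry the same entitlement independently of the others (constructed list).
CREDENTIAL_PATHS = ("sso_session", "oauth_refresh_token", "api_key", "shared_credential")
MAX_TTL = timedelta(hours=8)  # hypothetical policy ceiling for a single elevation


@dataclass(frozen=True)
class Grant:
    subject: str
    entitlement: str
    reason: str
    granted_at: datetime
    expires_at: datetime  # not optional: a grant without an expiry cannot be constructed


def grant_temporary(subject: str, entitlement: str, reason: str,
                    now: datetime, ttl: timedelta) -> Grant:
    """Create an elevation whose expiry is fixed at grant time, not left to later cleanup."""
    if ttl <= timedelta(0) or ttl > MAX_TTL:
        raise ValueError(f"ttl must be positive and at most {MAX_TTL}")
    return Grant(subject, entitlement, reason, now, now + ttl)


def expired_grants(grants: list[Grant], now: datetime) -> list[Grant]:
    """Grants whose purpose window has closed, evaluated against a supplied clock."""
    return [g for g in grants if g.expires_at <= now]


class CredentialStore:
    """Toy stand-in for the IdP, token service and secret stores that hold real credentials."""

    def __init__(self) -> None:
        self._live: set[tuple[str, str, str]] = set()  # (subject, entitlement, path)

    def issue(self, subject: str, entitlement: str, path: str) -> None:
        self._live.add((subject, entitlement, path))

    def revoke(self, subject: str, entitlement: str, path: str) -> None:
        self._live.discard((subject, entitlement, path))

    def usable_paths(self, subject: str, entitlement: str) -> set[str]:
        """Verification probe: which paths would still accept this subject for this entitlement."""
        return {p for s, e, p in self._live if s == subject and e == entitlement}


def revoke_everywhere(store: CredentialStore, subject: str, entitlement: str) -> dict[str, bool]:
    """Revoke on every path, then verify each one; True means the path is confirmed dead."""
    for path in CREDENTIAL_PATHS:
        store.revoke(subject, entitlement, path)
    still_live = store.usable_paths(subject, entitlement)
    return {path: path not in still_live for path in CREDENTIAL_PATHS}


def sso_only_revoke(store: CredentialStore, subject: str, entitlement: str) -> dict[str, bool]:
    """The anti-pattern: central sign-out assumed to equal full revocation."""
    store.revoke(subject, entitlement, "sso_session")
    still_live = store.usable_paths(subject, entitlement)
    return {path: path not in still_live for path in CREDENTIAL_PATHS}


def sweep_expired(grants: list[Grant], store: CredentialStore,
                  now: datetime) -> tuple[list[Grant], list[tuple[Grant, dict[str, bool]]]]:
    """Auto-revoke enforcement point: revoke expired grants on every path and keep the verification."""
    report = [(g, revoke_everywhere(store, g.subject, g.entitlement))
              for g in expired_grants(grants, now)]
    remaining = [g for g in grants if g.expires_at > now]
    return remaining, report


if __name__ == "__main__":
    clock = datetime(2026, 6, 12, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    g = grant_temporary("alice", "aws:admin", "incident bridge (constructed)",
                        clock, timedelta(hours=4))
    store = CredentialStore()
    for path in ("sso_session", "oauth_refresh_token", "api_key"):
        store.issue(g.subject, g.entitlement, path)
    print("SSO-only deactivation:", sso_only_revoke(store, g.subject, g.entitlement))
    remaining, report = sweep_expired([g], store, clock + timedelta(hours=5))
    print("after expiry sweep:", report[0][1], "remaining grants:", len(remaining))
```

The SSO-only step reports the session dead but the refresh token and API key still usable, which is the offboarding gap the breakdown describes. The sweep an hour after expiry revokes the remaining paths and returns a per-path verification record that can be stored for audit; a grant with no TTL or a TTL above the ceiling is rejected at creation rather than cleaned up later.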

Key takeaways

  • Most organisations are managing only a small fraction of the access changes that happen during a worker's tenure, which makes privilege creep a built-in outcome rather than an exception.
  • The evidence shows that unmanaged role changes, not onboarding, are where access accumulates fastest and where cleanup logic fails most often.
  • Identity teams should anchor lifecycle governance to HR-driven events, explicit removal logic, and post-change verification if they want least privilege to survive real business change.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Lifecycle drift and stale access map to offboarding and rotation weaknesses.
NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations must be managed and reviewed so they remain appropriate as roles change over time.
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Continuous verification supports least privilege across lifecycle events.

Use role-change triggers and post-change verification to keep access aligned to job function.


Key terms

  • User lifecycle management: The process of keeping a person's access aligned to their current role, responsibilities, and employment state from pre-hire through offboarding. In mature programmes, it is event-driven, source-of-truth led, and verified after each change, rather than handled as a pair of joiner and leaver checklists.
  • Privilege creep: The gradual accumulation of access beyond what the current role requires. It usually happens in small increments through transfers, projects, temporary elevations, and incomplete cleanup, which makes it easy to miss until audit, incident response, or a role review exposes the excess.
  • Temporary elevation: A time-limited increase in access granted for a specific purpose such as incident response, on-call work, or project support. The control only works when the elevation has a hard expiry and a reliable revocation path, otherwise the access becomes standing privilege after the original need ends.
  • Source of truth: The authoritative system whose data should trigger identity and access decisions. For user lifecycle management, that is usually HR, because role, department, manager, status, and contract changes originate there and can be used to drive consistent entitlement updates across the stack.

Deepen your knowledge

NHI governance, identity lifecycle management, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: User Lifecycle Management: The 30 Events Nobody Manages And How to Automate Them. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org