By NHI Mgmt Group Editorial Team | Published 2025-09-12 | Domain: Governance & Risk | Source: Zluri

TL;DR: User lifecycle management remains a weak point because organisations still rely on manual onboarding, mid-lifecycle access changes, and offboarding steps that are slow, error-prone, and easy to miss, according to Zluri. Automated lifecycle workflows reduce operational drag, but the real security value is tighter entitlement control across the full employee journey.


At a glance

What this is: This is a lifecycle management article arguing that onboarding, role changes, and offboarding need automated access workflows to reduce errors and security exposure.

Why it matters: It matters because IAM teams managing human, NHI, and agentic programmes face the same lifecycle failure pattern: access changes lag behind reality, creating avoidable risk.

👉 Read Zluri's guide to solving user lifecycle management with automated workflows


Context

User lifecycle management is the set of processes that grants, changes, and removes access as people move through joiner, mover, and leaver stages. The problem is not the concept itself but the operational gap between identity events and access changes, which leaves manual teams chasing entitlement drift instead of governing it.

For IAM and IGA teams, the core issue is consistency. Onboarding, promotion, and offboarding need to happen as one lifecycle, not as disconnected tickets, because every delay in revocation or privilege adjustment expands the window for misuse, mistakes, and shadow access.

When lifecycle workflows are tied to role-based provisioning and deprovisioning, they become a control plane for both user experience and security. That is why lifecycle design belongs alongside access governance, not as a back-office HR task.


Key questions

Q: What breaks when user lifecycle management is handled manually?

A: Manual lifecycle management breaks when onboarding, role changes, and offboarding are processed as separate tickets instead of one governed flow. Access gets granted late, removed late, or never reconciled across downstream systems. The result is entitlement drift, stale privileges, and a weak audit trail that makes it hard to prove who should still have access.

Q: Why do lifecycle workflows matter for IAM governance?

A: Lifecycle workflows matter because they tie access to identity state changes rather than to isolated requests. That lets IAM teams grant baseline access, adjust privileges when roles change, and remove access when employment ends. Without that continuity, governance depends on individual memory and manual follow-up, which does not scale.

Q: How can security teams tell whether offboarding is working?

A: Offboarding is working when revocation is complete across applications, SSO, licences, and ownership records, not just when a ticket is closed. Teams should test for orphaned access, unused but still active accounts, and data or workflow ownership that remains with a former user. If any linked system still trusts the leaver, offboarding is incomplete.

Q: How should organisations govern lifecycle management for non-human identities?

A: Organisations should apply the same lifecycle discipline to service accounts, API keys, and agent credentials, but the controls must match the actor type. For non-human identities, the key questions are who owns the credential, when it should be rotated or removed, and which systems inherit trust from it. That prevents machine access from outliving its business purpose.


Technical breakdown

Joiner, mover, leaver workflows in identity governance

Joiner, mover, leaver is the operational model for managing access as a person enters, changes role, or exits the organisation. In practice, the control challenge is not only granting access, but keeping entitlements aligned with role changes and removing them cleanly at departure. The more systems that sit outside a central identity workflow, the more likely access becomes stale, inconsistent, or overbroad. Lifecycle tooling reduces manual effort, but the governance goal is traceability: every entitlement should have a reason, an owner, and an offboarding path.

Practical implication: Map every access event to a lifecycle state so provisioning and revocation are auditable, not ad hoc.

Role-based provisioning and access request automation

Role-based provisioning uses business context such as department, title, or function to assign access at scale, while access request automation lets users ask for additional apps or permissions through a controlled approval path. These two patterns solve different problems. Provisioning handles the expected baseline, while request workflows handle exceptions and mid-lifecycle changes. Without both, organisations either overprovision up front or create slow manual bottlenecks every time responsibilities shift.

Practical implication: Separate standard access from exception access so role changes do not become manual ticket queues.

Offboarding, licence revocation, and access removal

Offboarding is the point where lifecycle failures become security incidents. Effective offboarding removes application access, revokes SSO entitlements, transfers ownership of data or workflows, and closes any linked licences or delegated access. If those steps are incomplete, former users can retain access to SaaS apps, shared workspaces, or connected systems long after departure. The governance issue is not only termination speed, but completeness across every linked system and delegation path.

Practical implication: Verify revocation across apps, SSO, and ownership chains before considering a leaver fully offboarded.
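As an added illustration (not code from the article or from Zluri), the following Python reconciles HR lifecycle state against the entitlements and ownership records downstream systems actually report, surfacing the three failure modes described above: excess access after a role change, surviving access for a leaver, and ownership still held by a leaver. All identities, roles, applications and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data, not from the article: HR lifecycle state per identity,
# the role baselines provisioning should produce, and what downstream systems report.
ROLE_BASELINE = {
    "engineer": {"github", "jira", "aws-dev"},
    "finance": {"netsuite", "jira"},
}
HR_STATE = {  # identity -> (lifecycle state, current role, date of last identity event)
    "alice": ("active", "engineer", date(2025, 6, 1)),
    "bob": ("mover", "finance", date(2025, 8, 20)),  # moved from engineer to finance
    "carol": ("leaver", "engineer", date(2025, 9, 1)),
}
OBSERVED = {  # entitlements downstream systems actually still grant
    "alice": {"github", "jira", "aws-dev"},
    "bob": {"netsuite", "jira", "aws-dev"},  # aws-dev survived the role change
    "carol": {"github", "sso"},  # leaver still trusted by two systems
}
OWNERSHIP = {"q3-budget-sheet": "carol", "deploy-pipeline": "alice"}  # asset -> owner
TODAY = date(2025, 9, 12)


def reconcile(hr, observed, ownership, baseline, today):
    """Return drift findings as (identity, kind, detail, days_open) tuples."""
    findings = []
    for ident, (state, role, event_date) in hr.items():
        have = observed.get(ident, set())
        # days_open: time since the identity event that should have corrected the access
        days_open = (today - event_date).days
        if state == "leaver":
            # Offboarding completeness: any surviving entitlement or ownership record
            # means a linked system still trusts the leaver.
            for ent in sorted(have):
                findings.append((ident, "leaver_access", ent, days_open))
            for asset, owner in ownership.items():
                if owner == ident:
                    findings.append((ident, "leaver_owns", asset, days_open))
        else:
            # Entitlement drift for joiners and movers: anything observed beyond the
            # current role baseline has no current business reason.
            for ent in sorted(have - baseline.get(role, set())):
                findings.append((ident, "excess_entitlement", ent, days_open))
    return findings


def correction_window_days(findings):
    """Planning metric: longest an identity change has gone without entitlement correction."""
    return max((f[3] for f in findings), default=0)
```

Run against live HR and application exports on a fixed cadence, the same comparison yields the audit evidence that a leaver is fully offboarded only when it returns no findings for that identity.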


Threat narrative

Attacker objective: The objective is to preserve or exploit access that should have been adjusted or removed, turning lifecycle delay into operational and security exposure.

  1. Entry occurs through routine lifecycle weakness rather than exploitation, when onboarding and role-change workflows grant more access than the job requires or leave access requests unreviewed.
  2. Escalation happens when privileges remain in place after a role change or departure, allowing standing access to persist across SaaS, SSO, and shared systems.
  3. Impact follows when stale access is used for unauthorized activity, data exposure, or continued control of business workflows after the identity owner no longer needs the access.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Lifecycle governance is still treated as an HR process, but the security failure is an identity failure. Onboarding, role changes, and offboarding are the moments when entitlements should be reconciled, yet many organisations still run them as disconnected workflows. That produces stale access, missed removals, and inconsistent ownership across SaaS, SSO, and cloud-linked systems. The practitioner conclusion is that lifecycle management must be governed as an access control discipline, not an administrative queue.

Identity lifecycle drift is the named concept this article exposes. Lifecycle drift is the gap between an employee's real-world status and the entitlements still active in systems of record. The article's core problem is that this drift grows when provisioning, transfer, and revocation are handled separately, which means the organisation cannot reliably state who should have access at any given moment. The implication is that entitlement state becomes less trustworthy the more manual the workflow is.

Offboarding completeness, not just offboarding speed, is the control gap that matters most. This article assumes that revocation happens once a workflow starts, but in practice access often survives in adjacent systems, downstream apps, and delegated ownership records. That breaks the governance premise that leaving an organisation automatically ends access. Practitioners should treat every departure as a cross-system cleanup problem, not a single deprovisioning event.

Lifecycle governance now spans humans, service accounts, and autonomous systems. The same joiner, mover, leaver discipline increasingly applies to non-human identities and AI agents, but the control design changes with actor type. Human onboarding is about job-based access, NHI offboarding is about credential and secret removal, and autonomous offboarding may require stopping delegated tool use and session authority. The practitioner conclusion is that one lifecycle model is not enough unless it is explicitly actor-aware.

Access automation only works when ownership and approval logic are explicit. Automated workflows can reduce manual error, but they can also hide weak approval paths if policy ownership is unclear. The article points toward a larger governance truth: speed without entitlement accountability just accelerates bad decisions. Practitioners should treat workflow automation as a governance mechanism that still needs policy owners, revocation checks, and audit evidence.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • The same research shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
  • That is why teams should pair lifecycle controls with the NHI Lifecycle Management Guide and OWASP Non-Human Identity Top 10 guidance when they extend lifecycle governance beyond humans.

What this signals

Identity lifecycle management is becoming a cross-actor governance pattern. The same workflow discipline that removes a departed employee's access now has to extend to service accounts, API keys, and AI agent credentials. The organisation that can prove ownership, revocation, and exception handling across all three will have a far more credible access governance posture than one that treats lifecycle as a human-only process.

Lifecycle drift is the operational signal that should trigger programme redesign. If role changes still depend on manual fulfilment, then entitlement state is already lagging behind business reality. In practice that means access review findings, joiner exceptions, and offboarding gaps will keep reappearing until lifecycle automation is tied to ownership and approval logic, not just workflow convenience.

A useful planning metric is the time between identity change and entitlement correction. When that window stays open, even well-designed controls become reactive, and the organisation keeps paying for cleanup instead of prevention.


For practitioners

  • Standardise joiner, mover, leaver states: Define a single lifecycle state model across HR, IAM, and app owners so every identity event maps to a consistent provisioning or revocation action.
  • Automate baseline provisioning by role: Use role and department attributes to assign default SaaS access automatically, then route exceptions through approved requests rather than manual fulfilment.
  • Build offboarding checks across all linked systems: Require revocation of SSO, application access, licences, and data ownership transfer before a leaver is marked complete.
  • Review lifecycle workflows for non-human identities: Extend the same governance discipline to service accounts, API keys, and agent access so machine identities are not left behind when ownership changes.
  • Assign named owners to every lifecycle rule: Make each provisioning and revocation rule traceable to a business owner, an IAM owner, and an approver so exceptions can be audited later.

Key takeaways

  • User lifecycle management fails when onboarding, transfer, and offboarding are treated as separate tasks instead of one governed identity flow.
  • Manual lifecycle handling creates entitlement drift, which turns ordinary personnel changes into persistent access risk.
  • The practical fix is actor-aware automation with explicit ownership, complete revocation, and audit-ready exceptions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Lifecycle workflow control depends on managed identities and access assignments.
OWASP Non-Human Identity Top 10 | NHI-03 | The article's revocation and rotation themes map to lifecycle control gaps for non-human access.
NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires access decisions to stay aligned with current identity state, not old entitlements.

Tie every joiner, mover, leaver event to managed access assignments and review exceptions on a fixed cadence.


Key terms

  • Joiner, Mover, Leaver: A lifecycle model that manages access when a person enters, changes role, or exits an organisation. It turns identity events into controlled provisioning and revocation actions so access follows job state rather than informal requests or manual memory.
  • Entitlement Drift: The gap between the access an identity should have and the access it actually retains over time. Drift grows when provisioning, role change, and offboarding are handled inconsistently, creating stale or excessive permissions that are difficult to detect and remove.
  • Offboarding Completeness: The extent to which departure handling removes access across every connected system, not just the primary directory or SSO layer. Complete offboarding includes revocation, ownership transfer, licence cleanup, and confirmation that no downstream trust remains active.
  • Lifecycle Automation: The use of workflows and policy rules to standardise provisioning, transfer, and removal of access. In identity governance, automation should reduce manual error while still preserving ownership, approvals, and audit evidence for every exception and revocation.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: "Lifecycle Management Here's How to Solve User Lifecycle Management Problem in Your Organization." Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org