By NHI Mgmt Group Editorial TeamPublished 2026-06-28Domain: Governance & RiskSource: Zluri

TL;DR: Lifecycle management platforms can automate joiner, mover, and leaver workflows through event-driven playbooks, permission-level provisioning, and discovery-first offboarding, according to Zluri. The real issue is not automation itself, but whether lifecycle control is precise enough to keep access aligned to current entitlement and accountability.


At a glance

What this is: This is Zluri’s explanation of full joiner, mover, and leaver automation, with a focus on discovery-first offboarding and permission-level provisioning.

Why it matters: It matters because IAM teams need lifecycle controls that remove stale access, handle role changes cleanly, and keep NHI, autonomous, and human identity governance aligned to actual entitlement states.

By the numbers:

👉 Read Zluri’s blog post on lifecycle automation and JML governance


Context

User lifecycle management is the set of controls that provisions, adjusts, and removes access as people change roles or leave. In this article, Zluri argues that lifecycle governance fails when it starts from tickets or static inventories instead of the identity’s current access footprint.

For IAM and IGA teams, the relevant question is whether joiner, mover, and leaver controls actually track the state of access at execution time. The post is strongest when it shows how discovery, automation rules, and permission-level scoping change that answer for SaaS-heavy environments.


Key questions

Q: How should IAM teams govern offboarding when applications are not fully inventoried?

A: They should treat discovery as part of the control, not a separate audit exercise. Offboarding should start by scanning the user’s real access footprint, then building revocation actions from those findings. That approach is more reliable than relying on a pre-maintained application list because it captures shadow IT, historical access, and role-based leftovers.

Q: When does lifecycle automation fail to stop access creep?

A: It fails when removal and provisioning are split across different rules or separate approvals, because the identity can remain in a transitional state long enough for overlap to persist. Lifecycle automation works best when role changes are governed as a single event with a clear order, a bounded delay if needed, and one audit trail.

Q: What do security teams get wrong about access requests?

A: They often treat access requests as a simple approval queue instead of a governance mechanism for exceptions. Access requests need expiration dates, role-appropriate approvers, and visibility into whether the requested app already exists in the approved stack. Without those controls, exception access becomes a path to shadow IT and lingering privilege.

Q: How do you know if mover provisioning is actually working?

A: You should see the old role removed, the new role granted at the correct scope, and both actions recorded in one sequence tied to the same HRMS change. If users retain old permissions after a move, or if new access arrives without scope recalculation, the mover process is not governing entitlement drift.


Technical breakdown

Discovery-first offboarding and shadow IT coverage

Zluri’s offboarding model begins by scanning the departing employee’s full access footprint before building the deprovisioning workflow. That matters because inventory-based offboarding only covers what IT already knows about, while identity sprawl often lives in department-managed apps, one-off SaaS tools, and historical role residue. Discovery-first offboarding is a control pattern, not just a workflow convenience: it moves the authoritative source of revocation from pre-maintained lists to live access evidence. In governance terms, that reduces the gap between what the organisation thinks the user can reach and what the user can still actually access.

Practical implication: build offboarding around discovered access, not inventory assumptions.

Permission-level provisioning and Apply Condition logic

The article distinguishes application-level access from permission-level access. Zluri’s Apply Condition model provisions the correct scope within an application based on the user’s current designation at execution time, so a role change can re-evaluate access instead of inheriting the old role’s permissions. This is the difference between giving someone the app and governing what they can do inside it. For SaaS environments, that distinction matters because overbroad entitlements often persist even after a role transition looks complete on paper.

Practical implication: verify that provisioning evaluates scope, not just application membership.

Single-rule mover transitions and timing control

A mover workflow is operationally fragile when removal and re-provisioning are split across separate rules. Zluri’s single Automation Rule runs deprovisioning for the old role and then triggers onboarding for the new role, with an optional Wait For delay between the two steps. That design reduces the chance of one side firing without the other, and it creates a bounded handoff window instead of an open-ended access overlap. In lifecycle governance, the control objective is to avoid both access loss and access overlap during role changes.

Practical implication: consolidate mover logic so access transitions are governed by one event and one audit trail.



NHI Mgmt Group analysis

Discovery-first lifecycle control is the right answer to incomplete visibility, not to lifecycle complexity. The article makes the strongest case when it shows that offboarding based on known inventory is structurally incomplete in SaaS-heavy environments. That is the governance gap: access continues wherever discovery never happened. The implication is that lifecycle programmes must treat live access state as the governing record, not the spreadsheet of managed apps.

Permission-level provisioning exposes the difference between access assignment and entitlement governance. Many lifecycle tools can add or remove application access, but far fewer govern scope inside the application at the point of provisioning. Zluri’s description of Apply Condition shows why this matters for role changes, where the user may need the same app but not the same permissions. Practitioners should read this as a reminder that entitlement precision is where lifecycle controls either hold or drift.

Single-rule mover handling reduces access drift by collapsing two lifecycle decisions into one governed event. When old-role removal and new-role provisioning are separated, the identity can sit in an ambiguous state long enough for unwanted access overlap or accidental denial. Zluri’s model is valuable because it ties both actions to the same HRMS trigger and the same audit sequence. The practitioner takeaway is that mover governance should be designed as a state transition, not a pair of unrelated tasks.

Access requests remain the pressure valve for everything lifecycle automation cannot infer. The article is clear that project access, temporary elevated permissions, and external users still need explicit governance even when core JML flows are automated. That is where lifecycle discipline meets exception handling. The implication is that IAM teams must separate standardised lifecycle controls from approval-based exception workflows, or they will recreate shadow IT through policy gaps.

Lifecycle governance is now a SaaS control-plane problem, not just an HR-to-IT workflow problem. The article points to a broader shift in identity governance: the quality of lifecycle control now depends on how well systems observe live entitlements, sequence changes, and maintain auditability across fragmented application estates. That is a stronger operating model than ticket closure. Practitioners should treat lifecycle as continuous access state management, not one-time provisioning.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • For a deeper view of lifecycle risk, compare that fragmentation with NHI Lifecycle Management Guide, which shows why lifecycle controls must track live access, not static inventory.

What this signals

Discovery-led lifecycle control is becoming the baseline for SaaS-heavy IAM programmes. As application estates fragment, the practical question is no longer whether onboarding can be automated, but whether offboarding can still find the full access footprint before access lingers. Teams that still start from inventory will keep missing exceptions, historical permissions, and tool sprawl.

Permission precision now matters as much as provisioning speed. If your lifecycle workflow cannot apply the correct scope inside an app, you are only solving half the governance problem. That gap becomes visible when role changes, temporary access, or manager-level privileges are handled as app membership instead of entitlement state.

With 6 distinct secrets manager instances on average, fragmentation already undermines centralised control in many organisations, according to The State of Secrets in AppSec. The same pattern shows up in lifecycle governance when different teams manage access through different workflows, which is why a governed handoff model matters more than isolated automation wins.


For practitioners

  • Map lifecycle controls to live access evidence Use discovered entitlements as the starting point for offboarding and recertification, especially where shadow IT and team-managed tools sit outside your central inventory. Tie the workflow to actual access footprint scans rather than application lists.
  • Separate application access from permission scope Review whether your provisioning logic can set the correct permission level inside an application at execution time. If it only assigns app membership, add a control to evaluate role-based scope before access is granted.
  • Collapse mover transitions into one governed sequence Configure role changes so deprovisioning and provisioning are triggered by the same HRMS event and logged together. This reduces overlap, prevents orphaned access, and makes the transition auditable as one state change.
  • Put time bounds on exception access Require expiration dates for approvals that fall outside standard lifecycle flows, including contractors, project access, and temporary elevated permissions. Time-bounded grants reduce the chance that exception access becomes permanent by default.

Key takeaways

  • The article’s core message is that lifecycle governance is only effective when it follows live access state, not static application inventory.
  • The strongest operational insight is that mover transitions need one governed sequence so old access does not linger while new access is added.
  • For practitioners, the control question is whether provisioning, offboarding, and exception access all enforce entitlement scope and expiry at execution time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Lifecycle automation must still prevent stale non-human access patterns.
NIST CSF 2.0PR.AC-4Role changes and offboarding are access management controls under CSF.
NIST Zero Trust (SP 800-207)PR.AC-4Zero Trust requires continuous access validation during lifecycle transitions.

Use live discovery to revoke unused access and verify lifecycle steps complete for every identity state change.


Key terms

  • Joiner, Mover, Leaver Lifecycle: The joiner, mover, leaver lifecycle is the set of identity controls that grant, change, and remove access as a person enters, shifts role, or exits an organisation. In practice, it is where entitlement accuracy, auditability, and offboarding discipline either work together or fail separately.
  • Discovery-first Offboarding: Discovery-first offboarding means building the removal workflow from the user’s actual access footprint rather than from a preapproved application list. It is more resilient because it can capture shadow IT, historical access, and tool-specific permissions that inventories routinely miss.
  • Permission-level Provisioning: Permission-level provisioning assigns the correct scope inside an application, not just the application itself. This is the difference between giving someone access and giving them the right entitlement for their current role, which matters whenever role changes alter what the user should be allowed to do.
  • Lifecycle Automation Rule: A lifecycle automation rule is an event-driven control that triggers provisioning or deprovisioning steps when identity data changes. In mature programmes, it ties identity state changes to logged, deterministic actions so access transitions are controlled rather than manually interpreted.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: How Zluri Automates User Lifecycle Management and the 9 capabilities it highlights. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org