TL;DR: Access provisioning is meant to grant, modify, and revoke rights cleanly across users, systems, and SaaS apps, but the article shows how automation, approvals, and monitoring still leave room for over-privilege, delayed revocation, and operational drift, according to Zluri. The governance problem is not provisioning speed alone, but whether access decisions stay aligned with role change, offboarding, and auditability.
NHIMG editorial — based on content published by Zluri: Access Management Access Provisioning: A Complete Guide
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: What breaks when access provisioning is not tied to lifecycle events?
A: When provisioning is not tied to joiner-mover-leaver events, access lingers after the business need changes.
Q: Why do over-provisioned accounts increase security risk?
A: Over-provisioned accounts increase risk because they expand the set of systems and data reachable from a single identity.
Q: How do organisations know whether provisioning controls are working?
A: They know provisioning controls are working when access grants are traceable, approvals match role need, and revocation happens quickly when the business event changes.
Practitioner guidance
- Bind provisioning to joiner-mover-leaver events: Connect account creation, role changes, and offboarding to a single lifecycle workflow so access is modified or removed when the business event changes, not after manual follow-up.
- Separate low-risk self-service from privileged access: Allow self-service only for low-risk requests such as standard application access, and route elevated permissions through explicit approval and review.
- Track access decay as a governance metric: Measure how long access persists after a mover or leaver event, then compare that delay against policy.
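The three guidance points above, and the earlier answer about traceable grants and quick revocation, are easier to reason about in code. The following is an added example written for this editorial; it is not Zluri's code or a description of any provisioning product. It models a single joiner-mover-leaver workflow that reconciles current grants against the role the event implies (so revocation sits on the same path as granting), a request path where privileged entitlements need an independent approver, and an access-decay metric compared against a revocation SLA. The role model, entitlement names, principals, timestamps and the 24-hour SLA are all constructed sample values.

```python
"""Lifecycle-bound provisioning (added example, constructed data throughout)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed role model: birthright entitlements per role.
ROLE_ENTITLEMENTS = {
    "engineer": {"github:read", "ci:deploy-staging"},
    "finance": {"erp:ap-entry"},
}
# Constructed set of elevated entitlements that are never self-service.
PRIVILEGED = {"ci:deploy-prod", "erp:payments-approve"}
# Constructed policy: access must be gone within 24 hours of a mover/leaver event.
REVOCATION_SLA = timedelta(hours=24)


@dataclass
class Grant:
    principal: str
    entitlement: str
    granted_at: datetime
    approved_by: str                  # traceability: who or which workflow approved
    revoked_at: Optional[datetime] = None


@dataclass
class LifecycleEvent:
    kind: str                         # "joiner" | "mover" | "leaver"
    principal: str
    at: datetime
    role: Optional[str] = None        # required for joiner and mover


class AccessStore:
    def __init__(self) -> None:
        self.grants: list[Grant] = []  # append-only; revocation sets revoked_at

    def active(self, principal: str) -> set[str]:
        return {g.entitlement for g in self.grants
                if g.principal == principal and g.revoked_at is None}

    def grant(self, principal: str, entitlement: str, at: datetime, approved_by: str) -> Grant:
        if entitlement in self.active(principal):
            raise ValueError(f"{principal} already holds {entitlement}")
        g = Grant(principal, entitlement, at, approved_by)
        self.grants.append(g)
        return g

    def revoke(self, principal: str, entitlement: str, at: datetime) -> Grant:
        for g in self.grants:
            if g.principal == principal and g.entitlement == entitlement and g.revoked_at is None:
                g.revoked_at = at
                return g
        raise KeyError(f"{principal} does not hold {entitlement}")

    def request(self, principal: str, entitlement: str, at: datetime,
                requester: str, approver: Optional[str] = None) -> Grant:
        """Request path: low-risk entitlements are self-service; privileged ones
        need a named approver who is not the requester."""
        if entitlement in PRIVILEGED:
            if approver is None or approver == requester:
                raise PermissionError("privileged access needs an independent approver")
            return self.grant(principal, entitlement, at, f"approval:{approver}")
        return self.grant(principal, entitlement, at, "self-service")

    def target_for(self, ev: LifecycleEvent) -> set[str]:
        if ev.kind == "leaver":
            return set()
        if ev.kind in ("joiner", "mover"):
            return set(ROLE_ENTITLEMENTS[ev.role])
        raise ValueError(f"unknown event kind {ev.kind!r}")

    def apply_event(self, ev: LifecycleEvent) -> dict[str, set[str]]:
        """The single lifecycle workflow: reconcile current grants against the role
        the event implies. Anything outside the target, privileged extras included,
        is revoked in the same step that grants new access."""
        target = self.target_for(ev)
        current = self.active(ev.principal)
        granted, revoked = target - current, current - target
        for e in granted:
            self.grant(ev.principal, e, ev.at, f"lifecycle:{ev.kind}")
        for e in revoked:
            self.revoke(ev.principal, e, ev.at)
        return {"granted": granted, "revoked": revoked}


def access_decay(store: AccessStore, ev: LifecycleEvent, now: datetime) -> dict[str, timedelta]:
    """Governance metric: for each entitlement held at a mover/leaver event that the
    new state does not justify, how long it survived past the event. Grants still
    active are measured up to `now`."""
    target = store.target_for(ev)
    decay: dict[str, timedelta] = {}
    for g in store.grants:
        held_at_event = (g.principal == ev.principal and g.granted_at < ev.at
                         and (g.revoked_at is None or g.revoked_at >= ev.at))
        if held_at_event and g.entitlement not in target:
            decay[g.entitlement] = (g.revoked_at or now) - ev.at
    return decay


def run_demo() -> dict:
    store = AccessStore()
    t0 = datetime(2024, 1, 8, 9, 0)
    store.apply_event(LifecycleEvent("joiner", "alice", t0, role="engineer"))
    # Elevated access via the explicit-approval path, approved by a second person.
    store.request("alice", "ci:deploy-prod", t0 + timedelta(days=3), requester="alice", approver="bob")
    # Mover handled by the workflow: everything outside the new role goes at once.
    mover = LifecycleEvent("mover", "alice", t0 + timedelta(days=30), role="finance")
    mover_change = store.apply_event(mover)
    # A leaver whose event was never fed into the workflow: access lingers.
    store.apply_event(LifecycleEvent("joiner", "carol", t0, role="finance"))
    carol_leaves = LifecycleEvent("leaver", "carol", t0 + timedelta(days=60))
    now = t0 + timedelta(days=63)
    try:  # self-service on a privileged entitlement must be refused
        store.request("alice", "erp:payments-approve", now, requester="alice")
        denied = False
    except PermissionError:
        denied = True
    carol_decay = access_decay(store, carol_leaves, now)
    return {
        "mover_change": mover_change,
        "alice_active": store.active("alice"),
        "alice_decay": access_decay(store, mover, now),
        "carol_decay": carol_decay,
        "carol_breaches": {e for e, d in carol_decay.items() if d > REVOCATION_SLA},
        "privileged_self_service_denied": denied,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point of the reconciliation step is that a mover's stale entitlements, including the separately approved production deploy right, are removed by the same operation that grants the new role; nothing depends on a later cleanup. The decay metric then shows the difference between an event that went through the workflow (every stale grant reports zero persistence) and one that did not (the leaver's access is still active three days later and breaches the SLA), which is the number a governance review would track.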
What's in the full article
Zluri's full guide covers the operational detail this post intentionally leaves for the source:
- A walkthrough of the four provisioning types and how they map to common operational environments.
- Detailed feature criteria for selecting a provisioning tool, including automation, reporting, and compliance support.
- Examples of onboarding and deprovisioning workflows that show how access changes move through approval paths.
- Practical guidance on using provisioning platforms to manage role changes and temporary access requests.
👉 Read Zluri's full guide on access provisioning and lifecycle control →
Access provisioning: where lifecycle control is breaking down?
Explore further
Access provisioning fails when lifecycle control is treated as a downstream cleanup task. The article presents provisioning as a sequence of request, approval, grant, and monitoring steps, but the governance failure appears when revocation is not designed into the same control path. That is how access creep becomes normal rather than exceptional. Practitioners should treat provisioning and offboarding as one control surface, not two separate workflows.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when access remains active after a role change?
A: Accountability usually sits across identity operations, application owners, and the business manager who approved the access. If the organisation uses formal reviews, the control owner must be able to explain why the access still exists and when it should have been removed. Frameworks such as the NIST Cybersecurity Framework 2.0 help assign that responsibility clearly.
👉 Read our full editorial: Access provisioning still fails on lifecycle control and over-privilege