
Access onboarding and termination policies: where lifecycle control breaks


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter

TL;DR: Access onboarding and termination policies are meant to enforce least privilege, automate offboarding, and prevent internal misuse, but StrongDM’s guidance shows they still fail when role changes, third-party systems, and manual handoffs are left outside the process. The real issue is that access review cadences assume lifecycle events are captured consistently, which is often untrue.

NHIMG editorial — based on content published by StrongDM: Writing Your Access Onboarding & Termination Policy, Best Practices

Questions worth separating out

Q: How should security teams write an access onboarding and termination policy?

A: Start with the full lifecycle of access, not just account creation.

Q: Why do role changes create access risk in IAM programmes?

A: Role changes often preserve old permissions while adding new ones, which creates privilege creep.

Q: What breaks when offboarding does not cover third-party systems?

A: Access revocation becomes incomplete, even if the central directory is cleaned up.

Practitioner guidance

  • Map every onboarding step to a role-specific entitlement baseline: create access checklists by role, then require application owner approval before provisioning any account or external portal access.
  • Automate termination across every authentication surface: trigger revocation from HR termination events and suspend access in the central directory, ticketing systems, managed service portals, and any external tools the employee can still reach.
  • Tie role changes to entitlement reduction reviews: treat promotions, lateral moves, and reassignment as access reduction events as well as access grants.

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • A practical offboarding checklist for HR and IT handoffs, including what to suspend and when.
  • Role-by-role onboarding review steps that show how application owners approve access levels.
  • Guidance for terminating access in third-party systems such as support portals and managed service tools.
  • SOC 2 policy context for teams writing lifecycle procedures for audit purposes.

👉 Read StrongDM's access onboarding and termination policy guidance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Lifecycle control is the real policy boundary, not onboarding alone. The article treats onboarding and termination as paired processes, and that is the correct lens. Access becomes unsafe when organizations manage grants more carefully than revocation, because entitlement drift is created by the gap between event and enforcement. Practitioner conclusion: lifecycle governance has to cover creation, change, and removal as one control chain.

A question worth separating out:

Q: What is the difference between onboarding and access review?

A: Onboarding assigns the initial minimum access needed for a role, while access review checks whether the current access still fits the current job. Onboarding is a provisioning control, and review is a lifecycle control that catches drift, inherited privilege, and stale permissions that were not removed when the role changed.

👉 Read our full editorial: Access onboarding and termination policies still fail on lifecycle control
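As an added example (not StrongDM's or NHIMG's code), the following Python models the three practitioner guidance items in the opening post and the onboarding-versus-review distinction in the reply above: role baselines act as the access checklist, a role change returns both the grant and the reduction, an access review flags drift, and termination reports the surfaces the HR-triggered revocation cannot reach. Role names, systems and employee records are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed role-to-entitlement baselines: each entry is (system, access level).
# This is the "access checklist by role" that provisioning must not exceed.
ROLE_BASELINE = {
    "support_engineer": {("directory", "user"), ("ticketing", "agent"), ("vendor_portal", "support")},
    "support_lead":     {("directory", "user"), ("ticketing", "admin"), ("vendor_portal", "support")},
    "finance_analyst":  {("directory", "user"), ("erp", "reporting")},
}

# Surfaces the HR-triggered termination hook actually reaches (constructed).
# Access held anywhere else survives automated offboarding and needs a manual handoff.
AUTOMATED_SURFACES = {"directory", "ticketing", "erp"}

@dataclass
class Employee:
    name: str
    role: str
    entitlements: set = field(default_factory=set)

def onboard(emp: Employee) -> set:
    """Provisioning control: grant exactly the role baseline, nothing more."""
    emp.entitlements = set(ROLE_BASELINE[emp.role])
    return emp.entitlements

def change_role_naive(emp: Employee, new_role: str) -> set:
    """The failure mode the editorial describes: the new role's access is added
    while the old role's access is kept, so privilege creep accumulates."""
    emp.entitlements |= ROLE_BASELINE[new_role]
    emp.role = new_role
    return emp.entitlements

def change_role(emp: Employee, new_role: str) -> tuple[set, set]:
    """Lifecycle control: a role change is a grant AND a reduction event.
    Returns (granted, revoked) so the reviewer sees both halves of the change."""
    target = ROLE_BASELINE[new_role]
    granted = target - emp.entitlements
    revoked = emp.entitlements - target   # what the naive path would silently keep
    emp.entitlements = set(target)
    emp.role = new_role
    return granted, revoked

def review_drift(emp: Employee) -> set:
    """Access review: anything held beyond the current role's baseline is drift."""
    return emp.entitlements - ROLE_BASELINE[emp.role]

def terminate(emp: Employee) -> set:
    """HR termination event: revoke on every automated surface and return the
    entitlements still outstanding, i.e. the third-party offboarding gap."""
    leftover = {e for e in emp.entitlements if e[0] not in AUTOMATED_SURFACES}
    emp.entitlements = leftover
    return leftover
```

Running `review_drift` after `change_role_naive` shows why review is a separate lifecycle control: the drift it reports is exactly the old-role access that a grant-only role change leaves behind.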
