TL;DR: Device lifecycle management is presented as the way enterprises plan, provision, maintain, and retire diverse endpoints across mobile and IoT estates, but the article also exposes how device history, access control, and decommissioning now intersect with broader identity governance, according to Zluri. The real issue is that lifecycle discipline only works when ownership, entitlement, and disposal are treated as one control plane, not separate IT chores.
NHIMG editorial, based on content published by Zluri: Device Lifecycle Management - A Guide for 2026
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: What breaks when device lifecycle management is not tied to identity governance?
A: When device lifecycle management is isolated from identity governance, organisations lose the ability to prove who used the device, what access it carried, and whether retirement actually removed trust.
Q: Why do device retirement and identity offboarding need to happen together?
A: They need to happen together because a retired device can still hold data, tokens, or local access paths that remain usable after IT thinks the asset is gone.
Q: How do organisations know whether device provisioning is actually enforcing least privilege?
A: They know it is working when the device image, installed applications, local privileges, and assigned access match the user’s role and are reviewed as part of governance.
Practitioner guidance
- Link device records to access records: connect asset inventory, user assignment, and entitlement data so provisioning and retirement are visible in the same governance workflow.
- Make decommissioning a controlled exit gate: require evidence of data wiping, account removal, and trust revocation before a device is marked retired or reassigned.
- Audit IoT devices separately from laptops and phones: classify IoT assets as a distinct lifecycle population because their firmware, connectivity, and retirement risks do not match standard endpoint handling.
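One way to implement the first two points, the device-to-access linkage and the decommissioning exit gate, as an added Python example (not code from Zluri's guide or this editorial); the record fields and sample data below are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed record layouts: a real deployment would read these from the
# asset inventory and the identity/entitlement store.
@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    status: str            # "active", "pending_retire" or "retired"
    wipe_attested: bool    # wipe evidence recorded in the asset system

@dataclass(frozen=True)
class Grant:
    device_id: str         # device the grant is bound to
    kind: str              # "device_cert", "local_admin", "api_token", "app"
    active: bool

def retirement_blockers(device, grants):
    """Reasons the exit gate must refuse to mark this device retired."""
    reasons = []
    if not device.wipe_attested:
        reasons.append("no wipe evidence")
    for g in grants:
        if g.device_id == device.device_id and g.active:
            reasons.append(f"active {g.kind}")
    return reasons

def ghost_trust(devices, grants):
    """Devices already marked retired that still carry active grants."""
    live = {g.device_id for g in grants if g.active}
    return sorted(d.device_id for d in devices
                  if d.status == "retired" and d.device_id in live)

# Constructed sample data: one clean retirement, one blocked retirement,
# and one IoT device retired without its certificate being revoked.
DEVICES = [
    Device("LT-0001", "alice", "pending_retire", True),
    Device("LT-0002", "bob", "pending_retire", False),
    Device("IOT-0007", "facilities", "retired", True),
]
GRANTS = [
    Grant("LT-0001", "local_admin", False),
    Grant("LT-0001", "device_cert", False),
    Grant("LT-0002", "api_token", True),
    Grant("IOT-0007", "device_cert", True),
]

if __name__ == "__main__":
    for d in DEVICES:
        if d.status == "pending_retire":
            print(d.device_id, retirement_blockers(d, GRANTS) or "clear to retire")
    print("retired but still trusted:", ghost_trust(DEVICES, GRANTS))
```

Running the gate on the sample data clears LT-0001, blocks LT-0002 on both missing wipe evidence and a live API token, and flags IOT-0007 as retired in inventory but still trusted by its certificate.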
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The five-stage device lifecycle model with practical examples for planning, procurement, provisioning, maintenance, and decommissioning.
- The mobile device lifecycle section covering remote work, mobility constraints, and security controls for smartphones and tablets.
- The IoT lifecycle discussion showing how connected devices create different monitoring and firmware risks than standard endpoints.
- The Jamf integration walkthrough and setup steps for organisations using Zluri in device operations.
Device lifecycle management: what it means for IAM teams
Device lifecycle management is becoming an identity governance problem, not just an asset management problem. The article shows that planning, provisioning, maintenance, and disposal all affect who or what can still use the device after the IT team thinks it is done. That makes lifecycle records part of the access control evidence chain, especially when endpoints carry cached credentials, local tokens, or app entitlements. Practitioners should treat device lifecycle and identity lifecycle as linked control planes, not adjacent processes.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- Another finding from the same research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.
A question worth separating out:
Q: What should security teams do when IoT devices reach end of life?
A: Security teams should require a formal retirement process that disables access, wipes data, removes credentials, and confirms the device is no longer trusted by the network. IoT devices often persist longer than expected because they sit inside business processes, so end of life has to be treated as an access event as well as an asset event.