TL;DR: Traditional IAM tools can support onboarding and offboarding, but they do not continuously govern the full identity lifecycle across humans, service accounts, and AI agents, according to Opal Security. Lifecycle drift, orphaned access, and brittle policy logic are now core governance problems, not edge cases.
NHIMG editorial — based on content published by Opal Security: How Opal Streamlines Identity Lifecycle Management
Questions worth separating out
Q: How should security teams govern identity lifecycle across humans and non-human identities?
A: Security teams should govern lifecycle with one model and different triggers.
Q: Why do orphaned accounts remain a major IAM risk?
A: Orphaned accounts remain risky because access often outlives the business reason for it.
Q: What do organisations get wrong about access reviews?
A: They often treat access reviews as a substitute for lifecycle control.
Practitioner guidance
- Inventory every identity subject by lifecycle owner Build a register that separates humans, service accounts, contractors, and AI agents, then assign an accountable owner to each subject and its downstream accounts.
- Tie entitlement changes to authoritative events Trigger provisioning, updates, and revocation from authoritative lifecycle events such as HR status changes, approved requests, application decommissioning, or agent retirement.
- Add review thresholds for high-impact access changes Pause or require approval for broad entitlement changes, especially where a single policy update can affect many users or many connected systems.
What's in the full article
Opal Security's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of joiner, mover, and leaver workflows across connected applications.
- Specific guardrail logic for pausing high-impact entitlement changes before they cascade.
- Operational details on how account provisioning and deprovisioning are tied to lifecycle events.
- Inventory and risk center behaviours for surfacing overlapping policies and stale access.
👉 Read Opal Security's analysis of identity lifecycle management across human and machine identities →
Identity lifecycle management: what IAM teams are missing today?
Explore further
Identity lifecycle governance fails when access is treated as a one-time event. Traditional IAM and IGA models were built around provisioning and periodic review, not continuous entitlement state. Once a person changes role, a service account drifts, or an AI agent inherits new permissions, the original approval no longer describes actual access. Practitioners should treat lifecycle as a live control plane, not an administrative afterthought.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when a service account or AI agent keeps access after offboarding?
A: Accountability should sit with the system owner and the identity governance owner, not just the team that requested the access. If a service account or AI agent keeps access after offboarding, that usually means the lifecycle trigger, downstream revocation, or ownership mapping was incomplete. The control failure is organisational, not just technical.
👉 Read our full editorial: Identity lifecycle management needs continuous governance across all identities