TL;DR: Manual employee lifecycle management still forces IT teams to jump between tabs, raise tickets, and revoke access by hand, increasing errors and delay across onboarding, mid-life changes, and offboarding, according to Zluri. That gap matters because access governance fails when revocation and modification depend on human speed rather than policy-driven lifecycle controls.
NHIMG editorial — based on content published by Zluri: Lifecycle Management Getting Started with Zluri Lifecycle Management Tool
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams automate joiner-mover-leaver processes without losing control?
A: Security teams should automate joiner-mover-leaver processes by tying workflows to authoritative identity data, approved entitlement rules, and post-action verification.
Q: Why do manual access changes create so much risk in lifecycle management?
A: Manual access changes create risk because each onboarding, role change, or departure can require multiple steps across many applications.
Q: What breaks when offboarding is treated only as an HR process?
A: When offboarding is treated only as an HR process, access removal can lag behind the departure event.
Practitioner guidance
- Map every joiner-mover-leaver trigger to a control owner. Define who approves, who executes, and who verifies each onboarding, role-change, and offboarding event.
- Replace add-only workflows with remove-and-replace lifecycle logic. For role changes and department moves, remove old access at the same time you grant new access.
- Verify revocation across integrated applications. Check that termination signals reach every connected system, not just the HR record or central directory.
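The remove-and-replace and revocation-verification points above, sketched as an added example (not code from Zluri or from the source article). The role policy, app names, users and account-state format are all constructed assumptions.

```python
# Constructed sample data; role names, apps and users are hypothetical.
POLICY = {  # role -> set of (app, permission) entitlements
    "sales":   {("crm", "user"), ("mail", "user"), ("dialer", "user")},
    "finance": {("erp", "analyst"), ("mail", "user")},
}
CONNECTED = ["directory", "crm", "mail", "erp", "dialer"]
APP_STATE = {  # per-app account state as reported after the workflow ran
    "directory": {"dana": {"active": False, "perms": []},
                  "lee":  {"active": True,  "perms": []}},
    "crm":  {"dana": {"active": True,  "perms": ["user"]},
             "lee":  {"active": True,  "perms": ["user"]}},
    "mail": {"dana": {"active": False, "perms": []},
             "lee":  {"active": True,  "perms": ["user"]}},
    "erp":  {"lee":  {"active": True,  "perms": ["analyst"]}},
}  # "dialer" is connected but returned no report

def plan_mover(old_role, new_role, policy=POLICY):
    """Remove-and-replace: revoke what only the old role justified."""
    old, new = policy[old_role], policy[new_role]
    return {"revoke": old - new, "grant": new - old, "keep": old & new}

def held_entitlements(user, app_state):
    """Entitlements the user holds on active accounts in reporting apps."""
    held = set()
    for app, accounts in app_state.items():
        acct = accounts.get(user)
        if acct and acct["active"]:
            held |= {(app, perm) for perm in acct["perms"]}
    return held

def verify_mover(user, new_role, app_state, policy=POLICY):
    """Post-action check: drift between held access and the new role."""
    held, expected = held_entitlements(user, app_state), policy[new_role]
    return {"excess": held - expected, "missing": expected - held}

def verify_leaver(user, connected_apps, app_state):
    """Per-app findings after termination; a silent app is not a clean app."""
    findings = {}
    for app in connected_apps:
        if app not in app_state:
            findings[app] = "unverified"
            continue
        acct = app_state[app].get(user)
        if acct and acct["active"]:
            findings[app] = "active_account"
        elif acct and acct["perms"]:
            findings[app] = "residual_entitlements"
    return findings

if __name__ == "__main__":
    print(plan_mover("sales", "finance"))
    print(verify_mover("lee", "finance", APP_STATE))
    print(verify_leaver("dana", CONNECTED, APP_STATE))
```

In the sample data the mover "lee" still holds CRM access after moving to finance, and the leaver "dana" is disabled in the directory but active in the CRM, which is the gap a directory-only check would miss.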
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Workflow setup for onboarding, mid-life changes, and offboarding across SaaS applications
- Use of playbooks, recent-run status, and app integrations to operationalise lifecycle actions
- Employee App Store self-service access requests and approval handling
- Dashboard-based visibility into access permissions and SaaS stack management
Lifecycle management tools: what IAM teams are missing?
Explore further
Manual lifecycle administration is a governance bottleneck, not a harmless legacy habit. The article shows how spreadsheets, tickets, and tab-switching create delay and error across the user lifecycle. That model can survive only when the environment is small and the application stack is thin. In growing enterprises, it becomes a control weakness because access decisions and access removal no longer keep pace with identity change. The practitioner conclusion is straightforward: lifecycle governance has to be designed as an access control system, not a clerical process.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means lifecycle controls often operate without a complete inventory.
A question worth separating out:
Q: How can organisations tell whether lifecycle management is actually working?
A: Lifecycle management is working when access changes are complete, timely, and verifiable across all connected systems. Look for low manual ticket dependency, consistent entitlement updates after role changes, and confirmed revocation after termination. If users keep access after they should not, the lifecycle process is only partially effective.