Mid-lifecycle access changes: what IAM teams are missing

TL;DR: Mid-lifecycle moves expose a governance gap that onboarding and offboarding workflows often miss, because role changes can alter application access, approval chains, and data exposure without a full lifecycle reset, according to Zluri. The control problem is not just automation debt but access drift across human identity and SaaS entitlements.

NHIMG editorial — based on content published by Zluri: Lifecycle Management Top 3 Challenges of Mid-Lifecycle Change Management Team

By the numbers:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

Questions worth separating out

Q: How should organisations handle access when an employee changes roles or departments?

A: Treat the move as a governance event, not an admin update.

Q: Why do mid-lifecycle changes create more risk than onboarding in many IAM programmes?

A: Onboarding is usually structured and visible, while mover events are scattered across HR, IT, and application owners.

Q: How can security teams tell whether mover workflows are actually working?

A: Look for evidence that access is removed as often as it is added, that app owners can approve changes quickly, and that periodic reviews catch stale entitlements.

Practitioner guidance

• Trigger access revalidation on every mover event Re-evaluate application, file, and admin entitlements whenever a person changes role, department, or location.
• Map mid-lifecycle changes to role-based policies Translate common movement scenarios into policy rules so access can be adjusted consistently across SaaS, directory groups, and shared drives.
• Add discovery for shadow IT and unsanctioned app use Track applications that appear outside the approved software catalogue, then reconcile them against mover workflows and access reviews.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• Step-by-step workflow examples for handling role changes across applications and approvals
• Detailed guidance on employee app store request flows and how users submit access changes
• Operational handling of shadow IT discovery and SaaS buying integration in the same workflow
• Interface-level instructions for checking changelogs and request updates inside the platform

👉 Read Zluri's article on mid-lifecycle change management and access control →

Mid-lifecycle access changes: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →