
Midlife cycle access changes: where ULM tools fail in practice


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: User lifecycle management tools often work at onboarding and offboarding but struggle when employees change roles, because access grants, revocations, approvals, and app discovery become error-prone midstream, according to Zluri. The deeper issue is that lifecycle governance breaks when entitlement state changes faster than review and approval workflows can absorb.

NHIMG editorial — based on content published by Zluri: Lifecycle Management Top 3 Reasons Why ULM Tools Fail with Midlife Cycle Changes

By the numbers:

Questions worth separating out

Q: How should security teams handle role changes in lifecycle management?

A: Security teams should treat role changes as controlled entitlement transitions.

Q: Why do mover events create more risk than joiner or leaver events?

A: Mover events are harder because the identity already exists, so the problem is not creation or deletion but reclassification.

Q: What do organisations get wrong about midlife cycle access approvals?

A: They often assume approval depth equals governance strength.

Practitioner guidance

  • Rebuild mover workflows as entitlement transitions: define a mover runbook that revokes old access, grants new access, updates licensing, and validates the new role in a single governed sequence rather than separate tickets.
  • Shorten approval paths for routine access changes: classify standard role-change requests into pre-approved patterns so low-risk mover changes do not wait on the same queue as exceptional access.
  • Embed application discovery in the access request flow: present role-relevant and similar applications during the request so users and managers can choose from known options instead of defaulting to shadow IT.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step employee request flow inside the Employee App Store for role-based access changes
  • The exact click path for raising an access request and selecting similar applications
  • How changelogs and substitution suggestions are presented during the request process
  • The product workflow for managing licences, subscription duration, and supporting documents

👉 Read Zluri's analysis of midlife cycle management failures in ULM tools →
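One way to model the mover runbook and the pre-approved pattern routing from the practitioner guidance above, as an added example that is not Zluri's or NHIMG's code; the role baselines, entitlement names and the approved-pattern table are constructed for illustration:

```python
# Added example: a mover event handled as one governed entitlement transition
# (revoke stale access, grant new access, flag off-baseline access, validate).
# All role names, entitlements and the pattern table below are constructed.
from dataclasses import dataclass, field

# Constructed role baselines: the entitlements each role is meant to hold.
ROLE_BASELINES = {
    "support-agent": {"helpdesk:agent", "crm:read", "slack:member"},
    "support-lead": {"helpdesk:agent", "helpdesk:queue-admin", "crm:read", "slack:member"},
    "finance-analyst": {"erp:read", "erp:post-journal", "slack:member"},
}
# Constructed low-risk role-change patterns that skip the exceptional queue.
PRE_APPROVED_MOVES = {("support-agent", "support-lead")}


@dataclass
class MoverPlan:
    revoke: set = field(default_factory=set)   # old-role access to remove
    grant: set = field(default_factory=set)    # new-role access to add
    review: set = field(default_factory=set)   # ad-hoc access outside both baselines
    approval: str = "pre-approved"             # or "exceptional"


def plan_mover(current: set, old_role: str, new_role: str) -> MoverPlan:
    """Compute the full transition from old_role to new_role in one step."""
    old_base, new_base = ROLE_BASELINES[old_role], ROLE_BASELINES[new_role]
    plan = MoverPlan()
    plan.revoke = (current & old_base) - new_base   # stale access from the old role
    plan.grant = new_base - current                 # new-role access not yet held
    plan.review = current - old_base - new_base     # grants that would otherwise survive the move
    # Only a known pattern with no unexplained access may bypass human approval.
    if (old_role, new_role) not in PRE_APPROVED_MOVES or plan.review:
        plan.approval = "exceptional"
    return plan


def apply_and_validate(current: set, plan: MoverPlan, new_role: str,
                       approved: bool = False) -> tuple[set, set]:
    """Apply revoke+grant as one sequence; return (new_state, residual).

    residual is any access the new role's baseline does not explain, which is
    what a post-move validation should surface instead of silently keeping.
    """
    if plan.approval == "exceptional" and not approved:
        raise PermissionError("exceptional mover change requires approval")
    new_state = (current - plan.revoke) | plan.grant
    residual = new_state - ROLE_BASELINES[new_role]
    return new_state, residual
```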

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4792
 

Midlife cycle governance fails when access change is treated as an exception instead of a first-class lifecycle state. The article shows that onboarding and offboarding are easier to operationalise than role transitions, because movers demand simultaneous revocation, provisioning, and app selection. That makes the weak point not identity creation but entitlement reclassification. Practitioners should treat mover events as the place where lifecycle programmes reveal their real maturity.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Guide to the Secret Sprawl Challenge.

A question worth separating out:

Q: How do lifecycle tools support shadow IT control during role changes?

A: Lifecycle tools support shadow IT control when they combine access requests with application discovery and usage visibility. That lets teams see what software employees are actually adopting during a role change, then update the approved catalogue and access policy accordingly. Without that feedback loop, lifecycle governance only covers the sanctioned estate.

👉 Read our full editorial: Midlife cycle access changes expose gaps in user lifecycle management
