TL;DR: UK universities are dealing with multi-role identities that move between student, staff, researcher, alumni, and external collaborator states, and manual lifecycle handling is creating delays, duplicate accounts, and lingering access, according to SailPoint. The governance problem is no longer administrative efficiency alone, but whether identity processes can keep pace with constant role change without weakening security or user experience.
NHIMG editorial — based on content published by SailPoint: Managing the academic identity lifecycle in UK universities
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should universities govern identity when people hold multiple academic roles?
A: Universities should treat identity as a lifecycle model with explicit states for each role a person can hold.
Q: Why do role changes create access risk in higher education?
A: Role changes create risk because the new entitlement is often added before the old one is removed.
Q: What breaks when access reviews are not tied to academic lifecycle events?
A: Access reviews become stale if they are run on a schedule that ignores enrolment changes, staff movements, and project transitions.
Practitioner guidance
- Map all academic identity states Define the full state model for students, staff, researchers, alumni, and affiliates, then connect each state to explicit provisioning and revocation triggers.
- Automate role-change entitlement diffs Require each promotion, transfer, enrolment change, or project move to generate an entitlement comparison so new access is approved and old access is removed.
- Reconcile duplicate accounts quarterly Identify users with more than one active institutional account and consolidate or retire duplicates before they become permanent exceptions.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How SailPoint frames academic identity as a lifecycle problem across students, staff, researchers, alumni, and external collaborators.
- The operational rationale for automating access changes during enrolment, role shifts, and departures.
- The product-oriented explanation of how lifecycle-based access management is positioned for UK higher education environments.
👉 Read SailPoint's blog on managing the academic identity lifecycle in UK universities →
UK university identity lifecycle: where do access reviews break down?
Explore further
Academic identity lifecycle governance is a human IAM problem with NHI-style drift characteristics. Universities are not simply issuing accounts. They are managing a population whose roles overlap, change, and persist over time, which creates the same kind of entitlement drift that identity teams see with non-human identities. The governance lesson is that lifecycle failure is structural when access is treated as static. Practitioners should recognise that academic identity programmes need the same discipline around visibility, recertification, and revocation that mature IAM teams apply elsewhere.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. That figure comes from the Ultimate Guide to NHIs and shows how quickly unmanaged access becomes systemic.
A question worth separating out:
Q: Who should own identity lifecycle governance in a university?
A: Identity lifecycle governance should sit with the IAM or IGA function, but it must be coordinated with HR, student records, and research administration. The accountable team needs authority over provisioning rules, revocation rules, and exception handling. Without that ownership, lifecycle processes fragment into disconnected administrative tasks that are hard to enforce.
👉 Read our full editorial: Academic identity lifecycle governance in UK universities