TL;DR: Most organisations manage only onboarding and offboarding, while roughly 30 of the 32-plus access-impacting events in a typical five-year employee journey are handled through tickets and memory, according to Zluri. That gap turns promotions, transfers, temporary elevations, and project work into privilege creep and audit exposure.
NHIMG editorial — based on content published by Zluri: User Lifecycle Management: The 30 Events Nobody Manages And How to Automate Them
By the numbers:
- Over a 5-year tenure, an employee experiences 32+ access-impacting events.
- The remaining 30 events represent 94% of the lifecycle and are handled reactively through tickets, Slack messages, and employee complaints.
- The access creep pattern is consistent across organisations: Year 1: 20 apps, Year 5: 62 apps.
Questions worth separating out
Q: How should security teams automate access changes when employees change roles?
A: Security teams should trigger access workflows from authoritative HR changes, then use role-specific playbooks to add, remove, and adjust entitlements.
Q: Why do joiner and leaver processes leave so much access risk behind?
A: Because most access changes happen between those events.
Q: What breaks when temporary access is not automatically revoked?
A: Temporary access becomes standing privilege.
Practitioner guidance
- Instrument every HR field that changes access: trigger lifecycle workflows from department, team, manager, title, location, employment type, status, and contract-date changes.
- Separate access-add, access-remove, and access-adjust logic: design different playbooks for promotions, transfers, leave, and on-call elevation so old entitlements are explicitly removed when the new state is applied.
- Verify that deprovisioning actually worked: after each lifecycle change, confirm that old tools, groups, and elevated permissions are no longer usable.
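The three guidance points above describe one procedure: an HR-field change arrives, a playbook diffs the desired state before and after so that old entitlements are removed rather than merely added to, temporary elevations carry an expiry, and a verification step reads the downstream systems directly to confirm the removal took effect. The following is an added illustration of that procedure (editorial example, not Zluri's code or product). The role model, the application grant tables, the user names and the "broken connector" failure mode are all constructed for the example; the point is that the workflow's own record of having revoked something is not evidence that the access is gone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample role model (hypothetical, not Zluri's): (department, title) -> apps.
ROLE_ENTITLEMENTS = {
    ("engineering", "engineer"): {"github", "jira", "aws-dev"},
    ("engineering", "senior engineer"): {"github", "jira", "aws-dev", "aws-deploy"},
    ("finance", "analyst"): {"netsuite", "jira"},
}


@dataclass
class Identity:
    user: str
    department: str
    title: str
    temporary: dict = field(default_factory=dict)  # app -> expiry datetime


class LifecycleEngine:
    """Applies add/remove/adjust playbooks to simulated downstream apps and verifies them."""

    def __init__(self, broken_revoke_connectors=()):
        # Simulated application grant tables: app -> set of users. Verification reads
        # these directly instead of trusting the workflow's own bookkeeping.
        self.apps = {app: set() for apps in ROLE_ENTITLEMENTS.values() for app in apps}
        self.apps["prod-db-admin"] = set()
        # Constructed failure mode: connectors whose revoke call silently does nothing.
        self.broken = set(broken_revoke_connectors)

    def _grant(self, app, user):
        self.apps[app].add(user)

    def _revoke(self, app, user):
        if app in self.broken:
            return  # simulated connector failure: the grant is left in place
        self.apps[app].discard(user)

    @staticmethod
    def desired(department, title):
        return set(ROLE_ENTITLEMENTS.get((department, title), ()))

    def verify_removed(self, user, apps):
        """Return the apps where the user is still granted after a removal was requested."""
        return sorted(a for a in apps if user in self.apps[a])

    def standing_access(self, ident):
        return sorted(app for app, users in self.apps.items() if ident.user in users)

    def onboard(self, ident):
        for app in self.desired(ident.department, ident.title):
            self._grant(app, ident.user)

    def apply_hr_change(self, ident, changes):
        """Playbook for an HR-field change: diff desired state before/after, remove the old set first."""
        before = self.desired(ident.department, ident.title)
        for field_name, value in changes.items():
            setattr(ident, field_name, value)
        after = self.desired(ident.department, ident.title)
        to_remove, to_add = before - after, after - before
        for app in to_remove:
            self._revoke(app, ident.user)
        for app in to_add:
            self._grant(app, ident.user)
        return {"added": sorted(to_add), "removed": sorted(to_remove),
                "leftover": self.verify_removed(ident.user, to_remove)}

    def elevate(self, ident, app, now, ttl):
        """Temporary elevation always carries an expiry; without one it becomes standing privilege."""
        self._grant(app, ident.user)
        ident.temporary[app] = now + ttl

    def expire_temporary(self, ident, now):
        expired = [app for app, until in ident.temporary.items() if until <= now]
        for app in expired:
            self._revoke(app, ident.user)
            del ident.temporary[app]
        return {"expired": sorted(expired), "leftover": self.verify_removed(ident.user, expired)}


def run_demo():
    """Constructed scenario: onboard, transfer, on-call elevation, and a failed revocation."""
    eng = LifecycleEngine()
    alice = Identity("alice", "engineering", "engineer")
    eng.onboard(alice)
    transfer = eng.apply_hr_change(alice, {"department": "finance", "title": "analyst"})
    t0 = datetime(2024, 1, 1, 9, 0)
    eng.elevate(alice, "prod-db-admin", t0, timedelta(hours=4))
    too_early = eng.expire_temporary(alice, t0 + timedelta(hours=1))
    expired = eng.expire_temporary(alice, t0 + timedelta(hours=5))
    # Second engine with a connector that silently fails to revoke: verification catches it.
    broken = LifecycleEngine(broken_revoke_connectors={"github"})
    bob = Identity("bob", "engineering", "engineer")
    broken.onboard(bob)
    failed = broken.apply_hr_change(bob, {"department": "finance", "title": "analyst"})
    return {"transfer": transfer, "too_early": too_early, "expired": expired,
            "alice_final": eng.standing_access(alice), "failed_revoke_leftover": failed["leftover"]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The transfer playbook keeps `jira` (present in both roles), removes `github` and `aws-dev`, and adds `netsuite`; the elevation is revoked only once its expiry has passed; and in the second engine the `leftover` field is the only thing that exposes the connector that never revoked `github`, which is the check the third guidance point asks for.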
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The five-year employee journey with month-by-month access changes across promotions, team moves, and project work.
- Detailed lifecycle playbooks for promotion, department transfer, leave of absence, temporary elevation, and offboarding.
- The HR-field triggers that should drive automated access changes and the verification checks that follow each change.
- The article's metrics for measuring lifecycle maturity, including time to process, change accuracy, and orphaned access rate.
👉 Read Zluri's analysis of the 30 unmanaged events in user lifecycle management →
User lifecycle management: why does the access-change middle get missed?
Explore further
The 30-event middle is the real lifecycle governance gap. The article is right to reframe user lifecycle management away from the joiner and leaver bookends. Most entitlement drift happens during ordinary business change, when organisations are least disciplined about access cleanup. That is why lifecycle governance fails as an ongoing process rather than as a one-time provisioning task. Practitioners should measure the unmanaged middle, not the number of onboarding checklists.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should own lifecycle cleanup for access changes?
A: Ownership should sit with the identity governance process that receives the lifecycle event, usually from HR as the source of truth. IAM, IGA, and PAM teams need clear accountability for the remove step, because adding access without removal creates unbounded entitlement growth.
👉 Read our full editorial: User lifecycle management is failing in the 30-event middle