They should test real leaver scenarios from authoritative HR triggers through every target system. A good migration preserves revocation timing, connector behaviour, and audit evidence across SAP and non-SAP applications. If any account remains active after the source identity is closed, the offboarding design is incomplete and the old control assumptions have not been replaced.
Why This Matters for Security Teams
Migration risk is usually judged by whether accounts and integrations still “work,” but offboarding is the harder test. A cutover can preserve sign-on and still fail on revocation timing, connector logic, or evidence that a termination event propagated everywhere it should. The real question is whether the new target state still enforces the same leaver controls, or whether a hidden dependency keeps access alive after the source identity is closed.
That matters because identity sprawl rarely stays visible during a migration. NHIMG’s 2024 Non-Human Identity Security Report found that 91% of former employee tokens remain active after offboarding, which shows how often lifecycle controls drift even before a transformation begins. The same pattern appears in NIST Cybersecurity Framework 2.0 terms: the issue is not only access provisioning, but whether deprovisioning is verifiable across all assets and dependencies.
In practice, many security teams discover broken offboarding only after a leaver account is still active in a downstream system, rather than through intentional migration testing.
How It Works in Practice
The most reliable way to validate a migration is to run real leaver scenarios from the authoritative HR trigger through every target system, then prove that each revocation occurred on time and with the expected side effects. That means testing not just the primary IAM platform, but also joiner-mover-leaver workflows, connector behaviour, API responses, application-specific caches, and audit logs. A successful test should show that the source identity closure actually causes credential revocation, session invalidation, token expiry, and removal from any group- or role-based entitlements.
Practitioners usually define a small set of test cases that reflect how offboarding fails in the real world:
- HR termination event received and processed before end of day.
- Source identity disabled, then downstream SaaS and on-prem accounts checked for residual access.
- API keys, service tokens, and session cookies revoked or expired on schedule.
- Audit evidence collected for every revoke action, not just the final status.
- Exception handling verified for disconnected systems, delayed connectors, and manual approvals.
NHIMG’s NHI Lifecycle Management Guide is useful here because lifecycle governance only works when deactivation is treated as a first-class control, not an afterthought. For teams comparing control expectations, the Top 10 NHI Issues page is a practical reminder that stale access and weak revocation are recurring failure modes, especially where automation is fragmented across multiple systems.
Current guidance suggests validating both the technical path and the evidence path: if the account is gone but the audit trail is incomplete, the migration still fails a security review. These controls tend to break down in hybrid estates with custom connectors and batch-based provisioning because revocation latency and reconciliation gaps are hard to observe in real time.
Common Variations and Edge Cases
Tighter offboarding validation often increases testing and coordination overhead, so organisations have to balance migration speed against the cost of proving deprovisioning end to end. That tradeoff becomes more obvious when SAP and non-SAP applications use different identity models, or when a legacy system can disable an account but cannot immediately revoke cached credentials.
There is no universal standard for every connector pattern yet, so best practice is evolving around compensating checks: confirm the leaver trigger, verify downstream disablement, and inspect whether any token, key, or delegated permission remains valid after cutover. The same is true for admin and service identities, which often do not follow human offboarding workflows and may require separate expiry or rotation logic.
Use the migration to expose control assumptions that no longer hold. If a legacy deprovisioning script depended on a source directory, but the target architecture now uses an event bus or an external workflow engine, the team needs proof that termination events still reach every enforcement point. Where evidence is weak, treat the migration as incomplete until the revocation path is demonstrably reproducible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding validation depends on timely revocation of non-human credentials. |
| NIST CSF 2.0 | PR.AC-4 | Access revocation and entitlement removal are core identity lifecycle controls. |
| NIST AI RMF | GOVERN | Migration testing needs accountability for identity lifecycle decisions and outcomes. |
Assign ownership for offboarding assurance and require documented evidence of revocation success.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
