Governance, Ownership & Risk

How do you know if mover provisioning is actually working?

By NHI Mgmt Group Editorial Team | Updated July 1, 2026 | Domain: Governance, Ownership & Risk

You should see the old role removed, the new role granted at the correct scope, and both actions recorded in one sequence tied to the same HRMS change. If users retain old permissions after a move, or if new access arrives without scope recalculation, the mover process is not governing entitlement drift.

Why This Matters for Security Teams

Mover provisioning is the control that prevents identity drift when a person changes job, team, location, or system scope. If it works, access is recalculated from the new business context instead of inherited from the old one. That matters because stale access is one of the fastest ways a routine HR move turns into an over-privilege problem, especially when entitlements are attached to shared groups, custom app roles, or downstream sync processes.

NHIMG research shows the scale of the problem is not theoretical: Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs notes that 97% of NHIs carry excessive privileges, which is exactly the kind of entitlement drift mover controls are meant to stop. The same lifecycle discipline applies to human movers, even though the evidence often shows up first in access reviews, ticket backlogs, or incident response instead of clean audit metrics. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that identity governance has to be measurable, not assumed.

In practice, many security teams discover mover failure only after a user keeps access from a prior role long enough to use it inappropriately, rather than through intentional validation of the reassignment workflow.

How It Works in Practice

Healthy mover provisioning is not a single permission change. It is a chained workflow that starts with an authoritative source of truth, usually HRMS or another workforce system, and ends with access being removed, added, and logged in one auditable sequence. The key question is whether the new role triggers policy-driven recalculation of entitlements, not whether a help desk ticket was closed.

At a minimum, practitioners should verify five things: the source event is complete, the identity matches the correct person, old entitlements are removed where they are no longer justified, new entitlements are granted only within the new scope, and all changes are timestamped against the same move event. The NHI Lifecycle Management Guide is useful here because it frames lifecycle transitions as governed state changes, not ad hoc admin actions. That model aligns with NIST Cybersecurity Framework 2.0, where access control, logging, and continuous monitoring have to work together.

  • Confirm the HRMS move event is the triggering source, not manual re-entry.
  • Check that role mapping recalculates scope, including app-level and data-level access.
  • Verify the old role is revoked, not simply shadowed by a new group membership.
  • Look for evidence of the same transaction ID or case ID across provisioning logs.
  • Test a sample of movers for delayed sync between identity governance, directory, and downstream apps.

For teams managing both human and non-human identities, the operational lesson is the same: if entitlement changes do not propagate consistently across systems, the control exists only on paper. These controls tend to break down when downstream applications cache group membership or when custom entitlements bypass the central governance engine because scope recalculation never reaches the target system.

Common Variations and Edge Cases

Tighter mover controls often increase workflow complexity, requiring organisations to balance faster employee transitions against more rigorous entitlement review. That tradeoff becomes visible in hybrid environments where some apps support automated deprovisioning and others still rely on manual approval. Best practice is evolving, but there is no universal standard for handling exceptions such as temporary dual-role assignments, matrix reporting lines, or cross-border transfers.

This is where organizations should distinguish between a valid exception and a failed mover. A temporary project role may justify overlapping access for a defined period, but that overlap should be time-boxed and visible in the record. If the same access survives past the approved date, mover provisioning is no longer working. The Top 10 NHI Issues research is a reminder that excessive privilege and poor lifecycle discipline are recurring patterns, not edge anomalies.

Current guidance suggests treating movers as a verification problem, not just a provisioning problem. The practical test is simple: can the organisation prove that old access was removed, new access was scoped correctly, and both actions were tied to the same business change? If not, the process may be moving accounts, but it is not governing entitlement drift.
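As an added illustration that is not part of the original FAQ, the following Python check applies the verification points listed above (same case ID, old role revoked, new role granted within scope, both actions timestamped against the move, no residual access downstream) together with the time-boxed exception rule to a constructed HRMS move event and provisioning log. The field names, the role-to-scope map, the 24-hour SLA window and the exception register are assumptions, not anything the page or a particular product defines.

```python
from datetime import datetime, timedelta, timezone

# All data below is constructed for illustration: one HRMS move event, the
# provisioning log lines a healthy mover workflow should emit, the access read
# back from downstream systems, and one approved time-boxed exception.
MOVE_EVENT = {"case_id": "HR-1042", "user": "jdoe", "old_role": "finance-analyst",
              "new_role": "sales-ops", "effective": "2026-06-01T09:00:00Z"}
ROLE_SCOPE = {"sales-ops": {"crm:read", "crm:write"}}   # hypothetical role-to-scope map
PROVISIONING_LOG = [
    {"ts": "2026-06-01T09:05:00Z", "case_id": "HR-1042", "user": "jdoe",
     "action": "revoke", "role": "finance-analyst"},
    {"ts": "2026-06-01T09:06:00Z", "case_id": "HR-1042", "user": "jdoe",
     "action": "grant", "role": "sales-ops", "scope": ["crm:read", "crm:write"]},
]
DOWNSTREAM_ACCESS = {"directory": {"sales-ops"}, "erp": {"finance-analyst", "sales-ops"}}
EXCEPTIONS = {("jdoe", "finance-analyst"): "2026-06-15T00:00:00Z"}  # (user, role) -> expiry


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_mover(event, log, scopes, access, exceptions, now, sla=timedelta(hours=24)):
    """Return a list of findings; an empty list means the move is fully governed."""
    findings = []
    # Only log lines carrying the same case id count as evidence for this move.
    rows = [r for r in log if r["case_id"] == event["case_id"] and r["user"] == event["user"]]
    revokes = [r for r in rows if r["action"] == "revoke" and r["role"] == event["old_role"]]
    grants = [r for r in rows if r["action"] == "grant" and r["role"] == event["new_role"]]
    if not revokes:
        findings.append("old role never revoked under this case id")
    if not grants:
        findings.append("new role never granted under this case id")
    effective = _t(event["effective"])
    for r in revokes + grants:          # both actions must land inside the SLA window
        if not (effective <= _t(r["ts"]) <= effective + sla):
            findings.append(f"{r['action']} of {r['role']} outside SLA window")
    for g in grants:                    # granted scope must not exceed the new role's scope
        if set(g.get("scope", [])) - scopes.get(event["new_role"], set()):
            findings.append("grant exceeds scope of new role")
    for system, roles in access.items():  # residual old role downstream is a failure
        if event["old_role"] in roles:    # unless a still-valid exception covers it
            expiry = exceptions.get((event["user"], event["old_role"]))
            if expiry is None or _t(expiry) <= now:
                findings.append(f"residual {event['old_role']} in {system}")
    return findings
```

Run the check twice, once before and once after the exception's expiry date, to see the same residual ERP role flip from an approved overlap to a failed mover.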

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Mover failures often leave excessive access and stale entitlements in place.
NIST CSF 2.0 | PR.AC-4 | Mover provisioning is an access control and entitlement governance function.
NIST AI RMF | | Identity workflows should be governed, measured, and monitored for reliable operation.

Review identity transitions for residual access and remove permissions that no longer match the current role.
