
How should IAM teams govern offboarding when applications are not fully inventoried?

By NHI Mgmt Group Editorial Team Updated July 1, 2026 Domain: NHI Lifecycle Management

They should treat discovery as part of the control, not a separate audit exercise. Offboarding should start by scanning the user’s real access footprint, then building revocation actions from those findings. That approach is more reliable than relying on a pre-maintained application list because it captures shadow IT, historical access, and role-based leftovers.

Why This Matters for Security Teams

When applications are not fully inventoried, offboarding becomes an access discovery problem, not just a revocation task. IAM teams cannot safely remove what they cannot see, and the risk is highest where shadow IT, inherited service accounts, and stale role assignments sit outside the core CMDB. NIST’s Cybersecurity Framework 2.0 frames this as a governance and asset visibility issue, which is why offboarding has to include discovery as part of the control.

This matters because the strongest failure mode is false confidence. A clean HR termination record does not mean the person’s access footprint is gone, especially when credentials, API keys, and delegated access were issued outside standard provisioning. NHIMG’s NHI Lifecycle Management Guide emphasizes lifecycle visibility as a control requirement, not an administrative nice-to-have, and that principle applies directly to human offboarding in messy environments. In practice, many security teams discover orphaned access only after an incident review, rather than through intentional offboarding design.

How It Works in Practice

The operational model is straightforward: start with the departing user’s real access footprint, then build revocation actions from evidence instead of from an assumed application list. That means querying IAM, SSO, PAM, cloud consoles, secrets managers, collaboration tools, and app-specific admin logs to identify where the user authenticated, what they can still reach, and whether their access was direct, inherited, or shared. The goal is to produce a revocation plan that covers accounts, sessions, tokens, API keys, certificates, delegated consent, group membership, and any embedded service references.

For most organisations, the safest sequence is:

  • Discover all identity edges tied to the person, including shadow apps and stale entitlements.
  • Classify each item by revocation method, such as disable, rotate, reissue, or transfer ownership.
  • Prioritise secrets and tokens that can be used without interactive login.
  • Record evidence of completion so audit and incident teams can verify closure.

This is also where the Top 10 NHI Issues list is relevant: lifecycle failures often show up first as access sprawl, duplicate credentials, and unmanaged dependencies. NIST’s framework is useful here because it expects organisations to understand assets and manage risk continuously, not only during quarterly reviews. Where the inventory is incomplete, discovery tools, application logs, and credential telemetry become control inputs rather than after-the-fact evidence.

Current guidance suggests treating offboarding as a repeated control loop: discover, revoke, verify, and re-scan. This is more reliable than a one-time checklist because an account may be removed while long-lived tokens, app permissions, or shared secrets remain active. These controls tend to break down when access is federated across multiple business units because ownership is unclear and no single team can confirm who should revoke what.

Common Variations and Edge Cases

Tighter offboarding controls often increase coordination overhead, requiring organisations to balance rapid revocation against the risk of disrupting shared or business-critical systems. That tradeoff becomes visible in environments with mergers, legacy platforms, and high volumes of locally administered SaaS applications. In those settings, best practice is evolving rather than universally standardised, so teams should document what counts as sufficient discovery and what evidence proves closure.

One common edge case is service accounts or shared application identities that were used by the departing person but owned by a team rather than an individual. Another is delegated consent in cloud platforms, where removing the user account does not automatically remove app grants or refresh tokens. A third is contractor offboarding, where access may have been issued through a sponsor, vendor portal, or temporary exception path and never entered the main inventory.

NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives reinforces that incomplete lifecycle records create audit gaps even when the revocation itself was technically correct. For teams needing a broader lifecycle lens, the 2025 State of NHIs and Secrets in Cybersecurity report is a useful reminder that lingering credentials are a persistent control failure, not an edge case. The main exception is a fully centralised environment with strong authoritative inventories, where standard deprovisioning may be sufficient, but most enterprises are not operating there yet.
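The four-step sequence above (discover, classify, prioritise, record evidence), the discover-revoke-verify-re-scan loop, and the edge cases just described (a team-owned shared identity, delegated consent that outlives the account) can be put together in one small planner. The code below is an added example written for this FAQ; it is not NHIMG's tooling or code from the page. All records are constructed sample data, and the connector names (sso, directory, secrets_manager, cloud_consent) are hypothetical stand-ins for whatever query interfaces a real environment exposes.

```python
"""Offboarding as a control loop: discover -> classify -> prioritise -> revoke -> verify -> re-scan.

Added example; not code from NHIMG or the page. Every record below is constructed
sample data, and the source names stand in for real connectors.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AccessEdge:
    source: str        # system that reported the edge
    kind: str          # account | session | group | api_key | service_account | consent | token
    identifier: str
    owner: str         # user id, or a team name for shared identities
    interactive: bool  # usable only through an interactive login?


def fresh_state() -> tuple[dict[str, list[AccessEdge]], dict[str, set[str]]]:
    """Constructed stand-in for live systems; rebuilt per run so examples stay repeatable."""
    state = {
        "sso": [AccessEdge("sso", "account", "jdoe@example.test", "jdoe", True),
                AccessEdge("sso", "session", "sess-8841", "jdoe", True)],
        "directory": [AccessEdge("directory", "group", "finance-admins", "jdoe", True)],
        "secrets_manager": [
            AccessEdge("secrets_manager", "api_key", "ak-billing-export", "jdoe", False),
            # team-owned shared identity whose secret the departing user also holds
            AccessEdge("secrets_manager", "service_account", "svc-etl-runner", "data-platform", False)],
        "cloud_consent": [
            # delegated consent and its refresh token are separate edges: an account disable leaves them
            AccessEdge("cloud_consent", "consent", "app-calendar-sync", "jdoe", False),
            AccessEdge("cloud_consent", "token", "rt-7f3a", "jdoe", False)],
    }
    used_by = {"svc-etl-runner": {"jdoe", "asmith"}}  # who currently holds each shared secret
    return state, used_by


def make_connectors(state, used_by) -> dict[str, Callable[[str], list[AccessEdge]]]:
    """One query per source, each answering: which edges tie to this subject?"""
    def query(source):
        def _q(subject):
            return [e for e in state[source]
                    if e.owner == subject or subject in used_by.get(e.identifier, set())]
        return _q
    return {source: query(source) for source in state}


def discover(subject, connectors) -> list[AccessEdge]:
    """Union of every connector's answer: the real footprint, not an assumed app list."""
    seen, edges = set(), []
    for query in connectors.values():
        for edge in query(subject):
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


def classify(edge: AccessEdge, subject: str) -> str:
    """Map each edge to a revocation method (disable / rotate / revoke / transfer)."""
    if edge.kind == "service_account" and edge.owner != subject:
        return "rotate_and_transfer"  # keep the team's identity alive; rotate the secret away from the leaver
    return {"account": "disable", "session": "revoke", "group": "remove_membership",
            "api_key": "rotate", "service_account": "disable",
            "consent": "revoke_grant", "token": "revoke"}[edge.kind]


def build_plan(subject, edges) -> list[dict]:
    """Non-interactive credentials first: they keep working after the SSO login is blocked."""
    plan = [{"edge": e, "method": classify(e, subject)} for e in edges]
    plan.sort(key=lambda item: (item["edge"].interactive, item["edge"].kind, item["edge"].identifier))
    return plan


def execute(plan, state, used_by, subject) -> list[dict]:
    """Apply the plan and return one evidence record per action for audit and IR."""
    evidence = []
    for item in plan:
        edge, method = item["edge"], item["method"]
        if method == "rotate_and_transfer":
            used_by[edge.identifier].discard(subject)  # new secret issued to the owning team only
        else:
            state[edge.source].remove(edge)
        evidence.append({"source": edge.source, "kind": edge.kind,
                         "id": edge.identifier, "method": method, "status": "done"})
    return evidence


def offboard(subject, state, used_by, max_rounds=3) -> dict:
    """Discover, revoke, re-scan until a scan comes back empty (or rounds run out)."""
    connectors = make_connectors(state, used_by)
    evidence = []
    for round_no in range(1, max_rounds + 1):
        found = discover(subject, connectors)
        if not found:
            return {"closed": True, "rounds": round_no, "evidence": evidence, "remaining": []}
        evidence.extend(execute(build_plan(subject, found), state, used_by, subject))
    remaining = discover(subject, connectors)
    return {"closed": not remaining, "rounds": max_rounds, "evidence": evidence, "remaining": remaining}


def hr_only_offboard(subject, state, used_by) -> list[AccessEdge]:
    """The false-confidence path: disable the SSO account and stop. Returns what is still live."""
    state["sso"] = [e for e in state["sso"] if e.kind != "account" or e.owner != subject]
    return discover(subject, make_connectors(state, used_by))


if __name__ == "__main__":
    st, ub = fresh_state()
    print("after HR-only disable, still live:", [e.identifier for e in hr_only_offboard("jdoe", st, ub)])
    st, ub = fresh_state()
    result = offboard("jdoe", st, ub)
    print("closed:", result["closed"], "after", result["rounds"], "scans;", len(result["evidence"]), "actions")
```

The contrast is the point: hr_only_offboard leaves six live edges behind (a session, a group, an API key, a shared service-account secret, a delegated consent and its refresh token), while offboard closes all seven on the first pass and needs a second scan only to prove it. The team-owned svc-etl-runner is never disabled; its secret is rotated so the departing user no longer holds it while the remaining team member does, which is the transfer-ownership case from the text. Replacing the constructed connectors with real queries against an IdP, directory, secrets manager and cloud consent store is the only change needed to run the same loop for real.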

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | ID.AM-1 | Offboarding depends on knowing which apps, accounts, and assets exist.
OWASP Non-Human Identity Top 10 | NHI-01 | Lifecycle gaps leave credentials and access paths active after departure.
NIST AI RMF | | Governance requires continuous monitoring and traceable controls over access changes.

Use discovery telemetry to maintain an accurate identity and asset inventory before revoking access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 1, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org