
How should security teams implement joiner-mover-leaver automation in IAM?

By NHI Mgmt Group Editorial Team Updated June 24, 2026 Domain: NHI Lifecycle Management

Start with authoritative source data, then define rules for join, move, and leave events that grant, adjust, or revoke entitlements automatically. The goal is not just faster provisioning. It is to keep access aligned with business state and prevent stale permissions from surviving role changes or exit events.

Why This Matters for Security Teams

Joiner-mover-leaver automation is one of the few IAM processes that directly ties access to business reality. When it works, new staff get the right access quickly, transfers lose obsolete entitlements, and exits close privilege gaps before they become incidents. When it fails, stale permissions accumulate quietly, especially in SaaS, cloud, and delegated admin paths where manual review never keeps pace.

That problem is broader than convenience. NIST’s Cybersecurity Framework 2.0 treats identity governance as an operational control, not a paperwork exercise, because access drift is a direct path to misuse and breach. NHIMG research shows the exposure is already material: in The State of Non-Human Identity Security, only 1.5 out of 10 organisations said they were highly confident in securing NHIs, which mirrors how weak lifecycle governance often is in practice.

The common mistake is treating JML as a ticketing workflow instead of an authoritative-source-driven control. In practice, many security teams encounter stale access only after a mover event has already left excessive permissions in place, rather than through intentional lifecycle review.

How It Works in Practice

Effective JML automation starts with authoritative source data, usually an HR system for employees and a vendor, contractor, or directory source for non-employees. That source should trigger events for join, move, and leave, then feed policy-driven provisioning and deprovisioning. The key is to define rules by business state, not by manual approval chains that can lag behind reality.

For join events, the system should assign baseline access from role, department, location, and employment type. For moves, it should remove entitlements that no longer fit the new state before adding replacement access. For leaves, it should revoke access promptly, disable sessions where possible, and rotate or retire shared secrets, API keys, and certificates tied to that identity. This matters because stale credentials are often more dangerous than the account itself.

Current guidance suggests using least privilege and event-driven automation, but there is no universal standard for exactly how much should be automated versus reviewed. In mature environments, policy-as-code helps translate HR attributes into entitlements, while workflow controls route exceptions for sensitive access. For SaaS and cloud systems, teams often combine directory sync, SCIM-based provisioning, and approval gates for privileged roles.

  • Join: create the account, assign only the minimum baseline access, and time-bound elevated access if needed.
  • Move: remove old entitlements first, then apply the new access package to prevent privilege overlap.
  • Leave: disable the account, revoke tokens and sessions, and confirm downstream app deprovisioning.
  • Review: reconcile live entitlements against the source of truth on a fixed cadence.
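As an added illustration (not code from NHIMG or from this page), the join/move/leave rules and the review step above in Python: a constructed policy-as-code map from HR attributes to entitlements, a mover that revokes before it grants, a leaver that also retires bound secrets, and a reconcile pass that flags entitlements the source of truth never granted (for example, access added through a local admin console). The role map, entitlement names and event format are assumptions.

```python
from dataclasses import dataclass, field

ROLE_ENTITLEMENTS = {  # constructed sample policy-as-code: (dept, role) -> access
    ("finance", "analyst"): {"erp:read", "ledger:read"},
    ("finance", "manager"): {"erp:read", "erp:approve", "ledger:read"},
}
BASELINE = {"sso:login", "mail:mailbox"}  # every active identity gets these

@dataclass
class Identity:
    uid: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    secrets: set = field(default_factory=set)  # API keys/certs bound to the identity

def expected_access(dept, role):
    # Business state (HR attributes), not tickets, decides the entitlement set.
    return BASELINE | ROLE_ENTITLEMENTS.get((dept, role), set())

def apply_event(directory, event):
    # Apply one join/move/leave event in place; return the actions taken.
    uid, kind, actions = event["uid"], event["type"], []
    if kind == "join":
        ident = directory[uid] = Identity(uid, entitlements=expected_access(event["dept"], event["role"]))
        actions.append(("grant", sorted(ident.entitlements)))
    elif kind == "move":
        ident = directory[uid]
        target = expected_access(event["dept"], event["role"])
        stale = ident.entitlements - target   # remove obsolete access FIRST ...
        ident.entitlements -= stale
        added = target - ident.entitlements   # ... then apply the new package
        ident.entitlements |= added
        actions += [("revoke", sorted(stale)), ("grant", sorted(added))]
    elif kind == "leave":
        ident = directory[uid]
        ident.enabled = False  # disable the account; sessions/tokens are killed here too
        actions += [("revoke", sorted(ident.entitlements)), ("rotate_or_retire", sorted(ident.secrets))]
        ident.entitlements.clear(); ident.secrets.clear()
    return actions

def reconcile(directory, hr_records):
    # Compare live entitlements with the source of truth; report drift per uid.
    drift = {}
    for uid, ident in directory.items():
        rec = hr_records.get(uid)
        expected = expected_access(rec["dept"], rec["role"]) if rec and rec["active"] else set()
        extra, missing = ident.entitlements - expected, expected - ident.entitlements
        if extra or missing or (ident.enabled and not expected):
            drift[uid] = {"extra": sorted(extra), "missing": sorted(missing)}
    return drift
```

Running `reconcile` on a fixed cadence is what catches entitlements granted outside the JML path, since `apply_event` only ever sees the events the source emits.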

For identity governance programs that also touch machine access, The 2024 Non-Human Identity Security Report is a useful reminder that 88.5% of organisations say their non-human IAM practices lag human IAM, which is exactly why lifecycle automation needs to cover service accounts and workload identities too. These controls tend to break down when entitlements are granted through local admin consoles, because the authoritative source no longer sees the full access path.

Common Variations and Edge Cases

Tighter JML automation often increases governance overhead at the exceptions layer, requiring organisations to balance speed against control for privileged or regulated access. The hard part is not the standard join or leave event, but the edge cases where business state changes do not map cleanly to a directory attribute.

Contractors, interns, shared mailboxes, break-glass accounts, and service identities usually need separate rules. Best practice is evolving for machine identities, but current guidance suggests they should still be lifecycle-managed like other access paths: created with purpose, bound to ownership, reviewed for continued need, and removed when the workload ends. For privileged accounts, integration with PAM is important so revocation is not limited to the primary directory record.

Move events are often the most overlooked. A promotion, transfer, or team change should trigger entitlement removal before new access is added, especially where RBAC roles are broad and accumulate privilege over time. If the organisation relies on static group membership alone, the result is often role creep that JML automation cannot fully correct without periodic reconciliation. For cloud and key management systems, the Azure Key Vault privilege escalation exposure illustrates how indirect paths can preserve access even after a formal HR event closes.

That guidance breaks down when source data is incomplete or delayed, because automation can only be as accurate as the join, move, and leave event it receives.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-1 | JML automation depends on timely identity lifecycle enforcement and access control. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential lifecycle and rotation, critical when access changes or ends. |
| NIST AI RMF | | Lifecycle governance should include autonomous workloads whose access changes with task state. |

Tie JML events to revocation and rotation of NHI secrets, tokens, and certificates immediately on state change.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 24, 2026.