
How should teams prevent access from outliving the user lifecycle?

By NHI Mgmt Group Editorial Team | Updated June 11, 2026 | Domain: NHI Lifecycle Management

By tying joiner, mover, and leaver events to every place access can persist, including SSO, app entitlements, device sessions, and licenses. The goal is not just to disable one account, but to close every active path that could still authorize use after employment or role change ends.

Why This Matters for Security Teams

Access that survives a job change or departure is not a cleanup problem; it is an active exposure window. When joiner, mover, and leaver events are only applied to one directory account, the rest of the authorization stack can keep working: app roles, cached sessions, device trust, API tokens, and license-backed entitlements. That gap is exactly why lifecycle control must be treated as a control plane issue, not a one-time HR offboarding task. The NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10 both point to the same operational reality: persistence paths are often more dangerous than the original account.

NHIMG research reinforces how common this failure is. In the 2025 State of NHIs and Secrets in Cybersecurity report, Entro Security found that 91% of former employee tokens remain active after offboarding. That is not an edge case. It means many organisations are disabling one access path while leaving others untouched. In practice, many security teams discover this only after a stale token, forgotten license, or lingering session is used long after the person has left, rather than through intentional lifecycle enforcement.

How It Works in Practice

Effective lifecycle control starts by mapping every place access can persist and assigning an owner to each control point. That usually includes SSO, SaaS entitlements, direct app roles, VPN or device sessions, local accounts, API keys, service credentials, and software licenses. The goal is to make offboarding event-driven: when HR or identity governance records a leaver or mover event, downstream systems receive the change immediately and revoke or downgrade access in their own native mechanism.

Current guidance suggests using the joiner, mover, leaver workflow as a trigger, not a report. A clean implementation typically includes:

  • Immediate deprovisioning in the identity provider and any connected SSO apps.
  • Session invalidation for active browser, device, and privileged sessions.
  • Revocation or rotation of API keys, tokens, certificates, and cached secrets.
  • Removal of group membership, application entitlements, and delegated admin rights.
  • License reclamation so access cannot reappear through reactivation or auto-assignment.

For NHI-heavy environments, the same discipline applies to service accounts and machine credentials. The Ultimate Guide to NHIs -- Lifecycle Processes for Managing NHIs describes lifecycle governance as a continuous process, not a manual ticket. That matters because many entitlements are not centrally visible, and some applications keep local authorization state even after SSO is removed. Best practice is evolving toward continuous reconciliation, where the identity source, app inventory, and credential inventory are checked against each other on a schedule and during every HR event. These controls tend to break down in federated SaaS and legacy applications because revocation is inconsistent across systems and local sessions remain valid after directory access is removed.

Common Variations and Edge Cases

Tighter lifecycle enforcement often increases operational overhead, requiring organisations to balance fast revocation against user continuity and application stability. That tradeoff is real in environments where access is tied to long-lived sessions, offline devices, or shared administrative accounts. There is no universal standard for this yet, so teams should document where immediate revocation is mandatory and where a short grace period is acceptable.

Edge cases often appear in hybrid identity stacks. A user may lose corporate access but still retain access through a partner tenant, a local app account, or a cached refresh token. Shared mailboxes, break-glass accounts, and contractor access also need special handling because their lifecycle does not match a normal employee offboarding path. The Top 10 NHI Issues highlights how missed ownership and poor visibility can leave identities active long after they should have been removed.

Teams should also treat “mover” events as privilege re-scoping, not just title updates. A role change can create excess access just as quickly as a departure creates residual access. That is why current guidance favors automated entitlement review, session expiry, and periodic access reconciliation over annual cleanup alone. In environments with poor application inventory, disconnected SaaS admin planes, or manual exception handling, lifecycle enforcement tends to fail because no one system has full authority to remove access everywhere at once.
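As an added illustration of the joiner/mover/leaver fan-out listed under How It Works in Practice, of the scheduled reconciliation described after it, and of treating mover events as privilege re-scoping: the Python below is example code written for this page, not tooling from NHIMG or from any guide or product named here. The HR roster, role model, inventories, control-point names and owners are all constructed, and the four revocation functions stand in for the native IdP, session, credential and license calls a real team would make.

```python
"""Constructed example: JML enforcement plus reconciliation over toy inventories.

HR_ROSTER is the source of truth; the other inventories stand in for what an
IdP, app admin APIs, a session store and a license manager would report.
"""
from copy import deepcopy

HR_ROSTER = {                                   # status: "active" | "left"
    "alice": {"status": "active", "role": "engineer"},
    "bob":   {"status": "left",   "role": "finance"},   # leaver
    "carol": {"status": "active", "role": "support"},   # mover: was "engineer"
}
ROLE_ENTITLEMENTS = {                           # what each role may hold
    "engineer": {"gitlab:developer", "aws:PowerUser"},
    "finance":  {"erp:ap-clerk"},
    "support":  {"helpdesk:agent"},
}
# sso_linked=False models an app that keeps local authorization state after SSO removal.
APP_ENTITLEMENTS = [
    {"user": "alice", "app": "gitlab",   "entitlement": "gitlab:developer", "sso_linked": True},
    {"user": "bob",   "app": "erp",      "entitlement": "erp:ap-clerk",     "sso_linked": False},
    {"user": "carol", "app": "helpdesk", "entitlement": "helpdesk:agent",   "sso_linked": True},
    {"user": "carol", "app": "aws",      "entitlement": "aws:PowerUser",    "sso_linked": True},
]
CREDENTIALS = [
    {"user": "bob",   "kind": "refresh_token", "id": "rt-0001", "revoked": False},
    {"user": "alice", "kind": "api_key",       "id": "ak-0002", "revoked": False},
]
SESSIONS = [{"user": "bob", "device": "laptop-7"}, {"user": "alice", "device": "laptop-2"}]
LICENSES = {"bob": ["suite-e5"], "alice": ["suite-e5"]}


def make_state():
    """Fresh, mutable copy of the inventories so each run starts clean."""
    return {"entitlements": deepcopy(APP_ENTITLEMENTS), "credentials": deepcopy(CREDENTIALS),
            "sessions": deepcopy(SESSIONS), "licenses": deepcopy(LICENSES)}

# --- control points: each stands in for one system's native revocation call ---
def revoke_sso(state, user):
    """IdP deprovisioning only reaches entitlements the app resolves through SSO."""
    keep = [e for e in state["entitlements"] if not (e["user"] == user and e["sso_linked"])]
    removed = len(state["entitlements"]) - len(keep)
    state["entitlements"] = keep
    return removed

def invalidate_sessions(state, user):
    """Terminate every active browser/device session for the user."""
    keep = [s for s in state["sessions"] if s["user"] != user]
    removed = len(state["sessions"]) - len(keep)
    state["sessions"] = keep
    return removed

def revoke_credentials(state, user):
    """Mark API keys and refresh tokens as revoked instead of deleting the record."""
    live = [c for c in state["credentials"] if c["user"] == user and not c["revoked"]]
    for c in live:
        c["revoked"] = True
    return len(live)

def reclaim_licenses(state, user):
    """Reclaim licenses so access cannot reappear through reactivation."""
    return len(state["licenses"].pop(user, []))

# Every place access can persist gets a named owner (constructed names).
CONTROL_POINTS = [("sso", "iam-team", revoke_sso),
                  ("sessions", "endpoint-team", invalidate_sessions),
                  ("credentials", "platform-team", revoke_credentials),
                  ("licenses", "it-ops", reclaim_licenses)]

def apply_leaver(state, user):
    """Event-driven fan-out: one leaver event hits every control point at once.
    Returns {control_point: number_of_paths_closed}."""
    return {name: fn(state, user) for name, _owner, fn in CONTROL_POINTS}

def reconcile(state):
    """Scheduled check of HR truth against app and credential inventories.
    Finds residual access (leavers or users unknown to HR), excess access (movers
    holding entitlements outside their current role) and unrevoked leaver credentials."""
    findings = []
    for e in state["entitlements"]:
        person = HR_ROSTER.get(e["user"])
        owner = "app-owner:" + e["app"]
        if person is None or person["status"] == "left":
            findings.append(("residual_access", e["user"], e["entitlement"], owner))
        elif e["entitlement"] not in ROLE_ENTITLEMENTS[person["role"]]:
            findings.append(("excess_access", e["user"], e["entitlement"], owner))
    for c in state["credentials"]:
        person = HR_ROSTER.get(c["user"])
        if not c["revoked"] and (person is None or person["status"] == "left"):
            findings.append(("stale_credential", c["user"], c["id"], "platform-team"))
    return findings

if __name__ == "__main__":
    state = make_state()
    print("leaver event for bob:", apply_leaver(state, "bob"))
    for finding in reconcile(state):
        print("finding:", finding)
```

Running it shows the two failure modes the text describes. The leaver event for bob closes his session, token and license, but the SSO control point reports zero removals because the ERP role is local state, so reconciliation still flags `erp:ap-clerk` as residual access with the app owner who must act. Carol's leftover `aws:PowerUser` from her previous role surfaces as excess access, which is the mover case: the role change was applied as a title update, not a re-scoping. Each finding carries an owner because the page's point is that no single system has authority everywhere; the reconciliation output is what routes the work.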

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Covers lifecycle and revocation gaps that let access outlive employment.
NIST CSF 2.0 | PR.AC-1 | Identity lifecycle control depends on timely removal of valid credentials and access.
NIST AI RMF | GOVERN | Lifecycle governance needs ownership, accountability, and policy enforcement across systems.

Assign lifecycle owners and enforce revocation policy across HR, IAM, and application layers.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org