
What breaks when ITGC access controls are not tied to lifecycle management?

By NHI Mgmt Group Editorial Team | Updated June 11, 2026 | Domain: Governance, Ownership & Risk

Access can remain active after employment ends, which means the control exists in policy but not in practice. That creates audit findings, weakens accountability, and leaves sensitive systems open to stale privileges. The fix is not just recertification. It is continuous reconciliation between HR events, entitlement data, and privileged access records.

Why This Matters for Security Teams

ITGC (IT general control) access controls only work when they are tied to the same lifecycle events that create, change, and remove access. If onboarding, transfers, role changes, contractor expiration, or termination are not continuously reflected in entitlement records, the control becomes a paper assurance instead of an operational one. That gap is especially dangerous for privileged and shared accounts, where stale access can persist long after the business need has ended. NHI Management Group’s Ultimate Guide to NHIs notes that only 20% of organisations have formal processes for offboarding and revoking API keys, while 97% of NHIs carry excessive privileges.

The security issue is not just access persistence. Broken lifecycle linkage also undermines evidence quality for audits, because recertification results no longer match the actual state of HR, IAM, PAM, and application entitlements. That produces a control that can pass review while still leaving dormant access in production systems. Both the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 point toward continuous control validation rather than periodic paperwork alone. In practice, many security teams discover the break only after a leaver account or over-privileged service identity has already been used in the wild.

How It Works in Practice

The practical fix is continuous reconciliation across identity sources, not a one-time access review. HR events should trigger access evaluation, but the entitlement system must also compare what each user, service account, and privileged identity actually has against what policy allows. For human access, that means aligning joiner-mover-leaver events with RBAC, PAM, and access request workflows. For machine access, it means tying secrets, tokens, certificates, and service account permissions to a lifecycle owner and expiry path. NHI Management Group’s NHI Lifecycle Management Guide and Lifecycle Processes for Managing NHIs both emphasize that lifecycle discipline is the control, not a side task.

  • Map each access grant to an owner, business purpose, and expiration condition.
  • Reconcile HR, IAM, PAM, and application entitlements on a continuous or near-real-time basis.
  • Auto-disable or queue review when an employee exits, a contractor term ends, or a role changes.
  • Track exceptions separately so emergency access does not become standing access.
  • Verify revocation in downstream systems, not just in the source directory.

For privileged access, this should be paired with short-lived credentials and just-in-time elevation where possible, because long-lived standing access is the main failure mode. For cloud and application teams, the control evidence should show both the event that changed the lifecycle state and the downstream removal of access. That aligns with the operational direction in NIST CSF 2.0 and the audit focus in Ultimate Guide to NHIs — Regulatory and Audit Perspectives. These controls tend to break down in federated environments with multiple HR systems or disconnected SaaS apps because revocation is not propagated consistently across all entitlement stores.

Common Variations and Edge Cases

Tighter lifecycle control often increases operational overhead, requiring organisations to balance fast access restoration against stronger revocation discipline. That tradeoff becomes visible in mergers, contractor-heavy workforces, and third-party integrations, where identity ownership is split across teams and systems. In those environments, best practice is evolving rather than settled, especially for shared accounts and delegated admin access.

One common edge case is a terminated employee whose access was removed in the directory but remains active in SaaS apps, cloud roles, or local application databases. Another is machine access that never maps cleanly to HR at all, which is why NHIs must be governed with lifecycle policies of their own. NHI Management Group’s Top 10 NHI Issues and Ultimate Guide to NHIs — Static vs Dynamic Secrets highlight why static credentials and poor rotation make lifecycle failures harder to detect. The practical rule is simple: if access cannot be revoked quickly and proven across all downstream systems, the ITGC is not actually controlling access.
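The reconciliation loop described under How It Works in Practice, and the two edge cases above (a leaver removed from the directory but still active downstream, and machine identities with no HR linkage), can be written as one check. The script below is an added example, not code from the original page or from NHI Management Group: the HR events, role policy, store snapshots, NHI inventory, emergency grants and every identifier in them are constructed sample data. It compares each identity's holdings in every store against lifecycle state and policy, separates lapsed emergency grants from ordinary excess entitlements, governs NHIs by owner and expiry rather than by HR event, and produces the paired evidence record (lifecycle event plus per-store removal status) that an auditor would ask for.

```python
"""Reconcile lifecycle events against every entitlement store, not just the directory.

Added example, not code from the original page. Every identifier, store name,
role and sample record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def D(month, day):
    """Shorthand for a UTC timestamp in 2026 (constructed sample data)."""
    return datetime(2026, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    kind: str     # stale_access, revocation_not_propagated, excess_entitlement, ...
    subject: str  # human or machine identity
    store: str    # where the problem was observed
    detail: str


NOW = D(6, 11)

# HR system of record: latest lifecycle event per person (constructed).
HR_EVENTS = {
    "alice": {"event": "terminate",    "effective": D(5, 30)},
    "bob":   {"event": "transfer",     "effective": D(6, 1), "role": "analyst"},
    "carol": {"event": "hire",         "effective": D(3, 2), "role": "dba"},
    "dave":  {"event": "contract_end", "effective": D(7, 1), "role": "analyst"},
}

# Policy: entitlements each role may hold (constructed).
ROLE_POLICY = {
    "analyst": {"saas:reporting", "cloud:ReadOnly"},
    "dba":     {"saas:reporting", "cloud:DBAdmin", "pam:db-root"},
}

# Snapshots from each entitlement store. Presence of a subject means the
# account is enabled there. alice is gone from the directory but not downstream.
STORE_SNAPSHOTS = {
    "directory": {"bob": {"saas:reporting", "cloud:ReadOnly"},
                  "carol": {"saas:reporting", "cloud:DBAdmin", "pam:db-root"},
                  "dave": {"saas:reporting"}},
    "saas":      {"alice": {"saas:reporting"}, "bob": {"saas:reporting"},
                  "carol": {"saas:reporting"}, "dave": {"saas:reporting"}},
    "cloud":     {"bob": {"cloud:ReadOnly", "cloud:DBAdmin"}, "carol": {"cloud:DBAdmin"}},
    "pam":       {"alice": {"pam:db-root"}, "carol": {"pam:db-root"}},
}

# Machine identities need an owner, a purpose and an expiry path of their own.
NHI_INVENTORY = [
    {"id": "svc-billing-export",  "owner": "carol", "purpose": "nightly billing export", "expires": D(9, 1)},
    {"id": "svc-legacy-etl",      "owner": None,    "purpose": "",                       "expires": None},
    {"id": "svc-ci-deploy-token", "owner": "alice", "purpose": "CI deploy",              "expires": D(4, 1)},
]

# Time-boxed emergency grants; anything still present after expiry is standing access.
EMERGENCY_GRANTS = [
    {"subject": "bob", "entitlement": "cloud:DBAdmin", "expires": D(6, 3)},
]


def lifecycle_state(event, now):
    """'left' once a termination or contract end has taken effect, else 'active'."""
    if event["event"] in ("terminate", "contract_end") and event["effective"] <= now:
        return "left"
    return "active"


def reconcile(now=NOW, hr=HR_EVENTS, policy=ROLE_POLICY, stores=STORE_SNAPSHOTS,
              nhis=NHI_INVENTORY, grants=EMERGENCY_GRANTS):
    """Compare what every identity holds in every store against lifecycle state and policy."""
    findings = []
    live = {(g["subject"], g["entitlement"]) for g in grants if g["expires"] > now}
    lapsed = {(g["subject"], g["entitlement"]) for g in grants if g["expires"] <= now}
    leavers = {p for p, ev in hr.items() if lifecycle_state(ev, now) == "left"}

    for person, ev in hr.items():
        in_directory = person in stores["directory"]
        for store, snapshot in stores.items():
            held = snapshot.get(person, set())
            if person in leavers:
                if person in snapshot:  # any remaining account is a failure of the control
                    kind = "stale_access" if in_directory else "revocation_not_propagated"
                    findings.append(Finding(kind, person, store, f"holds {sorted(held)} after leave date"))
                continue
            allowed = policy.get(ev.get("role"), set())
            for ent in sorted(held - allowed):
                if (person, ent) in live:
                    continue  # covered by a live, time-boxed exception
                kind = "standing_emergency_access" if (person, ent) in lapsed else "excess_entitlement"
                findings.append(Finding(kind, person, store, ent))

    for nhi in nhis:  # NHIs are governed by owner and expiry, not by an HR event
        if nhi["owner"] is None or nhi["owner"] in leavers:
            findings.append(Finding("unowned_nhi", nhi["id"], "nhi_inventory", f"owner={nhi['owner']!r}"))
        if nhi["expires"] is None:
            findings.append(Finding("no_expiry", nhi["id"], "nhi_inventory", "no expiration condition"))
        elif nhi["expires"] <= now:
            findings.append(Finding("expired_nhi", nhi["id"], "nhi_inventory", "past expiry, still inventoried"))
    return findings


def revocation_evidence(person, hr=HR_EVENTS, stores=STORE_SNAPSHOTS):
    """Audit evidence: the lifecycle event paired with removal status in each store."""
    ev = hr[person]
    removed = {store: person not in snap for store, snap in stores.items()}
    return {"subject": person, "event": ev["event"], "effective": ev["effective"].isoformat(),
            "removed_in": removed, "complete": all(removed.values())}


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:28} {f.subject:22} {f.store:14} {f.detail}")
    print(revocation_evidence("alice"))
```

Run against the constructed data, the leaver alice produces no directory finding but two revocation_not_propagated findings (SaaS and PAM), which is exactly the case a directory-only check would miss; bob's lapsed emergency DBAdmin grant is reported as standing access rather than a generic excess entitlement; and the two problem NHIs are caught without any HR event at all, one because it has no owner or expiry, the other because its owner has left and its credential is past expiry. In a real deployment the snapshot dictionaries would be fed from the directory, SaaS, cloud IAM and PAM APIs on a schedule, and the evidence record would be written to the audit store alongside each lifecycle event.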

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (the CSF 2.0 successor to CSF 1.1 PR.AC-4) | Access permissions, entitlements, and authorizations must be managed and reviewed against lifecycle events to keep privileges current.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Offboarding and rotation gaps that leave stale access active.
NIST AI RMF | GOVERN function | Governance outcomes that support accountable lifecycle management for autonomous identities.

Assign ownership for identity lifecycle controls and verify decisions through ongoing monitoring.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.