Manual JML breaks when identity state changes faster than human workflows can process them. The result is delayed onboarding, stale access after role changes or departures, and poor auditability. Once access and business state diverge, organisations lose least-privilege consistency and create a persistent window for misuse or compliance failure.
Why This Matters for Security Teams
Manual joiner-mover-leaver handling turns identity governance into a queueing problem, not a control problem. Every ticket, spreadsheet update, and approval handoff adds delay between a business event and the access state that should follow it. That lag is where risk accumulates: new hires wait for access, movers keep permissions from prior roles, and leavers remain active long after departure. For NHIs, the same pattern is even more dangerous because service accounts, API keys, and automation identities often outlive the people who requested them. The issue is not just operational friction. It is a persistent gap between intended access and actual access, which undermines least privilege, auditability, and zero trust alignment. Current guidance in the NIST Cybersecurity Framework 2.0 treats identity governance as a core protective function, but manual workflows rarely keep pace with modern identity volume. In practice, many security teams discover stale access only after a role change, offboarding event, or incident has already exposed the mismatch.How It Works in Practice
Effective JML for both human and non-human identities depends on lifecycle events being authoritative and machine-enforced, not manually interpreted. The practical model is: HR, IAM, ITSM, or workload orchestration emits a change event; policy evaluates what access should exist; provisioning and revocation happen automatically; and evidence is retained for review. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and NHI Lifecycle Management Guide both emphasize that lifecycle control is only reliable when issuance, rotation, revocation, and offboarding are tied to a source of truth. Practical JML design usually includes:- Automated onboarding triggered by verified identity or workload creation events.
- Role- or attribute-based access assignment, with approvals only for exceptions.
- Immediate deprovisioning on termination, contract end, or workload retirement.
- Short-lived secrets and just-in-time access instead of standing permissions.
- Logging that proves when access changed, who approved it, and what was revoked.
Common Variations and Edge Cases
Tighter JML control often increases operational overhead, requiring organisations to balance speed against assurance. That tradeoff is real, especially where legacy applications cannot consume event-driven provisioning or where multiple business units define “joiner” and “leaver” differently. Current guidance suggests that these exceptions should be isolated, documented, and reduced over time rather than accepted as the default. A few edge cases matter:- Contractors and third parties may need separate lifecycle rules, since their offboarding often depends on procurement or vendor management rather than HR.
- Shared accounts and break-glass access should follow a separate process, because they do not map cleanly to standard JML flows.
- NHIs created by CI/CD, scripts, or agents may have no human owner in the usual sense, so lifecycle ownership must be assigned to a service or team.
- High-churn environments may require policy-as-code and workflow automation to prevent revocation delays from piling up.
Related resources from NHI Mgmt Group
- What breaks when privileged access is still managed through manual tickets?
- What breaks when access is managed through too many manual steps?
- What breaks when JML processes are still manual in a SaaS-heavy environment?
- What breaks when privileged access is managed through scripts and manual reconciliation?
Deepen Your Knowledge
NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org