
What breaks when JML processes are still manual in a SaaS-heavy environment?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: NHI Lifecycle Management

Manual JML creates delays, missed revocations, and orphaned accounts. In SaaS-heavy environments, those failures leave former employees and business teams with active access long after it should have ended. The practical consequence is not just higher breach exposure, but weaker auditability and unnecessary license spend.

Why This Matters for Security Teams

Manual joiner-mover-leaver processes become fragile as soon as access spans dozens of SaaS apps, each with its own admin console, token model, and approval path. The core failure is timing: entitlements remain active after role changes, transfers, or exits, even when HR has already closed the record. That gap weakens least privilege, complicates audit trails, and turns routine offboarding into a security control failure rather than an HR task.

NHIMG research shows how quickly identity sprawl becomes operational risk, with only 20% of organisations having formal processes for offboarding and revoking API keys. The same pattern appears in real incidents such as the Snowflake breach and the Salesloft OAuth token breach, where access paths persisted long enough to be abused. Current guidance from the NIST Cybersecurity Framework 2.0 reinforces that identity governance must be continuous, not episodic.

In practice, many security teams discover the real cost only after an audit exception, a license overage, or a departed user still holding active SaaS permissions.

How It Works in Practice

In a SaaS-heavy environment, manual JML usually means three disconnected workflows: HR updates employment status, IT or app owners approve access changes, and admins remove accounts one system at a time. Each step introduces delay, and each delay increases exposure. The problem is not only speed. Manual handling also creates inconsistency, because different SaaS platforms expose different deprovisioning methods for users, groups, SCIM connectors, API keys, delegated admin roles, and service-linked credentials.

Practitioners generally reduce breakage by automating lifecycle triggers from the system of record, then enforcing policy at the identity layer and the app layer together. That often includes:

  • HR-triggered provisioning and deprovisioning from the authoritative source of truth.
  • SCIM or equivalent automated account removal where supported.
  • Role changes tied to time-bound approvals rather than ticket chains.
  • Immediate revocation of sessions, tokens, and API keys when employment status changes.
  • Periodic reconciliation to find orphaned accounts, stale groups, and shadow admins.

NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because the same lifecycle discipline applies to human and non-human access: create, use, rotate, revoke, verify. The control objective is not simply account closure; it is ensuring that every entitlement has an owner, a purpose, and a termination condition. That aligns with identity governance patterns described in NIST CSF 2.0, where access management must be measurable and repeatable, not ad hoc. These controls tend to break down when SaaS apps lack SCIM support and admins must revoke access manually across fragmented consoles, because revocation then depends on individual follow-through.

Common Variations and Edge Cases

Tighter JML automation often increases implementation overhead, requiring organisations to balance speed of revocation against application compatibility and change-management risk. Some SaaS tools do not support full deprovisioning, while others preserve data or shared assets in ways that complicate immediate removal. Best practice is evolving here, and there is no universal standard for how every SaaS platform should handle delegated ownership, guest access, or shared inboxes after departure.

Edge cases usually appear in three places. First, contractors and partners may sit outside the core HR workflow, so their access never enters the standard leaver path. Second, business-owned SaaS accounts often bypass central IAM, which means manual clean-up depends on local managers remembering to act. Third, high-value integrations can leave behind OAuth grants, refresh tokens, or API keys even after the user account itself is removed. That is why incidents such as the BeyondTrust API key breach matter: account deletion alone does not always end access.

For this reason, current guidance suggests pairing JML automation with access reviews, license reconciliation, and explicit token revocation. Manual processes still have a place for exception handling, but they should not be the default control for ordinary leavers.
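As an added illustration (not code from NHIMG or this article), the reconciliation step described above and the token-persistence edge case can be checked in one pass: join the HR system of record with each app's account and credential inventory, route terminated users to SCIM deprovisioning or a manual ticket depending on app support, and flag API keys and OAuth grants still owned by leavers even where the user account is already gone. App names, fields, identifiers and dates are constructed for the example.

```python
"""Leaver reconciliation: find access that outlives employment.
Added example, not the article's code. Joins a constructed HR feed with
per-app account and credential inventories; app names and fields are assumed.
"""
from dataclasses import dataclass, field
from datetime import date

@dataclass
class App:
    name: str
    scim: bool                  # True: automated deprovisioning is available
    accounts: set[str]          # e-mails of active user accounts in the app
    credentials: dict[str, str] = field(default_factory=dict)  # cred id -> owner

# Constructed HR feed: (status, date HR closed the record) per person.
HR = {
    "alice@example.com": ("active", None),
    "bob@example.com": ("terminated", date(2026, 5, 30)),
    "carol@example.com": ("terminated", date(2026, 6, 1)),
    "dan@example.com": ("active", None),
}
TODAY = date(2026, 6, 11)   # constructed reconciliation date

APPS = [
    App("crm", scim=True, accounts={"alice@example.com", "bob@example.com"}),
    # Bob's account is already deleted here, but his API key and Carol's
    # OAuth grant survived account removal: deletion alone did not end access.
    App("warehouse", scim=False, accounts={"alice@example.com"},
        credentials={"key-0391": "bob@example.com", "grant-77": "carol@example.com",
                     "key-0412": "dan@example.com"}),
    App("ticketing", scim=False, accounts={"carol@example.com", "dan@example.com"}),
]

def reconcile(hr: dict, apps: list[App], today: date) -> dict:
    """Return a remediation plan grouped by how each access path must be revoked."""
    gone = {u for u, (status, _) in hr.items() if status == "terminated"}
    plan = {"scim_deprovision": [], "manual_ticket": [], "revoke_credential": [],
            "max_days_open": 0}
    for app in apps:
        for user in sorted(app.accounts & gone):      # orphaned user accounts
            plan["scim_deprovision" if app.scim else "manual_ticket"].append((app.name, user))
            plan["max_days_open"] = max(plan["max_days_open"], (today - hr[user][1]).days)
        for cred, owner in sorted(app.credentials.items()):   # credentials checked on their own
            if owner in gone:
                plan["revoke_credential"].append((app.name, cred, owner))
    return plan

if __name__ == "__main__":
    print(reconcile(HR, APPS, TODAY))
```

max_days_open is the longest gap between HR closing a record and the account still existing, which is the metric an access review or audit exception will ask for.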

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-4 | Identity and access rights must be provisioned, changed, and removed on time. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Manual JML often leaves stale credentials and orphaned non-human access behind. |
| NIST AI RMF | | Lifecycle governance is part of accountable AI and identity risk management. |

Automate joiner-mover-leaver changes and verify revocation against PR.AC-4 during each access cycle.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.