
What breaks when onboarding depends on spreadsheets and email tickets?

By NHI Mgmt Group Editorial Team | Updated June 11, 2026 | Domain: Governance, Ownership & Risk

The identity record becomes fragmented, so IT may be provisioning against information that is already outdated. Once that happens, the organisation loses confidence that the person receiving access matches the current HR record. The result is slower onboarding, more errors, and weaker governance over who should receive application access.

Why This Matters for Security Teams

Spreadsheets and email tickets turn onboarding into a manual relay of identity data, and that is where governance starts to drift. Every copy, reply, and rekey step creates an opportunity for stale attributes, duplicate records, or approvals that no longer match the HR source of truth. NHI Management Group’s research on the State of Secrets in AppSec shows how fragmentation quickly becomes an operational risk when teams lose central visibility into sensitive access material.

The practical issue is not only speed. Manual onboarding weakens evidence quality for access reviews, makes it harder to prove who approved what, and increases the chance that privileged access is granted before employment status, manager, or role is confirmed. That is a direct governance failure, not just an administrative inconvenience. The NIST Cybersecurity Framework 2.0 emphasizes repeatable, risk-based control execution, which manual ticket chains rarely deliver consistently. In practice, many security teams encounter access sprawl only after an audit exception, a leaver mismatch, or an overprovisioned account has already exposed the gap.

How It Works in Practice

When onboarding depends on spreadsheets and email, the organisation is effectively running identity governance by version confusion. HR data may start in one file, move into a ticket, then be retyped into IAM, PAM, and application admin consoles. If any field changes mid-process, the provisioning team may still be acting on the old record. That creates inconsistency across account creation, group assignment, and entitlement approval.

A stronger model is to treat HR or workforce records as the system of record and trigger onboarding from that authoritative source. Best practice is evolving toward workflow automation, policy-as-code, and just-in-time approval paths so access is issued from current context rather than a static request thread. Where possible, organisations should validate:

  • employment status before account creation
  • manager and cost centre before role assignment
  • application owner approval for sensitive access
  • expiry or review dates for temporary access
  • exception handling for contractors, transfers, and rehires

This matters because identity decisions are only as accurate as the inputs behind them. NHI Management Group has highlighted in the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research that compromised identities become an immediate operational asset for attackers once they are trusted by downstream systems. The same principle applies to workforce onboarding: if the wrong record is trusted, the wrong access follows. Control design should therefore prioritise authoritative data, enforced workflow states, and revocation paths that close the loop after provisioning. These controls tend to break down in organisations with multiple HR systems or merged business units because no single workflow owns the final identity state.

Common Variations and Edge Cases

Tighter onboarding controls often increase coordination overhead, requiring organisations to balance speed against accuracy. That tradeoff is real, especially when hiring surges, mergers, or contractor-heavy projects create pressure to provision quickly. Current guidance suggests automation should not eliminate human approval for sensitive access, but it should reduce the number of places where identity data can diverge.

Some environments also need exceptions for temporary staff, emergency access, and cross-border hiring. Those cases are where spreadsheet-driven processes fail hardest, because manual handling encourages one-off decisions that never get fully recorded. The safer pattern is to codify exception paths so they are visible, time-bound, and auditable. If access is needed before all records are final, it should be issued as constrained, short-lived access rather than as a permanent entitlement.
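The validation list above (employment status, manager and cost centre, application owner approval, expiry dates, exception handling) and the short-lived exception path described in this section can be expressed as a single policy-as-code onboarding gate. The following is an added illustration written for this FAQ, not code from NHI Management Group or from any product; the HR record shape, the field names, the worker and application identifiers, and the 8-hour and 90-day lifetimes are all constructed assumptions. It evaluates a request against the current HR record rather than against whatever copy the requester saw, refuses stale or unapproved requests with recorded reasons, issues time-bound access for exceptions and contractors, and provides a revocation check that closes the loop after provisioning.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for the HR system of record (assumed field names and ids).
HR_RECORDS = {
    "W1001": {"status": "active", "manager": "W0007", "cost_centre": "CC-42",
              "worker_type": "employee", "version": 3},
    "W1002": {"status": "pending_start", "manager": "W0007", "cost_centre": "CC-42",
              "worker_type": "employee", "version": 1},
    "W2001": {"status": "active", "manager": None, "cost_centre": "CC-42",
              "worker_type": "contractor", "version": 2},
    "W2002": {"status": "active", "manager": "W0007", "cost_centre": "CC-42",
              "worker_type": "contractor", "version": 1},
}

# Constructed application catalogue: sensitivity flag and owning worker id.
APPLICATIONS = {
    "crm": {"sensitive": False, "owner": "W0050"},
    "prod-db-admin": {"sensitive": True, "owner": "W0060"},
}

EXCEPTION_TTL = timedelta(hours=8)   # assumed lifetime for emergency / pre-start access
CONTRACTOR_TTL = timedelta(days=90)  # assumed review date for non-employee access
ENDED_STATUSES = {"terminated", "leaver"}  # assumed HR statuses that end entitlement


@dataclass
class AccessRequest:
    worker_id: str
    application: str
    hr_version: int                        # HR record version the request was built from
    owner_approval: Optional[str] = None   # worker id of the approving application owner
    exception: bool = False                # emergency / pre-start path


@dataclass
class Decision:
    granted: bool
    reasons: list = field(default_factory=list)
    expires_at: Optional[datetime] = None  # None means a standing (non-temporary) grant


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Apply the onboarding checks in order; every refusal reason is recorded for audit."""
    now = now or datetime.now(timezone.utc)
    hr = HR_RECORDS.get(req.worker_id)
    app = APPLICATIONS.get(req.application)
    if hr is None or app is None:
        return Decision(False, ["no HR record" if hr is None else "unknown application"])

    reasons = []
    # 1. The request must be built from the current HR record, not a stale copy.
    if req.hr_version != hr["version"]:
        reasons.append(f"stale HR data: request saw v{req.hr_version}, current is v{hr['version']}")
    # 2. Employment status before account creation (the exception path may bypass this).
    if hr["status"] != "active" and not req.exception:
        reasons.append(f"employment status is '{hr['status']}'")
    # 3. Manager and cost centre before role assignment.
    if not hr["manager"] or not hr["cost_centre"]:
        reasons.append("manager or cost centre not set")
    # 4. Application owner approval for sensitive access, exception or not.
    if app["sensitive"] and req.owner_approval != app["owner"]:
        reasons.append("sensitive application requires owner approval")
    if reasons:
        return Decision(False, reasons)

    # 5. Exceptional or non-employee access is time-bound, never a permanent entitlement.
    expires = None
    if req.exception:
        expires = now + EXCEPTION_TTL
    elif hr["worker_type"] != "employee":
        expires = now + CONTRACTOR_TTL
    return Decision(True, [], expires)


def should_revoke(worker_id: str, expires_at: Optional[datetime],
                  now: Optional[datetime] = None) -> bool:
    """Close the loop after provisioning: revoke when the grant has expired or HR says the worker has left."""
    now = now or datetime.now(timezone.utc)
    hr = HR_RECORDS.get(worker_id)
    if hr is None or hr["status"] in ENDED_STATUSES:
        return True
    return expires_at is not None and now >= expires_at


if __name__ == "__main__":
    t0 = datetime(2026, 6, 11, tzinfo=timezone.utc)
    print(evaluate(AccessRequest("W1001", "crm", hr_version=2), t0))
    print(evaluate(AccessRequest("W1002", "crm", hr_version=1, exception=True), t0))
    print(evaluate(AccessRequest("W1001", "prod-db-admin", hr_version=3, owner_approval="W0060"), t0))
```

The stale-version check is the piece that spreadsheet and email workflows cannot provide: the gate compares the version the requester saw with the version HR holds now, so a record that changed mid-process is refused rather than provisioned from the old copy. Running the revocation check on a schedule against the same HR source turns expiry and leaver status into enforced workflow states instead of notes in a ticket thread.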

This is especially important for organisations that already struggle with identity sprawl. The DeepSeek breach illustrates how quickly exposed identity material can become a broader compromise issue once trust boundaries are weak. For teams using NIST Cybersecurity Framework 2.0, the operational lesson is to reduce manual handoffs, preserve a single source of truth, and measure onboarding exceptions as governance events rather than administrative noise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
---------------------------------|---------------------|------------------------------------------------------------------------------------------------
NIST CSF 2.0                     | PR.AC-1             | Manual onboarding weakens controlled access assignment and traceability.
OWASP Non-Human Identity Top 10  | NHI-01              | Fragmented onboarding creates identity drift and mis-scoped access for NHIs.
NIST AI RMF                      |                     | Automation and human oversight are needed where identity decisions affect trustworthy operations.

Use AI RMF governance to ensure automated onboarding is accountable, traceable, and auditable.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.