The identity governance function should own the control, with HR, app owners, and IT feeding the required events into it. Revocation should be triggered by lifecycle state, not by ad hoc requests. That keeps the organisation accountable for access removal instead of assuming someone else will handle it.
Why This Matters for Security Teams
Access revocation is not a clerical task. It is the control that stops stale identities from retaining reach after a role change, termination, contract end, or service retirement. When that ownership is unclear, organisations end up with orphaned access, lingering tokens, and elevated permissions that nobody can confidently explain. NHI Management Group notes that only 20% of organisations have formal processes for offboarding and revoking API keys, which shows how often revocation is treated as an afterthought rather than a lifecycle control in practice, as covered in the Ultimate Guide to NHIs.
The operational lesson is simple: ownership must sit with the identity governance function, because that team can coordinate HR events, application context, and technical enforcement into one accountable workflow. Security teams often assume the application owner will remember to remove access, or that IT will catch it during a ticket queue, but neither model scales well when identities are changing continuously. The control objective is to revoke access based on lifecycle state, not on someone noticing a request.
This is also where the broader NHI risk picture matters. The OWASP Non-Human Identity Top 10 treats stale credentials and weak lifecycle governance as repeatable failure modes, not edge cases. In practice, many security teams encounter access drift only after an audit finding, a breach review, or the discovery that a departing worker still had valid access weeks after leaving.
How It Works in Practice
Revocation works best when it is tied to authoritative lifecycle events and enforced through a single governance workflow. HR should trigger employment state changes, app owners should confirm application-specific entitlement dependencies, and IT or platform teams should execute the technical removal. Identity governance then becomes the orchestration point that decides when access must be removed, what downstream systems are affected, and whether exceptions need temporary containment.
For human identities, that usually means deprovisioning accounts, disabling sessions, revoking tokens, removing group memberships, and updating privileged access paths. For non-human identities, the same principle applies, but the technical actions differ: rotate or revoke secrets, expire short-lived tokens, disable service accounts, and remove machine-to-machine permissions. This is why the NHI lifecycle guidance in Ultimate Guide to NHIs - Key Challenges and Risks is so relevant: the risk is not just unused access, but access that remains valid long after the business reason has ended.
- Use HR, CMDB, ticketing, or IAM events as the authoritative trigger, not manual follow-up.
- Assign identity governance as the owner of the revocation workflow and SLA.
- Require app owners to validate app-specific dependencies before disabling shared accounts or production roles.
- Automate token, session, and secret revocation where the platform supports it.
- Log evidence of revocation completion for audit, incident response, and exception tracking.
This model aligns with lifecycle governance principles in the OWASP Non-Human Identity Top 10, which emphasises that identity removal must be as deliberate as identity issuance. These controls tend to break down when ownership is split across multiple tickets, because no single team can prove that access was actually removed everywhere it mattered.
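The workflow above, as an added example in Python that is not from the page or from NHI Mgmt Group: a lifecycle event from the HR feed is the only thing that starts revocation, the actions differ for human and non-human identities, a shared account is not disabled until the app owner has validated its dependencies (and is contained with a time-bound exception instead), and everything decided or executed lands in one evidence record. The inventory, the events, the 72-hour exception ceiling and the connector results are all constructed stubs; a real orchestrator would call the IdP, secrets manager and cloud IAM instead.

```python
"""Added example, not NHI Mgmt Group code: a minimal lifecycle-driven
revocation orchestrator. Inventory, HR events and connector results are
constructed; real connectors (IdP, vault, cloud IAM) would replace the stubs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed identity inventory: one worker and the NHIs she owns.
INVENTORY = {
    "alice": {"kind": "human", "groups": ["eng", "prod-admins"]},
    "svc-billing-export": {"kind": "nhi", "owner": "alice", "shared": True,
                           "secrets": ["vault:billing/export-key"]},
    "ci-deploy-bot": {"kind": "nhi", "owner": "alice", "shared": False,
                      "secrets": ["vault:ci/deploy-token"]},
}

DEPARTURE_STATES = {"terminated", "contract_ended"}
TRIGGER_STATES = DEPARTURE_STATES | {"role_changed"}
MAX_EXCEPTION = timedelta(hours=72)   # assumed policy ceiling for an exception window


@dataclass
class Action:
    identity: str
    step: str     # disable_account, revoke_tokens, remove_group, rotate_secret, ...
    target: str   # group name or secret path; "" when the identity itself is the target
    status: str   # "done" (connector confirmed) or "pending" (needs a human decision)


@dataclass
class Deferral:   # a documented, time-bound exception to immediate removal
    identity: str
    reason: str
    expires: datetime


@dataclass
class Record:     # the evidence governance keeps for audit and incident response
    event_id: str
    subject: str
    state: str
    actions: list = field(default_factory=list)
    deferrals: list = field(default_factory=list)


def _done(identity, step, target=""):
    # Stub connector call: assume the platform confirmed the removal.
    return Action(identity, step, target, "done")


def _human_actions(name, state):
    acts = [_done(name, "revoke_tokens"), _done(name, "revoke_sessions")]
    acts += [_done(name, "remove_group", g) for g in INVENTORY[name]["groups"]]
    if state in DEPARTURE_STATES:   # a role change keeps the account, a departure does not
        acts.append(_done(name, "disable_account"))
    return acts


def _nhi_actions(name):
    acts = [_done(name, "rotate_secret", s) for s in INVENTORY[name]["secrets"]]
    acts.append(_done(name, "disable_service_account"))
    return acts


def revoke(event, app_owner_validation, now_iso):
    """Run one HR lifecycle event through the governance workflow.

    event: {"id", "subject", "state"} from the HR feed (constructed).
    app_owner_validation: {nhi: True|False}; True = app owner confirmed it is safe
      to disable, False = a dependency exists, absent = not answered yet.
    Returns a Record, or None when the state is not an authoritative trigger.
    """
    if event["state"] not in TRIGGER_STATES:
        return None                       # ad hoc requests never start revocation
    now = datetime.fromisoformat(now_iso)
    subject, state = event["subject"], event["state"]
    rec = Record(event["id"], subject, state)
    rec.actions += _human_actions(subject, state)

    for nhi, r in INVENTORY.items():
        if r.get("owner") != subject:
            continue
        if state not in DEPARTURE_STATES:
            # The NHI outlives its owner's old role: reassign ownership, do not delete it.
            rec.actions.append(Action(nhi, "reassign_owner", "", "pending"))
            continue
        answer = app_owner_validation.get(nhi)
        if r["shared"] and answer is not True:
            # Shared account without app-owner sign-off: contain it with a
            # documented, time-bound exception instead of leaving it open-ended.
            reason = ("app owner reported a dependency" if answer is False
                      else "awaiting app owner validation")
            rec.deferrals.append(Deferral(nhi, reason, now + MAX_EXCEPTION))
            continue
        rec.actions += _nhi_actions(nhi)
    return rec


def overdue(rec, now_iso):
    """Deferrals whose window has lapsed; governance must close them, not let them drift."""
    now = datetime.fromisoformat(now_iso)
    return [d.identity for d in rec.deferrals if now >= d.expires]
```

The record is what an auditor or incident responder asks for: which event triggered the removal, which identities were touched, which steps a connector confirmed, and which shared accounts are sitting inside an exception window with a deadline attached. Running `overdue` on a schedule is what turns "temporary" into something enforced.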
Common Variations and Edge Cases
Tighter revocation control often increases coordination overhead, so organisations have to balance speed against service continuity. That tradeoff becomes visible when accounts are shared, legacy applications lack modern APIs, or a departing user also owns a brittle integration that cannot tolerate immediate shutdown.
Current guidance suggests that identity governance still owns the decision, even when execution is delegated. The exception concerns how the control is carried out, never who owns it. In some environments, app owners may need a short exception window to preserve uptime while IT removes the access in stages. Any such exception must be temporary, documented, and time bound, and regulated environments will expect evidence of all three.
For machine identities, the edge case is often credential sprawl. Static secrets buried in code, CI/CD tools, or local files may survive far longer than the account record itself. NHI Management Group reports that 96% of organisations store secrets outside secrets managers in vulnerable locations, which makes revocation incomplete unless secret discovery and rotation are part of the offboarding process, not separate hygiene work. That risk profile is one reason the 52 NHI Breaches Analysis remains a practical reminder that identity departure is only safe when downstream access paths are closed too.
Best practice is evolving, but the direction is clear: ownership stays with governance, execution is federated, and evidence matters. Where legacy systems cannot support automated revocation, compensating controls and periodic reconciliation become mandatory.
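The periodic reconciliation that the credential-sprawl edge case above calls for, as an added Python example that is not from the page or from NHI Mgmt Group: it joins the identity records left after offboarding against the secrets-manager inventory, scans constructed file contents (a repo, a CI config, a shell rc) for copies of those secrets that survived outside the manager, and produces a per-secret plan. The identity records, secret values, file contents and the 90-day rotation ceiling are all constructed placeholders; the matching is done on hashes so the report never carries plaintext.

```python
"""Added example, not NHI Mgmt Group code: reconcile disabled identities against
the secrets-manager inventory and scan constructed files for copies of those
secrets that survived outside the manager."""
import hashlib
import re
from datetime import date, timedelta

MAX_SECRET_AGE = timedelta(days=90)   # assumed rotation policy

# Constructed identity records as the IGA system shows them after offboarding.
IDENTITIES = {
    "svc-billing-export": {"status": "disabled"},
    "ci-deploy-bot": {"status": "active"},
}

# Constructed secrets-manager inventory. Values are placeholders, not real credentials.
SECRETS = [
    {"path": "vault:billing/export-key", "owner": "svc-billing-export",
     "active": True, "value": "bx_EXAMPLE_9f3a2c7d", "rotated": "2023-06-01"},
    {"path": "vault:ci/deploy-token", "owner": "ci-deploy-bot",
     "active": True, "value": "dt_EXAMPLE_77c1e05b", "rotated": "2024-12-15"},
]

# Constructed contents of the places secrets leak to: a repo, a CI config, a shell rc.
FILES = {
    "repo/app/settings.py": 'BILLING_KEY = "bx_EXAMPLE_9f3a2c7d"\nDEBUG = False\n',
    "ci/.gitlab-ci.yml": "variables:\n  DEPLOY_TOKEN: dt_EXAMPLE_77c1e05b\n",
    "home/alice/.bashrc": "export PATH=$PATH:/opt/bin\n",
}

# "name = value" or "name: value" with a value of 12+ token characters. Applied per
# line, so a key on one line is never paired with a value on the next.
ASSIGNMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)[ \t]*[:=][ \t]*["\']?([A-Za-z0-9_\-]{12,})')


def fingerprint(value):
    # Compare hashes so the scanner's output never has to contain a secret.
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def find_copies(files):
    """Map fingerprint -> list of 'file:line' where a candidate value appears."""
    hits = {}
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ASSIGNMENT.finditer(line):
                hits.setdefault(fingerprint(m.group(2)), []).append(f"{name}:{lineno}")
    return hits


def reconcile(today_iso):
    """Return what offboarding left behind and the action each secret needs."""
    today = date.fromisoformat(today_iso)
    copies = find_copies(FILES)
    report = {"orphaned": [], "copies": {}, "stale": [], "plan": {}}
    for s in SECRETS:
        if not s["active"]:
            continue
        path = s["path"]
        # An active secret whose owning identity is gone is the orphan the text warns about.
        owner_gone = IDENTITIES.get(s["owner"], {}).get("status") != "active"
        locations = copies.get(fingerprint(s["value"]), [])
        stale = today - date.fromisoformat(s["rotated"]) > MAX_SECRET_AGE
        if owner_gone:
            report["orphaned"].append(path)
        if locations:
            report["copies"][path] = locations
        if stale:
            report["stale"].append(path)
        if owner_gone:
            report["plan"][path] = "revoke; purge copies" if locations else "revoke"
        elif locations or stale:
            report["plan"][path] = "rotate; purge copies" if locations else "rotate"
    return report
```

Two things in the report matter for offboarding specifically. Disabling `svc-billing-export` did not invalidate its export key, and a copy of that key still sits in the repository, so the account record alone says nothing about whether the access path is closed. The deploy token belongs to a live identity, but the copy in the CI config means rotation is required anyway, which is why discovery has to run as part of the same workflow rather than as separate hygiene.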
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 describes the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Revocation failure is the core offboarding weakness; static secrets that outlive the account record are the long-lived-secret weakness. |
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control) | Access permissions, entitlements, and authorizations must be managed, enforced, and reviewed, which includes removal when lifecycle state changes. |
| NIST SP 800-63 | SP 800-63B authenticator lifecycle management (binding, loss or theft, expiration, revocation and termination) | Authenticators and the credentials behind them must be revoked or invalidated promptly when the subscriber's eligibility ends. |
Tie offboarding to secret, token, and account revocation with evidence of completion.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org