Who should own employee provisioning decisions in a lifecycle workflow?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Governance, Ownership & Risk

HR should own the employment record, while IT or IAM should own the access decision logic based on governed attributes. That split keeps business status separate from entitlement enforcement and reduces confusion during onboarding, transfers, and removals. Clear ownership is what keeps the workflow auditable and repeatable.

Why This Matters for Security Teams

Employee provisioning is not just an onboarding task. It is a control point where business status becomes access, and that handoff determines whether least privilege holds over time. When HR, IT, IAM, and managers blur ownership, lifecycle workflows drift into exceptions, delayed approvals, and stale access. That creates audit gaps and makes removals, transfers, and contractor changes harder to prove.

Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG’s NHI Lifecycle Management Guide points to a simple operational split: the business function owns the source record, while the identity control function owns enforcement. That split matters because provisioning errors are rarely technical failures alone. They are ownership failures that show up when a joiner, mover, or leaver event is processed inconsistently across systems.

NHI Management Group research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which is a strong signal that lifecycle ownership is still too loosely defined in many environments. In practice, many security teams encounter access drift only after a transfer, termination, or audit exception has already exposed the gap.

How It Works in Practice

The cleanest model is to separate employment data from access policy. HR maintains authoritative employee status, manager, department, location, start date, end date, and employment type. IAM or IT then evaluates that data against governed access rules and assigns entitlements through automated workflows. In other words, HR says who the person is in the business record, while IAM decides what access that record permits.

This structure works best when provisioning is policy-driven rather than manually approved case by case. For example, a new hire in finance can be mapped to a role baseline, a location profile, and a system-specific exception set. A transfer can trigger both removal of old access and re-evaluation of the new access bundle. A termination event should immediately revoke access, disable sessions, and queue downstream cleanup for SaaS apps, directories, VPN, and privileged accounts.

  • HR owns the employment event and source attributes.
  • IAM owns the access decision logic and entitlement mapping.
  • IT executes the technical provisioning path where automation is required.
  • Managers can request access, but should not be the control owner.
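The split described above can be made concrete in code: HR publishes an immutable employment record, IAM evaluates that record against governed rules, and the provisioning step only executes the resulting diff and writes an audit entry. The following is an added example written for this page, not code from NHIMG or any product it references; the attribute names, role baselines, location profiles and the joiner/mover/leaver records are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HRRecord:
    """Authoritative employment record. Owned by HR; IAM reads it, never edits it."""
    employee_id: str
    status: str            # "active" or "terminated"
    department: str
    location: str
    employment_type: str   # "employee" or "contractor"
    manager: Optional[str]


# Governed access rules. Owned by IAM; HR does not touch these.
# (Constructed baselines for the example, not a real organisation's policy.)
ROLE_BASELINES = {
    "finance": {"erp-viewer", "expense-approver"},
    "engineering": {"git-read", "ci-runner"},
}
LOCATION_PROFILES = {"eu": {"vpn-eu"}, "us": {"vpn-us"}}
EMPLOYEE_ONLY = {"expense-approver"}   # never derived for contractors


def validate(record: HRRecord) -> list[str]:
    """Attribute checks IAM runs before it will act on an HR event."""
    problems = []
    if record.status not in ("active", "terminated"):
        problems.append(f"unknown status {record.status!r}")
    if record.status == "active" and record.department not in ROLE_BASELINES:
        problems.append(f"no role baseline for department {record.department!r}")
    if record.status == "active" and not record.manager:
        problems.append("active record has no manager")
    return problems


def evaluate(record: HRRecord) -> set[str]:
    """IAM decision logic: entitlements follow from governed attributes only."""
    if record.status != "active":
        return set()          # a leaver gets nothing, regardless of history
    ents = set(ROLE_BASELINES[record.department])
    ents |= LOCATION_PROFILES.get(record.location, set())
    if record.employment_type != "employee":
        ents -= EMPLOYEE_ONLY
    return ents


@dataclass(frozen=True)
class AuditEvent:
    employee_id: str
    kind: str              # "joiner", "mover", "leaver", or "rejected"
    granted: frozenset
    revoked: frozenset
    reason: str


class ProvisioningEngine:
    """IT execution path: applies the diff between current and policy-derived access."""

    def __init__(self) -> None:
        self.current: dict[str, set[str]] = {}
        self.audit: list[AuditEvent] = []

    def apply(self, record: HRRecord) -> AuditEvent:
        before = self.current.get(record.employee_id, set())
        problems = validate(record)
        if problems:
            # Bad source data is recorded and refused; nothing is provisioned.
            ev = AuditEvent(record.employee_id, "rejected", frozenset(),
                            frozenset(), "; ".join(problems))
            self.audit.append(ev)
            return ev
        after = evaluate(record)
        if record.status == "terminated":
            kind = "leaver"
        elif not before:
            kind = "joiner"
        else:
            kind = "mover"     # old access removed and new bundle re-evaluated in one step
        ev = AuditEvent(record.employee_id, kind, frozenset(after - before),
                        frozenset(before - after), "policy evaluation")
        self.current[record.employee_id] = after
        self.audit.append(ev)
        return ev


def lifecycle_demo() -> list[AuditEvent]:
    """Constructed joiner -> mover -> leaver sequence for one employee."""
    engine = ProvisioningEngine()
    joiner = HRRecord("e1001", "active", "finance", "eu", "employee", "m42")
    mover = HRRecord("e1001", "active", "engineering", "us", "employee", "m77")
    leaver = HRRecord("e1001", "terminated", "engineering", "us", "employee", "m77")
    for rec in (joiner, mover, leaver):
        engine.apply(rec)
    return engine.audit


if __name__ == "__main__":
    for ev in lifecycle_demo():
        print(ev.kind, "granted:", sorted(ev.granted), "revoked:", sorted(ev.revoked))
```

Two design points carry the ownership split. The HR record is frozen and contains only business attributes, so nobody on the IAM side can "fix" access by editing the source of truth; and the engine never takes an entitlement as input, only a record, so a manager or ticket cannot inject a grant that bypasses the governed rules. Every decision lands in the audit list with its event kind and reason, which is the evidence an auditor asks for when proving who got what and why.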

That approach aligns with the lifecycle emphasis in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the control discipline described in Top 10 NHI Issues. The same principle shows up in identity governance standards such as NIST SP 800-63 Digital Identity Guidelines, where trustworthy attributes and lifecycle assurance matter more than ad hoc approval trails. These controls tend to break down when provisioning is spread across local HR practices, shadow IT tickets, and app-by-app manual exceptions because no single team can reliably prove who changed what and why.

Common Variations and Edge Cases

Tighter ownership often increases workflow overhead, so organisations have to balance speed against control. That tradeoff becomes visible in mergers, highly regulated units, and contractor-heavy environments where a single “employee” workflow does not fit every case.

Best practice is evolving for edge cases. In some organisations, the hiring manager can act as the requester for access packages, but not the approver of policy exceptions. In others, compliance or legal may own special handling for regulated roles, while IAM still owns the enforcement logic. For temporary workers and vendors, the source-of-truth record may sit outside HR entirely, but the same rule holds: business context is owned upstream, and access decisions are owned by the control plane.

This is also where lifecycle mistakes multiply if removal is treated as optional. NHIMG’s research on the Guide to the Secret Sprawl Challenge highlights how quickly credentials and access records spread beyond central control. When organisations mix ownership, they often end up with duplicate approvals, delayed deprovisioning, and inconsistent records across HRIS, IAM, PAM, and application administrators. There is no universal standard for every exception path yet, but the consistent rule is that the source record and the enforcement decision should never live with the same loosely governed local owner.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Lifecycle ownership and access drift are central NHI governance concerns. |
| NIST CSF 2.0 | PR.AC-4 | Provisioning decisions directly affect access authorization and revocation. |
| NIST SP 800-63 | IAL2 | Authoritative attribute assurance is required before access is granted. |

Validate source attributes before provisioning and keep the identity proofing record separate from entitlements.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org