
Why do internal role changes create more privilege risk than joiners or leavers?

By NHI Mgmt Group Editorial Team | Updated June 10, 2026 | Domain: NHI Lifecycle Management

Joiners start from a baseline and leavers are supposed to be fully removed. Movers are different because they keep prior access while acquiring new access for the next role. That makes them the highest-risk cohort for entitlement carryover, stale admin rights, and cross-team overexposure.

Why This Matters for Security Teams

Internal moves are riskier than joiners or leavers because the person is already trusted, already mapped into systems, and often already exempted from some controls. That makes entitlement drift easy to miss. A role change can silently preserve old access while adding new permissions, which is exactly how overexposure, toxic combinations, and delayed revocation accumulate across identity stores, SaaS tools, and admin planes.

This is not a theoretical edge case. NHIMG’s Top 10 NHI Issues shows how excessive privilege and weak lifecycle discipline compound exposure, and the same pattern appears in human identity programs when mover workflows are manual or fragmented. Current guidance from the NIST Cybersecurity Framework 2.0 favors continuous identity governance, but many organisations still treat role change as an HR event instead of a security control point.

In practice, many security teams discover mover risk only after an audit, an incident, or a failed access review reveals that yesterday’s privileges were never removed.

How It Works in Practice

A secure mover process starts with the principle that a role change is both a removal and an assignment event. The old role should be explicitly withdrawn before or at the same time as new access is granted, rather than layered on top. This is where entitlement governance, IAM, and business ownership need to work as one workflow, not as separate tickets.

Practitioners typically reduce risk by combining the following steps:

  • Recompute access from the new role, rather than modifying the existing access set in place.
  • Review privileged entitlements separately, because admin rights rarely map cleanly to job titles.
  • Flag cross-functional access that no longer has a business justification.
  • Force reapproval for sensitive systems, especially finance, production, and customer data platforms.
  • Shorten the window between role change and entitlement cleanup so stale access does not persist.
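The recompute-from-the-new-role step above, together with the time-bounded exception handling described under edge cases, as an added Python example that is not part of the original FAQ. The privileged set, the sensitive-system name prefixes and the sample entitlements are constructed assumptions.

```python
from datetime import date

# Constructed classifications (assumptions, not from the original page): which
# entitlements count as privileged, and name prefixes of sensitive systems whose
# access must be reapproved by the business owner on every role change.
PRIVILEGED = {"finance-admin", "prod-admin", "db-owner"}
SENSITIVE_PREFIXES = ("finance-", "prod-", "customer-")

def plan_mover(current, target_role, exceptions, today):
    """Recompute a mover's access from the target role model instead of editing
    the existing set in place. `exceptions` maps entitlement -> expiry date for
    approved, time-bounded overlap. Anything not justified by the target role or
    a live exception lands in "remove"."""
    current, target = set(current), set(target_role)
    live = {e for e, exp in exceptions.items() if exp >= today}
    expired = {e for e, exp in exceptions.items() if exp < today}
    keep = target | live
    return {
        "remove": sorted(current - keep),                 # carryover, incl. lapsed overlap
        "add": sorted(target - current),                  # genuinely new for the next role
        "expired_exceptions": sorted(expired & current),  # overlap that outlived its date
        "privileged_review": sorted((current | target) & PRIVILEGED),  # admin rights, reviewed apart
        "reapprove": sorted(e for e in keep if e.startswith(SENSITIVE_PREFIXES)),
    }

def ordered_actions(plan):
    """Revocations before grants, so the new role is substitutive, not additive."""
    return [("revoke", e) for e in plan["remove"]] + [("grant", e) for e in plan["add"]]

def sample_plan():
    """Constructed example: a finance engineer moving to a platform team."""
    return plan_mover(
        current={"finance-ledger-read", "finance-admin", "jira", "prod-deploy"},
        target_role={"jira", "prod-deploy", "prod-admin", "customer-data-read"},
        exceptions={"finance-ledger-read": date(2026, 7, 1),   # overlap still approved
                    "finance-admin": date(2026, 5, 1)},        # overlap has lapsed
        today=date(2026, 6, 10),
    )

if __name__ == "__main__":
    plan = sample_plan()
    for bucket, items in plan.items():
        print(f"{bucket}: {items}")
    print(ordered_actions(plan))
```

The lapsed finance-admin exception is revoked rather than silently kept, while the still-approved ledger read survives only until its expiry date.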

For organisations with mature identity controls, this means using role engineering, automated recertification, and joiner-mover-leaver workflows that are tied to authoritative sources of record. NHIMG’s Ultimate Guide to NHIs - Key Challenges and Risks highlights how excessive standing access and weak lifecycle hygiene widen exposure, especially when permissions are inherited across systems. The same operational lesson applies to human movers: if the old access path is left intact, the new role becomes additive instead of substitutive.

Where this breaks down is in hybrid environments with fragmented IAM, local application admins, and no central entitlement inventory, because the organisation cannot reliably prove what should be removed.

Common Variations and Edge Cases

Tighter mover controls often increase operational overhead, requiring organisations to balance speed of change against the risk of privilege carryover. That tradeoff is most visible in mergers, reorganisations, and matrixed teams where employees can temporarily need overlapping access while responsibilities shift.

There is no universal standard for this yet, but current guidance suggests treating these cases as exception-managed, time-bounded access rather than allowing open-ended overlap. In higher-risk environments, that usually means step-up approval, time-limited access, and explicit expiration dates for temporary permissions. For privileged roles, the bar should be even higher because a mover can retain admin rights from the previous team and use them in a new context without obvious detection.

Edge cases also appear when the new role is broader than the old one. In those scenarios, security teams should avoid “grant first, clean later” habits, because later rarely arrives on time. The safer model is to remove obsolete entitlements first, then add only the access that is justified for the new function. That approach aligns with the control logic emphasized in OWASP Non-Human Identity Top 10 and helps prevent residual privilege from becoming the hidden default.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Mover risk is driven by poor entitlement changes and stale access.
OWASP Non-Human Identity Top 10 | NHI-03 | Excessive standing privilege and lifecycle gaps mirror mover overexposure.
NIST AI RMF | GOVERN | Identity governance needs accountable, repeatable decisioning for access changes.

Assign clear ownership for mover approvals and track privilege decisions as governed processes.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.