Mover events are riskier because they require two actions at once: granting new access and removing old access. If the revocation side lags, users accumulate entitlements from multiple roles. That creates overprovisioning, which is one of the most common ways privilege creep enters an IAM programme.
Why Mover Events Carry More Risk Than New Hires
Mover events are riskier because onboarding adds access into a known starting point, while a role change must simultaneously expand legitimate access and remove what is no longer appropriate. That dual action creates a timing gap where old entitlements can linger, especially when approvals, ticketing, and IAM updates are split across different teams. Current guidance from NIST Cybersecurity Framework 2.0 supports disciplined access governance, but mover handling is where many programmes struggle to execute it consistently.
NHIMG research shows how quickly weak lifecycle control turns into exposure: the Ultimate Guide to NHIs notes that 97% of NHIs carry excessive privileges and only 20% of organisations have formal offboarding and revocation processes for API keys. The same pattern appears in human identity programmes when entitlements are not removed as part of the move. In practice, many security teams discover privilege creep only after a transfer, promotion, or team change has already widened access beyond what the new role requires.
How Mover Governance Should Work in Practice
Effective mover handling is a join-the-dots process, not a single IAM update. The goal is to recalculate access from the new role, then revoke everything that no longer maps to that role with minimal delay. That means the identity workflow, HR trigger, manager approval, and entitlement engine all need to be aligned. When access is based on RBAC, the move should trigger a full entitlement review rather than a simple add-on change, because inherited permissions are the usual source of hidden overprovisioning.
Security teams should treat the move as a controlled re-certification event:
- Compare the current entitlements to the destination role before making changes.
- Remove stale group membership, app roles, VPN access, and admin privileges as part of the same workflow.
- Use time-bound elevation only when the new role needs temporary access during transition.
- Log the before-and-after access state so auditors can see what changed and when.
This is where lifecycle hygiene matters. The 52 NHI Breaches Analysis is useful because it shows how poor credential control repeatedly turns routine identity changes into incident paths. For teams managing secrets and service accounts, the same principle applies: a mover event should trigger revocation, re-issuance, or re-scoping, not just a new entitlement grant. Standards bodies increasingly point toward continuous access evaluation, but there is no universal standard for mover automation yet, so organisations need explicit policy logic, not informal ticket handling. These controls tend to break down when HR data arrives late, role definitions are vague, or access is administered by local application owners outside central IAM.
Common Exceptions and Failure Modes
Tighter mover controls often increase operational overhead, requiring organisations to balance faster role transitions against stronger revocation discipline. That tradeoff becomes visible in merged companies, matrix organisations, and project-based teams where one person may legitimately need overlapping access for a short period. Best practice is evolving here: current guidance suggests using temporary exceptions with expiry, rather than leaving legacy access in place indefinitely.
Edge cases also matter. Some systems do not support clean role subtraction, so deprovisioning may require manual cleanup in downstream applications, SaaS consoles, and shared admin groups. Shared accounts, delegated admin rights, and emergency access break the neat mover model because the entitlement is not tied to one person alone. In those cases, security teams should segment access, add owner review, and verify the change at the system level rather than assuming the IAM directory is authoritative. The Top 10 NHI Issues resource reinforces the broader lesson: identity risk rises sharply when access outlives the business need, whether the identity is human or non-human.
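As an added illustration, not code from the page or from NHIMG, the Python sketch below implements the re-certification steps listed earlier as a set reconciliation and then applies the edge-case advice above: access is recalculated from the destination role rather than added on top, only unexpired transition exceptions are honoured, the before-and-after state is recorded for audit, and the directory's expected state is compared with what a downstream system actually reports. The role catalogue, entitlement strings, dates and scenario are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed role catalogue (not from the page): destination role -> entitlements it needs.
ROLE_ENTITLEMENTS = {
    "sales-rep": {"crm:accounts", "vpn:corp", "grp:sales"},
    "finance-analyst": {"erp:reports:read", "vpn:corp", "grp:finance"},
}
NOW = datetime(2026, 6, 24, tzinfo=timezone.utc)  # fixed clock so the example is reproducible


def reconcile_mover(current, new_role, exceptions, now=NOW):
    """Recalculate access from the destination role instead of adding on top of it.

    current    -- entitlements the identity holds today (set of str)
    new_role   -- destination role name in ROLE_ENTITLEMENTS
    exceptions -- {entitlement: expiry datetime} approved for the transition period
    Returns (grant, revoke, temporary, audit); audit holds the before/after state.
    """
    target = ROLE_ENTITLEMENTS[new_role]          # unknown role -> KeyError, fail closed
    live = {e for e, expiry in exceptions.items() if expiry > now}
    stale = current - target                       # everything the new role does not justify
    grant = target - current
    temporary = stale & live                       # time-bound overlap, kept until expiry
    revoke = stale - temporary                     # revoked in the same workflow as the grant
    after = (current | grant) - revoke
    audit = {
        "at": now.isoformat(), "role": new_role,
        "before": sorted(current), "after": sorted(after),
        "granted": sorted(grant), "revoked": sorted(revoke),
        "temporary": {e: exceptions[e].isoformat() for e in sorted(temporary)},
    }
    return grant, revoke, temporary, audit


def system_drift(expected_after, observed):
    """Verify at the system level: entitlements a downstream app still reports
    although the directory says they were removed (manual cleanup needed)."""
    return observed - expected_after


def run_example():
    # Constructed scenario: a sales rep moves to finance analyst and has also
    # accumulated a CRM admin right that no role justifies.
    current = ROLE_ENTITLEMENTS["sales-rep"] | {"admin:crm"}
    handover = {"crm:accounts": NOW + timedelta(days=14)}  # approved, expiring overlap
    grant, revoke, temporary, audit = reconcile_mover(current, "finance-analyst", handover)
    # Re-run the same reconciliation once the exception has expired: the overlap goes too.
    _, revoke_later, _, _ = reconcile_mover(set(audit["after"]), "finance-analyst",
                                            handover, now=NOW + timedelta(days=15))
    observed = set(audit["after"]) | {"admin:crm"}  # SaaS console still shows the admin right
    return {"grant": grant, "revoke": revoke, "temporary": temporary,
            "revoke_later": revoke_later, "drift": system_drift(set(audit["after"]), observed)}
```

Running the reconciliation again on a schedule, rather than only at the HR trigger, is what turns the expiring exception into an actual revocation.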
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Mover events hinge on timely access revocation and least privilege. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Overprovisioning and stale access mirror common NHI lifecycle failures. |
| NIST AI RMF | | Governance and accountability matter when access changes dynamically. |
Recalculate access on role change and remove obsolete entitlements immediately.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org