The access request lifecycle is the end-to-end process from request initiation through approval, provisioning, usage, review, and revocation. In mature IAM programmes, each stage is linked so the organisation can prove authorization, monitor entitlement use, and remove access when the original need ends.
Expanded Definition
The access request lifecycle is the governance chain that turns a request into a time-bound entitlement, then tracks it through approval, provisioning, active use, review, and revocation. In NHI operations, that chain must cover service accounts, API keys, tokens, certificates, and agent permissions, not just human logins.
Used properly, the lifecycle creates an auditable record of why access existed, who approved it, what system received it, and when it was removed. That matters because NHI access often persists in scripts, CI/CD pipelines, and automation platforms long after the original business need has changed. The NHI Lifecycle Management Guide and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs both treat lifecycle control as a core governance practice, while the OWASP Non-Human Identity Top 10 frames weak lifecycle handling as a direct security risk.
Definitions vary across vendors on whether lifecycle management covers only approval and revocation or also ownership, recertification, and secret rotation. The most common misapplication is treating the lifecycle as a one-time ticket: access is granted without a defined review date or offboarding trigger, so nothing ever ends it.
Examples and Use Cases
Implementing the access request lifecycle rigorously adds administrative overhead, so organisations have to balance the speed that automation brings against the authorization evidence the lifecycle must produce.
- A developer requests a short-lived API key for a deployment pipeline, the request is approved by a system owner, and the key is revoked automatically when the release window ends.
- An AI Agent receives access to a ticketing platform and secret vault, with the request tied to a documented task, scoped permissions, and a review date aligned to the agent’s operating boundary.
- A platform team follows the NHI Lifecycle Management Guide to ensure every service account has an owner, purpose, and offboarding path before it is provisioned.
- A security team applies the same discipline to stale credentials uncovered after an incident, because the Guide to the Secret Sprawl Challenge shows how unmanaged secrets spread across code, tickets, and collaboration tools.
- An organisation aligns review and approval steps with the OWASP Non-Human Identity Top 10 to reduce overprivileged machine access before it becomes abuse-prone.
In mature environments, the lifecycle is also used to enforce just-in-time access, so standing privilege is replaced with expiring access that is easier to audit and easier to remove.
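The following Python sketch is an added example, not code from NHIMG or from any of the guides referenced above. It models the request, approval, provisioning, review, and revocation chain for three constructed NHIs (a pipeline key, an AI agent, and a legacy service account), then runs a sweep that revokes expired access automatically and flags entitlements with no owner, no expiry, or an overdue review. The record schema, identity names, scopes, and dates are all hypothetical.

```python
# Added example: a toy model of the access request lifecycle for NHI
# entitlements. Schema, identities, scopes and timestamps are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(str, Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    ACTIVE = "active"
    REVOKED = "revoked"


@dataclass
class Entitlement:
    """One NHI entitlement plus the record that explains why it exists."""
    identity: str                    # service account, API key id, agent name
    target: str                      # system the access applies to
    scope: str                       # permission set granted
    requester: str
    owner: Optional[str]             # accountable human/team; None = orphaned
    expires_at: Optional[datetime]   # hard stop; None = standing access
    review_at: Optional[datetime]    # recertification due date
    state: State = State.REQUESTED
    approver: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    @property
    def key(self) -> str:
        return f"{self.identity}@{self.target}"

    def log(self, now: datetime, event: str) -> None:
        self.audit.append(f"{now.isoformat()} {self.key}: {event}")


def request(now, identity, target, scope, requester, owner,
            ttl: timedelta, review_in: timedelta) -> Entitlement:
    """Initiate a request that is time-bound from the start."""
    e = Entitlement(identity, target, scope, requester, owner,
                    expires_at=now + ttl, review_at=now + review_in)
    e.log(now, f"requested {scope} by {requester}, ttl={ttl}")
    return e


def approve(e: Entitlement, now: datetime, approver: str) -> None:
    if e.state is not State.REQUESTED:
        raise ValueError(f"cannot approve from state {e.state.value}")
    if approver == e.requester:           # separation of duties
        raise ValueError("requester may not approve their own request")
    e.state, e.approver = State.APPROVED, approver
    e.log(now, f"approved by {approver}")


def provision(e: Entitlement, now: datetime) -> None:
    if e.state is not State.APPROVED:
        raise ValueError(f"cannot provision from state {e.state.value}")
    e.state = State.ACTIVE
    e.log(now, "provisioned")


def revoke(e: Entitlement, now: datetime, reason: str) -> None:
    if e.state is not State.REVOKED:
        e.state = State.REVOKED
        e.log(now, f"revoked: {reason}")


def sweep(entitlements: List[Entitlement], now: datetime) -> Dict[str, List[str]]:
    """Report lifecycle defects on every still-active entitlement."""
    findings: Dict[str, List[str]] = {}
    for e in entitlements:
        if e.state is not State.ACTIVE:
            continue
        problems = []
        if e.owner is None:
            problems.append("no owner")
        if e.expires_at is None:
            problems.append("standing access (no expiry)")
        elif e.expires_at <= now:
            problems.append("expired")
        if e.review_at is None:
            problems.append("no review date")
        elif e.review_at <= now:
            problems.append("review overdue")
        if problems:
            findings[e.key] = problems
    return findings


def enforce(entitlements: List[Entitlement], now: datetime) -> Tuple[List[str], Dict[str, List[str]]]:
    """Revoke what has expired, then return what still needs a human decision."""
    revoked = []
    for e in entitlements:
        if e.state is State.ACTIVE and e.expires_at is not None and e.expires_at <= now:
            revoke(e, now, "expiry reached")
            revoked.append(e.key)
    return revoked, sweep(entitlements, now)


def demo():
    """Constructed scenario: a pipeline key, an AI agent, and a legacy account."""
    t0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
    key = request(t0, "key-deploy-4711", "ci-runner", "deploy:write", "alice",
                  "platform-team", ttl=timedelta(hours=2), review_in=timedelta(days=30))
    approve(key, t0, "bob")
    provision(key, t0 + timedelta(minutes=5))
    agent = request(t0, "agent-triage", "ticketing", "tickets:read vault:read", "carol",
                    "secops", ttl=timedelta(days=90), review_in=timedelta(days=14))
    approve(agent, t0, "dave")
    provision(agent, t0 + timedelta(minutes=1))
    # The "one-time ticket" anti-pattern: active, but no owner, expiry or review.
    legacy = Entitlement("svc-legacy-etl", "warehouse", "db:admin", "unknown",
                         owner=None, expires_at=None, review_at=None, state=State.ACTIVE)
    inventory = [key, agent, legacy]
    revoked, findings = enforce(inventory, t0 + timedelta(days=15))
    return revoked, findings, [e.state.value for e in inventory]


if __name__ == "__main__":
    revoked, findings, states = demo()
    print("revoked:", revoked)
    for k, v in findings.items():
        print("needs action:", k, v)
```

Run directly, the sweep fifteen days on revokes the two-hour pipeline key on its own, flags the agent only because its fourteen-day review has lapsed, and reports the legacy account three times over, which is exactly the one-time ticket pattern described in the Expanded Definition. The approval step also refuses self-approval, so the audit trail always names a second party.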
Why It Matters in NHI Security
When the access request lifecycle is weak, organisations lose the ability to prove why an NHI exists, whether it is still needed, and whether it has been overused or overprivileged. That is especially dangerous because NHIs often outnumber human identities by 25x to 50x, which multiplies the chance that one forgotten entitlement becomes a persistent exposure.
NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and fewer still have reliable rotation procedures. That gap aligns with the findings in the 52 NHI Breaches Analysis and the broader warning in the Ultimate Guide to NHIs that excessive privilege and poor lifecycle governance are recurring breach conditions. In zero trust programmes, lifecycle control also underpins least privilege and continuous verification, which is why it matters to zero trust architecture (ZTA) and to any operational model built around review and revocation.
Organisations typically discover the true cost only when a compromised token, stale service account, or abandoned integration turns up in an incident, at which point fixing the access request lifecycle becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Access that is never revoked and secrets that never expire are the direct result of a lifecycle with no end state. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session access under dynamic policy) | Zero Trust requires continuous access validation, not a one-time approval. |
| NIST CSF 2.0 | PR.AA-05 | Permissions, entitlements, and authorizations must be managed, enforced, and reviewed under least privilege, which depends on approved, reviewed, and revoked entitlements. |
Track every NHI entitlement from request to revocation and remove standing access on a set schedule.
Reviewed and updated by the NHIMG editorial team on May 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org