Bottom-up deprovisioning

By NHI Mgmt Group Updated June 11, 2026 Domain: NHI Lifecycle Management

Bottom-up deprovisioning is the offboarding sequence in which access is removed from applications and dependent systems first, and the identity's record in the identity provider (directory) is disabled last. The order preserves administrative reach long enough to clean up entitlements, rotate credentials, and transfer ownership without stranding active access in systems the identity can no longer be used to administer.

Expanded Definition

Bottom-up deprovisioning is an offboarding sequence used in NHI lifecycle management where dependent application access, API keys, service-account entitlements, and delegated permissions are removed before the identity provider record is disabled. The order matters because NHIs typically authenticate to multiple systems with credentials those systems hold locally (a stored API key, an IAM role trust, a CI variable, a SaaS installation token); each of these keeps working even after the "main" identity appears retired, because none of them consults the directory at use time.

In practice, the term is closest to a controlled shutdown of trust relationships rather than a simple account deletion. It applies to service accounts, machine users, workload identities, and agent credentials that may hold tokens in CI/CD pipelines, vaults, schedulers, or third-party integrations. Definitions vary across vendors, but the core principle is consistent with least-privilege and lifecycle governance in the NIST Cybersecurity Framework 2.0. NHIMG’s NHI Lifecycle Management Guide frames this as an orderly process of entitlement cleanup, credential rotation, and ownership transfer before final revocation.

The most common misapplication is disabling the identity provider record first. It occurs when teams confuse directory deactivation with complete access removal: downstream tokens, keys, and role trusts keep authenticating, and the administrative path that would have been used to find and revoke them is gone with the identity.

Examples and Use Cases

Implementing bottom-up deprovisioning rigorously often introduces operational delay: organisations must weigh faster account shutdown against the risk of breaking production workloads or leaving orphaned access behind. It is an offboarding discipline rather than an incident-response one; when an NHI is known to be compromised, immediate revocation at every layer takes priority and the dependency cleanup follows.

  • A CI/CD service account is removed from build systems, deployment runners, and secret stores before the central directory entry is disabled, preventing stale pipeline access.
  • An API integration is retired by revoking tokens in connected SaaS tools first, then rotating shared secrets, then deleting the owning NHI record.
  • A cloud workload identity is cleaned out of IAM policies, trust relationships, and scheduled jobs before the issuing provider is turned off.
  • A departing vendor integration is offboarded by transferring ownership, updating dependencies, and validating that no app still references its credentials, consistent with the lifecycle guidance in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
  • A stale service account is discovered during a cleanup campaign, where teams use the visibility and issue patterns described in Top 10 NHI Issues to confirm all dependent access is removed in order.

That sequence is especially important when credentials are embedded in code, CI/CD variables, or vault-backed automation, because a single missed dependency can keep the identity effectively alive even after offboarding appears complete.
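The sequence the examples above describe, as an added Python illustration (not code from the NHIMG page or any vendor's API): grants are modelled as a dependency graph, revoked leaves first, and a verification gate re-queries every downstream system before the directory record is touched. The inventory, the system names (apikey, iam, saas, vault, ci, scheduler) and the FakeEstate connector are constructed assumptions; one grant is set up to report a successful revoke while staying live, which is the case the gate exists to catch.

```python
"""Bottom-up deprovisioning of one non-human identity, leaves first.

Added illustration, not code from the NHIMG page. The grant inventory is
constructed and the system names and FakeEstate connector are assumptions
standing in for real revocation APIs.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from graphlib import TopologicalSorter

IDENTITY = "directory:nhi/deployer"  # the IdP record; must be the last thing touched


@dataclass(frozen=True)
class Grant:
    """One place the NHI can still act from: a key, a secret copy, a CI variable, a job."""
    ref: str
    system: str
    depends_on: tuple[str, ...] = ()  # grants that must stay in place until this one is revoked


@dataclass
class Plan:
    order: list[str]
    revoked: list[str] = field(default_factory=list)   # grants whose revoke call reported success
    residual: list[str] = field(default_factory=list)  # grants still live at verification time
    identity_disabled: bool = False


def bottom_up_order(grants: dict[str, Grant]) -> list[str]:
    """Revocation order: each grant before anything it depends on, the identity last."""
    ts = TopologicalSorter()
    ts.add(IDENTITY)
    for ref, g in grants.items():
        for dep in g.depends_on:
            if dep not in grants:
                raise ValueError(f"{ref} depends on unknown grant {dep}")
            ts.add(dep, ref)        # ref is a predecessor of dep: revoke ref first
        if not g.depends_on:
            ts.add(IDENTITY, ref)   # root grants hang directly off the identity record
    return list(ts.static_order())  # graphlib.CycleError if the inventory is cyclic


def deprovision(grants: dict[str, Grant], estate) -> Plan:
    """Revoke bottom-up, then verify nothing downstream is live before disabling the identity."""
    plan = Plan(order=bottom_up_order(grants))
    for ref in plan.order:
        if ref == IDENTITY:
            continue
        if estate.revoke(grants[ref]):
            plan.revoked.append(ref)
    # Verification gate: re-query every system rather than trusting the revoke responses.
    plan.residual = [r for r in plan.order if r != IDENTITY and estate.is_live(grants[r])]
    if plan.residual:
        return plan  # refuse to disable; the identity keeps its administrative reach for the retry
    estate.disable_identity()
    plan.identity_disabled = True
    return plan


class FakeEstate:
    """Constructed stand-in for the downstream systems. Refs in `stuck` accept the revoke
    call but keep the credential live, like a SaaS API that returns 200 and does nothing."""

    def __init__(self, grants: dict[str, Grant], stuck: tuple[str, ...] = ()):
        self.live = set(grants)
        self.stuck = set(stuck)
        self.identity_enabled = True

    def revoke(self, g: Grant) -> bool:
        if g.ref not in self.stuck:
            self.live.discard(g.ref)
        return True  # reported success either way; is_live() tells the truth

    def is_live(self, g: Grant) -> bool:
        return g.ref in self.live

    def disable_identity(self) -> None:
        self.identity_enabled = False


# Constructed inventory for one CI/CD deployer identity (assumed names).
INVENTORY = {g.ref: g for g in (
    Grant("apikey:deployer-k1", "apikey"),
    Grant("iam:role/deployer/trust-policy", "iam"),
    Grant("saas:github-app/installation-token", "saas"),
    Grant("vault:kv/ci/deployer", "vault", ("apikey:deployer-k1",)),
    Grant("ci:deploy-runner/DEPLOYER_KEY", "ci", ("vault:kv/ci/deployer",)),
    Grant("scheduler:nightly-sync", "scheduler",
          ("ci:deploy-runner/DEPLOYER_KEY", "iam:role/deployer/trust-policy")),
)}


def run(stuck: tuple[str, ...] = ()) -> tuple[Plan, FakeEstate]:
    estate = FakeEstate(INVENTORY, stuck)
    return deprovision(INVENTORY, estate), estate


if __name__ == "__main__":
    plan, _ = run()
    print("order:", *plan.order, sep="\n  ")
    print("identity disabled:", plan.identity_disabled)
    plan, estate = run(stuck=("saas:github-app/installation-token",))
    print("residual:", plan.residual, "| identity disabled:", plan.identity_disabled)
```

The scheduled job is revoked before the CI variable it triggers, the CI variable before the vault copy it is populated from, and the vault copy before the API key itself; the directory record is always last. In the second run the SaaS token "revoke" is accepted but the token stays live, so the gate leaves the identity enabled and reports the residual grant instead of producing a disabled record with working access behind it.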

Why It Matters in NHI Security

Bottom-up deprovisioning reduces the chance that an NHI remains usable through hidden dependencies after its primary owner thinks it is gone. NHIMG reports that only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why so many environments retain dormant access paths long after an identity should be dead. It also directly supports Zero Trust and privilege minimisation by ensuring access is removed at every layer, not just at the directory boundary.

When this process is skipped, the result is often secret sprawl, orphaned entitlements, and delayed incident containment. An attacker who compromises one downstream integration can continue moving through systems that were never cleaned up, even if the source account was “disabled.” That is why deprovisioning must be coordinated with credential rotation, ownership handoff, and validation across apps, vaults, and pipelines. The same lifecycle discipline is echoed across NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the broader NHI Lifecycle Management Guide, especially where offboarding is tied to rotation and revocation.

Organisations typically encounter the full cost of poor bottom-up deprovisioning only after a breach, service interruption, or audit finding reveals that a supposedly retired NHI still had active reach.
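The residual-access problem described in this section can be checked for directly by joining a directory export against an inventory of downstream credentials. The following Python audit is an added illustration, not code from the NHIMG page; both snapshots and the field names are constructed assumptions about a normalised inventory. It flags three conditions: a credential that is still active although its owning identity is disabled (directory deactivation mistaken for access removal), such a credential that was used after the disable date (the identity was effectively alive, treat as an incident), and an active credential with no directory owner at all (a hidden dependency). It also lists dormant credentials of active identities, which is what a cleanup campaign would start from.

```python
"""Residual-access audit for NHI offboarding.

Added illustration, not code from the NHIMG page. DIRECTORY and CREDENTIALS are
constructed snapshots; the field names are assumptions about an inventory export.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)  # fixed clock so the audit is reproducible

# Constructed directory export: NHI records as the identity provider sees them.
DIRECTORY = [
    {"nhi": "svc-deployer", "status": "disabled", "disabled_at": "2026-05-02T09:00:00Z"},
    {"nhi": "svc-reporting", "status": "active", "disabled_at": None},
    {"nhi": "svc-legacy-sync", "status": "disabled", "disabled_at": "2026-01-15T12:00:00Z"},
]

# Constructed credential inventory collected from downstream systems.
CREDENTIALS = [
    {"nhi": "svc-deployer", "system": "ci", "ref": "deploy-runner/DEPLOYER_KEY",
     "status": "active", "last_used": "2026-05-20T03:12:00Z"},
    {"nhi": "svc-deployer", "system": "saas", "ref": "github-app/installation-token",
     "status": "revoked", "last_used": "2026-04-30T18:45:00Z"},
    {"nhi": "svc-reporting", "system": "iam", "ref": "role/reporting/access-key",
     "status": "active", "last_used": "2025-11-01T00:00:00Z"},
    {"nhi": "svc-legacy-sync", "system": "vault", "ref": "kv/legacy/sync-token",
     "status": "active", "last_used": "2026-01-10T08:00:00Z"},
    {"nhi": "svc-ghost", "system": "scheduler", "ref": "jobs/ghost-export",
     "status": "active", "last_used": "2026-06-01T02:00:00Z"},
]


def _ts(value: str | None) -> datetime | None:
    """Parse an ISO-8601 timestamp; accepts a trailing Z on Python versions that do not."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(directory: list[dict], credentials: list[dict], now: datetime,
          dormant_after: timedelta = timedelta(days=90)) -> list[dict]:
    """Return one finding per active credential that should not be active as it stands."""
    records = {d["nhi"]: d for d in directory}
    findings: list[dict] = []
    for cred in credentials:
        if cred["status"] != "active":
            continue  # a revoked credential is the desired end state
        owner = records.get(cred["nhi"])
        last_used = _ts(cred["last_used"])
        base = {"nhi": cred["nhi"], "system": cred["system"], "ref": cred["ref"]}
        if owner is None:
            # Live access with no identity behind it: a dependency nobody tracked.
            findings.append({**base, "kind": "NO_OWNER", "severity": "high"})
        elif owner["status"] == "disabled":
            disabled_at = _ts(owner["disabled_at"])
            if last_used and disabled_at and last_used > disabled_at:
                # Used after the directory said it was dead: escalate, do not just clean up.
                findings.append({**base, "kind": "POST_DISABLE_USE", "severity": "critical"})
            else:
                findings.append({**base, "kind": "ORPHANED", "severity": "high"})
        elif last_used is None or now - last_used > dormant_after:
            findings.append({**base, "kind": "DORMANT", "severity": "medium"})
    return findings


def summarise(findings: list[dict]) -> dict[str, int]:
    """Count findings by kind, for a cleanup-campaign dashboard or ticket."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = audit(DIRECTORY, CREDENTIALS, NOW)
    for f in results:
        print(f"{f['severity']:<8} {f['kind']:<17} {f['nhi']:<16} {f['system']}:{f['ref']}")
    print(summarise(results))
```

POST_DISABLE_USE is the finding that turns an offboarding defect into an incident-response question: something authenticated with the credential after the owner believed the identity was gone. ORPHANED and NO_OWNER are the entitlements bottom-up deprovisioning would have removed before the directory record was disabled; DORMANT is the backlog that a periodic review of active identities should work through.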

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding | Removing dependent access and credentials when an NHI is retired is the risk this entry describes; bottom-up ordering is how the removal is made complete.
NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identities and credentials for services are managed across their lifecycle, and access permissions and entitlements are managed, enforced and reviewed under least privilege, which covers removal as well as grant.
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust | Access is granted per session and authorisation is dynamic and strictly enforced, so trust must actually be withdrawn at each resource during offboarding rather than assumed from a directory state.

Remove downstream access before disabling the source identity and verify no residual entitlements remain.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org