Deprovisioning is the removal of access when a user changes roles or leaves an organisation. For security teams, it is the point where stale accounts, tokens, and permissions should disappear. Weak deprovisioning leaves residual access that can outlive the business need that created it.
Expanded Definition
Deprovisioning is the controlled removal of access, entitlements, secrets, and trust relationships when an identity is no longer authorised to act. In NHI operations, it applies to service accounts, API keys, certificates, tokens, and agent credentials, not just human users.
Definitions vary across vendors because some treat deprovisioning as a pure directory event, while others include revocation, vault cleanup, and downstream system removal. The operationally correct view is broader: if an NHI can still authenticate, retrieve secrets, or invoke tools after retirement, deprovisioning is incomplete. NIST Cybersecurity Framework 2.0 reinforces the need to manage identity and access as part of ongoing governance, not a one-time offboarding task, and the same expectation applies to NHI lifecycle controls in practice. NHI lifecycle discipline is described in the NHI Lifecycle Management Guide, which places revocation alongside rotation, inventory, and review.
The most common misapplication is treating deprovisioning as account disablement only: teams remove the user entry from the directory but leave active tokens, shared secrets, or cloud permissions intact, so the identity can still authenticate or act through those other layers.
Examples and Use Cases
Implementing deprovisioning rigorously often introduces coordination overhead across identity providers, secret stores, and application owners, requiring organisations to weigh fast access removal against the cost of broad dependency mapping.
- A build pipeline service account is retired after a CI/CD migration. The old API key must be revoked in the vault, removed from code repositories, and blocked from any residual webhook callbacks.
- An AI agent loses access to a ticketing system after its workflow is decommissioned. Its tool permissions, refresh tokens, and embedded credentials must be removed together so the agent cannot continue acting unexpectedly.
- A contractor leaves a project, but their account had been used to create long-lived automation. The access review must include both the named user and the unattended NHI that inherited the same privileges, as described in the Top 10 NHI Issues.
- A certificate used by an internal service mesh is replaced during system retirement. Deprovisioning requires not only deletion from the registry but also invalidation across relying services and trust bundles.
- A Zero Trust program removes standing access from an unused integration. This aligns with NIST Cybersecurity Framework 2.0 expectations for access control and asset governance, and with lifecycle guidance in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
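The use cases above share one pattern: access for a single identity lives in several layers at once (directory, vault, tokens, cloud policy, trust bundles, and automation the identity created), and deprovisioning is only complete when none of them still grant access. The following residual-access check, added here as an example and not NHIMG's code or any vendor's tool, models that pattern over a constructed inventory snapshot. It contrasts the common misapplication (disable the directory entry only) with a full deprovision that clears every layer and then follows the contractor-to-automation inheritance described above. All identity names, secret paths, token ids and roles are constructed for the example.

```python
"""Residual-access check for a retired identity across several access layers.

Added example (not NHIMG's code). System state is a constructed in-memory
snapshot; in a real environment each layer would be queried from the
directory, vault, cloud IAM and PKI systems instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed reference time used for token-expiry checks.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)


@dataclass
class Inventory:
    """One constructed snapshot of every layer where access can persist."""
    directory: dict[str, bool]                          # identity -> enabled?
    vault_secrets: dict[str, str]                       # secret path -> owning identity
    tokens: dict[str, tuple[str, datetime | None]]      # token id -> (owner, expiry or None)
    cloud_bindings: dict[str, set[str]]                 # identity -> role bindings
    trust_bundle: set[str]                              # certificate subjects still trusted
    created_by: dict[str, str]                          # NHI -> identity that created it


def build_sample_inventory() -> Inventory:
    """Constructed scenario: a contractor who left, plus the NHI they created."""
    return Inventory(
        directory={"contractor-jsmith": True, "svc-ticket-sync": True},
        vault_secrets={"kv/ci/deploy-key": "svc-ticket-sync"},
        tokens={
            "tok-001": ("contractor-jsmith", datetime(2027, 1, 1, tzinfo=timezone.utc)),
            "tok-002": ("svc-ticket-sync", None),  # no expiry: valid until revoked
        },
        cloud_bindings={"svc-ticket-sync": {"roles/editor"}},
        trust_bundle={"svc-ticket-sync"},
        created_by={"svc-ticket-sync": "contractor-jsmith"},
    )


def residual_access(identity: str, inv: Inventory, now: datetime,
                    seen: set[str] | None = None) -> list[str]:
    """Return every place the identity, or an NHI it created, can still act.

    An empty list means deprovisioning is complete for this identity tree.
    """
    seen = set() if seen is None else seen
    seen.add(identity)  # guards against cycles in created_by
    findings: list[str] = []
    # Directory: an enabled entry means the identity can still authenticate.
    if inv.directory.get(identity, False):
        findings.append(f"directory entry '{identity}' still enabled")
    # Vault: secrets owned by the identity can still be retrieved.
    for path, owner in inv.vault_secrets.items():
        if owner == identity:
            findings.append(f"vault secret {path} still owned by '{identity}'")
    # Tokens: unexpired (or never-expiring) tokens outlive account disablement.
    for tid, (owner, expiry) in inv.tokens.items():
        if owner == identity and (expiry is None or expiry > now):
            findings.append(f"token {tid} for '{identity}' still valid")
    # Cloud policy: role bindings are a separate layer from the directory.
    for role in sorted(inv.cloud_bindings.get(identity, set())):
        findings.append(f"cloud role '{role}' still bound to '{identity}'")
    # Trust bundle: relying services may still accept the retired certificate.
    if identity in inv.trust_bundle:
        findings.append(f"certificate subject '{identity}' still in trust bundle")
    # Inherited privilege: automation the identity created must be reviewed too.
    for nhi, creator in inv.created_by.items():
        if creator == identity and nhi not in seen:
            sub = residual_access(nhi, inv, now, seen)
            if sub:
                findings.append(f"NHI '{nhi}' created by '{identity}' still has access")
                findings.extend(sub)
    return findings


def disable_directory_entry(identity: str, inv: Inventory) -> None:
    """The common misapplication: only the directory entry is disabled."""
    inv.directory[identity] = False


def deprovision(identity: str, inv: Inventory) -> None:
    """Remove access in every layer, then do the same for NHIs it created."""
    inv.directory[identity] = False
    for path in [p for p, o in inv.vault_secrets.items() if o == identity]:
        del inv.vault_secrets[path]
    for tid in [t for t, (o, _) in inv.tokens.items() if o == identity]:
        del inv.tokens[tid]
    inv.cloud_bindings.pop(identity, None)
    inv.trust_bundle.discard(identity)
    for nhi in [n for n, c in inv.created_by.items() if c == identity]:
        deprovision(nhi, inv)


if __name__ == "__main__":
    inv = build_sample_inventory()
    disable_directory_entry("contractor-jsmith", inv)
    print("After directory disable only:")
    for line in residual_access("contractor-jsmith", inv, NOW):
        print("  -", line)
    deprovision("contractor-jsmith", inv)
    print("After full deprovision:", residual_access("contractor-jsmith", inv, NOW))
```

Run as-is, the first report lists the contractor's still-valid token plus five findings for the service account they created; the second report is empty. The same `residual_access` check is the verification step a team would run after offboarding to confirm removal across directories, vaults, and dependent services, with each layer's lookup replaced by the real system's query.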
Why It Matters in NHI Security
Weak deprovisioning leaves residual access behind, and residual access is one of the easiest ways for attackers to persist after a legitimate change in role, ownership, or system state. For NHIs, the problem is usually larger than a single account because access can exist in directories, vaults, pipelines, SaaS integrations, and infrastructure policy layers at the same time.
NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which means deprovisioning is often the weakest step in the lifecycle rather than the strongest. That gap matters because stale access is rarely visible until it is exploited or discovered during an incident review. The same risk pattern appears in the NHI Lifecycle Management Guide, where offboarding is treated as a coordinated control, not an isolated helpdesk action. NIST guidance on continuous access governance supports that operational model, especially where privileges must be removed quickly and verified across multiple systems.
Organisations typically discover lingering access only after an audit, breach, or service retirement, at which point deprovisioning can no longer be deferred and must be carried out under pressure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-06 | Covers lifecycle and offboarding failures that leave NHIs active after retirement. |
| NIST CSF 2.0 | PR.AA | Addresses identity lifecycle and access removal as part of access management. |
| NIST Zero Trust | SP 800-207 | Zero Trust requires continuously revalidated access, including prompt revocation when trust ends. |
Tie deprovisioning to access governance, then confirm removal across directories, vaults, and dependent services.
Reviewed and updated by the NHIMG editorial team on May 31, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org