
Identity Lifecycle Drift

By NHI Mgmt Group Updated June 11, 2026 Domain: NHI Lifecycle Management

Identity lifecycle drift is the gap between the business reason for access and the access that continues to exist after that reason changes. It appears when provisioning, review, and offboarding do not stay aligned. In ITSM-heavy environments, drift often shows up as approved access that was never fully revoked or reassigned.

Expanded Definition

Identity lifecycle drift describes a control failure, not a single event: the identity still exists, but its approved business purpose has changed or ended. In NHI operations, that gap can involve service accounts, API keys, workload identities, certificates, or bot credentials that remain active after the original workflow, application owner, or vendor relationship shifts. The concept is closely related to entitlement creep, but lifecycle drift is broader because it includes provisioning, review, rotation, reassignment, and offboarding timing.

In practice, no single standard governs this yet. Some teams treat it as an IAM hygiene issue, while others classify it as an NHI governance problem because machine identities often outlive the business context that justified them. Guidance in the OWASP Non-Human Identity Top 10 and in NHIMG’s NHI Lifecycle Management Guide points toward the same operational reality: identity state must track business state continuously, not only at provisioning time.

The most common misapplication is assuming a completed ticket means access is fully aligned, which occurs when approval workflows are not tied to revocation, ownership change, or periodic recertification.

Examples and Use Cases

Implementing lifecycle governance rigorously often introduces coordination overhead, requiring organisations to weigh faster delivery against tighter ownership, review, and revocation discipline.

  • A service account created for a migration project keeps broad database access after the cutover, because the decommissioning task never reached the IAM team.
  • An API token issued to a third-party integration remains valid after the vendor contract changes, creating hidden access risk until the token is discovered in a later audit.
  • A CI/CD robot identity is reassigned from one repository to another, but its original permissions are never reduced, so the identity accumulates unrelated privileges over time.
  • An employee offboarding process closes human access, but a related automation credential remains active in a secrets store, as highlighted in NHIMG’s Ultimate Guide to NHIs.
  • A certificate used by an internal agent is renewed mechanically, even though the agent’s upstream workflow was retired, leaving an unnecessary trust path in place.

These cases map directly to lifecycle breakdowns discussed in the lifecycle processes for managing NHIs and are often detected only when teams compare access inventories against current business ownership.
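As an added example (not code from NHIMG or from this page), the reconciliation the paragraph above describes: an access inventory is compared against current business ownership, and every active identity whose purpose, owner, ticket state, permission set or rotation age no longer matches is reported with the reasons. It also covers the misapplication noted earlier, a decommission ticket that is closed while the credential is still active. All identity names, business contexts, owners, dates and the 90-day rotation threshold are constructed sample values.

```python
"""Identity lifecycle drift check: inventory versus business ownership (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BusinessContext:
    """A project, vendor contract or workflow that justified an identity."""
    name: str
    active: bool


@dataclass
class Identity:
    """One row of the access inventory (constructed shape, not a real tool's schema)."""
    name: str
    kind: str                          # service-account, api-token, ci-robot, certificate
    owner: str
    context: str                       # BusinessContext that justified the identity
    active: bool
    permissions: set[str]              # what the identity currently holds
    expected_permissions: set[str]     # what its current purpose actually needs
    last_rotated: date
    decommission_ticket: str | None = None   # e.g. "closed", "open" or None


def detect_drift(identities, contexts, active_owners, today,
                 max_rotation_age=timedelta(days=90)):
    """Return {identity_name: [reasons]} for active identities whose access
    no longer matches a live business purpose."""
    findings: dict[str, list[str]] = {}
    for ident in identities:
        if not ident.active:
            continue  # already revoked: nothing to reconcile
        reasons = []
        ctx = contexts.get(ident.context)
        if ctx is None or not ctx.active:
            reasons.append(f"business context '{ident.context}' ended or unknown")
        if ident.owner not in active_owners:
            reasons.append(f"owner '{ident.owner}' is no longer active")
        if ident.decommission_ticket == "closed":
            reasons.append("decommission ticket closed but credential still active")
        excess = ident.permissions - ident.expected_permissions
        if excess:
            reasons.append(f"permissions beyond current purpose: {sorted(excess)}")
        age = today - ident.last_rotated
        if age > max_rotation_age:
            reasons.append(f"rotation overdue ({age.days} days since last rotation)")
        if reasons:
            findings[ident.name] = reasons
    return findings


TODAY = date(2026, 6, 11)  # constructed reference date for the sample run


def sample_inventory():
    """Constructed data mirroring the five cases listed on the page, plus one healthy identity."""
    contexts = {
        "db-migration-2025": BusinessContext("db-migration-2025", active=False),
        "vendor-acme-contract": BusinessContext("vendor-acme-contract", active=False),
        "repo-payments-ci": BusinessContext("repo-payments-ci", active=True),
        "nightly-report-agent": BusinessContext("nightly-report-agent", active=False),
        "billing-sync": BusinessContext("billing-sync", active=True),
    }
    active_owners = {"alice", "ci-platform-team"}  # "bob" has been offboarded
    identities = [
        # migration finished, ticket closed, account still holds its access
        Identity("svc-migration", "service-account", "alice", "db-migration-2025", True,
                 {"db:read", "db:write", "db:admin"}, {"db:read", "db:write", "db:admin"},
                 date(2026, 5, 1), decommission_ticket="closed"),
        # vendor contract ended, token still valid
        Identity("tok-acme-integration", "api-token", "alice", "vendor-acme-contract", True,
                 {"orders:read"}, {"orders:read"}, date(2026, 4, 20)),
        # CI robot reassigned to the payments repo but kept its legacy repo permission
        Identity("ci-robot-payments", "ci-robot", "ci-platform-team", "repo-payments-ci", True,
                 {"repo:payments:write", "repo:legacy:write"}, {"repo:payments:write"},
                 date(2026, 5, 30)),
        # human offboarded, related automation credential left in the secrets store
        Identity("bob-deploy-automation", "service-account", "bob", "billing-sync", True,
                 {"deploy:prod"}, {"deploy:prod"}, date(2026, 1, 15)),
        # certificate renewed mechanically although the agent's workflow was retired
        Identity("cert-report-agent", "certificate", "alice", "nightly-report-agent", True,
                 {"mtls:reports"}, {"mtls:reports"}, date(2026, 6, 1)),
        # healthy: live purpose, active owner, right-sized permissions, rotated recently
        Identity("svc-billing-sync", "service-account", "alice", "billing-sync", True,
                 {"billing:read"}, {"billing:read"}, date(2026, 5, 15)),
    ]
    return identities, contexts, active_owners


def run_sample():
    identities, contexts, owners = sample_inventory()
    return detect_drift(identities, contexts, owners, TODAY)


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The check deliberately reads business state (context active, owner active, ticket state) from a source separate from the access inventory; drift is exactly the disagreement between the two, so a script that only inspects the identity store cannot see it.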

Why It Matters in NHI Security

Identity lifecycle drift is dangerous because machine identities are often numerous, persistent, and easy to overlook once they are embedded in pipelines, tickets, and service workflows. NHIMG reports that only 20% have formal processes for offboarding and revoking API keys, which helps explain why drift becomes a recurring exposure pattern rather than an isolated exception. When access survives beyond its business purpose, attackers can exploit dormant tokens, stale certificates, and over-retained privileges to move laterally or impersonate trusted automation.

This is also why lifecycle drift matters in zero trust programs: the policy says access should be continuously evaluated, but the identity record often says otherwise. NHIMG’s Top 10 NHI Issues and the What are Non-Human Identities section both frame this as a governance and visibility problem, not just a clean-up task. Practitioners also use the OWASP guidance to translate the issue into control objectives such as ownership, review cadence, and revocation assurance.

Organisations typically encounter identity lifecycle drift only after an audit, incident, or vendor change exposes stale access, at which point addressing it can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Lifecycle drift reflects weak ownership and review of machine identities. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Stale credentials and tokens are a direct outcome of poor secret lifecycle control. |
| NIST CSF 2.0 | PR.AC-1 | Access permissions must be managed through the full identity lifecycle. |

Inventory secrets, rotate them on schedule, and revoke them when the business need ends.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org