NHI Lifecycle Management

Joiner Mover Leaver Drift

By NHI Mgmt Group | Updated June 7, 2026 | Domain: NHI Lifecycle Management

Joiner mover leaver drift is the gap that opens when access does not keep up with role changes or offboarding. It is a lifecycle failure, not a paperwork issue: the longer access stays attached to an out-of-date role, the more likely it is to become unnecessary, excessive, or exploitable.

Expanded Definition

Joiner mover leaver drift describes the decay between a person's or AI agent's current role and the access it still holds. In NHI operations the problem is not only onboarding and offboarding but also the failure to update credentials, tokens, API keys, certificates, and service-account entitlements when responsibilities change. That distinguishes it from general identity hygiene: the risk appears across the full lifecycle, not just at termination.

In mature programs, the term covers permission revocation, secret rotation, ownership transfer, and access revalidation after a joiner, mover, or leaver event. It maps onto the identity management, authentication, and access control outcomes of NIST Cybersecurity Framework 2.0 (the PR.AA category), which treat credentials and entitlements as things to be managed and reviewed on an ongoing basis. Vendors that treat drift as a narrow HR workflow issue define it more narrowly; in NHI security it is broader: any delay between a role change and the corresponding access correction counts.

The most common misapplication is treating drift as an HR ticketing problem: teams close the change request without confirming that every related NHI credential, integration, and automation path was updated.

Examples and Use Cases

Implementing joiner mover leaver controls rigorously adds coordination overhead, so organisations end up weighing the speed of business change against tighter entitlement verification and secret rotation. The failure modes typically look like this:

  • A developer moves from one product team to another, but old CI/CD secrets still allow access to the previous team’s deployment pipeline.
  • An AI agent is reassigned to a limited support workflow, yet its broader tool permissions remain active, creating overreach after the move.
  • A contractor leaves, but their API key remains valid and is still present in code, so the leaver event never fully removed machine access.
  • A service account changes ownership during an internal re-org, but no one revalidates the linked tokens or the certificate trust chain.
  • After a breach investigation, teams find that initial access came through stale credentials tied to an old role, a pattern similar to the one seen in the Salesloft OAuth token breach.

For lifecycle controls, organisations often pair internal governance with guidance from NIST Cybersecurity Framework 2.0 and identity lifecycle practices that define when access must be reviewed, reduced, or removed.
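One way to make the scenarios above detectable, as an added example that is not part of this glossary entry or any NHIMG tooling: reconcile the live NHI inventory (what each identity can actually do today, and whether its credential is still accepted) against the HR or role snapshot (what its owner is supposed to be doing now). The role names, entitlement strings, the 90-day rotation policy, and every person, identity, and date below are constructed assumptions. Each bulleted case maps to one finding kind, and the exposure figure is the number of days access has been detached from a current role, which is the quantity the definition says matters.

```python
"""Added example, not NHIMG's code: reconcile a live NHI inventory against an
HR/role snapshot to surface joiner-mover-leaver drift. Every person, identity,
role name, entitlement string and date below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Intended state: the entitlements each role may hold (assumed baseline).
ROLE_BASELINE = {
    "payments-deployer": {"ci:deploy:payments", "secrets:read:payments"},
    "search-deployer": {"ci:deploy:search", "secrets:read:search"},
    "support-agent": {"tickets:read", "tickets:reply"},
}
MAX_SECRET_AGE = timedelta(days=90)  # assumed rotation policy

@dataclass
class Person:
    role: str
    status: str         # "active" or "left"
    role_changed: date  # date of this person's last joiner/mover/leaver event

@dataclass
class NHI:
    name: str
    owner: str           # human accountable for the identity
    entitlements: set    # what the NHI can actually do today
    last_rotated: date   # when its secret material was last replaced
    active: bool = True  # relying systems still accept the credential

@dataclass
class Finding:
    nhi: str
    kind: str
    exposure_days: int  # how long access has been detached from a current role
    action: str         # revoke / rotate / revalidate

def find_drift(inventory, people, today):
    """Compare actual access with intended access; return one Finding per gap."""
    findings = []
    for n in inventory:
        person = people.get(n.owner)
        if person is None:
            # Ownership transfer never happened: nobody is accountable.
            findings.append(Finding(n.name, "ORPHANED", (today - n.last_rotated).days,
                                    "assign an owner, then revalidate entitlements"))
            continue
        since_change = (today - person.role_changed).days
        if person.status == "left":
            if n.active:  # leaver event did not reach the machine credential
                findings.append(Finding(n.name, "LEAVER_STILL_ACTIVE", since_change,
                                        "revoke credential; purge it from code and config"))
            continue
        # Mover: anything beyond the current role's baseline is excess.
        excess = n.entitlements - ROLE_BASELINE.get(person.role, set())
        if excess:
            findings.append(Finding(n.name, "MOVER_EXCESS", since_change,
                                    "revoke " + ", ".join(sorted(excess))))
        if n.active and n.last_rotated < person.role_changed:
            # Secret material issued under the old role is still live.
            findings.append(Finding(n.name, "UNROTATED_AFTER_MOVE", since_change,
                                    "rotate secret issued before the role change"))
        elif n.active and today - n.last_rotated > MAX_SECRET_AGE:
            findings.append(Finding(n.name, "STALE_SECRET", (today - n.last_rotated).days,
                                    "rotate secret past policy age"))
    return findings

# Constructed reference date and snapshots.
TODAY = date(2026, 6, 7)
PEOPLE = {
    "alice": Person("search-deployer", "active", date(2026, 4, 1)),  # moved off payments
    "bob": Person("support-agent", "left", date(2026, 5, 15)),       # contractor offboarded
    "carol": Person("support-agent", "active", date(2026, 5, 20)),   # owns a narrowed AI agent
    "dan": Person("search-deployer", "active", date(2026, 1, 10)),   # unchanged since joining
    "fay": Person("support-agent", "active", date(2026, 1, 10)),     # unchanged since joining
}
INVENTORY = [
    NHI("ci-token-alice", "alice",
        {"ci:deploy:payments", "ci:deploy:search", "secrets:read:search"}, date(2026, 2, 1)),
    NHI("api-key-bob", "bob", {"tickets:read"}, date(2026, 3, 1)),
    NHI("api-key-bob-old", "bob", {"tickets:read"}, date(2025, 12, 1), active=False),  # revoked
    NHI("agent-helpdesk", "carol",
        {"tickets:read", "tickets:reply", "tools:shell:exec"}, date(2026, 5, 20)),
    NHI("svc-reporting", "erin", {"secrets:read:search"}, date(2026, 5, 1)),  # owner gone
    NHI("ci-token-dan", "dan", {"ci:deploy:search"}, date(2026, 2, 15)),
    NHI("agent-faq", "fay", {"tickets:read"}, date(2026, 4, 15)),  # clean
]

if __name__ == "__main__":
    for f in find_drift(INVENTORY, PEOPLE, TODAY):
        print(f"{f.nhi:16} {f.kind:22} {f.exposure_days:4d}d  {f.action}")
```

Running it prints one line per finding; the revoked key and the unchanged identities produce nothing. The `continue` after the leaver branch is deliberate: once the owner has left, whether the remaining entitlements fit any role is irrelevant, the credential simply has to go. In practice the inventory side comes from the secret manager, CI system, and cloud IAM exports, and the people side from the HR feed; the point of the reconciliation is that neither source alone shows the drift.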

Why It Matters in NHI Security

Joiner mover leaver drift is dangerous because NHIs do not “self-correct.” Tokens, certificates, and service accounts can remain active long after the business reason for access has disappeared. That creates silent privilege accumulation, weakens least privilege, and gives attackers durable paths into SaaS, cloud, CI/CD, and agentic workflows. It also makes incident response slower because defenders must sort through stale and current access at the same time.

This is where lifecycle discipline becomes a security control rather than a process preference. NHI Mgmt Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which helps explain why stale access persists across environments. The same gap appears in the Ultimate Guide to NHIs, where poor offboarding and weak visibility combine into avoidable exposure. NIST Cybersecurity Framework 2.0 points the same way: access management is ongoing maintenance, not a one-off event at onboarding or termination.

Organisations typically encounter this issue only after a compromised key, failed audit, or unauthorized data access, at which point joiner mover leaver drift becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI5:2025 (Overprivileged NHI); NHI1:2025 (Improper Offboarding) | Mover drift leaves an NHI holding permissions beyond its current role; leaver drift is the improper-offboarding failure, where NHI access outlives the person or workflow it served.
NIST CSF 2.0 | PR.AA-01, PR.AA-05 (PR.AC-1 in CSF 1.1) | Identities and credentials for users, services, and hardware must be managed, and access permissions reviewed and kept to least privilege; both scopes must change with joiner-mover-leaver events.
NIST Zero Trust (SP 800-207) | Section 2.1 (tenets); Section 5.3 | Authentication and authorization are dynamic and enforced per request rather than inherited from legacy entitlements; credentials that outlive their owner fall under the stolen-credential and insider-threat discussion.

Revoke, rotate, and revalidate NHI access whenever roles, owners, or workflows change.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org