
Joiner, Mover, Leaver Workflow

By NHI Mgmt Group | Updated May 16, 2026 | Domain: NHI Lifecycle Management

A joiner, mover, leaver workflow is the process that grants, updates, and removes access as a user or identity changes state. In modern programs, the same logic should extend beyond employees to service accounts and AI agents so access does not persist after need ends.

Expanded Definition

A joiner, mover, leaver workflow is the lifecycle control that grants, modifies, and removes access when an identity is created, changes role, or exits. In NHI programs, the same process should cover service accounts, API keys, workloads, and AI agents, not just human users.

Definitions vary across vendors because some IAM teams treat the workflow as an HR trigger, while security teams treat it as an authorization state machine. For NHI security, the practical goal is consistent entitlement change tied to a source of truth, to policy, and to time-bound approval. That means a joiner event may create a service account with scoped access, a mover event may rotate credentials and narrow permissions, and a leaver event may revoke tokens, disable accounts, and archive audit evidence. This is closely aligned with the lifecycle thinking reflected in the Ultimate Guide to NHIs and the access governance expectations in NIST Cybersecurity Framework 2.0.

The most common misapplication is treating leaver processing as a human-offboarding task only, which occurs when service accounts, secrets, and AI agents are excluded from the same lifecycle controls.

Examples and Use Cases

Implementing joiner, mover, leaver workflows rigorously often introduces coordination overhead, requiring organisations to balance automation speed against approval quality and evidence retention.

  • A new CI/CD pipeline is onboarded as a joiner, assigned a narrowly scoped role, and issued secrets from a managed vault instead of hardcoded credentials.
  • An AI agent becomes a mover when its tool access expands to production systems, triggering reauthorization, logging, and a fresh risk review.
  • A departing contractor is a leaver, so tokens, certificates, and API keys are revoked immediately rather than waiting for a manual ticket queue.
  • A platform team rotates a service account during a mover event because the workload changed clusters and inherited broader permissions than intended.
  • An organisation validates offboarding against the lifecycle guidance in the Ultimate Guide to NHIs while using NIST Cybersecurity Framework 2.0 to tie access changes to governance and auditability.

These examples show why the workflow is not just an HR bridge. It is the mechanism that keeps identity state, privilege state, and business state aligned as systems change.
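As an added example (not code from NHIMG or the original page), the authorization state machine described above, applied to a non-human identity: a joiner is granted catalogue roles and a time-bound credential, a mover that gains a high-risk permission is blocked until a risk review is recorded and is otherwise rotated, and a leaver revokes the secret, strips roles, disables the account, and returns the audit trail to archive. The role catalogue, permission names, and approver are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed role catalogue (role -> permissions); names are illustrative, not real systems.
ROLE_CATALOG = {"agent-readonly": {"tickets:read"},
                "agent-prod-tools": {"tickets:read", "prod:shell"}}
HIGH_RISK = {"prod:shell"}  # gaining any of these permissions forces a fresh risk review

@dataclass
class NHI:
    name: str
    state: str = "absent"  # absent -> active -> disabled
    roles: set = field(default_factory=set)
    secret: Optional[str] = None
    secret_expires: Optional[datetime] = None
    audit: list = field(default_factory=list)

def resolve(roles) -> set:
    return set().union(*(ROLE_CATALOG[r] for r in roles))  # KeyError on a role outside the catalogue

def _transition(nhi: NHI, event: str, expected: str, approver: str, detail: str) -> None:
    if nhi.state != expected:  # enforce the state machine before anything mutates
        raise RuntimeError(f"{nhi.name}: {event} requires state {expected!r}, got {nhi.state!r}")
    nhi.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                      "approver": approver, "detail": detail})

def _issue_secret(nhi: NHI) -> None:
    nhi.secret = secrets.token_urlsafe(24)  # stands in for a vault-issued credential
    nhi.secret_expires = datetime.now(timezone.utc) + timedelta(days=90)  # always time-bound

def joiner(nhi: NHI, roles, approver: str) -> None:
    granted = resolve(roles)
    _transition(nhi, "joiner", "absent", approver, f"granted {sorted(granted)}")
    nhi.roles, nhi.state = set(roles), "active"
    _issue_secret(nhi)

def mover(nhi: NHI, roles, approver: str, risk_review_ok: bool = False) -> None:
    before, after = resolve(nhi.roles), resolve(roles)
    if (after - before) & HIGH_RISK and not risk_review_ok:
        raise PermissionError("high-risk expansion blocked until a fresh risk review is recorded")
    _transition(nhi, "mover", "active", approver, f"{sorted(before)} -> {sorted(after)}")
    nhi.roles = set(roles)
    _issue_secret(nhi)  # rotate so a credential minted for the old scope cannot outlive the move

def leaver(nhi: NHI, approver: str) -> list:
    _transition(nhi, "leaver", "active", approver, "secrets revoked, roles removed, account disabled")
    nhi.roles, nhi.secret, nhi.secret_expires, nhi.state = set(), None, None, "disabled"
    return list(nhi.audit)  # evidence to archive once the identity is disabled
```

A disabled identity cannot be re-joined in place, so a returning workload gets a fresh record and a fresh audit trail rather than inheriting the old one.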

Why It Matters in NHI Security

Joiner, mover, leaver discipline matters because access drift is a primary cause of overprivilege, orphaned secrets, and stale agent permissions. When an identity changes state but its entitlements do not, the result is standing access that no longer matches operational need. That is especially dangerous for NHIs, where credentials are often embedded in code, pipelines, or machine-to-machine trust paths.

NHIMG research, as reported in the Ultimate Guide to NHIs, finds that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. In practice, that gap means many leaver events never fully complete, and mover events may widen access instead of narrowing it. The risk is consistent with the governance focus of NIST Cybersecurity Framework 2.0, which emphasises access control, asset visibility, and continuous protection.

Organisations typically encounter the consequences only after a breach, a failed audit, or an incident response review reveals that old credentials and permissions were never removed, at which point joiner, mover, leaver control becomes operationally unavoidable to fix.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-05                Lifecycle and offboarding failures are central NHI risk patterns.
NIST CSF 2.0                     PR.AC-4               Least-privilege access must change as identities join, move, or leave.
NIST Zero Trust (SP 800-207)     SC-7                  Zero Trust requires continuous verification as identity state changes.

Review entitlements on each lifecycle event and remove excess access promptly.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.