A leaver event is the authoritative signal that a person no longer requires organisational access. Strong governance treats it as a control trigger, not an HR note, because the timing of that signal determines whether access is removed before it can be misused or accidentally retained.
Expanded Definition
A leaver event is the control signal that an identity, account, or access path should be removed because the person behind it is no longer authorised to use organisational resources. In NHI governance, the term matters because access may be mediated by human-owned accounts, shared administrative credentials, delegated tokens, or downstream service entitlements that do not disappear automatically when employment ends.
Definitions vary across vendors, but in security operations the leaver event should be treated as a lifecycle trigger with a clear source, timestamp, and workflow owner. That trigger may originate from HR, a manager action, an IAM workflow, or a privileged access record, yet the security requirement is the same: it must initiate revocation, not merely record departure. This aligns with the control logic used in the NIST Cybersecurity Framework 2.0, where identity lifecycle controls depend on timely deprovisioning and access review.
The most common misapplication is treating a leaver event as a payroll or HR status change only; this happens when security systems never receive a timely, machine-readable revocation signal and so have nothing to act on.
Examples and Use Cases
Implementing leaver event handling rigorously often introduces coordination overhead, requiring organisations to balance fast access removal against the operational need to preserve evidence, handover continuity, and service stability.
- A contractor’s engagement ends, and the HR termination record triggers immediate disablement of SSO sessions, API keys, and privileged bastion access.
- A developer transfers to a non-production role, and the leaver event for the old role removes production deployment rights while preserving only the minimum access needed for transition tasks.
- An incident response team receives a departure notice for a platform engineer, and the workflow revokes local admin rights, rotates shared secrets, and updates break-glass governance.
- A third-party operator exits a managed service relationship, and the leaver event closes delegated access, token grants, and any NHI-linked certificates tied to that operator.
- Organisations using lessons from the Ultimate Guide to NHIs often map leaver events to service account offboarding so human departure does not leave orphaned automation behind.
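As an added illustration (not code from NHIMG or from the page), the following Python model captures the trigger described above and the use cases in the list: a leaver event carrying source, timestamp and scope is mapped to the control actions it must fire (revoke, rotate, reassign), a role change touches only the vacated role's paths, and a second check flags access paths still valid after the revocation SLA. The identifiers, the inventory and the 24-hour SLA are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class LeaverEvent:       # the control signal: source, timestamp, subject, scope
    subject: str         # person leaving or vacating a role
    source: str          # HR record, manager action, IAM workflow or PAM record
    timestamp: datetime
    scope: str = "all"   # "all" for a departure, otherwise the role being vacated
@dataclass
class AccessPath:        # one entitlement mediated through a human owner
    kind: str            # sso_session, api_key, ssh_key, shared_secret, service_account
    identifier: str
    owner: str
    role: str = "*"      # role that grants it; "*" means tied to the person directly
    valid: bool = True
def in_scope(event, p):  # does this leaver event cover this access path?
    return p.owner == event.subject and p.valid and (event.scope == "all" or p.role == event.scope)
def plan_revocation(event, inventory, transition_allowlist=()):
    """Map a leaver event to the control actions it must trigger."""
    actions = []
    for p in (x for x in inventory if in_scope(event, x)):
        if p.identifier in transition_allowlist:
            actions.append(("retain_minimum", p.identifier))   # handover only
        elif p.kind == "shared_secret":
            actions.append(("rotate", p.identifier))           # others still use it
        elif p.kind == "service_account":
            actions.append(("reassign_or_disable", p.identifier))  # no orphaned NHI
        else:
            actions.append(("revoke", p.identifier))
    return actions
def stale_paths(event, inventory, now, sla=timedelta(hours=24)):
    """Paths still valid once the revocation SLA has elapsed since the event (audit finding)."""
    if now - event.timestamp < sla:
        return []
    return [p.identifier for p in inventory if in_scope(event, p)]

# Constructed sample inventory and events; identifiers are hypothetical
T0 = datetime(2026, 6, 11, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    AccessPath("sso_session", "sso-42", "jdoe"),
    AccessPath("api_key", "key-prod-7", "jdoe", role="prod-deploy"),
    AccessPath("ssh_key", "ssh-bastion-3", "jdoe", role="prod-deploy"),
    AccessPath("shared_secret", "vault/team-db", "jdoe", role="prod-deploy"),
    AccessPath("service_account", "sa-ci-runner", "jdoe"),
    AccessPath("api_key", "key-staging-2", "jdoe", role="staging"),
    AccessPath("api_key", "key-x", "asmith"),
]
DEPARTURE = LeaverEvent("jdoe", "hr", T0)                           # contractor exit
TRANSFER = LeaverEvent("jdoe", "manager", T0, scope="prod-deploy")  # role change
```

Running `plan_revocation(DEPARTURE, INVENTORY)` yields a full sweep of jdoe's paths, while `plan_revocation(TRANSFER, INVENTORY, ("ssh-bastion-3",))` removes only the production-deploy entitlements and keeps the one bastion key needed for handover.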
In identity standards discussions, the closest operational analogue is timely session and credential invalidation, a pattern reinforced by the NIST Cybersecurity Framework 2.0 emphasis on access governance.
Why It Matters in NHI Security
Leaver events matter because delayed offboarding creates a window where former insiders, stale service relationships, and inherited privileges can still be used to access systems, rotate secrets, or impersonate legitimate activity. In NHI environments, that risk extends beyond a departing employee’s badge or laptop. Tokens, SSH keys, CI/CD credentials, and delegated admin rights may remain valid long after the person has left, especially when access is spread across cloud, code, and automation layers.
NHIMG research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, and 91.6% of secrets remain valid five days after the targeted organisation is notified. Those numbers show why leaver events must drive immediate control actions, not downstream cleanup. The same governance gap also appears in broader lifecycle hygiene described in the Ultimate Guide to NHIs, where delayed revocation often correlates with excessive standing access and orphaned identities.
Organisations typically encounter the consequences only after a resignation, termination, or vendor exit exposes an account that was never fully revoked, at which point the leaver event becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Leaver events drive deprovisioning of NHIs and their linked access paths. |
| NIST CSF 2.0 | PR.AA | Identity management depends on timely removal of access when users leave. |
| NIST SP 800-63 | Identity lifecycle guidance | Supports termination of authenticators and sessions. |
Trigger immediate revocation, secret rotation, and orphaned-account cleanup when a leaver event occurs.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org