Mover event

By NHI Mgmt Group | Updated June 7, 2026 | Domain: Governance, Ownership & Risk

A mover event is a change in role, team, location, manager, or job function that can alter what access a person should have. In governance programmes, mover events are often the clearest signal that access must be re-evaluated immediately rather than waiting for a periodic review.

Expanded Definition

A mover event is an identity lifecycle change that can invalidate previously acceptable access, even when the person remains employed. In NHI governance, the key question is not whether the employee is “active,” but whether the access still matches the new job function, team, location, manager, or operating model.

Definitions vary across vendors on whether mover events are treated as HR data changes, access governance triggers, or continuous assurance signals. In practice, mover events sit at the intersection of IAM, PAM, RBAC, and JIT controls because each of those mechanisms can be affected when responsibilities change. A role shift may justify reduced entitlements, a location change may affect privileged access paths, and a manager change can alter approval authority for future access requests. The NIST Cybersecurity Framework 2.0 reinforces the broader governance need to keep access aligned to current business context.

The most common misapplication is treating mover events as administrative updates only, which occurs when HR records change but access recertification, privilege revocation, and approval routing are left untouched.

Examples and Use Cases

Implementing mover-event controls rigorously often introduces coordination overhead, requiring organisations to weigh faster business mobility against the cost of tighter entitlement review.

  • An engineer transfers from application development to a customer support function, so privileged repository access, production secrets, and deployment rights are re-evaluated immediately.
  • A manager changes from one business unit to another, and RBAC inheritance is recalculated so prior team-level permissions do not persist by default.
  • An employee relocates to a regulated region, triggering review of data access, PAM workflows, and any jurisdiction-sensitive systems that should now be restricted.
  • A contractor becomes a full-time employee, and previously narrow JIT access is expanded only after formal approval and entitlement validation.

NHIMG research on NHIs shows why movers matter beyond human accounts: only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have robust rotation procedures. That gap, described in the Ultimate Guide to NHIs, often mirrors the way mover events are handled for service identities, scripts, and automations that follow employees across teams. For identity-driven operations, the same change event can require updates to both human approvals and the linked access controls aligned with the NIST Cybersecurity Framework 2.0.
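As an added illustration (not NHIMG code), the Python example below turns the definition and the first use case into a check: it diffs two HR snapshots on the mover attributes, then lists the human entitlements outside the new role and every service identity the person owns for review. The attribute keys, ROLE_BASELINE, the identity records and the action labels are all constructed assumptions.

```python
from dataclasses import dataclass

# HR attributes whose change counts as a mover event (per the definition above).
MOVER_ATTRIBUTES = ("role", "team", "location", "manager", "job_function")

# Constructed baseline: entitlements each job function is expected to hold.
ROLE_BASELINE = {
    "app-dev": {"repo:read", "repo:write", "deploy:prod", "secrets:prod-read"},
    "support": {"repo:read", "ticketing:agent"},
}

@dataclass(frozen=True)
class Identity:
    id: str
    kind: str                # "human" or "service"
    owner: str               # owning human's id (self for humans)
    entitlements: frozenset

def detect_mover(old: dict, new: dict) -> dict:
    """Return {attribute: (before, after)} for every mover-relevant change."""
    return {a: (old.get(a), new.get(a))
            for a in MOVER_ATTRIBUTES if old.get(a) != new.get(a)}

def review_items(person_id: str, old: dict, new: dict, identities: list) -> list:
    """Build (identity, subject, action) review tasks triggered by a mover event."""
    changes = detect_mover(old, new)
    if not changes:
        return []                      # no mover-relevant attribute changed
    allowed = ROLE_BASELINE.get(new.get("job_function"), set())  # unknown role: review all
    items = []
    if "manager" in changes:           # approval authority moves with the manager
        items.append((person_id, "approval-route", f"reroute:{new['manager']}"))
    for ident in (i for i in identities if i.owner == person_id):
        for ent in sorted(ident.entitlements):
            if ident.kind == "service":   # NHIs follow the person: re-own and re-scope
                items.append((ident.id, ent, "review-owner-and-scope"))
            elif ent not in allowed:      # standing human access outside the new role
                items.append((ident.id, ent, "revoke-or-reapprove"))
    return items

# Constructed sample: an engineer moves from development to customer support.
OLD = {"role": "engineer", "team": "platform", "location": "UK",
       "manager": "m-100", "job_function": "app-dev"}
NEW = {**OLD, "team": "customer-support", "manager": "m-200", "job_function": "support"}
IDENTITIES = [
    Identity("alice", "human", "alice", frozenset(ROLE_BASELINE["app-dev"])),
    Identity("svc-deploy", "service", "alice", frozenset({"deploy:prod"})),
    Identity("bob", "human", "bob", frozenset({"repo:write"})),
]
```

Calling review_items("alice", OLD, NEW, IDENTITIES) yields the approval reroute, three human entitlements to revoke or re-approve, and the owned deployment service identity; an unchanged record yields nothing.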

Why It Matters in NHI Security

Mover events are dangerous because they create a false sense of continuity. A person may still be trusted, but their access assumptions no longer match the new role. That mismatch is especially risky when access is granted through standing permissions, shared service credentials, or broad group memberships that were never designed to shrink automatically.

In NHI governance, mover handling should be as important as joiner and leaver handling because privilege creep often begins with a legitimate transfer, not a malicious action. NHIMG research shows that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. When employee transitions are not tied to immediate entitlement review, the same drift can affect machine identities, automation accounts, and delegated access paths. The Ultimate Guide to NHIs frames this as a lifecycle governance issue, while the NIST Cybersecurity Framework 2.0 emphasizes continuous access governance and risk reduction.

Organisations typically encounter lateral movement, audit findings, or unexpected data exposure only after a role change has already taken effect, at which point mover event controls become operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions should reflect current business context after a mover event. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Mover events can extend to service identities and create privilege drift. |
| NIST Zero Trust (SP 800-207) | JIT access | Zero Trust expects access to be continuously verified, not left standing after a change. |

Use just-in-time access and revalidation so moved users do not retain stale privileges.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 7, 2026.