The gap that appears when a product’s access state no longer matches the customer’s current organisational reality. It often shows up as duplicate accounts, stale memberships, or orphaned access, and it becomes a governance problem when provisioning is treated as a one-time event instead of a continuous process.
Expanded Definition
Onboarding lifecycle drift describes a state mismatch between a product’s access configuration and the customer’s current organisational reality. It is not just a provisioning delay; it is the accumulation of stale entitlements, duplicate accounts, orphaned memberships, and inherited access that no longer reflects the customer’s active teams, applications, or governance boundaries.
In NHI operations, the term matters because service accounts, API keys, and automation tokens are often created during implementation and then left to age without continuous reconciliation. That creates drift between the intended identity state and the actual state observed in directories, SaaS platforms, CI/CD systems, and secrets stores. The OWASP Non-Human Identity Top 10 treats lifecycle and entitlement failures as a core risk area, while the NHI Lifecycle Management Guide frames lifecycle control as an ongoing governance function, not a launch activity.
Vendor definitions vary on whether drift covers only access sprawl or also mismatches in ownership, metadata, and approval state; no single standard settles this yet. The most common misapplication is treating onboarding as a one-time event, which happens when access creation is not tied to later review, offboarding, or customer-org change events.
Examples and Use Cases
Rigorous lifecycle control adds reconciliation overhead, so organisations have to weigh faster onboarding against the cost of continuously validating access. The patterns below are what that drift looks like in practice.
- A SaaS platform provisions a service account for each customer workspace, but old accounts remain active after mergers, creating duplicate paths into the same data.
- An integration created for a pilot project keeps broad group membership after the pilot ends, so the NHI still inherits privileges from teams that no longer exist.
- A secrets manager stores API keys for a customer’s old tenant structure, while the customer has already split operations into new business units, leaving orphaned access behind. The Guide to the Secret Sprawl Challenge is useful here.
- Offboarding removes human users but not automation tokens tied to those users, which keeps integrations alive after ownership has changed.
- Customer success reassigns admins during an acquisition, but the product still maps the previous org chart, so privileged access remains attached to obsolete roles.
These patterns align with lifecycle weaknesses described in the 2025 State of NHIs and Secrets in Cybersecurity, where former-employee tokens and duplicated secrets show how quickly unmanaged state accumulates. For implementation guidance, the lifecycle framing in the Ultimate Guide to NHIs helps distinguish onboarding from the later steps that keep identity state current.
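The five patterns above are all the same failure: the intended state recorded at onboarding (owner, purpose, tenant, approved groups, expiry) no longer matches what the directory, SaaS tenant or secrets store actually holds. The reconciliation check below is an added example, not code from NHI Mgmt Group or any product it describes; every principal, group, tenant and NHI in it is constructed sample data, and the "current organisational reality" sets stand in for what would normally be pulled from an HR system, directory and CMDB. It flags former-employee owners, memberships in groups that no longer exist, keys left in an obsolete tenant, duplicate NHIs serving one purpose, entitlements that grew beyond the approved set, expired records, never-onboarded identities and long-unused credentials.

```python
"""Reconcile observed NHI state against the intended (onboarding) record.

Added example, not NHIMG's code. All principals, groups, tenants and
NHIs below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2026, 6, 7)
STALE_AFTER = timedelta(days=90)  # assumed review window; tune per environment


@dataclass(frozen=True)
class IntendedNHI:
    """What onboarding approved: owner, purpose, scope, entitlements, expiry."""
    nhi_id: str
    owner: str
    purpose: str
    tenant: str
    groups: frozenset
    expires: date


@dataclass(frozen=True)
class ObservedNHI:
    """What the directory / secrets store / SaaS admin API reports today."""
    nhi_id: str
    owner: str
    tenant: str
    groups: frozenset
    last_used: date | None  # None = never seen in audit logs


# Current organisational reality (constructed; normally from HRIS/directory/CMDB).
ACTIVE_HUMANS = frozenset({"alice", "bob"})
ACTIVE_GROUPS = frozenset({"data-eng", "platform"})
ACTIVE_TENANTS = frozenset({"acme-eu", "acme-us"})

INTENDED = {i.nhi_id: i for i in [
    IntendedNHI("svc-export-eu", "alice", "nightly export", "acme-eu",
                frozenset({"data-eng"}), date(2026, 12, 31)),
    IntendedNHI("svc-export-legacy", "carol", "nightly export", "acme-eu",
                frozenset({"data-eng"}), date(2025, 12, 31)),
    IntendedNHI("ci-deploy", "bob", "deploy pipeline", "acme-us",
                frozenset({"platform"}), date(2026, 12, 31)),
]}

OBSERVED = [
    ObservedNHI("svc-export-eu", "alice", "acme-eu", frozenset({"data-eng"}), date(2026, 6, 6)),
    # Merger leftover: former-employee owner, expired, same purpose/tenant as svc-export-eu.
    ObservedNHI("svc-export-legacy", "carol", "acme-eu", frozenset({"data-eng"}), date(2026, 1, 10)),
    # Pilot group membership that the org chart no longer contains.
    ObservedNHI("ci-deploy", "bob", "acme-us", frozenset({"platform", "pilot-2024"}), date(2026, 6, 1)),
    # Created by hand in the old tenant structure, never onboarded, never used.
    ObservedNHI("svc-adhoc", "alice", "acme-legacy", frozenset(), None),
]


def find_drift(intended: dict, observed: list, today: date = TODAY) -> list:
    """Return sorted (nhi_id, finding) pairs where observed state no longer
    matches the onboarding record or current organisational reality."""
    findings = set()
    seen_purpose = {}  # (purpose, tenant) -> first nhi_id seen, for duplicate detection
    for o in observed:
        rec = intended.get(o.nhi_id)
        if rec is None:
            findings.add((o.nhi_id, "not-onboarded"))  # access with no record behind it
        else:
            if rec.expires < today:
                findings.add((o.nhi_id, "expired"))
            if o.groups - rec.groups:
                findings.add((o.nhi_id, "entitlement-beyond-approval"))
            key = (rec.purpose, rec.tenant)
            if key in seen_purpose:  # two live NHIs serving one purpose in one tenant
                findings.add((o.nhi_id, "duplicate"))
                findings.add((seen_purpose[key], "duplicate"))
            else:
                seen_purpose[key] = o.nhi_id
        if o.owner not in ACTIVE_HUMANS:
            findings.add((o.nhi_id, "orphaned-owner"))  # owner offboarded, token kept
        if o.groups - ACTIVE_GROUPS:
            findings.add((o.nhi_id, "stale-group"))  # inherits from a team that no longer exists
        if o.tenant not in ACTIVE_TENANTS:
            findings.add((o.nhi_id, "obsolete-tenant"))
        if o.last_used is None or today - o.last_used > STALE_AFTER:
            findings.add((o.nhi_id, "unused"))
    return sorted(findings)


if __name__ == "__main__":
    for nhi_id, finding in find_drift(INTENDED, OBSERVED):
        print(f"{nhi_id:20} {finding}")
```

Run as a scheduled job, the same function turns onboarding into the continuous process the page argues for: each finding code maps to one of the drift patterns above and is the trigger for review, rotation or offboarding rather than a one-off cleanup.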
Why It Matters in NHI Security
Lifecycle drift becomes a security issue when stale access outlives the business condition that justified it. The operational impact is usually broader than a single misconfigured account because NHIs can be reused across applications, embedded in pipelines, or connected to customer data paths. NHI Mgmt Group research shows that 60% of NHIs are overused, which means one drifted identity can expose multiple systems if it is not rechecked against current ownership and purpose.
That is why lifecycle governance must connect onboarding, review, rotation, and offboarding. The Top 10 NHI Issues and the static vs dynamic secrets guidance both reinforce the same operational point: identities that are not continuously reconciled become difficult to trust. Drift also weakens zero trust assumptions because access decisions no longer reflect present-day context.
Organisations typically notice the consequences only when a customer reorg, acquisition, or incident review reveals that obsolete accounts still have access; by then the drift has accumulated and cleanup is no longer optional.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Lifecycle drift stems from unmanaged NHI creation, ownership, and entitlement decay. |
| NIST CSF 2.0 | PR.AA-1 | Identities and credentials are expected to be managed over time, not only at provisioning. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (dynamic, per-request authentication and authorization) | Zero Trust requires continuously validated identity state, which drift undermines. |
Tie NHI onboarding to ownership, expiry, and periodic review so access stays aligned to current purpose.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org