User deprovisioning is the controlled removal of access when a person changes role or leaves an organisation. In mature IAM and IGA programmes, it covers accounts, entitlements, licenses, and audit records so the identity no longer has an operational path into systems that should no longer trust it.
Expanded Definition
User deprovisioning is the operational closure of an identity’s access path when a person changes responsibilities, goes on leave, or exits the organisation. In mature IAM and IGA programs, it goes beyond disabling a login. It also removes entitlements, revokes tokens and certificates where applicable, closes delegated access, and preserves audit evidence so the former identity cannot continue acting with trust. For NHI Management Group, the practical test is whether the identity can still authenticate, authorize, or be impersonated after the change event.
Definitions vary across vendors on whether deprovisioning is a subset of joiner-mover-leaver processing or a broader lifecycle control, but the security intent is consistent: eliminate residual access quickly and verifiably. This is especially important where user accounts are tied to service accounts, shared admin roles, or automation paths that outlive the person who requested them. The NIST Cybersecurity Framework 2.0 frames this as access governance and control hygiene, while the NHI Lifecycle Management Guide treats offboarding as a lifecycle event, not a ticket closure.
The most common misapplication is treating an account lock or HR termination notice as if it were deprovisioning, when in practice downstream entitlements, API tokens, and privileged session paths remain active after the login is disabled.
Examples and Use Cases
Implementing deprovisioning rigorously often introduces a timing and coordination constraint, requiring organisations to weigh rapid access removal against business continuity and evidence retention.
- A sales engineer leaves the company and their SSO account is disabled, but the connected CRM API token is also rotated so integrations cannot continue using inherited trust.
- A contractor’s access is narrowed during a role change, with stale project folders, shared drives, and privileged group memberships removed in the same workflow.
- An administrator is terminated, and the PAM checkout record, VPN access, and break-glass privileges are revoked while logs are preserved for investigation.
- A cloud platform user is transferred to another team, so old IAM roles, long-lived secrets, and application-specific entitlements are removed before new access is granted.
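The use cases above share one shape: enumerate every access object tied to the person, close each one in a way appropriate to its kind, keep an audit record, and then apply the practical test from the definition (can the identity still authenticate, authorize, or be impersonated?). The following Python is an added example, not code from NHI Management Group or any vendor; the inventory, object kinds, user name and team name are constructed, and a real run would pull the inventory from the directory, secret store, PAM and cloud IAM.

```python
from dataclasses import dataclass

# Constructed example, not code from the page or any vendor; hypothetical inventory.
@dataclass
class AccessObject:
    kind: str        # sso_account, api_token, delegated_grant, service_account, ...
    ident: str
    owner: str
    status: str = "active"

def sample_inventory():
    return [
        AccessObject("sso_account", "jdoe", "jdoe"),
        AccessObject("api_token", "crm-integration-token", "jdoe"),  # inherited trust into the CRM
        AccessObject("group_membership", "pam-admins", "jdoe"),
        AccessObject("delegated_grant", "mailbox->svc-bot", "jdoe"),
        AccessObject("service_account", "svc-etl", "jdoe"),          # created by jdoe, still needed
        AccessObject("vpn_certificate", "jdoe-laptop", "jdoe"),      # kind the workflow does not cover
    ]

def lock_account_only(user, inventory):
    """The misapplication: treating an SSO disable as if it were deprovisioning."""
    for o in inventory:
        if o.kind == "sso_account" and o.owner == user:
            o.status = "disabled"

# How each kind is closed; service accounts are reassigned, not deleted, so automation outlives the person.
CLOSE_ACTION = {"sso_account": "disabled", "api_token": "revoked",
                "delegated_grant": "revoked", "group_membership": "removed",
                "service_account": "reassigned"}

def deprovision(user, inventory, new_owner):
    """Close every active path owned by user; return audit records (kind, ident, outcome)."""
    audit = []
    for o in inventory:
        if o.owner != user or o.status != "active":
            continue
        action = CLOSE_ACTION.get(o.kind)
        if action is None:
            audit.append((o.kind, o.ident, "UNHANDLED"))  # surfaced for manual follow-up, never skipped silently
            continue
        if action == "reassigned":
            o.owner = new_owner
        o.status = action
        audit.append((o.kind, o.ident, action))
    return audit

def residual_access(user, inventory):
    """The practical test: what can still authenticate, authorize or be impersonated as user?"""
    return [f"{o.kind}:{o.ident}" for o in inventory if o.owner == user and o.status == "active"]
```

Running `residual_access` after `lock_account_only` shows the gap an account lock leaves behind; running it after `deprovision` shows that the one kind the workflow does not know about is the only remaining path, and the audit record flags it rather than hiding it.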
These workflows align closely with Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, because user offboarding often affects non-human access objects the person created or controlled. For process design, NIST Cybersecurity Framework 2.0 is useful for mapping removal of access privileges to governance outcomes.
Why It Matters in NHI Security
User deprovisioning matters because human departures frequently leave behind machine trust. A person may be gone, but the API keys, service-account passwords, delegated consent grants, and automation credentials they touched can remain valid. NHI Management Group reports that only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them. That gap is why deprovisioning is a core control in NHI security, not just an HR afterthought.
When deprovisioning is incomplete, the organisation keeps paying for access it no longer needs: license waste, privilege sprawl, audit ambiguity, and a broader attack surface. The issue is amplified in zero trust environments, where every residual credential becomes an unnecessary trust anchor. The Top 10 NHI Issues highlights how lingering access and weak offboarding are recurring sources of exposure, while the Ultimate Guide to NHIs reinforces lifecycle governance as a prerequisite for Zero Trust maturity. Organisations typically encounter the true cost only after a departure-related access review, a fraud event, or a post-incident audit, at which point fixing deprovisioning becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Defines access permissions management and least-privilege control relevant to offboarding. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers improper secret and credential management that often persists after offboarding. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous reassessment, including timely removal of no-longer-trusted identities. |
Revoke exposed credentials, tokens, and keys during deprovisioning and confirm downstream rotation.
Related resources from NHI Mgmt Group
- What breaks when user deprovisioning is not tied to a documented workflow?
- When do service accounts become a higher risk than ordinary user accounts?
- What is the difference between rotation and deprovisioning for NHIs?
- How should security teams govern infrastructure identities alongside user identities?
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org