← All glossary terms
Non-Human Identities4 min read

What is Non-Human Identity Lifecycle Management?

NHI lifecycle management covers provisioning, ownership transfer, scoping changes, recertification, and decommissioning of non-human identities.

What is Non-Human Identity Lifecycle Management?

Definition

Non-Human Identity (NHI) lifecycle management is the structured process of managing every NHI from creation through decommissioning — including ownership changes, permission changes, recertification, and retirement.

It is the parallel to human Joiner / Mover / Leaver (JML) processes — applied to service accounts, workloads, OAuth apps, API keys, secrets, bots, and AI agents.

In simple terms:

NHI lifecycle management = treating non-human identities with the same lifecycle discipline as human identities, so they don't accumulate as orphans.


Why It Matters

  • Without lifecycle management, NHIs accumulate forever — orphans, over-permissioned, leaked, abandoned.
  • Major breach pattern: stale NHI created by a departed employee.
  • Compliance frameworks increasingly require NHI lifecycle.
  • Cloud sprawl multiplies the problem.

NHI Lifecycle Stages

1. Provisioning

Trigger: New use case (app, integration, agent, workload).

Activities:

  • Risk assessment.
  • Approval workflow.
  • Identity creation (per-purpose, per-app).
  • Permission assignment (least privilege).
  • Owner assignment (named human).
  • Authentication setup (federation / managed identity preferred).
  • Audit setup.
  • Documentation.

2. Use

Activities:

  • Routine use by app / workload.
  • Audit logging.
  • Anomaly detection.
  • Cost / usage monitoring.

3. Change

Triggers:

  • New feature requires more permissions.
  • Owner changes role.
  • Integration with new system.

Activities:

  • Re-review (risk + scope).
  • Approval workflow for additions.
  • Permission adjustment.
  • Documentation update.

4. Owner Transition

Triggers:

  • Owner leaves company.
  • Owner changes role.
  • Team reorganization.

Activities:

  • Identify orphaned NHIs.
  • Notify team / manager.
  • Reassign owner.
  • If no owner found within SLA → flag for review / decommissioning.

5. Recertification

Triggers:

  • Quarterly / annual cycle.
  • Risk-based (more frequent for high-tier).

Activities:

  • Owner confirms NHI still needed.
  • Permissions reviewed for least privilege.
  • Authentication still appropriate.
  • Documentation current.

6. Decommissioning

Triggers:

  • Use case retired.
  • Owner unable to justify.
  • Orphan detected without claim.
  • Automatic on workload deletion.

Activities:

  • Disable NHI (suspend, not delete).
  • Wait period (catch dependencies).
  • Revoke tokens / keys.
  • Delete identity.
  • Archive audit trail.
  • Update inventory.

7. Audit

  • Every lifecycle event logged.
  • Auditable for compliance.

Common Lifecycle Failures

1. No Provisioning Workflow

NHIs created ad hoc; no inventory.

2. No Owner

Or owner is "DevOps team" (not a person).

3. No Decommissioning Trigger

Workload deleted; identity persists.

4. No Leaver Process

Departed employee's NHIs orphan.

5. No Recertification

Permissions accumulate; never reviewed.

6. No Change Tracking

Permissions added silently.

7. Sudden Delete (No Suspend)

Accidentally breaks dependencies.

8. Audit Gap

No log of who created / changed / used.


Real-World Examples

1. Leaver Process for NHIs

Org connected NHI inventory to HR. When developers leave, their NHIs auto-flag for ownership transfer or decommissioning. Eliminated 1,200+ orphan NHIs that had accumulated over years.

2. Provisioning Workflow

New SAs require ticket with use case, risk assessment, and owner. Reduces shadow NHIs; ensures inventory is accurate from creation.

3. Auto-Decommissioning on Workload Deletion

When K8s namespace deleted, associated cloud SAs and IAM bindings auto-remove. Eliminated stale resources.

4. Recertification Catches Permission Creep

Quarterly review found agent's permissions had doubled over a year. Reverted to needed minimum.

5. Suspended-Then-Deleted

Org suspends NHIs for 30 days before deletion. Caught 5% with hidden dependencies; restored without incident.


Implementation Patterns

Hub-and-Spoke

Central NHI management platform (Forestall, IGA tool) integrates with cloud / SaaS / AD / K8s for lifecycle actions.

Event-Driven

  • HR system → leaver event → NHI lifecycle workflow.
  • Cloud audit → resource creation → NHI provisioning.
  • Workload deletion → NHI decommission.

Self-Service

  • Developers request new NHIs via portal.
  • Owners self-serve recertification, change requests.
  • Reduces friction; preserves governance.

Risk-Driven

  • High-risk NHIs: weekly review, more rigorous workflow.
  • Low-risk NHIs: annual review, lighter workflow.

Best Practices

  1. Provisioning workflow for new NHIs (with approval + risk review).
  2. Owner per NHI — named human (not team).
  3. HR integration for leaver events.
  4. Workload integration for auto-decommissioning.
  5. Recertification cadence — risk-tiered.
  6. Suspend-then-delete to catch dependencies.
  7. Audit every lifecycle event.
  8. KPI tracking (provisioning SLA, recertification completion, orphans %).
  9. Self-service to scale.
  10. Cross-functional governance.

Checklist

  • Provisioning workflow defined?
  • Approval + risk review on creation?
  • Owner per NHI (named human)?
  • HR integration for leavers?
  • Workload integration for decommissioning?
  • Recertification cadence?
  • Risk-tiered cadence?
  • Suspend-then-delete?
  • Lifecycle audit?
  • KPIs tracked?
  • Self-service available?
  • Cross-functional ownership?

How Forestall Helps

Forestall integrates NHI inventory with HR and DevOps to automate lifecycle:

  • Auto-flag orphans on leaver events.
  • Auto-decommission on workload deletion.
  • Recertification campaigns.
  • Lifecycle audit and KPIs.

Frequently Asked Questions

How is NHI lifecycle different from human JML?

Same concept, different triggers (workload events, code changes, leaver events) and identity types (SAs, OAuth apps, API keys, agents).

Should NHI lifecycle be automated?

Yes — manual processes don't scale to 50K+ NHIs.

What about NHIs created before lifecycle existed?

Backfill — discover, assign owners, recertify, decommission orphans.

Who's responsible for NHI lifecycle?

Identity Security / IAM team; partnership with DevOps, Cloud, IT.

How often should I recertify?

Risk-tiered — high tier quarterly; medium semi-annually; low annually.


Conclusion

NHI lifecycle management closes the gap that allows NHIs to accumulate forever as orphans. Build provisioning, change, recertification, and decommissioning workflows; integrate with HR and DevOps; risk-tier the cadence; automate at scale; and track KPIs. With NHI lifecycle in place, your NHI inventory shrinks (no more orphans), risk drops, and compliance becomes routine.

Non-Human IdentityIdentity LifecycleJML

Automate NHI lifecycle from provisioning to decommissioning.

Forestall ties NHI lifecycle to HR and DevOps events for end-to-end management.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is NHI Lifecycle Management? | Forestall