Identity Lifecycle Management

Identity lifecycle management is where IAM stops being a static design exercise and becomes an operating discipline. Access is not correct forever just because it was correct once. People join, transfer, get promoted, leave, go on leave, return, and switch to contractor or partner status. Workloads are created, replatformed, retired, and replaced. This chapter focuses on how access is created, changed, reviewed, and removed across that full lifecycle.

Read the chapter in order. The first lesson covers provisioning and initial access baselines. The second focuses on movers, which are often harder than onboarding because old privileges linger. The third covers offboarding and rapid deprovisioning. The fourth explains how to make access reviews and recertification meaningful. The fifth covers workflow, approval, and exception handling so urgent business needs do not quietly become permanent privilege.

Later chapters on groups, privileged access, workload identity, governance, and cloud SaaS integration all depend on lifecycle discipline. If access still feels like something assigned once and rarely revisited, Chapter 7 is where that assumption changes.

In this section

• Provisioning and Initial Access
  Strong provisioning creates identities from authoritative signals, assigns minimal useful baseline access, and makes exceptions visible instead of burying them in ad hoc tickets.
• Movers: Role Changes, Transfers, and Promotions
  Mover events are dangerous because access is often added for the new role while old entitlements remain, creating privilege creep that onboarding and offboarding processes may never fully catch.
• Offboarding and Rapid Deprovisioning
  Rapid deprovisioning is one of the highest-value IAM controls because it removes stale accounts, active sessions, delegated ownership, and machine access after they are no longer justified.
• Access Reviews and Recertification
  Access reviews create value only when reviewers can understand what access means, why it exists, and what risk it carries; otherwise recertification becomes a rubber stamp.
• Workflow, Approval, and Exception Handling
  Exception paths are necessary in real organizations, but they need ownership, expiry, review, and audit so urgent business work does not silently become permanent privilege.