Mover events are dangerous because access is often added for the new role while old entitlements remain, creating privilege creep that onboarding and offboarding processes may never fully catch.
Mover events happen when an identity changes role, team, business unit, environment, or operational responsibility. Promotions, lateral transfers, project reassignments, contractor extensions, and workload repurposing all belong here. In practice, mover events are often harder than onboarding because the organization must do two things well at the same time: add the access the new role needs and remove the access the old role no longer justifies.
Most IAM systems are better at the first part than the second. They can add entitlements quickly because adding solves an immediate productivity problem. Removing old entitlements requires more context, more confidence, and sometimes more courage. That is why mover events are a major source of privilege creep. A user accumulates access across each transfer until their effective privilege reflects everything they once did, not what they do now.
Mover risk is operational and security-related at the same time. Stale access can expose sensitive data, increase the blast radius of compromise, and undermine separation of duties. It can also confuse everyday operations. Users retain permissions that reviewers no longer understand, app owners fear removing them, and audit evidence becomes ambiguous because the entitlement history is messy.
The strongest mover model treats a role change as a lifecycle event, not only as an additive request. That means the system should ask:
The diagram below shows why mover events drift so easily.
stateDiagram-v2
[*] --> InitialRole
InitialRole --> AddedAccess: transfer or promotion
AddedAccess --> ReviewGap: old access not removed
ReviewGap --> AccumulatedPrivilege: repeated changes
AccumulatedPrivilege --> IncidentOrAudit: misuse or discovery
What to notice:
Joiners usually follow a cleaner template. Movers do not. Their old entitlements may span:
Some of that access may still be justified. Some may be obsolete. Some may be tied to systems whose owners barely know why it exists. That makes “remove everything and re-add later” tempting but operationally risky, while “leave it all in place” is obviously weak. Mature IAM therefore needs a deliberate mover pattern rather than relying on ad hoc ticket review.
A good mover workflow often has two parts:
This is stronger than purely additive logic because it treats access as something to reconcile, not only to grow. It also makes access reviews more meaningful later because reviewers can distinguish between baseline rights and leftover exceptions.
The YAML below shows a generic mover workflow that recalculates baseline access and flags stale privileges for review.
1mover_workflow:
2 trigger: role_change_event
3 steps:
4 - recalculate_new_baseline
5 - compare_current_entitlements_to_new_baseline
6 - remove_auto-managed_old_access
7 - flag_high_risk_or_manual_exceptions_for_review
8 - set_review_deadline_days: 7
9 high_risk_categories:
10 - privileged_admin
11 - customer_data_access
12 - finance_approval
This workflow is useful because it avoids two common failures:
The high_risk_categories list also shows an important principle. Some entitlements are important enough that automatic carryover should be challenged explicitly.
Promotions can create a special mover problem. A user may move from contributor to approver, from operator to admin, or from analyst to financial reviewer. If old and new permissions combine carelessly, the resulting access can break separation of duties. For example:
This is why mover logic should not only check least privilege. It should also check conflicting duty combinations.
A company handles internal transfers by adding the destination team’s role set immediately, then asking the old manager to “remove anything unnecessary later if they notice it.” Several high-value SaaS tools and privileged roles are excluded from the workflow because they are “too complicated to automate.” Is that a strong mover process?
No. It institutionalizes privilege accumulation. The stronger design recalculates baseline access centrally, removes deterministic stale access automatically, and routes the harder privileged cases into explicit review rather than excluding them from the process. Complexity is not a reason to ignore lifecycle risk.
SC-900 • governance and identity operations • enterprise IAM architecture tracks
Mover discipline prevents privilege creep, but offboarding remains the fastest way to cut risk after access should no longer exist at all. That is the focus of the next lesson.