The Joiner-Mover-Leaver Process for IAM

Understanding the Joiner-Mover-Leaver Process for IAM: Benefits, Risks, & Best Practices

In a modern organization, the workforce is in a state of constant flux. Every day, new hires need tools to be productive, employees transfer to sensitive new roles, and staff depart the company.

For many organizations, however, the IT processes governing these shifts are static and reactive. They rely on disjointed tickets, manual emails, and batch updates that lag days—or even weeks—behind reality.

This latency is the defining challenge of the Joiner-Mover-Leaver (JML) process.

When the JML lifecycle is disconnected, it createsidentity drift: a dangerous divergence where active permissions no longer match employment reality. The HR system knows an employee has been terminated, but the Active Directory does not. In that window of exposure, data is stolen, compliance audits are failed, and operational velocity grinds to a halt.

Effective JML management is no longer just about administrative efficiency; it is about architectural synchronization. It requires treating identity not as a static setting, but as a fluid lifecycle that reacts in real-time to the business.

Defining the Joiner, Mover, and Leaver process

The JML framework breaks down the user lifecycle into three distinct operational phases. Each phase has its own specific triggers, automation requirements, and risk profiles.

The Joiner phase (onboarding)

The Joiner phase covers the entire sequence from an employee accepting an offer to their first productive login. The primary challenge here is distinguishing between pre-boarding (staging accounts early so equipment can be shipped) and activation (enabling access only on the start date).

• Trigger: A new employee record is created in the HRIS with a future start date.
• Objective: To provide birthright access immediately upon arrival, eliminating the day one productivity gap.
• Key action: Role-based user provisioning. Role-based access controls grant baseline access based strictly on attributes. For example, if the Department attribute is set to “Sales,” the user is automatically provisioned into Salesforce, Slack, and Email. This creates a zero-touch workflow where the HR entry alone drives the downstream action.

Key risks

• The best-guess problem: When provisioning is manual, IT often lacks context about what a user actually needs. This leads to cloning users—copying access from a similar employee. This inevitably grants the new user excessive privileges inherited from the colleague, violating Least Privilege from Day 1.
• Productivity latency: Manual handoffs between HR and IT create delays. Employees left without proper access on their first day experience immediate morale drops and lost productivity.

Learn more → Simplify Onboarding with Automated Account Provisioning

The Mover phase (transitions)

This is the most complex phase and the primary source of identity drift. When an employee changes roles—whether a promotion, a lateral transfer, or a location change—their access often accumulates rather than evolves. This leads to privilege creep, where users retain sensitive access from previous roles (e.g., a developer who moves to Sales still has production database access).

• Trigger: An update to the Job Code, Department, or Cost Center field in the HRIS.
• Objective: To adjust permissions dynamically, ensuring the user has exactly what they need for the new role and nothing from the old one.
• Key action: Re-certification. Mover events should trigger an automatic review. For soft moves (promotions), incremental access is added. For hard moves (department changes), the system performs a teardown of previous access and provisions a new birthright set, requiring the manager to explicitly re-approve any exceptions.

Key risks

• Privilege creep: In Agile or matrixed organizations, roles shift frequently. Without automation, IT often adds new permissions but fails to revoke the old ones. A user who moves three times in two years can accumulate a toxic combination of access rights (e.g., a former developer retaining production database keys after moving to Sales).
• Silent moves: Often, business units change a user’s responsibilities without formally updating HR. Since IT relies on HR data, they remain unaware of the change, leaving the user with incorrect access for months.

The Leaver phase (offboarding)

The Leaver phase focuses entirely on risk containment. The goal is to eliminate the latency between an employee’s physical departure and their digital termination. In manual environments, this revocation gap can leave accounts active for days after an employee has left, creating a massive vulnerability for data exfiltration.

• Trigger: A status change to Terminated or a future-dated Last Working Day in the HRIS.
• Objective: To instantly revoke all access and transfer ownership of business-critical data.
• Key action: User deprovisioning. Revocation must be total and immediate. Beyond simply disabling the Active Directory account, the workflow must trigger a cascade of API calls to invalidate active SSO sessions, revoke OAuth tokens (which often survive password resets), and wipe mobile device management (MDM) profiles.

Key risks

• The “just in case” gap: Organizations often leave contractor accounts active after a project ends, assuming they “might be used again.” These dormant accounts become unmonitored backdoors for attackers.
• Data exfiltration: Layoffs often happen quickly, giving IT little time to prepare. If access is not cut off instantly (including active mobile sessions and file-sharing tokens), disgruntled employees can download sensitive data or delete critical files within minutes of being notified.

Learn more → The User Provisioning and Deprovisioning Process Explained

Who is responsible for JML?

A common failure mode in JML is assuming that user identities are solely an IT problem. In a modern framework, responsibility is distributed across different stakeholders, each owning a specific slice of the lifecycle.

• Human resources. HR owns the Joiner and Leaver signals, making them the de facto root administrators for access. Since the entire automated chain relies on the HRIS as the source of truth, HR is responsible for ensuring that start dates, job codes, and termination statuses are accurate and timely. If HR delays a termination entry, they—not IT—are accountable for the resulting security gap.
• Business managers. Managers possess the operational context that IT lacks—they know why a user needs access. Therefore, they must move beyond rubber-stamping requests to become the primary approvers for role changes and access certifications. By validating that their direct reports actually require specific privileges, managers act as the first line of defense against privilege creep.
• IT department. Ideally, IT teams should stop being the gatekeepers of every individual permission. Their modern role is to act as the “referee,” maintaining the infrastructure (IGA platform, directories, API connectors) that enforces the rules. Instead of manually fulfilling tickets, IT builds the self-service workflows and guardrails that allow the business to fulfill its own needs securely.
• Security team: This group verifies that the automated process is working as designed. They move from reactive cleanup to proactive monitoring, scanning logs for anomalies (e.g., “Why did this terminated user just log in?”) and ensuring the entire architecture remains compliant with frameworks like ISO 27001, SOX, or NIST.

Case study → How System1 achieved SOX compliance with ConductorOne

“Being able to show ConductorOne to internal auditors, there they can generate time-stamped, immutable reports, and see logs in one console, was impressive.” - Jack Chen, Director of Information Technology, System1

Risks of ineffective JML management

When the identity lifecycle is disconnected or manual, it creates specific vulnerabilities that attackers exploit. These are not theoretical security risks; they are the most common vectors for data breaches and compliance failures.

Orphan accounts

These are active accounts that no longer have a valid owner—often left behind when an employee departs, but the deprovisioning process fails to catch every system.

Because they are not associated with an active employee, they often fly under the radar during audits, becoming prime targets for attackers to hijack for lateral movement.

Zombie accounts

Distinct from orphan accounts, zombie accounts appear disabled on the surface (e.g., the AD user is locked) but retain active backdoor access.

This typically happens when the offboarding process fails to remove derived credentials, such as active API keys, OAuth tokens, or SSH keys, allowing a terminated user (or an attacker) to continue running tasks in the background.

Shadow IT and ad-hoc access

In rigid environments where the Joiner process is slow, users bypass IT to sign up for SaaS tools directly. This creates a shadow inventory of identities that IT is unaware of.

When these employees leave, their access to these shadow apps remains active because the apps were never connected to the central directory in the first place.

💡Shadow IT is a reality—but it doesn’t have to be a risk. ConductorOne discovers unauthorized apps so you can manage them securely.

• Monitor shadow app signups and logins to determine whether to bring an app under governance.
• Authorize a shadow app to bring it under full control, or choose to ignore it if it’s of low concern.
• Sanctioned shadow apps act like any other app in ConductorOne.

HR-IT disconnect

This is the root cause of access gaps. Drift occurs when the reality in HR (e.g., “User promoted to Manager”) is not synchronized with IT systems immediately.

This latency results in users retaining access they no longer need (violating least privilege) or waiting days for the access they do need (impacting productivity).

Benefits of automating JML

Implementing a modern, automated JML process is a security and operational imperative for any business. Moving from manual ticketing to event-driven automation delivers four distinct categories of ROI: security, compliance, cost, and user experience.

Reduced attack surface (security)

Manual offboarding is the single biggest contributor to insider threats. By automating the Leaver process, organizations eliminate the window of opportunity for data exfiltration.

• Zero standing privileges: Automated Mover workflows ensure that access rights do not accumulate over time, strictly enforcing the principle of least privilege.
• Immediate revocation: Kill switch automation removes access to all applications instantly—including those outside the firewall—preventing former employees from retaining shadow access.

Audit confidence (compliance)

For regulated industries, the JML process is the first thing auditors scrutinize. Automation transforms compliance from a quarterly scramble into a continuous state.

• Audit-ready logs: Every provisioning and deprovisioning event is inextricably linked to an HR trigger, creating an immutable audit trail for frameworks like SOX, GDPR, and ISO 27001.
• Elimination of human error: Automation removes the risk of an IT admin forgetting to revoke a specific permission, ensuring 100% consistency in policy enforcement.

Learn more → Automating Compliance Controls to Achieve Least Privilege Access

Operational efficiency (cost)

Manual provisioning is a massive drain on high-value IT resources.

• Reclaiming IT time: Onboarding a single employee manually can take 6-7 hours of cumulative effort across departments. Automation creates a zero-touch workflow that can reduce this provisioning time by up to 96%, freeing IT staff to focus on strategic infrastructure rather than ticket fulfillment.
• License optimization: Automated Leaver processes instantly harvest licenses (e.g., Salesforce, Microsoft 365) the moment a user departs, preventing the organization from paying for unused seats.

Day one productivity (experience)

The Joiner experience sets the tone for an employee’s tenure.

• Immediate impact: Instead of waiting days for access to email or project tools, new hires are productive from the minute they log in.
• Frictionless mobility: Current employees transferring roles do not suffer downtime while waiting for new permissions, maintaining business continuity during transitions.

Best practices for successful JML implementation

Building the architecture is only half the battle. Successful JML implementation requires shifting operational habits to ensure the technology is actually effective.

1. Shift approval responsibility to business owners

A common anti-pattern is IT acting as the gatekeeper for access requests. IT administrators often lack the context to know whether a Junior Analyst actually needs access to the Finance-Production database.

• Best practice: Implement a data owner model. The manager or the application owner—not the Help Desk—must be responsible for approving access requests and conducting certifications. IT’s role is to provide the platform for these decisions, not to make the decisions themselves.

2. Adopt micro-certifications for movers

Traditional access reviews happen annually or quarterly. In a dynamic organization, this is too infrequent to catch identity drift.

• Best practice: Trigger event-based certifications. When a user changes departments (a Mover event), the system should automatically generate a mini-review for the new manager to validate the user’s inherited access. This catches privilege creep in real time rather than letting it fester for months.

3. Formalize the sponsorship model for contractors

Non-employees (contractors, vendors, partners) are the biggest blind spot in JML because they rarely originate in the HR system.

• Best practice: Enforce a strict sponsorship policy. Every external identity must be attached to a full-time employee (Sponsor) who is accountable for their lifecycle. These accounts should always have a hard-coded expiry date (e.g., 90 days) that forces the Sponsor to explicitly renew access, preventing vendor accounts from remaining active indefinitely by mistake.

Related reading → 13 Step Vendor Offboarding Checklist for Legal & IT Teams

4. Automate birthright first

Trying to automate every single permission on Day 1 is a recipe for failure.

• Best practice: Focus automation efforts on birthright access (the 80% of apps everyone needs) first. Leave complex, high-risk entitlements (like production server access) to request-based workflows. This delivers immediate ROI and speed for the majority of users while keeping sensitive access under strict, human-reviewed control.

5. Monitor for backdoor re-entry

Sophisticated attackers (or disgruntled employees) often create shadow credentials to maintain access after offboarding.

• Best practice: Your Leaver process must extend beyond the directory. Consider implementing user behavior analytics (UBA) to monitor for specific post-termination signals, such as the use of service accounts previously managed by the leaver, or API keys that were created just days before departure.

How ConductorOne automates the JML lifecycle

ConductorOne is built specifically to handle the velocity of modern, cloud-forward JML processes, replacing disjointed scripts, manual processes, and tickets with a unified identity lifecycle management platform.

• Automate zero-touch onboarding: ConductorOne integrates directly with your HRIS to detect Joiner events in real-time. It automatically provisions birthright access to your core applications (Okta, Slack, GitHub, AWS) so new hires are productive on day one without IT intervention.
• Eliminate mover privilege creep: Stop relying on manual tickets for role changes. ConductorOne enables Just-in-Time (JIT) access, ensuring users hold the high-risk permissions only for the time they need them. When a user changes roles, the platform can trigger targeted micro-certifications, forcing the new manager to validate inherited access and preventing toxic combinations of entitlements.
• Execute a perfect kill switch: Secure your offboarding with an automated Leaver workflow. ConductorOne doesn’t just disable the SSO user; it orchestrates deep deprovisioning across your stack—revoking API keys, closing active sessions, and removing granular entitlements in downstream apps—ensuring that a terminated employee loses all access instantly.
• Audit-readiness: Every access request, approval, and automated lifecycle event is logged in a central, human-readable audit trail. This transforms compliance from a painful quarterly scramble into a continuous state of readiness for SOC 2, SOX, HIPAA, and ISO 27001.

Ready to modernize your identity lifecycle? Book a demo with ConductorOne to see how you can eliminate identity drift, secure your offboarding, and automate your JML process today.

Joiner-Mover-Leaver Process FAQs:

How does JML fit into a broader identity and access management (IAM) strategy?

JML acts as the lifecycle engine for identity and access management. While access control defines the rules (who can access what), JML ensures those rules are applied dynamically as employees change roles. Integrating JML workflows with modern IAM systems ensures that security policies adapt in real-time to workforce changes, rather than relying on static permissions.

Why is managing Movers often harder than Joiners or Leavers?

Movers create complex access changes that are hard to track. Unlike a new hire who starts fresh, a moving employee often accumulates permissions, leading to excessive user access.

Effective JML processes must trigger a re-certification event during a move to ensure the user’s digital identities are updated and old permissions are stripped away to maintain secure access.

How does automating JML improve an organization’s security posture?

Automation is the most effective way to prevent unauthorized access. By removing manual latency from the Leaver process, organizations ensure access is revoked the moment an employee departs.

This significantly strengthens the overall security posture by eliminating the ghost accounts that often serve as entry points for attackers.

What is the role of identity governance in JML?

Identity governance acts as the oversight layer. While access management handles the execution (granting/revoking), governance ensures those actions follow policy.

It continuously monitors access changes—like a user moving departments—to detect drift. This visibility is critical for preventing compliance violations during compliance audits.