Skip to content

Describe the identity lifecycle from provisioning to deprovisioning. Where do most organizations fail?

Short answer

Identity lifecycle management governs an account from creation to retirement: provisioning at onboarding (joiner), adjusting entitlements on role change (mover), and timely deprovisioning at exit (leaver), with periodic access reviews throughout. The most common failures are privilege creep on movers and orphaned accounts from missed deprovisioning.

Identity lifecycle management sits in the IAM domain and is where governance meets day-to-day operations. Interviewers ask it because broken lifecycle processes are behind a huge share of real breaches.

The lifecycle stages

  • Joiner (provisioning) — when someone is hired or onboarded, they receive accounts and entitlements based on their role, ideally via role-based provisioning so they get exactly what the job needs and no more.
  • Mover (modification) — on promotion, transfer, or project change, access must be adjusted: new rights added and old rights removed. The classic failure here is leaving the old access in place.
  • Leaver (deprovisioning) — on termination or contract end, all access is revoked promptly, ideally automatically and immediately for hostile exits.

Throughout, periodic access reviews / recertification confirm that people still need what they hold, and that no accounts have drifted out of policy.

Where organizations fail

Two failures dominate:

  • Privilege creep — movers accumulate entitlements across roles over years, quietly violating least privilege and building a dangerous over-entitled account. Regular recertification is the antidote.
  • Orphaned accounts — leavers (or service accounts) whose access was never disabled. These are prime targets for attackers and ex-employees and are a frequent audit finding.

Automation as the fix

Manual lifecycle processes break under scale. Tying provisioning to the HR system as the authoritative source, using SCIM for automated joiner/mover/leaver, and centralizing through SSO shrinks the window of risk and makes reviews enforceable rather than aspirational.

What interviewers look for

The full joiner-mover-leaver flow with the explicit point that movers must lose stale access, recognition of access reviews as a recurring control, and naming privilege creep and orphaned accounts as the headline failures — ideally tying remediation to automation and least privilege.

Likely follow-ups

  • How does timely deprovisioning reduce insider and ex-employee risk?
  • What is privilege creep and how do recertification campaigns fix it?
  • How can SSO and automated provisioning (SCIM) strengthen the lifecycle?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.