Playbook

Joiner, mover, leaver: the access lifecycle where risk actually lives

By the Secriiti team · Apr 22, 2026 · 8 min read

If you want to find access risk, don't start by watching people. Start by watching three moments: when someone joins, when they move, and when they leave. The overwhelming majority of access risk is created — or revealed — at one of these transitions. Instrument them well and you've covered most of the surface without monitoring anyone's day-to-day work.

Here's a practical playbook for each, using metadata you already generate.

Joiner: the over-provisioning moment

New access is granted in a hurry. A manager wants the new hire productive on day one, so they copy permissions from a teammate — and inherit every scope that teammate ever accumulated. The result is someone who starts with more access than their role needs and no record of why.

What to watch (metadata only):

  • Initial entitlement sets that exceed the role baseline for that team.
  • "Copied from" provisioning that imports admin or sensitive scopes.
  • Access granted but never used in the first 30–60 days — a sign it was never needed.

The signal: a joiner whose granted access is wider than peers in the same role, especially scopes that sit unused. That's privilege to trim before it becomes permanent.

Mover: the accumulation moment

Internal moves are the quietest risk of the three, because nobody treats them as a security event. Someone changes teams, picks up the access their new role needs — and keeps everything from the old one. Do that across a few transfers over a career and you get an account with the combined privileges of three different jobs. This is how privilege creep actually happens: not through one bad grant, but through additions that are never matched by removals.

What to watch (metadata only):

  • Role or team changes that add entitlements without retiring the previous role's scopes.
  • Accounts whose access spans systems that no single role in the org should need together (a separation-of-duties red flag).
  • Old-team resources still being accessed weeks after a transfer — or, just as telling, not accessed at all (dormant but live).

The mover problem isn't that people gain access. It's that organizations are very good at adding and very bad at subtracting.

The signal: an identity whose entitlement footprint keeps growing across role changes, with stale scopes that are no longer exercised. Each transition is a natural prompt to review and revoke.

Leaver: the de-provisioning lag

Departures are the most obvious risk and still routinely mishandled. Offboarding is a multi-system chore, and the gap between "last day" and "fully de-provisioned" is where dormant accounts, lingering tokens, and forgotten third-party access become an open door — sometimes for weeks.

What to watch (metadata only):

  • Time-to-revoke after a termination event — measured per system, not assumed.
  • Authentication or token use after a recorded departure date.
  • Service accounts and API keys tied to the leaver that no one reassigned or rotated.
  • A volume or egress spike in the final days before departure.

The signal: access that outlives the person. The metric that matters is how fast a leaver's footprint actually goes to zero everywhere — and whether anything happened in the window before it did.

Turning the lifecycle into a program

You don't need a surveillance apparatus to cover joiner-mover-leaver. You need three things:

  1. Lifecycle events from your identity provider. Joins, role changes, and terminations are already emitted as metadata. They're the anchors everything else hangs on.
  2. Entitlement change tracking. Treat every grant and revoke as a logged event so accumulation becomes visible over time, not just at a point-in-time audit.
  3. Role/team baselines. Compare each identity's footprint to its role's norm so "too much" and "stale" are detectable automatically.

Notice what's absent: no message reading, no keystroke logging, no per-person scoring. Every signal above comes from the envelope of access, and every one maps to a clear action — trim a joiner's scope, review a mover's accumulation, accelerate a leaver's revocation.
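As an added example (not the Secriiti team's code), here is a small Python check that runs the three lifecycle tests above over the three inputs just listed: lifecycle events from an identity provider, an entitlement ledger with last-used dates, and per-role baselines. All users, scope names, dates and the 30-day joiner grace period are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical scope names): the entitlements an
# identity in each role is expected to hold.
ROLE_BASELINE = {
    "support": {"crm:read", "ticketing:write"},
    "finance": {"erp:read", "erp:approve"},
}
# Constructed lifecycle events, as an identity provider would emit them.
LIFECYCLE = [
    {"user": "ann", "event": "join", "role": "support", "on": date(2026, 1, 5)},
    {"user": "bob", "event": "move", "role": "finance", "prev_role": "support", "on": date(2026, 2, 1)},
    {"user": "cy", "event": "leave", "on": date(2026, 3, 1)},
]
# Constructed entitlement ledger: live scope -> date last exercised (None = never used).
ENTITLEMENTS = {
    "ann": {"crm:read": date(2026, 1, 6), "ticketing:write": None, "crm:admin": None},
    "bob": {"erp:read": date(2026, 3, 2), "erp:approve": date(2026, 3, 2),
            "ticketing:write": None, "crm:read": date(2026, 2, 20)},
    "cy": {"erp:read": date(2026, 3, 9), "vpn:access": date(2026, 2, 20)},
}
JOINER_GRACE = timedelta(days=30)  # granted but unused this long: probably never needed

def lifecycle_findings(events, ledger, baselines, today):
    """Return (user, finding, scope) triples for the joiner/mover/leaver checks."""
    findings = []
    for ev in events:
        user, scopes = ev["user"], ledger.get(ev["user"], {})
        if ev["event"] == "join":  # wider than the role baseline, or never exercised
            for scope, last in scopes.items():
                if scope not in baselines[ev["role"]]:
                    findings.append((user, "joiner_excess", scope))
                elif last is None and today - ev["on"] >= JOINER_GRACE:
                    findings.append((user, "joiner_unused", scope))
        elif ev["event"] == "move":  # old-role scopes the new role does not need
            stale = baselines[ev["prev_role"]] - baselines[ev["role"]]
            for scope, last in scopes.items():
                if scope in stale:
                    used_after = last is not None and last >= ev["on"]
                    findings.append((user, "mover_still_used" if used_after else "mover_stale", scope))
        elif ev["event"] == "leave":  # anything still live, worse if used after departure
            for scope, last in scopes.items():
                post = last is not None and last > ev["on"]
                findings.append((user, "leaver_post_departure_use" if post else "leaver_live", scope))
    return findings

def demo_findings():
    # Run the checks over the constructed sample as of 2026-03-10.
    return lifecycle_findings(LIFECYCLE, ENTITLEMENTS, ROLE_BASELINE, date(2026, 3, 10))
```

Each finding maps to one of the actions named above: trim the joiner's excess or unused scope, revoke the mover's old-role scopes, and close the leaver's remaining access (treating post-departure use as an incident, not a hygiene item).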

The takeaway

Access risk isn't evenly distributed across time; it clusters at transitions. If your program does nothing else well, make it excellent at the three moments where people join, move, and leave. That's where the door gets propped open — and it's exactly where metadata gives you the clearest view.

Secriiti is built around the lifecycle

Joiner-mover-leaver signals, privilege-creep detection, and off-boarding hygiene are core to Secriiti — all from metadata, all at the team and role level. Request early access.
