What is JML (Joiner-Mover-Leaver) for NHIs?


Updated on March 24, 2026

The Joiner-Mover-Leaver framework for non-human identities (NHIs) is a structured approach for managing an agent's identity lifecycle. It mirrors the governance process you already use for human employees. From the moment an agent is created in the Joiner phase, through changes in its operational scope during the Mover phase, to its eventual decommissioning in the Leaver phase, the framework keeps permissions accurate at every stage.

Applying this structure prevents the accumulation of zombie identities. A zombie identity is a lingering machine account that is no longer used but still holds active system permissions. By systematically provisioning, certifying, and revoking access, you keep your attack surface small.

You also gain clear visibility into exactly which human sponsor is accountable for each automated process. This accountability is the primary defense against security debt in modern agentic fleets. It streamlines your IT workflows, improves compliance readiness, and reduces redundant software expenses.

Technical Architecture and Core Logic

Building a proper governance structure for non-human entities requires specific technical mechanisms. The architecture relies on three core pillars to manage the identity lifecycle securely and at scale.

Automated Provisioning

When a new automated process requires access, the system must generate its credentials without manual configuration. Your team achieves this using Infrastructure as Code (IaC) to create the agent’s identity and permissions automatically during the Joiner phase. This technical approach ensures every new non-human identity follows the principle of least privilege from day one. It also logs the creation event automatically to support future compliance audits and minimize helpdesk inquiries.

Access Certification

Continuous oversight is critical for maintaining a secure environment. Access certification is a periodic human-led review to ensure the agent still needs its assigned permissions. Typically, the human sponsor associated with the non-human identity conducts this review. They verify the scope of access, confirm the automation is still actively contributing to business operations, and flag any necessary changes. This proactive step eliminates unused permissions, reinforces clear accountability, and provides verifiable proof of governance for regulators.

De-provisioning

Every machine identity must have a definitive end of life. De-provisioning involves the total removal of all access, tokens, and records once an agent reaches its Leaver phase. Automated de-provisioning ensures no inactive credentials remain in your cloud or on-premises systems. Wiping these credentials promptly protects your organization from threat actors seeking to exploit forgotten service accounts. It also helps you optimize costs by cleanly severing ties with paid third-party integrations that are no longer in use.

Mechanism and Workflow: The Agent Journey

Understanding the distinct lifecycle phases helps your team implement highly effective governance policies. The workflow breaks down the specific events that trigger identity updates across your systems.

Joiner: Creating the Agent

A developer needs a new service account to integrate two cloud applications. They register a new agent through your central IT management platform. The system automatically creates a unique non-human identity and immediately links it to a human sponsor. Connecting the machine identity to a responsible owner ensures a specific individual is always accountable for its actions and permissions.

Mover: Adapting to New Risk Profiles

As projects mature, the underlying infrastructure often changes. An agent might move from a restricted testing environment into full production deployment. During this Mover phase, its permissions are updated to match the new risk profile. The IT system automatically revokes the old testing access and grants the appropriate production rights. This dynamic adjustment keeps privileges tightly aligned with current business needs while successfully preventing privilege creep.

Leaver: Erasing the Digital Footprint

When a service is retired, the associated machine identities must also disappear. The project ends and the JML process triggers an automatic wipe of all API keys. The system then terminates the non-human identity in the identity and access management system. This automated cleanup process removes the risk of dormant accounts entirely and keeps your overall IT ecosystem running efficiently.
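As an added example, not code from the original page or from any product it describes, the following Python models the three phases of the agent journey above together with the access-certification and zombie-identity checks from the Technical Architecture section. The environment names, the ENV_GRANTS policy table, the 90-day certification window and the 30-day idle threshold are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy table for this example: least-privilege grants per environment.
ENV_GRANTS = {"test": {"read:staging-db"},
              "prod": {"read:prod-db", "write:prod-queue"}}

@dataclass
class NHI:
    name: str
    sponsor: str                      # accountable human owner (the page's "human sponsor")
    environment: str
    permissions: set = field(default_factory=set)
    last_certified: "date | None" = None
    last_used: "date | None" = None
    active: bool = True
    audit_log: list = field(default_factory=list)

def joiner(name, sponsor, environment, today):
    """Joiner: create the identity with only its environment's baseline grants and a named sponsor."""
    if not sponsor:
        raise ValueError("every NHI needs an accountable human sponsor")
    nhi = NHI(name, sponsor, environment, set(ENV_GRANTS[environment]), last_certified=today)
    nhi.audit_log.append(("joiner", environment, sorted(nhi.permissions)))
    return nhi

def mover(nhi, new_environment):
    """Mover: revoke the old environment's grants, then add the new ones, so nothing accumulates."""
    nhi.permissions -= ENV_GRANTS[nhi.environment]
    nhi.permissions |= ENV_GRANTS[new_environment]
    nhi.environment = new_environment
    nhi.audit_log.append(("mover", new_environment, sorted(nhi.permissions)))
    return nhi

def leaver(nhi):
    """Leaver: strip every grant and deactivate; only the audit trail survives."""
    nhi.permissions.clear()
    nhi.active = False
    nhi.audit_log.append(("leaver", nhi.environment, []))
    return nhi

def certification_due(nhi, today, max_age_days=90):
    """Access certification: the sponsor must re-attest at least every max_age_days days."""
    return nhi.active and (today - nhi.last_certified).days > max_age_days

def find_zombies(fleet, today, idle_days=30):
    """Zombie check: still active and still holding grants, but unused for idle_days (or never used)."""
    return [n.name for n in fleet if n.active and n.permissions
            and (n.last_used is None or (today - n.last_used).days > idle_days)]
```

Running `find_zombies` over the fleet on a schedule, and `certification_due` ahead of each review cycle, is what turns the policy into a check rather than a document.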

Securing Agentic Fleets Against Security Debt

Managing the large volume of service accounts and automated agents requires a deliberate strategy. Treating non-human identities with the same rigor as human employees is an effective way to eliminate security debt. When you implement a comprehensive identity lifecycle, you protect your environment from unmonitored access and simplify your compliance audits.

Begin by mapping your existing machine accounts and assigning a clear human sponsor to each one. From there, you can establish automated provisioning rules and enforce strict access certification schedules. Taking control of your agentic fleet today ensures your hybrid infrastructure remains agile, cost-optimized, and secure for years to come.

Key Terms Appendix

To help your team align on governance strategies, here are the essential definitions related to managing non-human access:

  • Identity Lifecycle: The entire span of time a digital identity exists, from creation to deletion.
  • Zombie Identity: A lingering machine account that is no longer used but still has active permissions.
  • Provisioning: The process of setting up IT infrastructure or identities to grant necessary access rights.
  • Human Sponsor: The person responsible for the actions and existence of a non-human entity.
