Identity compliance requirements
Reference guide
Last updated August 2025

Lifecycle management

Identity lifecycle management governs how access is handled throughout an employee's relationship with an organization. This includes three primary scenarios: joiners (new employees), movers (role, team, or department changes), and leavers (departing employees).

User provisioning ("joiners")

User provisioning establishes initial access for new users joining the organization. Once a user is verified, their account is created, and they are given temporary credentials for their accounts. A user is granted inherent entitlements (or "birthright entitlements") that all users in the organization should have, and may also be granted specific permissions based on their role, job function or responsibilities.

There may be separate processes or requirements for contractors, vendors, or interns.

Common compliance requirements

  • Process for user identity verification
  • Process for account provisioning
  • Time-based restrictions for completing provisioning tasks
  • Requirements for temporary initial passwords, e.g., must be random
  • Documentation of inherent entitlements
  • Process for assigning inherent entitlements
  • Documentation of roles and permissions
  • Process for assigning roles or permissions to employees, possibly requiring approvals

Access modifications ("movers")

Access modification processes handle permission changes when users change functions, teams, or roles within an organization. This could refer to changing teams or managers, but also to promotions and international relocations, as well as temporary reassignments. This could also include larger organizational changes like reorgs, or mergers and acquisitions.

Common compliance requirements

  • Process for changing roles or permissions assigned to employees, possibly requiring approvals
  • Time-based restrictions for completing access changes
  • Reviews of permissions after role changes, to compare continued access against business needs
  • Process for removing unnecessary access from previous roles

Access terminations ("leavers")

Access termination ensures proper removal of access when users depart the organization or no longer require access. Processes could differ for a regrettable leave (an employee quits) vs. a termination (an employee is fired or laid off). Processes could also differ between employees vs. contractors.

This may also apply when users take an extended absence during which they should not be working, e.g., parental leave.

Common compliance requirements

  • Process for account deactivation and/or deprovisioning
  • Maximum time to remove access after termination
  • Maximum time to remove access after a high-risk departure, i.e., a termination rather than a regrettable leave
  • Verification of successful access removal
  • Regular identification and removal of dormant accounts
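As an added example that is not part of this guide, the joiner, mover, leaver and dormant-account requirements above expressed as a single check run over an HR feed and an identity-provider export; the sample data, role model, field names and SLA values are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumed, not from the guide): role model, HR feed, IdP export.
BIRTHRIGHT = {"email", "sso"}  # inherent entitlements every user should hold
ROLE_ENTITLEMENTS = {"engineer": {"github", "aws-dev"}, "finance": {"netsuite"}, "sales": {"crm"}}
HR_FEED = {  # user -> status, current role, previous role, date of the last HR change
    "alice": {"status": "active", "role": "engineer", "prev_role": None, "changed": date(2025, 8, 1)},
    "bob": {"status": "active", "role": "finance", "prev_role": "engineer", "changed": date(2025, 7, 1)},
    "carol": {"status": "terminated", "role": "sales", "prev_role": None, "changed": date(2025, 7, 20)},
}
ACCOUNTS = {  # user -> account state as exported from the identity provider
    "alice": {"enabled": True, "entitlements": {"sso", "github", "aws-dev"}, "last_login": date(2025, 8, 10)},
    "bob": {"enabled": True, "entitlements": {"email", "sso", "netsuite", "aws-dev"}, "last_login": date(2025, 4, 1)},
    "carol": {"enabled": True, "entitlements": {"email", "sso", "crm"}, "last_login": date(2025, 7, 19)},
}


def lifecycle_findings(hr, accounts, today, termination_sla_days=1, dormant_days=90):
    """Return (user, finding) pairs for joiner, mover, leaver and dormancy violations."""
    findings = []
    for user, acct in accounts.items():
        rec = hr.get(user)
        if rec is None:  # account with no HR record: nobody owns it
            findings.append((user, "orphan: no matching HR record"))
            continue
        if rec["status"] == "terminated":  # leaver: still enabled past the removal SLA
            if acct["enabled"] and (today - rec["changed"]).days > termination_sla_days:
                findings.append((user, "leaver: access not removed within SLA"))
            continue  # remaining checks apply to active staff only
        for missing in sorted(BIRTHRIGHT - acct["entitlements"]):  # joiner: birthright gaps
            findings.append((user, f"joiner: missing inherent entitlement {missing}"))
        allowed = BIRTHRIGHT | ROLE_ENTITLEMENTS[rec["role"]]
        if rec["prev_role"]:  # mover: access from the old role that the new role does not grant
            stale = (ROLE_ENTITLEMENTS[rec["prev_role"]] & acct["entitlements"]) - allowed
            for ent in sorted(stale):
                findings.append((user, f"mover: residual access {ent} from {rec['prev_role']}"))
        if acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            findings.append((user, f"dormant: no login in {dormant_days} days"))
    return findings


def sample_findings():
    """Run the checks against the constructed data as of a fixed audit date."""
    return lifecycle_findings(HR_FEED, ACCOUNTS, date(2025, 8, 15))


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Each finding maps to one requirement in the lists above, so the output doubles as the evidence an access-removal or dormant-account review would collect.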

Access certification and reviews

Even though access should be reviewed when users join, move, or leave the organization, access needs may drift over time and no longer align with job responsibilities. Regular validation of access rights and usage through structured review processes is meant to mitigate this risk.

These processes are known as access review campaigns, access certifications, or user access reviews (UARs). These campaigns review all access at a point in time or over a period of time, and are run periodically.

Common compliance requirements

  • Scope of campaign, e.g., specific systems or types of access
  • Frequency of campaign, e.g., quarterly
  • Process and timeline for campaign, including approval requirements
  • Requirements for evidence collection
  • Review of active accounts
  • Review of access usage
  • Review of privileged access
  • Process and timeline for remediation
  • Process for managing exceptions

Contractor and vendor management

Managing the access of external users, such as contractors and vendors, may require additional controls beyond the standard employee lifecycle processes.

Common compliance requirements

  • Enhanced documentation and evidence requirements
  • Review of continued business need
  • Review of access usage
  • Enhanced logging and monitoring
  • Integration with vendor management processes, such as removal of access based on vendor contract termination dates

Service account management

Non-human identities and accounts used for system operations, services, and applications also need to be managed through a lifecycle, so that they are not over-provisioned and their access is removed when it is no longer needed. These service accounts could include API keys or OAuth tokens and correspond to internal services, third-party services, and AI agents.

Common compliance requirements

  • Inventory of service accounts
  • Ownership and responsibility for the management of service accounts
  • Review of purpose and need of service accounts
  • Review of usage of service accounts
  • Inclusion of service accounts in lifecycle management processes