No-Shows in Identity Lifecycle: Closing the Gap Before It Becomes a Security Risk

A no-show refers to a situation where a user (employee, contractor, intern, or partner) is provisioned in advance in the identity and access management system (IAM) with accounts, access, and entitlements already set up, but they never actually begin using them.

Risk: This leaves active accounts without an owner, creating a potential security gap (dormant identities with valid credentials or access).

Some of the situations where a new hire fails to show up are:

• Never starts work.
• Rejects the offer after onboarding is triggered.
• Fails background check or doesn’t clear onboarding requirements.
• Abandons contract before the official start date.

It’s essential to address the no-show scenarios for the following reasons:

• Dormant Identity Risk: Creates an orphaned account that attackers could exploit.
• License Waste: SaaS licenses are consumed by users who never log in.
• Audit Issue: Auditors will flag “accounts created for users who never started.”

Service Desk Impact

The No-Show scenario has a direct impact on the Service Desk team, because they’re often the ones who get pulled in when IAM automation isn’t entirely in place or when there are process gaps. Some areas where impact is:

Operational Delays

• Time wasted provisioning, imaging devices, and setting up accounts that are never used.
• Diverts resources from serving actual employees and urgent requests.

Audit & Compliance Pressure

• If auditors find active no-show accounts, Service Desk may get urgent requests to prove when/why they were disabled.
• Requires log collection and justification.

Unnecessary Provisioning Requests

• Service Desk may receive tickets to troubleshoot access for accounts that should never have existed.
• Example: IT sets up laptop, email, and app licenses for a user who never arrives.

No-shows create extra tickets, wasted effort, and audit headaches for Service Desk teams. With proper IAM automation, Service Desk can be freed from cleanup work and focus on actual user support instead of fixing identity lifecycle gaps.

No-Show workflow

During the workflow implementation, you need to consider the timeframe to deactivate the account after no-show (24 or 48 hours), and also consider time zones if you are implementing it for a global organization ( AMER, APAC, EMEA).

Implementing a No-Show Lifecycle Handling depends on the organization’s goals, but a typical workflow is as follows:

1. HR Event: User record created in HR system (e.g., Workday).
2. IAM Provisioning: Identity automatically created in IDM/Okta; birthright access assigned.
3. No-Show Detection: HR flags the employee as “Did Not Start” or the background check fails.
4. Automatic Remediation: a) Deactivate or delete the identity in IDM. b)Revoke all downstream app accounts via SCIM/connector. c )Reclaim licenses. d)Preserve minimal audit record (archived identity).
5. Audit Trail: Documented evidence that no access remained active

How to Handle No-Shows in Okta

Okta can help mitigate the risk of no-shows by automating deactivation and cleanup:

1. Upstream HR/Source-of-Truth Integration: Connect Okta Universal Directory to your HR system (e.g., Workday, SuccessFactors, BambooHR). If HR marks the hire as “Canceled” or never moves them to “Active,” Okta will: Automatically suspend or deactivate the account. Block login and deprovision downstream apps (Slack, Teams, AWS, etc.).
2. Lifecycle State Rules in Okta: Use Lifecycle states like Staged → Active → Suspended → Deactivated. Keep new users in Staged until they log in or HR confirms their first day. If the start date passes without activity → auto-suspend or delete.
3. Access Request & Approvals: Delay provisioning of sensitive entitlements until first login or manager confirmation. This ensures no unused privileged access is left open.
4. Automation with Okta Workflows: Build a “No-Show Rule” in Okta Workflows: If a user has not logged in by X days after start date → auto-suspend account and notify IAM team. Optionally, create an audit log entry or ticket in ServiceNow/Jira for tracking.

A no-show is when a user account is provisioned, but the person never starts. In Okta, you can manage this using HR-driven lifecycle states, delayed activation, and automated suspension/deprovisioning via Okta Workflows to eliminate orphaned accounts and reduce risk.

Gabriel Magarino

Gabriel Magarino – Senior Security Manager | IAM Evangelist - Experienced leader with over 20 years in the IT and cybersecurity industry, specializing in Identity & Access Management. Expert in Okta, One Identity, SailPoint (IdentityIQ & IdentityNow), OneLogin, Delinea, and CyberArk. Passionate about exploring IAM and emerging technologies, coaching, and training IAM teams. Holds a Master’s in Computer Science and multiple certifications, including Okta Professional & Administration, One Identity Architect & Instructor, SailPoint Identity Now, ITIL, Scrum Master, among others. Currently pursuing a PhD with a focus on Computer Science and Artificial Intelligence.