
A faculty member at a state system retires in March. Her account stays alive through April, May, and most of June. In late spring, her credentials surface on a forum where student records are being sold by the gigabyte. By the time the institution figures out she was the door, the door has been open for nearly three months and the buyer has already moved on to the next listing.
Nobody fired the account. Not because anybody refused. Because nobody's name was on the line that said "fire the account." HR ran a separation. The directory team waited for a ticket. The ticket never came. And the load-bearing human in the middle, the one who would have caught it on any other Tuesday, was buried in semester closeout.
That story is from a documented 2026 case in the higher-ed identity report I'll cite in the references. It is not exotic. It is the third or fourth variant of the same story I've heard this year, and the structural shape of it shows up in every other receipt that landed on my desk last week. The Canvas breach. The Department of Education turning on real-time fraud detection inside the FAFSA. A ransomware deployment by a terminated administrator who kept his access for seventy-two days. They are not separate stories. They are the same story, told in four different rooms.
The identity got created or kept alive without a clear institutional authority owning the lifecycle of that identity.
Between April 30 and May 7, the ShinyHunters group walked out of Instructure with data on 275 million users across 8,809 educational institutions. The claimed haul was 3.65 terabytes. The entry vector was not a zero-day in the learning platform. It was the Free-For-Teacher program, which let any educator on the planet self-provision a Canvas account with no institutional authority involved in confirming that the educator was, in fact, an educator at the institution they claimed.
That account, once created, sits inside the same federated ecosystem as the accounts your registrar carefully provisions from the system of record. The Department of Education issued a Technology Security Alert on May 12, updated May 29. Harvard's Canvas instance went dark while the dust was settling. Instructure revoked privileged credentials, rotated internal keys, and temporarily shut down the Free-For-Teacher program.
The CIO question is not "is Canvas safe." The CIO question is the one I want you carrying into your next budget meeting: how many other vendor platforms are creating identities your institution never authorized, and federating those identities into systems you own?
If you cannot answer that by Friday, you have a Canvas-shaped hole somewhere in your stack that you have not found yet. Vendor self-service account creation is the same structural pattern as a faculty retirement that never triggers a deprovisioning workflow. An identity exists. Nobody at your institution decided it should. Nobody at your institution will decide when it shouldn't.
On April 26, the Department of Education turned on real-time identity fraud detection inside the FAFSA form itself, with an update pushed May 29. This sits on top of the Fall 2025 requirement that institutions verify FAFSA applicants either in person or via live video against an unexpired government photo ID, with NIST IAL2-compliant third-party verification accepted as an alternative.
Read that sequence carefully. The federal government did not build real-time fraud detection inside FAFSA because they wanted a new product feature. They built it because they did not trust institutions to hit IAL2 on the timeline the institutions had been given. The Department flagged nearly 150,000 suspect FAFSA identities. California reported almost one in three college applications as fraudulent in 2024. One college received fifty fake FAFSA submissions in two seconds.
NIST 800-63-4 at IAL2 requires Presentation Attack Detection and Injection Attack Detection, with proof through accredited lab certification. If your campus verification is still knowledge-based questions and a driver's-license image upload, you are not IAL2 compliant. You are pre-compliant. And Federal Student Aid is going to figure that out faster than your auditor will, because the real-time detection layer is already running and your application stream is already being scored.
The structural pattern is identical to Canvas. An identity got created without an institutional authority validating it. The federal government is now doing the validation work your institution was supposed to do, because they ran the math on what would happen if they waited. That is a confidence vote, and the score is zero.
I write about the student lifecycle and CIOs nod. I write about the workforce lifecycle and the room gets quiet, because acknowledging the workforce side means HR and IT have to sit at the same table and answer the question neither of them wants to own: who fires the account when the person leaves?
The documented 2026 cases are not subtle. A terminated IT administrator kept access for seventy-two days, then deployed ransomware. A retired faculty member kept LMS and student-record access for nearly three months, then sold the data. An adjunct kept financial-system access for forty-five days and initiated a quarter-million dollars in unauthorized wire transfers. Auditors dinged Eastern Connecticut State University for inadequate vetting in IT access control. Saint Augustine's audits revealed internal control failures and protocol breaches in the same territory.
Forrester puts manual provisioning at six to eight hours per employee. Gartner estimates twenty to thirty percent IT labor savings from automation. Those numbers are real, and they are the wrong frame. The seventy-two day window is not an efficiency problem. It is the absence of an HR-to-directory contract with a service-level agreement and a name on it.
I have said this before and I'll say it again because the receipts keep arriving: until the HR-to-IT contract for separation exists with a named owner and a measured SLA, the load-bearing human is still doing the work. And she is going to miss one. That is not a character flaw. That is what happens when an operational obligation lives in nobody's job description.
In March, UT Austin's CIO published a "self-healing campus" concept anchored in their UT.AI platform, framing identity and data controls as substrate rather than overlay. The pieces to build this exist in the market right now. Okta's Identity Security Posture Management detects unmanaged local accounts and pipes them into Workflows for automated remediation. Saviynt and CrowdStrike both position posture management as continuous assessment with prioritized remediation. Cerby markets self-healing automation that relearns lifecycle actions when applications change.
What does not exist in the public record is a higher-ed deployment of a closed-loop ILM system that detects a lifecycle misstate and corrects it without a human ticket. Not one. I have been looking for nine months.
The reason is not technical. The reason is that nobody wants to be the CIO whose self-healing workflow accidentally locked the provost out of email at 2 AM during board week. So we keep humans in the loop, and we keep paying the sixty to seventy-two day price, and we tell ourselves that the human is a control rather than a single point of failure.
This is prediction four on my standing record, and I want to be wrong about it. Somebody is going to ship closed-loop ILM in 2027. The question is whether it will be a higher-ed-native vendor that understands the student lifecycle is not the employee lifecycle, or a corporate-IT import that misses the academic context and gets ripped out two years later. I have a strong preference. Most of you can guess it.
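Here is what the whiteboard contract and the closed-loop check look like when you put them in one place. This is an added sketch of my own, not code from Okta, Saviynt, CrowdStrike, Cerby or UT Austin: every enabled directory account must trace to an authoritative record, separated-but-enabled accounts are measured against the SLA, and the only thing that stops automatic remediation is a hold with a named owner and an expiry date. All feeds, account names and dates are constructed, and the one-day SLA is an assumed contract value.

```python
"""Added closed-loop lifecycle reconciliation: every enabled directory account must trace
to an authoritative record; misstates are corrected unless a named owner holds an exception."""
from dataclasses import dataclass
from datetime import date
SEPARATION_SLA_DAYS = 1  # the HR-to-directory contract: disabled within 1 day of separation
# Constructed sample feeds; real ones come from HR, the SIS and the directory.
HR = {"fac01": ("separated", date(2026, 3, 15)),   # faculty member retired in March
      "it07":  ("separated", date(2026, 1, 10)),   # terminated administrator
      "prov1": ("separated", date(2026, 5, 30))}   # HR data-entry error on the provost
SIS = {"stu42": "enrolled"}
DIRECTORY = [  # (account, enabled, source_of_record)
    ("fac01", True, "hr"), ("it07", False, "hr"), ("prov1", True, "hr"),
    ("stu42", True, "sis"), ("teach99", True, None)]  # teach99: vendor self-provisioned
# Exceptions name an owner and expire; an expired hold no longer blocks remediation.
HOLDS = {"prov1": ("CIO office", date(2026, 6, 15))}
@dataclass
class Finding:
    account: str
    issue: str
    days_overdue: int  # days past the SLA that the misstate has persisted
    action: str

def reconcile(directory, hr, sis, holds, today):
    findings = []
    for account, enabled, source in directory:
        if not enabled:
            continue  # already in the correct state, nothing to heal
        if source == "hr" and account in hr:
            status, effective = hr[account]
            if status != "separated":
                continue
            overdue = (today - effective).days - SEPARATION_SLA_DAYS
            if overdue < 0:
                continue  # still inside the contracted window
            issue = "separated but still enabled"
        elif source == "sis" and sis.get(account) == "enrolled":
            continue
        else:
            issue, overdue = "no authoritative record owns this identity", 0
        owner, expires = holds.get(account, (None, None))
        if owner and expires >= today:
            action = f"hold until {expires} (owner: {owner})"
        else:
            action = "disable and notify lifecycle owner"
        findings.append(Finding(account, issue, max(overdue, 0), action))
    return findings

def worst_sla_breach(findings):
    """Largest overdue window: the number the separation SLA is measured by."""
    return max((f.days_overdue for f in findings), default=0)
```

Run against the sample feeds on 2026-06-01, the retired faculty account comes back 77 days past the SLA and the self-provisioned vendor account comes back with no owner at all, while the provost stays up only because someone with a name signed a hold that runs out on June 15.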
Here is what I keep coming back to. Every story this week, the Canvas breach, the FAFSA fraud-detection rollout, the seventy-two day ransomware window, every one of them has the same structural shape. An identity got created or kept alive without a clear institutional authority owning the lifecycle of that identity. Canvas let teachers self-provision. FAFSA let bots self-apply. HR let faculty separate without firing the account. And departments are letting AI agents inherit human credentials, which is the next chapter of this same book.
The receipts I have been gathering for two years all point at the same missing piece, and it is not a product. It is a contract. An institutional contract that names the owner of every identity on your campus, human and machine, and the trigger that ends it.
When I built Login Manager at the University of Advancing Technology, the thing that made it work was not the code. It was that the registrar, HR, and IT had agreed in writing on who created the identity, who modified it, and who killed it. We wrote that on a whiteboard one afternoon in 1998. The whiteboard is what made the software possible. Most of the institutions I talk to in 2026 have a more sophisticated identity platform than we did, and no whiteboard.
If somebody on your campus owns the lifecycle of every identity, ILM is the thing that lets you sleep at night. If nobody owns it, ILM is the thing that lets you not know what woke up. Pick one. The receipts are not going to wait.
*Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential*