By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Announcements
Source: SailPoint

TL;DR: AES says it cut global provisioning and deprovisioning from days to under 4 hours by centralising identity controls across employees, contractors, and contingent workers, while using audit trails to support compliance and least privilege. The case shows that fragmented manual lifecycle management remains a material security and governance problem, not just an efficiency issue.


At a glance

What this is: AES describes how centralised identity security and workflow automation reduced global onboarding and offboarding from days to under 4 hours.

Why it matters: That matters because lifecycle delays, manual approvals, and inconsistent deprovisioning create access risk across NHI, human, and contractor programmes.

By the numbers: global provisioning and deprovisioning reduced from days to under 4 hours.

👉 Read SailPoint's blog on AES identity lifecycle automation and compliance


Context

Identity security breaks down when onboarding, role changes, and offboarding are handled through manual, region-specific approval paths instead of a single governed lifecycle. In environments with employees, contractors, and service access all moving at different speeds, the access problem is not just who gets access, but how quickly it is removed when it is no longer needed.

AES is positioned as a lifecycle automation example rather than a product story. The relevant question for identity teams is whether the same operating model can support least privilege, audit readiness, and timely revocation without relying on manual intervention or local process variance.


Key questions

Q: How should organisations manage joiner-mover-leaver processes across employees and contractors?

A: They should use a single lifecycle model that applies the same governance rules to employees, contractors, and contingent workers, while still allowing role-specific entitlements. The key is authoritative triggers, consistent approvals, and automatic removal when access is no longer justified. Separate regional processes usually create delays, exceptions, and weaker audit evidence.

Q: Why does deprovisioning matter as much as provisioning in identity programmes?

A: Because access that is granted correctly can still become a security issue if it is not removed when the business relationship changes. Deprovisioning closes the exposure window, prevents privilege creep, and creates the evidence needed for audit and incident review. Without it, lifecycle control is incomplete.

Q: What do security teams get wrong about automated identity workflows?

A: They often treat automation as a speed project rather than a governance control. Automated workflows only reduce risk when they are tied to authoritative lifecycle data, enforce least privilege, and preserve records of who received access and why. Otherwise, they can simply make bad processes happen faster.

Q: How do teams know if identity lifecycle management is actually working?

A: Look for short time-to-provision and time-to-revoke, low numbers of manual exceptions, and audit trails that clearly show access was granted and removed for a documented reason. If access changes depend on local workarounds or delayed approvals, the lifecycle control is not working as intended.


Technical breakdown

End-to-end identity lifecycle management across workforce types

End-to-end lifecycle management means the same governance model controls joiner, mover, and leaver events for employees, contingent workers, and contractors. The operational challenge is not simply provisioning accounts, but keeping entitlement assignment, review, and removal aligned with changes in employment status and business role. When those steps are fragmented across regional teams, identity state drifts away from actual need. Centralised workflows reduce that drift by making access decisions and revocation events part of one managed process rather than separate local procedures.

Practical implication: map every workforce identity type to one lifecycle process and remove region-specific provisioning exceptions.

Provisioning and deprovisioning workflows with ServiceNow and Workday

Provisioning workflows connect HR or service records to access action so new identities receive the right resources without manual ticket handling. Deprovisioning reverses that flow by revoking access and removing accounts when the user leaves or no longer needs them. In AES’s example, integration with Workday and ServiceNow is what turns lifecycle change into an enforceable identity event. The technical point is that access control becomes event-driven, but still governed by lifecycle policy, rather than left to ad hoc operator judgment.

Practical implication: tie identity provisioning and removal to authoritative lifecycle systems so access changes are triggered, not manually chased.

Least privilege and audit evidence in the same control path

Least privilege is only durable when access can be adjusted as roles change and when evidence of that adjustment is retained. AES highlights audit trails and reports from provisioning and deprovisioning events, which matters because governance teams need proof that access was granted for a reason and removed when that reason ended. This is the control path that links entitlement hygiene to compliance. Without that record, organisations can still automate, but they cannot reliably demonstrate control effectiveness during audit or incident review.

Practical implication: capture provisioning and deprovisioning logs as governance evidence, not just operational history.
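As an added example, not code from the original page, AES, SailPoint, Workday or ServiceNow, the following Python sketch shows the event-driven model the two sections above describe: an authoritative HR feed drives one reconciliation pass that grants and revokes entitlements against a role policy for employees and contractors alike, revokes orphaned accounts that no authoritative record justifies, and records every decision together with the triggering event as audit evidence. The role policy, record fields, function names and sample data are constructed assumptions.

```python
"""Joiner-mover-leaver reconciliation driven by an authoritative HR feed.

Added example, not AES, Workday, ServiceNow or SailPoint code. The HR
records, role policy and entitlement snapshot are constructed, and every
function and field name here is this example's own assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Least-privilege baseline: the only entitlements a role justifies.
# Anything held outside this set is drift and is revoked, not tolerated.
ROLE_POLICY = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "site-engineer": {"scada:read", "ticketing:write"},
    "contract-developer": {"git:write", "ci:read"},
}


@dataclass(frozen=True)
class HrRecord:
    worker_id: str
    worker_type: str        # employee | contractor | contingent
    status: str             # active | terminated
    role: Optional[str]
    effective: datetime     # when the authoritative system says it took effect


@dataclass
class AuditEvent:
    worker_id: str
    action: str             # grant | revoke
    entitlement: str
    reason: str             # joiner | mover | leaver | drift
    trigger: str            # authoritative event that justified the action
    at: datetime


def reconcile(hr_feed, current_state, now):
    """One reconciliation pass: return (desired_state, audit_events).

    desired_state maps worker_id -> entitlements the policy justifies now.
    Each grant/revoke carries the HR event that triggered it, so reviewers
    can reconstruct who got what, when and why.
    """
    events, desired = [], {}
    for rec in hr_feed:
        held = set(current_state.get(rec.worker_id, set()))
        trigger = f"hr:{rec.worker_type}:{rec.status}:{rec.effective.isoformat()}"
        if rec.status != "active":
            wanted, reason = set(), "leaver"          # nothing is justified
        else:
            wanted = set(ROLE_POLICY.get(rec.role, set()))
            reason = "joiner" if not held else "mover"
        for ent in sorted(wanted - held):
            events.append(AuditEvent(rec.worker_id, "grant", ent, reason, trigger, now))
        for ent in sorted(held - wanted):
            why = "leaver" if reason == "leaver" else "drift"
            events.append(AuditEvent(rec.worker_id, "revoke", ent, why, trigger, now))
        desired[rec.worker_id] = wanted
    # Accounts with no authoritative record at all are orphans: revoke everything.
    known = {r.worker_id for r in hr_feed}
    for wid, held in current_state.items():
        if wid not in known:
            for ent in sorted(held):
                events.append(AuditEvent(wid, "revoke", ent, "leaver", "hr:absent", now))
            desired[wid] = set()
    return desired, events


UTC = timezone.utc
NOW = datetime(2025, 12, 10, 9, 0, tzinfo=UTC)

HR_FEED = [  # constructed authoritative feed
    HrRecord("w1001", "employee", "active", "finance-analyst", datetime(2025, 12, 9, tzinfo=UTC)),
    HrRecord("c2002", "contractor", "terminated", "contract-developer", datetime(2025, 12, 10, 8, tzinfo=UTC)),
    HrRecord("w1003", "employee", "active", "site-engineer", datetime(2025, 12, 1, tzinfo=UTC)),
]
CURRENT_STATE = {  # constructed IGA snapshot before the pass
    "c2002": {"git:write", "ci:read"},
    "w1003": {"scada:read", "ticketing:write", "erp:read"},  # erp:read left over from an old role
    "x9999": {"vpn:access"},                                # orphan: not in the HR feed
}


def run_example():
    return reconcile(HR_FEED, CURRENT_STATE, NOW)


if __name__ == "__main__":
    for e in run_example()[1]:
        print(f"{e.at.isoformat()} {e.action:<6} {e.worker_id} {e.entitlement} "
              f"reason={e.reason} trigger={e.trigger}")
```

The design point is that no action in the pass depends on operator judgement: a terminated contractor and an orphaned account both lose everything, a mover loses only what the new role does not justify, and each record names the HR event that licensed the change, which is the evidence an auditor or incident responder later needs.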


NHI Mgmt Group analysis

Standardised lifecycle control is now the baseline, not the maturity goal. The AES example shows that manual, region-specific access handling creates predictable delay and inconsistency across workforce populations. Once organisations centralise identity lifecycle management, the conversation moves from whether to automate to whether exceptions are still justified. Practitioners should treat fragmented onboarding and offboarding as a control defect, not an operating preference.

Audit readiness depends on lifecycle traceability, not just policy intent. AES points to detailed provisioning and deprovisioning records as part of compliance support, which reflects a broader governance truth: access control is only defensible when teams can reconstruct who changed what, when, and why. That is especially relevant where contractors and contingent workers cycle rapidly through access states. Practitioners should tie entitlement governance to evidence generation from the start.

Identity lifecycle management is the shared control plane across human and non-human access. The same joiner, mover, and leaver discipline applies whether the subject is an employee, a contractor, or a service identity. The practical difference is not the governance model but the speed and volume of state changes, which is why centralised lifecycle orchestration matters across IAM and NHI programmes. Practitioners should align all identity types to one lifecycle policy baseline.

Lifecycle delay is a hidden access exposure window, and the industry still underestimates it. When access creation takes days, teams often accept stale entitlements and temporary exceptions as normal. That creates a governance gap between approved access and actual need, especially in fast-moving environments where role changes happen before revocation catches up. Practitioners should measure time-to-revoke with the same seriousness as time-to-provision.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why lifecycle automation without inventory discipline still leaves blind spots according to the same guide.
  • For a broader control baseline, see NHI Lifecycle Management Guide for the lifecycle practices that make provisioning and revocation measurable.

What this signals

Lifecycle automation is becoming a governance requirement rather than an efficiency upgrade. The AES pattern shows that identity programmes can no longer rely on regional queues and manual approvals if they want consistent control across workforce types. For teams running mixed human and non-human estates, the bigger signal is that lifecycle policy and workflow design now determine whether access remains aligned with actual business need.

Time-to-revoke should be treated as a security metric, not an operations metric. If organisations can measure provisioning speed, they can also measure how long risk persists after an exit or role change. That is the point where lifecycle governance intersects with auditability, and where a central identity programme starts to influence exposure rather than merely documenting it.


For practitioners

  • Centralise joiner-mover-leaver handling: Move employee, contractor, and contingent worker access changes into one governed workflow so regional variation does not determine entitlement quality. Use the same approval and revocation rules wherever possible.
  • Bind access changes to authoritative systems: Connect provisioning and deprovisioning to HR and service records such as Workday and ServiceNow so lifecycle events trigger identity action automatically rather than through manual ticket chasing.
  • Measure time-to-revoke as a control metric: Track how long access remains active after a role change or exit event, then compare that figure with your provisioning SLA and audit evidence requirements.
  • Preserve entitlement evidence for audit use: Keep provisioning and deprovisioning logs in a form that allows reviewers to reconstruct the full access decision chain during compliance checks or incident investigations.
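An added example, not the page's, AES's or SailPoint's code, of the metric the list above asks for: it reads constructed lifecycle audit lines, pairs each HR exit event with the last revocation recorded for that identity, treats an exit with no revocation as a still-open exposure window rather than dropping it, flags exits that needed a manual ticket, and reports breaches against an assumed 4-hour target taken from the figure AES cites. The log format, field names and sample lines are assumptions made for the example.

```python
"""Time-to-revoke as a control metric, computed from lifecycle audit logs.

Added example, not SailPoint's log format or AES's reporting. The JSON
lines, field names and the 4-hour target (borrowed from the figure AES
cites) are this example's own assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed log: one hr.exit event per leaver, then the access.revoke
# events the platform emitted. w1001 has an exit but no revocation yet.
AUDIT_LOG = """
{"ts":"2025-12-08T09:00:00Z","type":"hr.exit","subject":"c2002","source":"workday"}
{"ts":"2025-12-08T09:45:00Z","type":"access.revoke","subject":"c2002","entitlement":"git:write","mode":"auto"}
{"ts":"2025-12-08T10:10:00Z","type":"access.revoke","subject":"c2002","entitlement":"ci:read","mode":"auto"}
{"ts":"2025-12-08T17:00:00Z","type":"hr.exit","subject":"w1003","source":"workday"}
{"ts":"2025-12-09T11:00:00Z","type":"access.revoke","subject":"w1003","entitlement":"scada:read","mode":"manual","ticket":"INC0012"}
{"ts":"2025-12-09T12:00:00Z","type":"access.revoke","subject":"w1003","entitlement":"ticketing:write","mode":"manual","ticket":"INC0012"}
{"ts":"2025-12-09T08:00:00Z","type":"hr.exit","subject":"w1001","source":"workday"}
"""

NOW = datetime(2025, 12, 10, 9, 0, tzinfo=timezone.utc)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_to_revoke(log_text, now, sla_hours=4.0):
    """Per leaver: hours from HR exit to the last revocation (or to `now`
    if access is still live), whether any step needed a manual ticket, and
    whether the target was breached. Unclosed windows count against it."""
    exits, last_revoke, manual = {}, {}, set()
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        t = parse_ts(ev["ts"])
        if ev["type"] == "hr.exit":
            exits[ev["subject"]] = t
        elif ev["type"] == "access.revoke":
            # Only the last revocation closes the window; earlier ones narrow it.
            last_revoke[ev["subject"]] = max(t, last_revoke.get(ev["subject"], t))
            if ev.get("mode") == "manual":
                manual.add(ev["subject"])
    results = {}
    for subject, exit_at in exits.items():
        # A revocation dated before the exit does not close this exit's window.
        closed = subject in last_revoke and last_revoke[subject] >= exit_at
        end = last_revoke[subject] if closed else now
        hours = (end - exit_at).total_seconds() / 3600
        results[subject] = {
            "hours": round(hours, 2),
            "open": not closed,
            "manual": subject in manual,
            "breach": hours > sla_hours,
        }
    return results


def summarize(results):
    """Programme-level view: how many exits breached the target, how many
    are still open, and how many depended on manual exceptions."""
    return {
        "leavers": len(results),
        "breaches": sum(1 for r in results.values() if r["breach"]),
        "still_open": sum(1 for r in results.values() if r["open"]),
        "manual_exceptions": sum(1 for r in results.values() if r["manual"]),
        "max_hours": max((r["hours"] for r in results.values()), default=0.0),
    }


if __name__ == "__main__":
    per_leaver = time_to_revoke(AUDIT_LOG, NOW)
    for subject, r in per_leaver.items():
        print(subject, r)
    print(summarize(per_leaver))
```

Two choices matter for the number to be honest as a security metric: the clock stops at the last revocation, not the first, because partial removal still leaves live access; and an exit with no revocation at all keeps accruing hours against the current time instead of disappearing from the report.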

Key takeaways

  • AES illustrates that fragmented lifecycle processes create avoidable identity risk across workforce populations.
  • The strongest evidence here is operational: access creation and removal can move from days to under 4 hours when workflows are centralised.
  • Identity teams should measure revocation speed and evidence quality with the same discipline they apply to access request fulfilment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01, PR.AA-05 (CSF 1.1: PR.AC-1) | Managing identities and credentials, and defining, enforcing and reviewing access permissions under least privilege, map directly to lifecycle provisioning and removal.
NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on continuous access validation across changing user states.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Timely revocation of credentials and access when an identity is retired is central to non-human identity governance.

Tie joiner-mover-leaver workflows to identity events and revoke access automatically on exit.


Key terms

  • Identity lifecycle management: Identity lifecycle management is the governed process for creating, changing, reviewing, and removing access as roles and business relationships change. In practice, it links authoritative source data to access decisions so entitlements stay aligned with need and can be revoked cleanly when the relationship ends.
  • Deprovisioning: Deprovisioning is the controlled removal of accounts, entitlements, and access paths when they are no longer required. It is a security control as much as an administrative step, because delayed revocation leaves active access in place after the business need has ended.
  • Least privilege: Least privilege means granting only the access needed for a specific role or task, then reducing or removing it when circumstances change. In lifecycle programmes, it depends on timely entitlement adjustment, not just careful initial approval, because stale access becomes excessive access over time.

Deepen your knowledge

NHI governance, identity lifecycle management, secrets management, and workload identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.

This post draws on content published by SailPoint: AES wins CSO Award for transformative identity security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org