TL;DR: BJ’s Wholesale Club says automation around onboarding and offboarding reduced manual access ticket volume by 80%, improving employee experience and lowering identity risk according to SailPoint. The real lesson is that workflow automation only helps when it is tied to lifecycle governance, not treated as a substitute for access control discipline.
At a glance
What this is: BJ’s Wholesale Club describes using identity automation to streamline access processes and cut manual access tickets by 80%.
Why it matters: IAM teams can improve lifecycle governance for human, NHI, and autonomous-agent identities by reducing manual processing, but only if automation is backed by clear offboarding, review, and privilege controls.
By the numbers:
- BJ’s Wholesale Club reduced manual access ticket count by 80% through automation, according to SailPoint.
👉 Read SailPoint's blog on BJ's identity automation and access ticket reduction
Context
Identity automation is often presented as a productivity win, but the governance question is simpler: does it actually improve control over access across the full lifecycle? In this case the subject is identity security, and the core issue is how automation changes onboarding, offboarding, and routine access handling for employees.
BJ’s Wholesale Club uses the example to show that manual ticket handling can be reduced when identity workflows are automated. That is a useful operational signal for IAM teams, but it does not remove the need for lifecycle governance, access reviews, or privilege discipline.
For practitioners, the relevant test is whether automation shortens the time between a change in employment status and a corresponding access change. If it does, it lowers risk; if it only speeds up approvals without improving governance, it simply moves the bottleneck elsewhere.
Key questions
Q: How should security teams automate onboarding and offboarding without losing control?
A: Security teams should automate onboarding and offboarding by tying workflow triggers to authoritative identity events, approved role models, and explicit revocation logic. The goal is not to remove governance, but to make policy execution repeatable. Automation should shorten processing time while preserving evidence, ownership, and exception handling across applications and entitlements.
Q: Why does access automation improve IAM programmes only when governance is already defined?
A: Access automation improves IAM programmes when the underlying roles, approvals, and revocation rules are already clear. If the policy model is weak, automation only accelerates bad decisions. The strongest programmes use automation to enforce lifecycle rules consistently and to reduce delays between a change in status and a change in access.
Q: What breaks when organisations automate ticket handling but not entitlement design?
A: When organisations automate ticket handling without fixing entitlement design, they scale the speed of access decisions while leaving overprovisioning, exceptions, and stale access intact. The process looks efficient, but risk remains embedded in the roles and approval paths. True improvement comes from aligning automation with a tighter access model.
Q: Who is accountable when automated access changes fail an audit or create privilege drift?
A: Accountability stays with the IAM, IGA, and application owners who define the policy and approve the workflow design. Automation executes the process, but it does not own the decision. If audit evidence is missing or access drift appears, the control gap is in governance design, not in the mere use of automation.
Technical breakdown
How identity workflow automation reduces access ticket volume
Identity workflow automation removes repetitive manual steps from common access tasks such as onboarding, offboarding, and routine entitlement changes. Instead of routing every request through a human ticket queue, predefined workflows can trigger approvals, provision accounts, and deprovision access based on identity lifecycle events. The technical value is not just speed. It is consistency, because the same policy executes the same way every time. That reduces delay, inconsistency, and the chance that access lingers after a role change.
Practical implication: map your highest-volume access tasks to workflow automation first, then measure whether the process actually shortens time-to-revoke and time-to-provision.
Why onboarding and offboarding are the highest-value lifecycle points
Onboarding and offboarding are the points where identity governance is most exposed to human delay. During onboarding, teams need access ready without overprovisioning. During offboarding, access must be removed quickly enough that former users cannot continue to reach systems. Automation helps because it ties identity state to policy execution rather than waiting for manual follow-up. That makes lifecycle control more reliable, especially when teams or systems are distributed across business units.
Practical implication: treat onboarding and offboarding as priority workflows and validate that termination events trigger revocation, not just account closure requests.
What automation does not solve in identity security
Automation can accelerate access handling, but it does not decide whether the access model is correct. If roles are too broad, approvals are weak, or exceptions are permanent, automated workflows simply issue bad access faster. Identity security still depends on governance, entitlement design, and periodic review. In other words, automation is an execution layer. It is not a substitute for deciding who should have access, for how long, and under what conditions.
Practical implication: review role design and exception handling before expanding automation, otherwise you will scale entitlement sprawl instead of control.
NHI Mgmt Group analysis
Automation improves identity operations only when lifecycle policy is already sound. BJ’s example shows the operational upside of reducing manual ticket handling, but the deeper lesson is governance related: faster workflows are valuable only when provisioning and deprovisioning rules are already well defined. Automation can reduce friction, yet it can also hide weak entitlement design if teams mistake speed for control. Practitioners should view automation as an enforcement mechanism, not a governance substitute.
Access ticket reduction is a useful efficiency metric, but it is not a security outcome by itself. An 80% drop in manual tickets shows that work left the manual queue, not necessarily that access risk fell in every case. Identity programmes should measure whether automation reduces stale access, shortens offboarding time, and improves policy consistency. The important question is whether the same change would hold up under audit pressure and exception handling.
Identity lifecycle automation matters most where human delay creates control drift. Onboarding and offboarding are the moments when access either aligns with policy or drifts away from it. BJ’s use case reinforces that lifecycle workflows are where IAM, IGA, and PAM programmes intersect most directly. The practitioner takeaway is to automate the lifecycle first, then prove that the controls behind it still reflect actual role and privilege boundaries.
Workflow automation is the operational layer of identity governance, not the governance model itself. Organisations often automate the ticket, not the entitlement decision, and that leaves the underlying access model untouched. That distinction matters across human identity and NHI programmes alike. Whether the subject is an employee, service account, or agent, automation only works when the policy engine, ownership model, and revocation rules are already clear.
Lifecycle discipline is what makes identity automation defensible at scale. When manual handling dominates, access decisions become inconsistent and slow. When lifecycle rules are codified, automation can enforce them repeatedly without adding administrative drag. The practitioner conclusion is straightforward: the value is in making the policy executable, not in automating a broken process.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For a broader lifecycle view, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to work together.
What this signals
Automation is becoming the execution layer for identity governance, but the governance model still has to decide who gets access, when it is removed, and how exceptions are controlled. The underlying principle is lifecycle compression: the shorter the time between a status change and an access change, the less room there is for stale privilege to persist. That is why identity programmes should connect workflow automation to measurable revocation outcomes, not just ticket reduction.
The operational signal for IAM leaders is that manual queues are no longer the right place to measure progress. If access is being automated, the real question is whether entitlement decisions are becoming more accurate and easier to audit. The NHI Lifecycle Management Guide is a useful reference when teams need to align lifecycle policy with automation.
For broader governance alignment, the NIST Cybersecurity Framework 2.0 remains relevant because identity automation only has value when it supports protect, detect, and respond functions rather than masking unresolved access design issues. In practice, organisations with automated workflows still need strong evidence of access removal, exception handling, and ownership.
For practitioners
- Automate the highest-volume lifecycle tasks first. Start with onboarding and offboarding workflows that currently depend on manual tickets. Measure how long it takes to provision access, revoke access, and close exceptions after a status change.
- Validate revocation, not just provisioning. Confirm that deprovisioning actually removes access from applications, groups, and downstream entitlements instead of only closing the front-end request record.
- Review role design before expanding automation. Check whether automated workflows are issuing overly broad access because roles and approval paths were never tightened. Fix the policy model before increasing volume.
- Use automation to support auditability. Capture who approved each lifecycle change, what policy triggered it, and what access was removed so access reviews can rely on evidence rather than ticket history.
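As an added example (not SailPoint's or BJ's code, and not part of the original post), the Python below sketches the control described in the Technical breakdown and in these practitioner steps: a lifecycle reconciler that derives expected entitlements from an assumed role model and authoritative HR status, revokes downstream groups and application access rather than only closing the request, records evidence of what triggered each change and under which policy, and measures time-to-revoke. The role model, identities and event timings are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed role model (illustrative, not BJ's): role -> entitlements it grants.
ROLE_MODEL = {
    "store_associate": {"app:pos", "group:store-staff"},
    "store_manager": {"app:pos", "group:store-staff", "app:scheduling", "group:managers"},
}

@dataclass
class Identity:
    uid: str
    status: str        # authoritative HR state: "active" or "terminated"
    roles: set
    entitlements: set  # what the target systems actually hold right now
    audit: list = field(default_factory=list)

def expected_entitlements(identity):
    """Policy: terminated identities hold nothing; active ones hold exactly their roles' grants."""
    if identity.status != "active":
        return set()
    return set().union(*(ROLE_MODEL.get(r, set()) for r in identity.roles))

def stale_access(identity):
    """Control check: entitlements held beyond what current status and roles justify."""
    return identity.entitlements - expected_entitlements(identity)

def reconcile(identity, event_time, applied_at, trigger, policy="lifecycle-v1"):
    """Enforce policy on held entitlements, log evidence; returns (revoked, granted, seconds to change)."""
    target = expected_entitlements(identity)
    revoked, granted = identity.entitlements - target, target - identity.entitlements
    for action, ents in (("revoke", revoked), ("grant", granted)):
        for ent in sorted(ents):
            identity.audit.append({"uid": identity.uid, "action": action, "entitlement": ent,
                                   "trigger": trigger, "policy": policy,
                                   "event_time": event_time.isoformat(),
                                   "applied_at": applied_at.isoformat()})
    identity.entitlements = set(target)  # downstream state now matches policy
    return revoked, granted, (applied_at - event_time).total_seconds()

def demo():
    """Constructed scenario: a demoted manager, and a leaver whose ticket closed but access stayed."""
    event = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)
    mover = Identity("u1", "active", {"store_associate"}, set(ROLE_MODEL["store_manager"]))
    leaver = Identity("u2", "terminated", set(), {"app:pos", "group:store-staff"})
    stale_before = sorted(stale_access(leaver))  # the request record is closed, the groups remain
    mover_result = reconcile(mover, event, event + timedelta(minutes=5), "hr:role-change")
    leaver_result = reconcile(leaver, event, event + timedelta(hours=2), "hr:termination")
    return {"stale_before": stale_before, "mover": mover_result, "leaver": leaver_result,
            "identities": (mover, leaver)}
```

Running `stale_access` over every terminated identity is the check that distinguishes a closed ticket from actual revocation, and the third element of each `reconcile` result is the time-to-revoke metric the text asks teams to measure.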
Key takeaways
- Automation reduces identity friction, but it only improves security when onboarding and offboarding rules are already defined.
- An 80% reduction in manual access tickets is an efficiency gain, not proof that privilege risk has been eliminated.
- The control that matters is not the ticket queue, but whether automated lifecycle workflows actually remove stale access and preserve audit evidence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Automated lifecycle workflows are directly tied to credential rotation and revocation discipline. |
| NIST CSF 2.0 | PR.AC-1 | Identity automation affects how access is provisioned and removed across systems. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous access decisions, which automation can support if policy is strict. |
Use NHI-03 to validate that automation still enforces timely rotation and revocation across accounts.
Key terms
- Identity workflow automation: Identity workflow automation is the use of policy-driven processes to handle recurring access tasks without manual ticket handling. It can provision, modify, or revoke access based on lifecycle events, but it only improves security when the underlying entitlement rules and approvals are already well designed.
- Offboarding: Offboarding is the process of removing access when a user, contractor, or other identity no longer needs it. In identity governance, offboarding is a control point, not an administrative formality, because delayed revocation is one of the most common ways access persists beyond its intended purpose.
- Lifecycle governance: Lifecycle governance is the discipline of managing access from joiner to mover to leaver events so privileges match current need. It spans provisioning, approval, review, and revocation, and it matters because automation only becomes defensible when those policy decisions are consistently enforced.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: BJ’s Wholesale Club Delivers Savings and Automation with Identity Security. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org