TL;DR: Automation fails when teams layer it on undocumented, measurement-blind workflows, according to JumpCloud and cited research from S&P Global Market Intelligence, Ernst & Young, Gartner, and McKinsey. The practical lesson is that process standardisation, measurement, and control must come before workflow automation, or inefficiency and exceptions scale instead of shrinking.
At a glance
What this is: This is an analysis of why automation often makes bad IT workflows worse, with a DMAIC-first case for standardising processes before automating them.
Why it matters: It matters because IAM, lifecycle, and access teams often automate onboarding, approvals, and reclamation before the underlying process is measurable and controlled, which can scale operational risk across human and non-human identities.
By the numbers:
- Automation project abandonment rates jumped from 17% to 42% in a single year.
- 30 to 50% of RPA scripts break immediately after deployment.
- 60% of AI initiatives will be abandoned through 2026 due to untrustworthy outputs.
👉 Read JumpCloud's analysis of why broken processes break automation
Context
Automation in identity and IT operations fails most often when teams speed up a process that was never properly defined, measured, or controlled. The result is not just faster execution, but faster propagation of the same hidden gaps across onboarding, approvals, ticket routing, and access changes.
For IAM practitioners, the key question is not whether a workflow can be automated. It is whether the underlying process is stable enough to survive automation without multiplying exceptions, audit gaps, and control failures. That same sequencing discipline applies across human identity lifecycle, NHI governance, and autonomous system access when workflows are poorly structured.
Key questions
Q: What breaks when teams automate an undocumented workflow?
A: Undocumented workflows break because automation removes the human judgement that was compensating for missing inputs, unclear handoffs, and inconsistent approvals. Once that safety net disappears, exceptions become hard failures. The result is usually more rework, more audit gaps, and more operational noise, not less.
Q: Why should process standardisation come before automation in IAM?
A: Process standardisation comes first because automation scales whatever exists, including ambiguity. In IAM, that means onboarding, access requests, and lifecycle changes must have clear triggers, ownership, and success criteria before they are scripted. Otherwise, the automation layer simply makes existing inconsistency faster and harder to recover from.
Q: How do security teams know a workflow is ready for automation?
A: A workflow is ready when the team can define it clearly, measure its current performance, analyse its failure points, and show that exceptions are rare and understood. If the process still depends on tribal knowledge or ad hoc human intervention, automation is premature.
Q: What should teams do when automation starts creating more exceptions?
A: Treat the exceptions as evidence that the underlying process is unstable. Pause expansion, identify which data, handoff, or approval step is failing, and redesign the workflow before adding more automation. A rollback plan and audit trail should be in place before the next deployment.
Technical breakdown
Why automating undocumented workflows scales failure
Automation removes the human safety net that often masks weak process design. In manual operations, people absorb exceptions, fill missing data, and compensate for unclear handoffs. Once a workflow is automated, those compensating behaviours disappear, so incomplete inputs, inconsistent approvals, and fragmented ownership become hard failures instead of manageable delays. This is why script-based automation often performs well in a demo but breaks in production. The mechanism is not the tool itself, but the process debt underneath it. Practical implication: map exception paths and data dependencies before automating any identity or operations workflow.
Practical implication: Map exception paths and data dependencies before automating any identity or operations workflow.
DMAIC and workflow standardisation before automation
DMAIC stands for Define, Measure, Analyze, Improve, and Control. It is useful because it forces teams to establish a baseline, identify root causes, redesign the process, and then lock in monitoring before automating execution. In identity programmes, this means defining onboarding or access changes in measurable terms, measuring handoff delays, analysing where approvals or triggers fail, and only then introducing orchestration. The value is sequencing: automation becomes the last step in process engineering, not the first response to operational pain. Practical implication: treat workflow automation as a control layer built on process maturity, not as a substitute for it.
Practical implication: Treat workflow automation as a control layer built on process maturity, not as a substitute for it.
Control, rollback, and audit history in automated operations
Automation only stays reliable when teams add control mechanisms after deployment. That includes log review, rollback planning, exception handling, and audit history that proves what happened when a workflow misfired. Without those controls, the organisation loses visibility into timing drift, broken triggers, and silent failures that can affect access provisioning or licence reclamation. The control phase is especially important in identity operations because automation mistakes can create security and compliance exposure as well as service disruption. Practical implication: require monitoring and rollback criteria for every automated identity or access workflow.
Practical implication: Require monitoring and rollback criteria for every automated identity or access workflow.
NHI Mgmt Group analysis
Automation exposes process debt before it delivers efficiency. The article’s core lesson is that workflow automation does not fix broken operational design, it makes the break visible at scale. That is why undocumented steps, weak handoffs, and unmeasured exceptions cause so many automation programmes to fail after deployment. For identity teams, the practitioner conclusion is simple: process maturity is the prerequisite, not the by-product, of automation.
Sequencing is the control plane, not the tool choice. The difference between a useful automation programme and a brittle one is whether the organisation can define the target state before it scripts it. DMAIC is valuable here because it forces Define and Measure to happen before Improve. For IAM and lifecycle teams, that means no workflow should be automated until the underlying state, ownership, and success criteria are explicit.
Standardisation is the real scaling mechanism. Automation accelerates whatever exists, including variation. When teams standardise onboarding, access requests, and lifecycle events first, the automation layer can reliably execute instead of improvising around ambiguity. The implication is that the hardest work is usually upstream of the bot or workflow engine, and that is where governance effort belongs.
Identity programmes fail when they confuse speed with control. Faster access provisioning, entitlement changes, or ticket handling can create an illusion of maturity while the process underneath remains fragile. The right question is not how much faster a workflow runs, but whether the organisation can prove the workflow is correct, repeatable, and recoverable. Practitioners should treat control evidence as part of the automation design, not an afterthought.
Process-first automation is becoming a governance baseline across human and non-human identity. The same sequencing problem appears in human onboarding, NHI lifecycle management, and agent-triggered access flows: if the workflow is unclear, automation turns ambiguity into scale. Teams that recognise this will design governance around measurable process readiness rather than around tool adoption alone. Practitioners should align automation with lifecycle discipline across the identity estate.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which shows how often control maturity is overstated.
- For the process-first perspective on non-human identity governance, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs.
What this signals
Process maturity is becoming the real gating factor for automation success. Teams that automate before they standardise will keep discovering that speed magnifies exceptions as quickly as it reduces cycle time. The practical signal is to treat workflow readiness as a governance metric, not an implementation detail, and to use NIST Cybersecurity Framework 2.0 to anchor control, detect, and recover functions around the workflow itself.
Automation debt is now a lifecycle issue, not just an operations issue. Once automation touches onboarding, access changes, or entitlement reclamation, every process weakness becomes an identity control weakness as well. That is why the lifecycle guide matters here: it helps teams distinguish a repeatable identity process from one that merely appears efficient when humans are patching the gaps.
Workflow redesign should precede any scaling plan. The 88.5% non-human IAM maturity gap in our research is a useful warning sign for broader identity programmes: the organisation may be layering execution speed on top of weak governance. The next step is to identify which access and lifecycle workflows can be standardised before they are automated further.
For practitioners
- Define the workflow in measurable terms first. Rewrite each candidate automation into a precise problem statement, a start condition, a success measure, and a failure condition before any tool is configured.
- Measure the current process before redesigning it. Capture handoff delays, exception counts, manual touchpoints, and approval latency so you can prove whether automation improves the workflow or just accelerates noise.
- Analyse root causes, not symptoms. Separate process friction caused by missing data, fragmented ownership, or disconnected triggers from the visible delay that leadership wants fixed.
- Build control and rollback into every automated flow. Require logging, exception handling, and a rollback plan for provisioning, access changes, and lifecycle workflows so failures are visible and recoverable.
- Standardise before you scale across identity domains. Use a consistent workflow design for onboarding, access requests, and entitlement changes so automation does not amplify different local variants of the same process.
Key takeaways
- Automation makes weak workflows fail faster, because it removes the human safety net that previously absorbed exceptions.
- The evidence is consistent across research: abandoned automation, broken scripts, and overstated confidence all point to process debt, not tool deficiency.
- Teams should standardise, measure, and control a workflow before automating it, especially when the workflow touches identity and access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Automation failures stem from unclear process ownership and operating context. |
| NIST CSF 2.0 | PR.AC-4 | Identity workflows here affect access control, onboarding, and entitlement changes. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Automation of identity workflows can create unmanaged non-human access paths. |
Define workflow ownership and success criteria before scaling automation across identity operations.
Key terms
- Process debt: Process debt is the accumulation of undocumented steps, inconsistent handoffs, and manual workarounds that make a workflow fragile. In identity operations, it shows up as hidden exceptions, unclear ownership, and poor measurement that automation later amplifies rather than removes.
- Workflow standardisation: Workflow standardisation is the act of defining a repeatable process with clear triggers, inputs, outputs, and ownership before scaling it. For identity teams, it is the step that makes automation reliable because the system is operating on a known pattern, not a local variation.
- Control phase: The control phase is the part of a process discipline where monitoring, logging, rollback, and review keep an improved workflow stable over time. In identity and access programmes, it is what turns a one-time automation into an auditable, recoverable operational control.
- Exception path: An exception path is the route a workflow takes when the normal process cannot complete because data is missing, a rule does not fit, or ownership is unclear. Mature automation design must account for exception paths explicitly, because they are where fragile workflows usually fail first.
What's in the full article
JumpCloud's full blog post covers the operational detail this post intentionally leaves for the source:
- A step-by-step DMAIC application for workflow redesign before automation.
- Practical automation recipes for identity, device, and access operations.
- Scoring models for deciding which workflows are ready to automate.
- Financial modelling guidance for evaluating automation trade-offs.
👉 JumpCloud's full post covers the DMAIC workflow, redesign logic, and automation recipes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org