By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: General Motors describes how it is using identity security to reduce certification fatigue, automate joiner mover leaver processes, support a remote workforce, and apply risk-based approvals as it modernises for electrification and autonomy, according to SailPoint. The central lesson is that identity governance has to absorb scale, speed, and operational change rather than treat them as exceptions.


At a glance

What this is: This is SailPoint’s short blog on General Motors’ identity security programme, highlighting automation, certification fatigue reduction, and risk-based approvals.

Why it matters: It matters because large enterprises with mixed human and non-human access need governance models that keep pace with workforce change, operational scale, and expanding automation.

👉 Read SailPoint's blog on General Motors' identity security approach


Context

Identity security fails when governance processes cannot keep pace with the volume and variability of access. In a large enterprise, that shows up as certification fatigue, slow joiner mover leaver handling, and approvals that depend too much on manual review.

This GM example is a human IAM and lifecycle story first, but it also points to the broader challenge identity teams face across service accounts, automation, and emerging AI-driven decisioning. The practical question is not whether to automate, but where automation can reduce drag without weakening accountability.


Key questions

Q: How should organisations reduce certification fatigue in IAM programmes?

A: Start by reducing the number of items that enter review. Automate low-risk joiner mover leaver changes, remove duplicate entitlements from recertification cycles, and reserve human approval for privileged, sensitive, or unusual access. The goal is not to eliminate review, but to make it decision-quality again.

Q: When do risk-based approvals improve identity governance?

A: They work best when entitlement data is clean, ownership is defined, and access patterns are well understood. In that environment, the approval engine can route routine access automatically while escalating exceptions. Without those foundations, risk-based approvals can simply automate inconsistency.

Q: What do identity teams get wrong about automation in access governance?

A: They often treat automation as a substitute for governance rather than a way to make governance scalable. Automation still depends on clear policy, accurate entitlement data, and accountable reviewers. If those inputs are weak, faster workflows only amplify bad decisions.

Q: How can IAM teams support remote work without weakening access control?

A: Use identity as the primary control plane, with access decisions driven by role, business need, and risk rather than physical location. That lets teams support distributed work while keeping approvals auditable and consistent across systems and geographies.


Technical breakdown

Joiner mover leaver automation and certification fatigue

Joiner mover leaver automation reduces the number of manual steps required to grant, modify, and remove access as people change roles or leave the organisation. Certification fatigue appears when reviewers are asked to approve too many entitlements too often, which lowers the quality of decisions and encourages rubber-stamping. In mature IAM programmes, automation does not replace governance. It narrows the review set, routes exceptions, and keeps access changes moving at the pace of the business while preserving auditability.

Practical implication: reduce review volume by automating routine access changes and focusing human review on exceptions and high-risk entitlements.

Risk-based approvals in identity governance

Risk-based approval models use contextual signals such as role, system sensitivity, and access pattern to decide whether a request should be auto-approved, escalated, or rejected. This is useful when the environment is too large for uniform manual handling. The control point shifts from approving everything equally to proving that the policy behind each approval path is defensible. Done well, risk-based approvals improve consistency, but they still depend on accurate data, clean role models, and clear ownership.

Practical implication: define approval rules by risk tier, then validate them against real access requests before relying on them for production governance.
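One concrete shape for the risk-tiered routing described in this section, together with the "narrow the review set" point under the joiner mover leaver heading above, as an added example that is not SailPoint's or GM's code: the system tiers, role model, privileged set and request history are all constructed assumptions, and the validation pass is the pre-production check the page recommends.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
# Constructed governance data (assumptions, not GM's real model): system tiers,
# expected entitlements per role, and privileged entitlements.
SYSTEM_TIER = {"wiki": "low", "erp": "high", "pki": "critical"}
ROLE_ENTITLEMENTS = {"engineer": {"wiki:edit", "erp:read"},
                     "finance": {"wiki:edit", "erp:post"}}
PRIVILEGED = {"erp:admin", "pki:issue"}

@dataclass
class Request:
    user: str
    role: str
    entitlement: str     # "<system>:<permission>"
    recent_denials: int  # crude access-pattern signal: prior denials in the window

def is_high_risk(entitlement: str) -> bool:
    """Privileged entitlements and critical systems are never auto-approval candidates."""
    system = entitlement.split(":", 1)[0]
    return entitlement in PRIVILEGED or SYSTEM_TIER.get(system) == "critical"

def route(req: Request) -> str:
    """Return 'auto', 'escalate' or 'reject' for a single access request."""
    if req.entitlement.split(":", 1)[0] not in SYSTEM_TIER:
        return "reject"  # unowned system: a data-hygiene gap, not something to automate
    if is_high_risk(req.entitlement):
        return "escalate"  # privileged or critical: always a human decision
    expected = req.entitlement in ROLE_ENTITLEMENTS.get(req.role, set())
    if expected and req.recent_denials == 0:
        return "auto"  # routine access that matches the role model
    return "escalate"  # unusual for the role, or a suspicious pattern

def validate(rules: Callable[[Request], str], history: List[Request]) -> Dict[str, object]:
    """Backtest rules over past requests: volume per path, plus a check that nothing high-risk would auto-approve."""
    counts = {"auto": 0, "escalate": 0, "reject": 0}
    leaks = []
    for req in history:
        decision = rules(req)
        counts[decision] += 1
        if decision == "auto" and is_high_risk(req.entitlement):
            leaks.append(req.entitlement)
    return {"counts": counts, "auto_share": counts["auto"] / len(history), "high_risk_auto": leaks}

# Constructed historical requests to validate the rules against before production use.
SAMPLE_HISTORY = [
    Request("alice", "engineer", "wiki:edit", 0), Request("bob", "engineer", "erp:read", 0),
    Request("carol", "finance", "erp:post", 0), Request("dave", "engineer", "erp:post", 0),
    Request("erin", "finance", "erp:admin", 0), Request("frank", "engineer", "pki:issue", 0),
    Request("grace", "engineer", "wiki:edit", 2), Request("heidi", "engineer", "legacy:read", 0),
]
```

Running `validate(route, SAMPLE_HISTORY)` on this data routes three of eight requests automatically and the rest to a human, with an empty `high_risk_auto` list; a non-empty list is the signal that the rules are not ready for production.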

Identity governance for remote work and business transformation

Remote work increases the dependence on identity as the primary control plane for access, because network location no longer tells you much about trust. At the same time, business changes such as electrification, new product lines, and broader automation increase the number of systems, collaborators, and access paths that identity teams must govern. The result is a governance problem, not just an authentication problem. Access policy has to remain understandable to reviewers while still flexible enough to support fast operational change.

Practical implication: align identity governance to business transformation programmes so access policy evolves with new operating models instead of lagging behind them.


NHI Mgmt Group analysis

Automation is not a convenience layer in identity governance; it is the only way large enterprises avoid review collapse. When access volumes rise, manual certification becomes a bottleneck that weakens control quality as much as it slows operations. The important point is not that automation is faster, but that it keeps governance decisions reviewable at enterprise scale. Practitioners should treat manual-only governance as a structural limit, not a preferred operating model.

Certification fatigue is a control failure, not a user-behaviour problem. Repeated low-value review tasks train approvers to treat access certification as administrative noise rather than risk decisioning. That degrades the integrity of the entire access review process. The practitioner conclusion is to shrink the review surface and reserve human judgment for exceptions, privileged access, and unusual entitlements.

Risk-based approvals represent the right direction for modern IAM, but only when the underlying access model is clean. If role definitions, ownership, and entitlement data are inconsistent, automated approvals simply accelerate bad decisions. The discipline required here is governance hygiene before policy optimisation. Teams should validate data quality and access patterns before trusting automation at scale.

Business transformation changes the identity problem faster than most governance cycles do. Electrification, autonomy, and hybrid working expand both the number of identities and the complexity of entitlements. That means identity programmes cannot be organised around static operating assumptions. Practitioners need governance that can absorb organisational change without reintroducing manual choke points.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • For the governance side of this topic, the NHI Lifecycle Management Guide shows where lifecycle discipline closes the gap between policy intent and access reality.

What this signals

Certification fatigue is the leading indicator that identity governance has outgrown its operating model. When review cycles become too broad, the programme stops distinguishing meaningful risk from administrative churn. Teams should watch for rising approval volume, declining reviewer quality, and long-lived exceptions as signs that governance needs redesign, not another round of reminders.

Risk-based automation changes the IAM operating model only when entitlement data is reliable. If role ownership, business context, or access lineage is incomplete, automation will inherit that weakness at scale. The practical signal is simple: if access decisions cannot be explained clearly after the fact, the approval logic is not ready for wider use.

As identity programmes expand into automation and machine access, lifecycle discipline becomes the common control language across human users, NHIs, and emerging autonomous systems. The more heterogeneous the environment becomes, the more important it is to keep governance rules legible, reviewable, and tied to business accountability.


For practitioners

  • Automate repetitive joiner mover leaver tasks: Use workflow automation to standardise routine provisioning, entitlement changes, and deprovisioning so reviewers focus on exceptions and high-risk access rather than every transaction.
  • Reduce certification fatigue by narrowing the review set: Limit access recertification to material entitlements, privileged roles, and unusual access paths, and retire broad review cycles that generate low-value approvals.
  • Build risk-based approval rules from governed data: Define approval logic using trusted role, system, and business context data, then test the rules against real requests before moving them into production.
  • Align identity controls to transformation programmes: Review access governance whenever the organisation changes operating model, expands automation, or introduces new business lines so policy does not lag behind execution.

Key takeaways

  • General Motors’ example shows that identity security becomes a business enabler only when governance can scale without overwhelming reviewers.
  • Certification fatigue and manual access handling are not just inefficiencies; they are signals that the IAM operating model needs redesign.
  • Automation should narrow the review surface and improve decision quality, not replace the accountability structure behind access governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework        Control / Reference   Relevance
NIST CSF 2.0     PR.AC-1               Access rights management is central to GM's automation and certification approach.
NIST CSF 2.0     PR.AC-4               Least privilege is the anchor for reducing review noise and approval fatigue.
NIST SP 800-63   (lifecycle controls)  Identity proofing and lifecycle controls matter where human access changes are governed.

Pair strong identity lifecycle processes with governance that keeps access decisions auditable.


Key terms

  • Certification Fatigue: Certification fatigue is the loss of attention and judgement that happens when reviewers are asked to approve too many access entitlements too often. Over time, the process becomes box ticking rather than risk management, so the control weakens even if the workflow still exists.
  • Joiner Mover Leaver Process: A joiner mover leaver process governs how access is created, changed, and removed as people enter, shift roles, or leave the organisation. It is a lifecycle control, not a single workflow, and its strength depends on timely updates, clear ownership, and accurate entitlement mapping.
  • Risk-Based Approval: A risk-based approval is an access decision that changes depending on the sensitivity of the request, the identity involved, and the business context. Instead of treating every request the same, it uses policy and risk signals to decide whether automation, escalation, or rejection is appropriate.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: General Motors takes us on a ride with identity security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org