TL;DR: Hershey modernised identity security after its legacy IGA system, built in 2004, became maintenance-heavy, ticket-driven, and unable to keep pace with more than 45,000 identities, 230 applications, and deprovisioning demands, according to SailPoint. The case shows that identity programmes fail when governance, HR data quality, and lifecycle execution are allowed to drift apart.
At a glance
What this is: Hershey replaced a legacy identity governance platform after operational drag, deprovisioning issues, and scaling limits made the old model unsustainable.
Why it matters: IAM teams should read this as a lifecycle governance story, because the same failure modes that break human joiner-mover-leaver processes also undermine non-human identity and machine access control.
By the numbers:
- Hershey's team often faced backlogs of 400 to 600 tickets in the queue.
👉 Read SailPoint's blog on Hershey's identity security modernisation
Context
Identity governance breaks down when the operating model no longer matches the scale of the business. In this case, the issue was not a new threat or a novel attack technique, but the growing gap between a 2004-era IGA platform and the reality of modern joiner-mover-leaver operations across human and machine identities.
Hershey's migration shows a familiar pattern for IAM leaders: once deprovisioning, password synchronisation, and application onboarding become manual backlog work, the identity programme becomes a service desk function instead of a control plane. That is a lifecycle problem first, a tooling problem second.
The article is also a reminder that human identity governance and non-human identity governance fail in similar ways when source data is poor, ownership is unclear, and access changes cannot be executed consistently across the application estate.
Key questions
Q: How should security teams modernise a failing identity governance platform?
A: Start by identifying which lifecycle steps create the most manual effort, then separate operational backlog from governance design flaws. A modernisation effort should prioritise joiner-mover-leaver accuracy, deprovisioning reliability, connector quality, and source data hygiene before expanding feature scope. If the process still depends on tickets and spreadsheets, the control model has not been modernised.
Q: Why do outdated IGA systems create access risk even without a breach?
A: Outdated IGA systems create risk when they cannot keep pace with access changes, because delayed provisioning and revocation leave users over-entitled for longer than intended. That gap increases audit exposure, privilege creep, and the chance that access remains active after a business change. The risk is structural, not just operational.
Q: What do identity teams get wrong about deprovisioning?
A: Teams often treat deprovisioning as a ticket closure instead of a control outcome. The real question is whether access was removed from every relevant system, including groups, apps, and downstream entitlements. If fulfilment depends on manual steps or inconsistent connectors, deprovisioning may appear complete while access still exists.
Q: How should organisations decide whether to automate lifecycle provisioning?
A: Automate only after the underlying role model, source data, and ownership model are stable enough to support consistent decisions. If HR records, app ownership, or entitlement naming are still inconsistent, automation will scale errors faster than the team can correct them. Governance quality must come before workflow speed.
Technical breakdown
Why legacy IGA collapses under lifecycle volume
Legacy identity governance platforms usually fail when they were designed for a smaller application estate, fewer ownership changes, and slower provisioning cycles. In Hershey's case, the platform had become maintenance-heavy, needed weekly reboots, and struggled with password synchronisation and deprovisioning. That combination turns identity governance into exception handling rather than policy enforcement. Once the queue starts growing faster than the team can clear it, access changes become delayed, brittle, and dependent on manual intervention. Practical implication: treat backlog growth as a control failure, not just an operations issue.
Practical implication: measure queue depth, provisioning latency, and failed deprovisioning events as control health signals.
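To make those three signals concrete, here is an added example that is not from the SailPoint post or Hershey's programme: it computes queue depth, provisioning latency and failed deprovisioning from a constructed export of lifecycle events and turns SLA breaches into findings. The record layout, the 24-hour leaver and 72-hour joiner SLAs, and the manual-fulfilment threshold are assumptions for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Record layout is an assumption for this example: one row per lifecycle request,
# as an IGA platform or ticket system might export it.
@dataclass
class LifecycleEvent:
    identity: str
    kind: str                      # "joiner", "mover" or "leaver"
    requested: datetime            # when the authoritative source (HR) raised the change
    completed: Optional[datetime]  # None while the request is still open
    status: str                    # "done", "failed" or "open"
    manual: bool                   # True if fulfilment needed a human step (CSV, ticket)

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample data, not real Hershey records.
SAMPLE_EVENTS = [
    LifecycleEvent("u1001", "joiner", parse_ts("2026-01-05T09:00"), parse_ts("2026-01-05T11:30"), "done", False),
    LifecycleEvent("u1002", "joiner", parse_ts("2026-01-05T09:15"), parse_ts("2026-01-08T16:00"), "done", True),
    LifecycleEvent("u1003", "mover",  parse_ts("2026-01-06T08:00"), parse_ts("2026-01-06T09:00"), "done", False),
    LifecycleEvent("u1004", "leaver", parse_ts("2026-01-06T17:00"), parse_ts("2026-01-06T17:20"), "done", False),
    LifecycleEvent("u1005", "leaver", parse_ts("2026-01-07T17:00"), parse_ts("2026-01-10T10:00"), "done", True),
    LifecycleEvent("u1006", "leaver", parse_ts("2026-01-07T17:30"), None, "failed", True),
    LifecycleEvent("u1007", "joiner", parse_ts("2026-01-08T09:00"), None, "open", False),
    LifecycleEvent("u1008", "leaver", parse_ts("2026-01-08T12:00"), None, "open", True),
]

# Assumed SLAs and thresholds for the example.
LEAVER_SLA = timedelta(hours=24)
JOINER_SLA = timedelta(hours=72)
MAX_MANUAL_FRACTION = 0.2

def queue_depth(events, at):
    """Requests raised at or before `at` and not yet completed at `at`."""
    return sum(1 for e in events
               if e.requested <= at and (e.completed is None or e.completed > at))

def latency_hours(events, kind):
    """Request-to-fulfilment latency in hours for completed requests of one kind."""
    return sorted((e.completed - e.requested).total_seconds() / 3600
                  for e in events if e.kind == kind and e.completed is not None)

def p95(values):
    """Nearest-rank 95th percentile; 0.0 when there is nothing to measure."""
    if not values:
        return 0.0
    return values[max(0, math.ceil(0.95 * len(values)) - 1)]

def failed_deprovisioning(events, now, sla=LEAVER_SLA):
    """Leaver requests that failed, are still open past the SLA, or completed late.
    Each one is an identity that kept access beyond the intended window."""
    findings = []
    for e in events:
        if e.kind != "leaver":
            continue
        if e.status == "failed":
            findings.append((e.identity, "failed"))
        elif e.completed is None and now - e.requested > sla:
            findings.append((e.identity, "open_past_sla"))
        elif e.completed is not None and e.completed - e.requested > sla:
            findings.append((e.identity, "completed_late"))
    return findings

def control_health(events, now):
    """Roll the signals up and turn SLA breaches into control findings."""
    leavers = [e for e in events if e.kind == "leaver"]
    failed = failed_deprovisioning(events, now)
    report = {
        "queue_depth": queue_depth(events, now),
        "joiner_p95_hours": p95(latency_hours(events, "joiner")),
        "leaver_p95_hours": p95(latency_hours(events, "leaver")),
        "failed_deprovisioning": failed,
        "deprovisioning_failure_rate": len(failed) / len(leavers) if leavers else 0.0,
        "manual_fraction": sum(e.manual for e in events) / len(events) if events else 0.0,
    }
    findings = []
    if failed:
        findings.append("revocation incomplete: leavers retain access past SLA")
    if report["joiner_p95_hours"] > JOINER_SLA.total_seconds() / 3600:
        findings.append("joiner provisioning latency breaches SLA at p95")
    if report["manual_fraction"] > MAX_MANUAL_FRACTION:
        findings.append("manual fulfilment is the operating model, not the exception")
    report["findings"] = findings
    return report

if __name__ == "__main__":
    for key, value in control_health(SAMPLE_EVENTS, parse_ts("2026-01-10T12:00")).items():
        print(f"{key}: {value}")
```

The point of the roll-up is the last step: a late or failed leaver is reported as a control finding, not as one more ticket in the queue, which is what lets the identity team escalate it as over-entitlement rather than as service-desk backlog.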
How HR data quality shapes identity security outcomes
Identity security depends on the quality of the source system that drives lifecycle decisions, especially HR for joiner-mover-leaver processes. Hershey explicitly worked with HR to document processes more accurately, including those in international offices and manufacturing plants. That matters because access governance only works when role assignment, start dates, transfers, and leavers are reflected cleanly in the authoritative source. If the upstream data is inconsistent, the downstream control logic will be inconsistent too. Practical implication: verify that HR, application, and IAM ownership models align before automating lifecycle actions.
Practical implication: validate source data quality before expanding automated lifecycle provisioning.
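As an added example, not taken from the SailPoint post, these are the kinds of checks a team can run over an HR extract before letting it drive automated lifecycle actions: referential integrity of the manager chain, canonical department and site names, date consistency, and the leaver signal itself (a past end date with the record still active). The field names, the canonical lists, the as-of date and the rule set are assumptions, and the records are constructed.

```python
from datetime import date

AS_OF = date(2026, 2, 5)                       # assumed "today" for the example
DEPARTMENTS = {"Manufacturing", "Finance", "Sales", "IT"}   # assumed canonical names
SITES = {"Hershey, PA", "Kuala Lumpur", "Mexico City"}       # assumed canonical sites
ROOT_IDS = {"E001"}                            # identities allowed to have no manager

# Constructed HR extract; the column layout is an assumption for this example.
HR_RECORDS = [
    {"employee_id": "E001", "manager_id": None,   "department": "IT",            "location": "Hershey, PA",  "start_date": "2015-01-01", "end_date": None,         "active": True},
    {"employee_id": "E100", "manager_id": "E001", "department": "Manufacturing", "location": "Hershey, PA",  "start_date": "2021-03-01", "end_date": None,         "active": True},
    {"employee_id": "E101", "manager_id": "E100", "department": "MFG",           "location": "Hershey, PA",  "start_date": "2022-06-15", "end_date": None,         "active": True},
    {"employee_id": "E102", "manager_id": "E999", "department": "Finance",       "location": "Kuala Lumpur", "start_date": "2020-01-10", "end_date": "2025-12-31", "active": True},
    {"employee_id": "E102", "manager_id": "E999", "department": "Finance",       "location": "Kuala Lumpur", "start_date": "2020-01-10", "end_date": "2025-12-31", "active": True},
    {"employee_id": "E103", "manager_id": "E103", "department": "Sales",         "location": "Mexico City",  "start_date": "2026-02-01", "end_date": "2026-01-15", "active": False},
    {"employee_id": "E104", "manager_id": "E001", "department": "",              "location": "Unknown site", "start_date": "2024-09-01", "end_date": None,         "active": True},
]

# Rules that must be clean before automation is switched on; the rest are hygiene.
BLOCKING = {"duplicate_employee_id", "unknown_manager", "manager_is_self",
            "missing_department", "end_before_start", "terminated_but_active"}

def parse_date(s):
    return date.fromisoformat(s) if s else None

def validate_hr_records(records, as_of=AS_OF):
    """Return sorted (employee_id, rule) findings for an HR extract."""
    known_ids = {r["employee_id"] for r in records}
    seen, findings = set(), []
    for r in records:
        eid = r["employee_id"]
        if eid in seen:
            findings.append((eid, "duplicate_employee_id"))
            continue                                   # do not double-report the copy
        seen.add(eid)

        mgr = r.get("manager_id")
        if not mgr:
            if eid not in ROOT_IDS:
                findings.append((eid, "missing_manager"))
        elif mgr == eid:
            findings.append((eid, "manager_is_self"))
        elif mgr not in known_ids:
            findings.append((eid, "unknown_manager"))  # approvals would route nowhere

        dept = (r.get("department") or "").strip()
        if not dept:
            findings.append((eid, "missing_department"))
        elif dept not in DEPARTMENTS:
            findings.append((eid, "non_canonical_department"))  # breaks role mapping

        if r.get("location") not in SITES:
            findings.append((eid, "unknown_location"))

        start, end = parse_date(r.get("start_date")), parse_date(r.get("end_date"))
        if start is None:
            findings.append((eid, "missing_start_date"))
        if start and end and end < start:
            findings.append((eid, "end_before_start"))
        if end and end < as_of and r.get("active"):
            findings.append((eid, "terminated_but_active"))  # the leaver signal is broken
    return sorted(findings)

def ready_for_automation(records, as_of=AS_OF):
    """True only when no blocking finding remains."""
    return not any(rule in BLOCKING for _, rule in validate_hr_records(records, as_of))

if __name__ == "__main__":
    for finding in validate_hr_records(HR_RECORDS):
        print(finding)
    print("ready for automation:", ready_for_automation(HR_RECORDS))
```

The split between blocking and non-blocking rules is the design choice worth copying: a non-canonical department name will produce wrong role assignments, but a terminated employee still marked active will produce a missed revocation, and the second class should stop automation outright.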
Why provisioning and deprovisioning must be application-aware
Provisioning is not just account creation. It is the mapping of business roles to application-specific entitlements, and deprovisioning is the revocation of those entitlements when access should end. Hershey's note about preferring Active Directory groups or APIs instead of CSVs and manual fulfilment shows how weak handoffs create inconsistency. Every manual path increases the chance that access removal is late, partial, or missed entirely. In a broad application estate, those inconsistencies accumulate into privilege creep and audit problems. Practical implication: standardise connectors and entitlement paths before scaling the next wave of onboarding.
Practical implication: eliminate manual fulfilment paths that weaken revocation reliability.
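The question raised in the Key questions section, whether access was actually removed from every relevant system, can be answered by reconciling HR leavers against what each system still holds. The following is an added example, not Hershey's or SailPoint's code: the Active Directory export, the application entitlement exports and the list of deprovisioning tickets the IGA platform has marked closed are all constructed, and their layouts are assumptions.

```python
from datetime import date

AS_OF = date(2026, 2, 5)   # assumed review date

# Constructed inputs; every layout below is an assumption for this example.
# Authoritative leavers from HR: identity -> last working day.
HR_LEAVERS = {"jdoe": date(2026, 1, 15), "asmith": date(2026, 1, 31), "bkumar": date(2026, 2, 20)}
# What the IGA platform believes: deprovisioning tickets it has marked complete.
IGA_DEPROVISIONING = {"jdoe": "closed", "asmith": "closed"}
# Active Directory export: account state and group memberships.
AD_EXPORT = {
    "jdoe":   {"enabled": False, "groups": ["GG-SAP-FI-Approvers", "GG-VPN-Users"]},
    "asmith": {"enabled": True,  "groups": ["GG-Plant-SCADA-Ops"]},
    "bkumar": {"enabled": True,  "groups": ["GG-VPN-Users"]},
    "cwong":  {"enabled": True,  "groups": ["GG-VPN-Users"]},
}
# Per-application entitlement exports: app -> identity -> entitlements.
APP_EXPORTS = {
    "sap":        {"jdoe": ["FI_APPROVER"], "cwong": ["FI_CLERK"]},
    "salesforce": {"asmith": ["Sales Admin"]},
    "okta-admin": {},
}

def residual_access(leavers, ad_export, app_exports, as_of=AS_OF):
    """For every leaver whose last day has passed, list access that still exists.
    A disabled AD account is not treated as enough: group memberships and
    application entitlements are checked separately, because each is its own
    path back in (re-enabled account, group-based app access, local app login)."""
    findings = {}
    for uid, last_day in leavers.items():
        if last_day >= as_of:
            continue                      # notice period, not yet a revocation target
        found = []
        ad = ad_export.get(uid)
        if ad is not None:
            if ad["enabled"]:
                found.append(("ad", "account_enabled"))
            found.extend(("ad", f"group:{g}") for g in ad["groups"])
        for app, users in app_exports.items():
            found.extend((app, ent) for ent in users.get(uid, []))
        if found:
            findings[uid] = found
    return findings

def closed_but_live(findings, tickets):
    """Identities whose deprovisioning ticket is closed while access still exists:
    the gap between ticket closure and control outcome."""
    return sorted(uid for uid in findings if tickets.get(uid) == "closed")

if __name__ == "__main__":
    residual = residual_access(HR_LEAVERS, AD_EXPORT, APP_EXPORTS)
    for uid, items in residual.items():
        print(uid, items)
    print("closed but live:", closed_but_live(residual, IGA_DEPROVISIONING))
```

Run this against real exports and the output is the evidence an auditor asks for: not "the ticket was closed" but "these entitlements were still present on this date". Whether a disabled-but-retained AD account counts as residual access is a policy decision; the group memberships and application entitlements are not.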
NHI Mgmt Group analysis
Legacy IGA failure is usually a lifecycle failure before it is a platform failure. Hershey's experience shows what happens when joiner-mover-leaver execution, password synchronisation, and deprovisioning are forced through a system that no longer matches operational scale. The result is not just user friction. It is a governance model that cannot reliably express who should have access, when access should end, or who owns the change. Practitioners should read this as a warning that lifecycle control quality degrades before the platform formally breaks.
Source data quality is the hidden control plane behind identity security. Hershey had to tighten its partnership with HR and document processes more carefully because identity decisions depend on upstream accuracy. If HR events, application ownership, and naming conventions are messy, no amount of workflow automation will produce clean lifecycle outcomes. That applies to human identities and to non-human identities alike: authoritative data is the difference between governed access and accumulated exceptions. Practitioners should audit source data before they automate more entitlement flow.
Manual fulfilment creates entitlement drift faster than most teams can detect. The article's preference for Active Directory groups and API-based connector paths over CSVs and manual fulfilment captures a familiar failure mode. Manual handling slows revocation, increases inconsistency, and makes it harder to prove that access was removed everywhere it should have been. In practice, the drift is often invisible until a review, audit, or incident exposes it. Practitioners should eliminate manual handoffs wherever access state changes.
Role modelling is the missing discipline in many identity programmes. Hershey's own lesson that role modelling would have been a huge win points to a wider governance gap. Without stable role design, every access request becomes a bespoke decision, which scales poorly and weakens recertification quality. Role modelling does not just streamline provisioning; it makes entitlement decisions auditable and repeatable across business units and applications. Practitioners should treat role design as a governance control, not a documentation exercise.
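Role modelling is easier to evaluate with a small worked example. The following is added here and is not from SailPoint or Hershey: it mines candidate roles from constructed identity and entitlement data by cohort (function plus location), then lists who deviates from the role and how much of the entitlement estate the roles explain. The attribute names, the 70% co-occurrence threshold and the minimum cohort size of three are assumptions.

```python
from collections import Counter, defaultdict

# Constructed identity data; attribute names are assumptions for this example.
IDENTITIES = {
    "p1": {"function": "plant-ops", "location": "Hershey, PA",  "entitlements": {"vpn", "mes-operator", "badge-plant1", "timeclock"}},
    "p2": {"function": "plant-ops", "location": "Hershey, PA",  "entitlements": {"vpn", "mes-operator", "badge-plant1", "timeclock"}},
    "p3": {"function": "plant-ops", "location": "Hershey, PA",  "entitlements": {"vpn", "mes-operator", "badge-plant1", "timeclock", "sap-fi-approver"}},
    "p4": {"function": "plant-ops", "location": "Hershey, PA",  "entitlements": {"vpn", "mes-operator", "timeclock"}},
    "f1": {"function": "finance",   "location": "Hershey, PA",  "entitlements": {"vpn", "sap-fi-clerk", "expense-tool"}},
    "f2": {"function": "finance",   "location": "Hershey, PA",  "entitlements": {"vpn", "sap-fi-clerk", "expense-tool"}},
    "f3": {"function": "finance",   "location": "Hershey, PA",  "entitlements": {"vpn", "sap-fi-clerk", "expense-tool", "sap-fi-approver"}},
    "m1": {"function": "plant-ops", "location": "Mexico City",  "entitlements": {"vpn", "mes-operator"}},
}

def cohort_key(rec):
    return (rec["function"], rec["location"])

def mine_roles(identities, threshold=0.7, min_cohort=3):
    """Candidate role per cohort: entitlements held by at least `threshold` of its
    members. Cohorts smaller than `min_cohort` get no role, so one person's
    access is never promoted to a role by accident."""
    cohorts = defaultdict(list)
    for rec in identities.values():
        cohorts[cohort_key(rec)].append(rec["entitlements"])
    roles = {}
    for key, members in cohorts.items():
        if len(members) < min_cohort:
            continue
        counts = Counter(e for ents in members for e in ents)
        roles[key] = frozenset(e for e, n in counts.items() if n / len(members) >= threshold)
    return roles

def role_exceptions(identities, roles):
    """Per identity: entitlements outside its role (review candidates) and role
    entitlements it lacks (provisioning gaps). Also returns identities no role covers."""
    exceptions, uncovered = {}, []
    for uid, rec in identities.items():
        role = roles.get(cohort_key(rec))
        if role is None:
            uncovered.append(uid)
            continue
        extra, missing = rec["entitlements"] - role, role - rec["entitlements"]
        if extra or missing:
            exceptions[uid] = {"extra": extra, "missing": missing}
    return exceptions, sorted(uncovered)

def role_coverage(identities, roles):
    """Fraction of all entitlement assignments explained by a role."""
    total = explained = 0
    for rec in identities.values():
        total += len(rec["entitlements"])
        explained += len(rec["entitlements"] & roles.get(cohort_key(rec), frozenset()))
    return explained / total if total else 0.0

if __name__ == "__main__":
    roles = mine_roles(IDENTITIES)
    for key, ents in roles.items():
        print(key, sorted(ents))
    exceptions, uncovered = role_exceptions(IDENTITIES, roles)
    print("exceptions:", exceptions)
    print("uncovered:", uncovered)
    print(f"coverage: {role_coverage(IDENTITIES, roles):.0%}")
```

The "extra" list is where recertification effort should go (here, a plant operator holding a finance approver entitlement), the "missing" list is a provisioning defect, and the coverage figure is the metric to track release over release: it rises as roles are refined and falls when an acquisition or restructure adds identities the role model does not yet describe.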
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs.
- Another finding from our research shows that only 5.7% of organisations have full visibility into their service accounts, which is why identity inventory remains a first-order governance problem.
- For a broader control baseline, compare this with NIST Cybersecurity Framework 2.0 to frame identity governance inside a wider detect and protect programme.
What this signals
Identity programmes that still rely on manual fulfilment are already carrying hidden operational debt. Hershey's migration is a useful signal because many IAM teams still absorb process failures as ticket backlog rather than as control degradation. The next stage for most programmes is not more workflow complexity, but cleaner ownership, better authoritative data, and fewer exception paths across lifecycle operations. Teams that do not address this will keep paying for identity work twice, once in people and again in risk.
Lifecycle governance is becoming the common language across human, machine, and future autonomous identity programmes. The same discipline that fixes joiner-mover-leaver quality for employees also governs service accounts, API-driven access, and machine identities. Once teams recognise that pattern, they can align IAM, IGA, and NHI ownership models instead of treating each as a separate programme. That is where identity operations start to become defensible at scale.
Role design is the next control maturity step for organisations that have already solved basic provisioning. If access still has to be assembled request by request, the programme has not yet reached repeatable governance. Structured roles, cleaner source data, and connector-driven fulfilment reduce exception handling and improve auditability, which is the real measure of progress for mature identity teams.
For practitioners
- Map lifecycle bottlenecks to control failures: Track where joiner-mover-leaver requests pile up, where deprovisioning stalls, and which applications require manual intervention. Use that evidence to separate platform instability from broken governance design.
- Clean authoritative source data before expanding automation: Validate HR records, naming standards, ownership fields, and application mappings before adding more automated provisioning. If the source data is inconsistent, automation will scale the inconsistency.
- Replace CSV and manual fulfilment paths with connector-based flows: Prioritise Active Directory groups, APIs, or equivalent connector mechanisms for provisioning and deprovisioning. Manual fulfilment should be treated as an exception path, not the operating model.
- Build and maintain role models for repeatable access decisions: Document common access patterns by function, location, and application set so that entitlement changes can be governed consistently. Revisit role models when organisations merge, restructure, or add new applications.
Key takeaways
- This case shows that identity security fails when lifecycle execution, source data, and application ownership drift apart.
- The scale problem was real, with 45,000 identities, 230 applications, and ticket backlogs reaching 600 items.
- The practical fix is not just a new tool, but cleaner role design, stronger source data, and removal of manual fulfilment paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev. 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet. Note that CSF 2.0 reorganised the 1.1 access-control subcategories (PR.AC-x) under PR.AA, and that SP 800-207 defines tenets and architecture rather than a numbered control catalogue; the control identifiers below reflect that.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding | Deprovisioning that stops at ticket closure leaves service accounts and credentials active, the same lifecycle gap this case describes for human identities. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations must be defined by policy, managed, enforced and reviewed under least privilege; provisioning and revocation are the enforcement step. |
| NIST SP 800-53 Rev. 5 | AC-2 Account Management | Creating, modifying, disabling and removing accounts, with notification when users are terminated or transferred, is the control behind reliable joiner-mover-leaver execution. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets (dynamic, per-request authorisation) | Policy decisions depend on current identity state, so entitlements left behind by failed revocation undermine the policy engine. |
Use zero trust principles to reduce standing access and validate identity state before granting or extending privileges.
Key terms
- Identity governance and administration: Identity governance and administration is the set of controls used to decide who or what should have access, prove that access is appropriate, and remove it when it is no longer needed. In practice, it combines workflows, approvals, lifecycle automation, and audit evidence across systems and identities.
- Joiner-mover-leaver process: The joiner-mover-leaver process manages access as people enter, change role, and leave an organisation. It is only effective when the authoritative source data is accurate and downstream systems can provision and revoke access consistently, without depending on manual fulfilment or scattered exceptions.
- Deprovisioning: Deprovisioning is the removal of access when an identity no longer needs it. For mature programmes, it means revoking privileges across every relevant system, not just closing a request. Weak deprovisioning is one of the clearest signs that identity governance has drifted.
- Role modelling: Role modelling is the practice of grouping common access patterns into repeatable roles so that entitlement decisions are consistent and auditable. It reduces request-by-request exceptions, improves provisioning speed, and makes certification and review processes easier to govern at scale.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Sweet success: How Hershey modernized its identity security with SailPoint. Read the original.
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org