TL;DR: Manual onboarding, offboarding, and approval workflows between HR and IT create delays, visibility gaps, and access errors that can leave employees without the right tools or keep access alive after departure, according to Zluri. The real issue is not productivity alone, but whether lifecycle governance can keep pace with identity changes.
At a glance
What this is: This is an analysis of HR and IT lifecycle automation, showing that manual onboarding, offboarding, and approvals create access delays and revocation gaps.
Why it matters: It matters because lifecycle failures affect human identity governance, but the same process weaknesses also mirror what breaks when teams manage NHIs, service accounts, and autonomous access patterns.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Zluri's article on HR and IT lifecycle automation strategies
Context
HR and IT lifecycle management is the set of processes that creates, changes, and removes access as people join, move, and leave an organisation. In practice, it determines whether identity decisions happen on time or whether access lingers after the business relationship has changed. This article is really about the operational drag that appears when access governance depends on tickets, manual coordination, and disconnected systems.
For IAM teams, the deeper issue is that onboarding and offboarding are not just administrative tasks. They are access control events. When those events are slow or inconsistent, organisations create avoidable exposure across user accounts, SaaS apps, and downstream entitlement reviews, which is why lifecycle design sits at the centre of both productivity and security.
Key questions
Q: How should organisations automate onboarding without losing access control?
A: Start with authoritative HR data, then map it to policy-backed provisioning rules for baseline access. Keep exception handling visible, require app ownership for nonstandard requests, and log every entitlement change centrally. Automation should reduce manual tickets, but it should not remove the evidence trail needed for audit and recertification.
Q: Why do offboarding failures create security risk even when accounts are eventually removed?
A: Because delayed revocation creates a window where access remains valid after the business need has ended. During that window, the user can still act in SaaS apps, shared systems, or delegated workflows. The shorter the delay between exit and revocation, the smaller the residual risk to data and operations.
Q: What do teams get wrong about ticket-based access approval?
A: They often treat the ticket as the control, when the control is really the policy and the ownership behind the approval. If every request must be manually triaged, the queue becomes the bottleneck and governance becomes inconsistent. Better designs delegate routine decisions while preserving records for exceptions and reviews.
Q: Who is accountable when HR and IT access handoffs fail?
A: Accountability should sit with the identity governance process owner, not with whichever team spots the problem last. HR owns source events, IT owns technical enforcement, and application owners own access decisions for their systems. When those responsibilities are not explicit, stale access and provisioning delays become routine.
Technical breakdown
Why manual onboarding creates access delays and entitlement drift
Manual onboarding depends on HR, IT, and application owners exchanging accurate data before access is granted. That introduces a latency problem: the identity exists in one system, but the entitlements needed for work are still being assembled elsewhere. The result is not just inconvenience. It is entitlement drift, where access is delayed, incomplete, or granted inconsistently across tools. In larger environments, the gap widens because each manual approval adds another handoff and another chance for error. Practical implication: reduce dependency on tickets by tying authoritative HR data to automated provisioning rules.
Why offboarding failures become a security problem, not just an HR issue
Offboarding is the point where access must be revoked, ownership transferred, and active sessions cut off. If those steps are handled manually, access can outlive employment or role change, especially across SaaS applications and shared business tooling. The security problem is persistence: an identity that should have been retired remains capable of acting. That creates residual access, orphaned licenses, and hidden paths into business systems. Practical implication: treat offboarding as an enforced revocation workflow, not a best-effort checklist.
How self-service approval models change the IT ticketing bottleneck
A ticketing-heavy approval model forces every low-risk access request through the same queue, which slows delivery and encourages shadow workarounds. A self-service model can reduce friction if it still preserves clear policy boundaries, app ownership, and auditability. The technical shift is from manual routing to policy-backed delegation, where the approval path is defined up front and changes are recorded centrally. That improves throughput, but only if roles and entitlements are kept current. Practical implication: use policy-driven request routing to remove queue delay without removing governance.
NHI Mgmt Group analysis
Lifecycle automation is not a productivity nice-to-have. It is the control plane for access integrity. When HR and IT operate in silos, the organisation does not just move more slowly, it makes identity state less trustworthy. The business consequence is that joiner and leaver events become partially manual exceptions rather than governed transitions. Practitioners should treat lifecycle orchestration as a core identity control, not a workflow convenience.
Manual offboarding creates residual access debt. The article points to a familiar failure mode: access is removed after delay, or not at all, because no single workflow owns the revocation chain. That leaves SaaS licences, group memberships, and delegated permissions live after the relationship has changed. The implication is that accountability for offboarding must sit with a governed process, not with whichever team notices the exit first.
Ticket queues are a governance signal, not just an operations issue. When HR must open tickets to get new hires basic access, the organisation has already lost policy consistency at the boundary between systems of record and systems of action. This creates a dependency on human triage where automation should exist. Practitioners should read rising ticket volume as evidence that identity workflow design, not staffing, is the real constraint.
Identity lifecycle controls must be measured by revocation completeness, not workflow convenience. Faster approvals are useful only if they also preserve auditability and timely removal of stale access. If access can be granted quickly but not removed with equal reliability, the programme has shifted risk rather than reduced it. Practitioners should evaluate lifecycle governance by how cleanly it closes access, not by how smoothly it opens it.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- For teams building lifecycle controls, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding fit into a governed identity process.
What this signals
Lifecycle latency: the real risk in HR and IT alignment is not just inefficiency, but the creation of unowned access windows where identity state changes faster than governance can absorb them. Teams that still rely on tickets for routine joiner and leaver events will keep producing stale permissions unless they move to authoritative-event-driven workflows and formal ownership models.
Only 5.7% of organisations have full visibility into their service accounts, which is a reminder that the same governance weakness in human lifecycle workflows usually exists somewhere else in the identity estate. If an enterprise cannot cleanly track who should have access, it will struggle to track what should be revoked when that relationship ends. The Ultimate Guide to NHIs remains relevant because lifecycle control is a cross-identity discipline, not a human-only process.
For practitioners
- Map joiner-mover-leaver ownership across HR and IT: Define which team owns source data, provisioning triggers, access approvals, and revocation for each system class. Eliminate handoff ambiguity so no offboarding step depends on informal follow-up or a missed ticket.
- Automate access provisioning from authoritative HR events: Use the HR system as the source for joiner and mover events, then provision baseline access through policy-backed workflows. Keep app-specific exceptions explicit so automation does not hide entitlement drift.
- Require same-day revocation for leavers and role exits: Make revocation an enforced workflow with ownership transfer, group removal, and SaaS deprovisioning in the same process. Validate that the process closes access in the systems that actually matter, not only in the HR record.
- Replace generic approval queues with policy-based routing: Route access requests by role, app criticality, and owner rather than by a single shared ticket queue. Preserve audit records so faster approvals do not weaken governance.
Key takeaways
- Manual HR and IT coordination slows identity changes and increases the chance that access state and business state drift apart.
- The strongest risk signal is not the ticket queue itself, but how often leavers, movers, and exceptions leave behind stale access.
- Practitioners should measure lifecycle governance by revocation completeness, ownership clarity, and the quality of authoritative event data.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | HR-IT lifecycle workflows determine whether access is provisioned and removed consistently. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access depends on timely, role-based assignment and removal. |
| NIST SP 800-63 | Digital Identity Guidelines | Identity proofing and lifecycle processes affect how human identities are governed. |
Align human identity lifecycle steps with verified source data and auditable change control.
Key terms
- Joiner-Mover-Leaver Process: The joiner-mover-leaver process is the set of identity lifecycle steps that create, change, and remove access when a person enters, changes role, or exits an organisation. It depends on accurate source data and clear ownership so access changes happen on time and leave no stale entitlements behind.
- Authoritative Source: An authoritative source is the system that the organisation treats as the most trusted record for identity events, such as hiring, role changes, or termination. In lifecycle governance, it should trigger downstream provisioning and revocation, rather than relying on manual interpretation of tickets or email requests.
- Residual Access: Residual access is permission that remains active after the business need for it has ended. It usually appears when revocation is delayed, incomplete, or not connected to the systems where access actually exists, creating avoidable exposure across applications, groups, and delegated workflows.
- Policy-Based Delegation: Policy-based delegation is a governance model where routine access decisions are routed according to predefined rules instead of being handled manually in a generic queue. It can improve speed and consistency, but only when the policy, ownership, and audit trail remain explicit.
Deepen your knowledge
NHI governance, identity lifecycle management, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by Zluri: Lifecycle Management, 3 Strategies to Improve Productivity of HR and IT Teams. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org