By NHI Mgmt Group Editorial Team
Published 2025-07-17
Domain: Best Practices
Source: ConductorOne

TL;DR: Manual provisioning, license cleanup, and access-request handoffs do not scale across modern SaaS environments, according to ConductorOne’s analysis of C1 Automations. The operational issue is not just ticket volume but the governance gap created when lifecycle events depend on humans to remember each step.


At a glance

What this is: This is an analysis of identity automation for IT operations, showing how conditional workflows reduce manual work across provisioning, license cleanup, and deprovisioning.

Why it matters: It matters because IT-run access processes underpin NHI, autonomous, and human identity lifecycle controls, and manual handoffs are where governance drift, waste, and revocation failures begin.

By the numbers:

👉 Read ConductorOne's blog on automating identity operations for IT teams


Context

Identity operations fail first at the handoff point. When provisioning, license cleanup, and deprovisioning depend on manual action, access changes lag behind real business events and the programme loses consistency across applications, roles, and departments.

The article is really about workflow-driven identity governance, not just IT efficiency. In practice, automation turns lifecycle rules into executable policy, which is relevant wherever teams manage human accounts, service credentials, or other non-human identities that should not persist beyond their purpose.


Key questions

Q: How should security teams automate access changes for joiners, movers, and leavers?

A: Start with authoritative lifecycle signals from HR and identity systems, then map each event to a specific entitlement action. Joiners should receive only the minimum access needed, movers should lose obsolete access before new access is added where possible, and leavers should trigger immediate revocation and task reassignment. The goal is consistent enforcement, not just faster ticket handling.

Q: Why do dormant accounts create both cost and security risk?

A: Dormant accounts still consume licenses, but the larger issue is that they often retain access long after business need has ended. That creates hidden standing privilege, stale entitlements, and a larger recovery problem when offboarding is delayed. If nobody is watching usage, the account can remain active indefinitely.

Q: What breaks when access reviews depend on manual handoffs?

A: Reviews stall when the owner leaves, changes roles, or simply does not respond. That creates incomplete certification, delayed remediation, and unowned access decisions that never close the loop. Manual handoffs also increase the chance that stale tasks and orphaned approvals remain open long after the identity state has changed.

Q: Who is accountable when automated access workflows remove or downgrade access incorrectly?

A: Accountability stays with the organisation, not the workflow engine. IT, IAM, and application owners should define the triggering signals, approval logic, exception paths, and rollback steps before automation goes live. If a workflow can change access without a clear owner, it has moved governance risk from humans into the process.


Technical breakdown

If/then workflow logic for access changes

C1 Automations uses conditional if/then logic to trigger identity actions from events such as inactivity, status changes, or attribute updates. That makes the workflow engine a policy execution layer rather than a ticketing shortcut. The operational value comes from connecting identity provider, HR, and application signals so the same rule can fire consistently across systems. In identity governance terms, this reduces the delay between a state change and the entitlement change that should follow it.

Practical implication: map the exact event conditions that should trigger provisioning, downgrade, or revocation, and make those conditions executable rather than manual.

Usage-based license revocation and dormant accounts

Dormant accounts are a cost issue, but they are also a governance issue because unused access often stays active after the business need has ended. Usage-based automation closes that gap by detecting inactivity, notifying the right party, and then downgrading or removing access if nothing changes. The technical pattern matters because it relies on observed behaviour, not periodic memory or spreadsheet cleanup. That is especially useful in SaaS-heavy environments where orphaned access accumulates quickly.

Practical implication: define inactivity thresholds per application class and tie them to automated license and access actions.
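The two sections above describe the same mechanism from two angles: a conditional rule that fires on an observed signal (here, inactivity), and a per-application-class threshold that first notifies and then downgrades or removes access if nothing changes. The following is an added example, not ConductorOne's or C1 Automations' code. The application classes, the day thresholds, the notify-then-revoke grace period, and the sample accounts are all constructed assumptions; the point is that the decision depends only on recorded usage, not on anyone remembering to clean up.

```python
"""Usage-based dormancy rule with per-application-class inactivity thresholds.

Added illustration (not ConductorOne's / C1 Automations' code). Classes,
thresholds, sample accounts and the notify-then-revoke flow are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical per-class policy: days idle before a notice goes to the owner,
# then days of grace after the notice before access is actually removed.
INACTIVITY_POLICY = {
    "privileged":    {"notify_after_days": 14, "grace_days": 7},
    "collaboration": {"notify_after_days": 60, "grace_days": 14},
    "licensed_seat": {"notify_after_days": 30, "grace_days": 14},
}


@dataclass
class Account:
    identity: str
    app: str
    app_class: str
    provisioned: date
    last_used: Optional[date] = None     # None = never used since provisioning
    notified_on: Optional[date] = None   # set when an inactivity notice was sent


def evaluate(account: Account, today: date) -> str:
    """Return the action the rule takes for one account on `today`.

    "keep"   - usage is within the class threshold (or usage resumed)
    "notify" - idle past the threshold and no current notice exists
    "wait"   - notice sent, grace period still running
    "revoke" - notice sent, grace period expired, no usage since the notice
    """
    if account.app_class not in INACTIVITY_POLICY:
        raise ValueError(f"no inactivity policy for class {account.app_class!r}")
    policy = INACTIVITY_POLICY[account.app_class]

    # An account that has never been used is measured from its provisioning date,
    # so a seat that was granted and never touched still ages out.
    anchor = account.last_used or account.provisioned
    if (today - anchor).days < policy["notify_after_days"]:
        return "keep"

    # Usage after the notice invalidates it; the cycle starts again.
    notified = account.notified_on
    if notified is not None and account.last_used and account.last_used > notified:
        notified = None
    if notified is None:
        return "notify"
    if (today - notified).days >= policy["grace_days"]:
        return "revoke"
    return "wait"


def run(accounts, today: date):
    """Evaluate every account; the result is keyed by (identity, app)."""
    return {(a.identity, a.app): evaluate(a, today) for a in accounts}


# Constructed sample data: five accounts observed on 2025-07-17.
TODAY = date(2025, 7, 17)
SAMPLE_ACCOUNTS = [
    Account("alice", "ci-admin", "privileged", date(2025, 1, 6), last_used=date(2025, 7, 10)),
    Account("svc-build", "ci-admin", "privileged", date(2025, 1, 6), last_used=date(2025, 6, 20)),
    Account("bob", "wiki", "collaboration", date(2024, 11, 1),
            last_used=date(2025, 4, 1), notified_on=date(2025, 7, 1)),
    Account("carol", "design-suite", "licensed_seat", date(2025, 6, 1),
            notified_on=date(2025, 7, 10)),
    Account("dave", "design-suite", "licensed_seat", date(2025, 3, 3),
            last_used=date(2025, 7, 12), notified_on=date(2025, 7, 1)),
]


def run_sample():
    """Run the rule over the constructed sample as of TODAY."""
    return run(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for key, action in run_sample().items():
        print(f"{key[0]:>10} @ {key[1]:<13} -> {action}")
```

In the sample, the service account on the privileged app is flagged for notice after 27 idle days, the wiki user whose notice is 16 days old is revoked, the never-used design seat is still in its grace window, and the user who logged in after being notified is kept with the notice discarded. Tracking `notified_on` as state is what makes the rule safe to run repeatedly: each run is idempotent for accounts whose signal has not changed.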

Lifecycle event automation across joiner, mover, and leaver changes

The lifecycle use case extends beyond onboarding. A joiner, mover, or leaver event should update access, licenses, and outstanding tasks in sequence so privilege does not outlive the role that justified it. The article’s model integrates HR and identity data, which is the key architectural point: lifecycle automation is only as accurate as the signals feeding it. Without that linkage, access reviews, deprovisioning, and task reassignment all drift out of sync.

Practical implication: treat HR and identity data as control inputs, not reference data, and verify that role changes actually propagate into downstream access decisions.
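The joiner, mover and leaver sequence described above (and in the first key question) can be made explicit as ordered entitlement actions driven by an HR event: joiners get only the role baseline, movers lose obsolete access before new access is granted, and leavers are revoked, disabled, and have their open review tasks reassigned so nothing stalls. The following is an added example, not ConductorOne's or C1 Automations' code. The role-to-entitlement table, the event shape, the open-task store and the fallback task queue name are constructed assumptions.

```python
"""Joiner / mover / leaver processing as ordered entitlement actions.

Added illustration (not ConductorOne's / C1 Automations' code). The role
baseline, event shape, task store and fallback queue are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role baseline: the minimum entitlements each role needs.
ROLE_ENTITLEMENTS = {
    "engineer": {"github:read", "ci:run"},
    "sre":      {"github:read", "ci:run", "prod:ssh"},
    "finance":  {"erp:user"},
}

FALLBACK_TASK_OWNER = "iam-review-queue"   # hypothetical shared queue


@dataclass
class IdentityState:
    entitlements: set = field(default_factory=set)
    manager: Optional[str] = None
    active: bool = True


@dataclass
class LifecycleEvent:
    kind: str                      # "joiner", "mover" or "leaver"
    identity: str
    role: Optional[str] = None     # required for joiner / mover
    manager: Optional[str] = None  # authoritative manager from HR, if known


def process(event: LifecycleEvent, identities: dict, open_tasks: dict) -> list:
    """Apply one lifecycle event and return the actions, in execution order.

    identities: identity -> IdentityState   (current entitlements and manager)
    open_tasks: task_id  -> owner identity  (e.g. pending access reviews)
    """
    actions = []
    state = identities.setdefault(event.identity, IdentityState())

    if event.kind == "joiner":
        target = ROLE_ENTITLEMENTS[event.role]
        state.manager = event.manager
        for ent in sorted(target - state.entitlements):      # least privilege: baseline only
            actions.append(("grant", event.identity, ent))
        state.entitlements |= target

    elif event.kind == "mover":
        target = ROLE_ENTITLEMENTS[event.role]
        for ent in sorted(state.entitlements - target):      # obsolete access goes first
            actions.append(("revoke", event.identity, ent))
        for ent in sorted(target - state.entitlements):      # then the new role's baseline
            actions.append(("grant", event.identity, ent))
        state.entitlements = set(target)
        if event.manager:
            state.manager = event.manager

    elif event.kind == "leaver":
        for ent in sorted(state.entitlements):
            actions.append(("revoke", event.identity, ent))
        state.entitlements.clear()
        state.active = False
        actions.append(("disable", event.identity, None))
        # Open tasks owned by the leaver move to the manager of record,
        # or to a shared queue when HR has no manager for this identity.
        new_owner = state.manager or FALLBACK_TASK_OWNER
        for task_id, owner in list(open_tasks.items()):
            if owner == event.identity:
                open_tasks[task_id] = new_owner
                actions.append(("reassign_task", task_id, new_owner))

    else:
        raise ValueError(f"unknown lifecycle event kind: {event.kind!r}")
    return actions


def run_sample() -> dict:
    """Constructed scenario: one identity joins, moves twice, then leaves."""
    identities: dict = {}
    open_tasks = {"review-42": "alice", "review-43": "carol"}   # constructed
    out = {
        "joiner":        process(LifecycleEvent("joiner", "alice", "engineer", "bob"), identities, open_tasks),
        "mover_sre":     process(LifecycleEvent("mover", "alice", "sre"), identities, open_tasks),
        "mover_finance": process(LifecycleEvent("mover", "alice", "finance"), identities, open_tasks),
        "leaver":        process(LifecycleEvent("leaver", "alice"), identities, open_tasks),
    }
    out["tasks"] = dict(open_tasks)
    out["final_entitlements"] = set(identities["alice"].entitlements)
    out["final_active"] = identities["alice"].active
    return out


if __name__ == "__main__":
    for step, actions in run_sample().items():
        print(step, actions)
```

The move from sre to finance is the instructive case: three revocations are emitted before the single grant, so the identity never holds production access and ERP access at the same time. The leaver step shows why the manager attribute has to come from the HR feed rather than from a stale directory field: it decides where the orphaned review task lands.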


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Manual identity operations create governance drift, not just inefficiency. When lifecycle changes depend on people remembering to act, access remains active after the business need disappears. That is the structural problem behind dormant accounts, delayed deprovisioning, and unfinished review tasks. The implication is that identity programmes should measure how much of lifecycle control still depends on human follow-through.

Automation changes the control model from periodic action to event-driven enforcement. The important shift is not that tasks happen faster, but that policy can execute when the identity state changes. That matters for joiner-mover-leaver processes, license governance, and access request routing because the control no longer depends on ticket queues or individual ownership. Practitioners should treat the workflow engine as part of the governance plane.

License cleanup is an access governance issue disguised as cost optimisation. Unused SaaS seats often hide standing access that no one has reviewed because the business label is financial rather than security-focused. The same pattern applies to human accounts and, in many environments, non-human identities that linger after their purpose ends. Teams should use license automation to surface entitlement sprawl, not just to reduce spend.

Workflow automation exposes a broader identity principle: if access can outlive the event that justified it, the control model is incomplete. That is true across human, NHI, and lifecycle governance. The challenge is not whether a rule can be written, but whether the organisation can enforce revocation, reassignment, and escalation without manual rescue. Practitioners should redesign access operations around state change, not around ticket completion.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • The lifecycle gap sits alongside broader exposure: NHI Lifecycle Management Guide shows how provisioning, rotation, visibility, and offboarding need to be governed as one process.

What this signals

Identity automation is becoming a control-plane issue, not a workflow convenience. Once access changes are tied to authoritative signals, teams can measure whether governance is actually enforced at the point of change. That is the difference between policy on paper and policy in motion, especially in environments where manual cleanup has already outgrown the team’s capacity.

License optimisation will keep converging with entitlement governance. The same automation that removes dormant SaaS seats also reveals which identities are still carrying access they no longer need. For teams managing non-human identities as well as employee access, the question is no longer whether lifecycle automation is useful, but whether the governance model can survive without it.

With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, automated lifecycle enforcement becomes a structural requirement, not an efficiency play. The organisations that keep treating access cleanup as an after-hours admin task will continue to accumulate hidden privilege and orphaned ownership.


For practitioners


Key takeaways

  • Manual identity operations fail at scale because lifecycle changes outpace human follow-through and leave access behind.
  • The evidence across NHI governance shows that offboarding, revocation, and rotation are still too often incomplete or delayed.
  • Automation should be treated as enforcement of identity policy, with clear ownership for triggers, exceptions, and rollback.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Automation here addresses delayed revocation and lifecycle drift in NHI controls.
NIST CSF 2.0 | PR.AA-01 | Identity governance depends on timely entitlement changes after lifecycle events.
NIST Zero Trust (SP 800-207) | | Event-driven access enforcement supports continuous verification and least privilege.

Automate NHI revocation and rotation triggers where manual offboarding still leaves access behind.


Key terms

  • Identity automation: Identity automation is the use of event-driven workflows to create, modify, or remove access without manual ticket handling. In practice it turns lifecycle policy into executable logic, so joiner, mover, leaver, license, and review actions happen when the authoritative signal changes.
  • Lifecycle event: A lifecycle event is a change in an identity’s status that should trigger access action, such as joining, changing roles, or leaving. For governance, the event matters because access should not outlive the condition that justified it, regardless of whether the identity is human or non-human.
  • Dormant account: A dormant account is an identity that has not been used within a defined period but still retains active access. The risk is not only wasted licensing. Dormant access often becomes stale standing privilege, which makes offboarding, certification, and incident response harder to execute cleanly.
  • Access review task: An access review task is a governance work item that asks an owner to confirm, reject, or adjust entitlements. When automation is absent, these tasks can stall if the owner changes or leaves. In well-governed environments, task ownership must move with the identity state.

Deepen your knowledge

Identity automation for joiner, mover, and leaver workflows is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to replace manual access cleanup with governed lifecycle enforcement, it is a useful next step.

This post draws on content published by ConductorOne: How to Streamline IT Operations with C1 Automations. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org