By NHI Mgmt Group Editorial TeamPublished 2025-08-07Domain: Governance & RiskSource: Lumos

TL;DR: Access tickets are being driven by joiner, mover, leaver work, repetitive approvals, and offboarding gaps, according to Lumos, which cites the 2024 Access Productivity report showing 64% of organisations see daily or weekly productivity impact from access issues. The bigger issue is that access review and provisioning processes still assume stable, human-paced decisions in a world of fast-moving identity change.


At a glance

What this is: This is a vendor analysis of how identity lifecycle automation, self-service access, and contextual workflows can reduce IT ticket volume and tighten least-privilege control.

Why it matters: It matters because the same lifecycle pressure that creates ticket backlog also creates access drift, making NHI, human IAM, and emerging agentic governance problems structurally similar.

By the numbers:

👉 Read Lumos's analysis of identity lifecycle automation and ticket reduction


Context

Identity lifecycle work creates most of the operational drag in access management because joiner, mover, and leaver events rarely line up with clean policy logic. When access decisions depend on manual approvals, inherited roles, and scattered context, IT teams end up triaging tickets instead of governing access.

For human IAM and NHI programmes alike, the problem is not only volume. The deeper issue is that access reviews often lack the usage and business context needed to decide whether access should stay in place, which is why lifecycle automation and right-sized roles keep showing up as governance priorities.


Key questions

Q: How should security teams reduce access ticket volume without weakening least privilege?

A: Build access around governed lifecycle flows, then use context-aware roles and self-service approval paths for repeatable requests. Least privilege is preserved when policy evaluates usage, job context, and expiry together, instead of routing every request through a human queue. The goal is fewer tickets because the default entitlement model fits better, not because governance is bypassed.

Q: Why do manual access approvals create ongoing risk in identity programmes?

A: Manual approvals are slow, inconsistent, and often missing the usage context needed to judge whether access is still justified. They also encourage role drift, because people keep access longer than their work requires. In practice, the risk is not only delay. It is persistent over-entitlement that accumulates across users, apps, and lifecycle events.

Q: What do organisations get wrong about self-service access?

A: They treat self-service as a convenience layer instead of a governance control. Self-service only works when policy, logging, expiry, and revocation are tied to the same identity record. Without that linkage, the organisation simply moves the approval burden out of sight while keeping the same underlying access risk.

Q: How can teams tell whether lifecycle automation is actually working?

A: Look for fewer exception tickets, faster offboarding, lower entitlement drift, and clearer ownership of access decisions across systems. If users still wait for basic access or reviewers still lack context, the automation is only partial. Effective lifecycle automation should remove repeated manual decisions, not just speed up ticket handling.


Technical breakdown

Why lifecycle tickets accumulate in identity governance

Ticket backlogs form when provisioning, approvals, and deprovisioning are treated as separate workflows instead of one governed lifecycle. Every role change, app request, and offboarding action introduces a decision point, and if the organisation does not centralise state, IT has to reconstruct context by hand. Access reviews then become retrospective clean-up rather than live governance. In practice, the result is delayed access for users, lingering permissions for leavers, and repeated work for administrators.

Practical implication: map joiner, mover, and leaver steps into a single governed workflow before trying to optimise ticket handling.

How contextual roles reduce permission sprawl

Birthright access usually over-assigns permissions because it assumes a job title alone is enough to define need. Contextual role design uses title, department, location, app usage, and historical access patterns to produce roles that fit the actual work being done. That makes access requests more predictable and reduces the number of exceptions IT must handle. It also improves least-privilege enforcement because the role itself becomes the control, not the approval queue.

Practical implication: rebuild roles around usage and business context, then measure how many requests disappear because the default fit improves.

Why self-service and just-in-time access change the control model

Self-service access works only when policy engines can evaluate entitlement safely without turning every request into a manual review. Just-in-time access reduces standing privilege by granting permissions for a bounded task, while scheduled access handles recurring need without making access permanent. The technical shift is from ticket fulfillment to policy-mediated entitlement, with evidence and expiry attached to each grant. That lowers friction, but only if approvals, logging, and revocation are tied to the same identity record.

Practical implication: reserve manual approval for exceptions and use policy-driven time-bounded access for repeatable requests.



NHI Mgmt Group analysis

Identity backlog is a governance symptom, not an IT service problem: Repetitive access tickets expose the fact that entitlement decisions are still being made too late and too manually. When joiner, mover, and leaver workflows are fragmented, IT ends up acting as the control plane for decisions the identity layer should already know. The implication is that lifecycle governance must be treated as access architecture, not service desk optimisation.

Access reviews without usage context are structurally weak: Access certification only works when reviewers can answer whether the subject still needs the entitlement in question. If the programme cannot surface application usage, role changes, and business context, review cycles become rubber-stamping exercises. Practitioners should recognise this as a signal that the governance model is data-poor, not merely process-heavy.

Right-sized roles are the durable answer to ticket volume: Birthright access creates both operational friction and excess privilege because it overstates what a role should mean. Context-aware RBAC and ABAC reduce exception handling by aligning access to observed need rather than assumed need. That makes least-privilege a design property of the role model, which is where the control belongs.

Autonomy in identity operations should be bounded by lifecycle evidence: The more automation is used to collapse approval loops, the more important it becomes to preserve traceable identity state, task ownership, and revocation evidence. Autonomous workflows do not remove governance obligations, they shift them into policy design and auditability. Practitioners should treat workflow automation as a control dependency, not a shortcut around governance.

From our research:

What this signals

Identity backlog is now a control signal: when access requests keep clustering around joiner, mover, and leaver events, the programme is telling you that entitlement design is lagging the business. Teams should expect more pressure to shift from ticket handling to policy-based lifecycle control, especially where access needs are repetitive and easy to standardise.

Access review quality will become more visible to auditors and operators: if reviewers cannot see usage, ownership, and business context, the process will increasingly look like administrative churn rather than governance. That makes context-rich evidence, not review volume, the metric that matters. The organisation should be able to prove why access stayed, not just that a review happened.

Right-sized access will converge with NHI governance patterns: the same lifecycle logic that reduces human access friction also applies to service accounts and workflow identities. Once organisations recognise that pattern, they can align entitlement policy, expiration rules, and revocation evidence across human and non-human identities instead of managing each in isolation.


For practitioners

  • Consolidate joiner, mover, and leaver workflows Tie HR events, app provisioning, and deprovisioning into one lifecycle path so access state changes are visible before tickets pile up.
  • Replace birthright roles with context-aware access models Use title, department, location, and usage history to narrow default access and reduce the exceptions that force manual review.
  • Move repeat requests into policy-driven self-service Allow approved app requests through Slack, Teams, or an app catalog when policy conditions are met, and keep manual approval for exceptions.
  • Attach evidence to every entitlement decision Record who approved, what context was used, and when access expires so review teams can validate decisions without reconstructing the case from tickets.

Key takeaways

  • Identity ticket backlogs are usually lifecycle failures, not service desk failures, because access state changes are not being governed as one workflow.
  • The practical scale of the problem is already visible in offboarding and secrets persistence, where stale credentials and duplicated access create ongoing operational and security exposure.
  • Teams that want fewer tickets without more risk need context-aware roles, policy-driven self-service, and evidence-bearing lifecycle controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Offboarding gaps and stale access align with NHI lifecycle failures.
NIST CSF 2.0PR.AC-1Identity lifecycle automation supports managed access provisioning and removal.
NIST Zero Trust (SP 800-207)AC-4Policy-based entitlement decisions fit zero trust access enforcement.

Audit offboarding and revocation paths so non-human access cannot outlive the business need.


Key terms

  • Identity Lifecycle Automation: Identity lifecycle automation is the use of policy, workflow, and system integration to create, change, and remove access as a person or workload moves through the organisation. It reduces manual ticket handling by making entitlement changes part of governed state transitions rather than ad hoc service requests.
  • Birthright Access: Birthright access is the default set of permissions assigned when a user joins a role, team, or organisation. It is efficient, but it often overestimates actual need and becomes a major source of permission sprawl unless continuously right-sized against usage and business context.
  • Just-In-Time Access: Just-in-time access is a controlled access pattern that grants privileges only when a task requires them and removes them when the task ends. For identity programmes, it is a way to reduce standing privilege while preserving operational speed, provided expiry and audit evidence are built into the workflow.
  • Access Certification: Access certification is the process of reviewing whether an identity should keep a given entitlement. It only works well when reviewers have enough context to judge actual need, because a review without usage, ownership, or business justification tends to become a compliance exercise instead of a governance control.

What's in the full article

Lumos's full blog covers the operational detail this post intentionally leaves for the source:

  • How the Lumos workflow model maps joiner, mover, and leaver events into automated access handling.
  • Examples of self-service app request flows through Slack and Teams that reduce manual ticket routing.
  • Details of the identity AI agent used for role mining and access recommendations.
  • Customer examples that show ticket reduction outcomes and how the automation was implemented.

👉 Lumos's full post covers self-service access, role mining, and lifecycle workflow examples in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org