TL;DR: IT operations management best practices are framed around CMDBs, automation, planning, alignment, tooling, and continuous improvement, with Zluri positioning its SaaS operations platform as an execution layer for onboarding, offboarding, approvals, and usage visibility. For identity teams, the real issue is that operational efficiency claims only matter when lifecycle governance, access revocation, and entitlement control stay intact.
At a glance
What this is: This is a vendor-authored IT operations management guide that argues standardisation, automation, and monitoring improve operational efficiency and control.
Why it matters: It matters to IAM practitioners because the same operational patterns also govern application access, user lifecycle, and SaaS entitlement sprawl across human and non-human programmes.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
IT operations management is the discipline of keeping infrastructure, services, and operational workflows reliable enough for the business to function. In identity programmes, the same logic applies to access workflows, because provisioning, approval, monitoring, and offboarding are operational controls as much as they are governance controls.
The article treats ITOM as a process and tooling problem, but the identity implication is broader. When onboarding, deprovisioning, and approval paths are centralised without strong entitlement governance, the result is not just efficiency. It is faster propagation of access decisions across SaaS, infrastructure, and support tooling.
For IAM, IGA, and PAM teams, the real question is whether operational simplicity is being achieved by reducing control complexity or by hiding it inside a platform layer. That distinction matters most when access is revoked, privileges are reviewed, or a service relationship changes.
Key questions
Q: How should security teams govern access in automated IT operations workflows?
A: Security teams should treat automated IT operations workflows as lifecycle controls that need ownership, exception handling, and regular review. Automation should speed up approved actions, not replace entitlement governance. The key is to verify that onboarding, approvals, and deprovisioning all converge on the same access truth before the workflow scales.
Q: Why do ITOM platforms create identity governance risk when they centralise workflows?
A: Centralisation can make identity governance stronger only if the entitlement model is accurate and the offboarding logic is complete. Otherwise, one platform becomes the fastest way to spread stale access across apps, teams, and service relationships. The risk is not centralisation itself, but unchecked propagation of access decisions.
Q: What breaks when deprovisioning is not tied to operational ownership changes?
A: Access persists after the business need has changed, which leaves former users, contractors, or service owners with privileges they no longer require. That can create orphaned access, audit findings, and unnecessary exposure in SaaS and infrastructure systems. The fix is a revocation path that is triggered by lifecycle events, not memory.
Q: Who should be accountable for access decisions inside an IT operations model?
A: Accountability should sit with both the operational owner and the identity governance owner, because one controls the workflow and the other controls entitlement correctness. If either is missing, approvals become procedural rather than accountable, and access review loses meaning. Clear ownership is the control that keeps efficiency from becoming drift.
Technical breakdown
Centralised CMDBs and identity control planes
A configuration management database is only useful for identity governance if it reflects the relationships between users, apps, service accounts, and privileges, not just the assets themselves. In operational terms, the CMDB becomes a control plane when it can answer who has access, why they have it, and which business service depends on that access. Without that linkage, change management can still be fast while entitlement drift grows unnoticed. The technical failure is usually not missing inventory, but missing identity context across systems.
Practical implication: map identity-relevant relationships into the CMDB or another system of record before using it to drive access and change decisions.
Automation of provisioning and deprovisioning
Automation reduces manual effort, but in identity operations it also increases the blast radius of a bad rule. Automated onboarding, app approval, and deprovisioning workflows are only as good as the lifecycle logic behind them. If access templates are stale or revocation paths are incomplete, automation simply scales the error more quickly. This is why lifecycle governance matters across human accounts and non-human identities alike: the workflow may be shared, but the entitlement consequences are real and immediate.
Practical implication: test lifecycle workflows against edge cases such as role changes, contractor exits, and third-party app access before expanding automation.
Continuous monitoring of service access and usage
Monitoring in ITOM is often framed around uptime and incident response, but identity teams need monitoring that also surfaces unused access, excessive privilege, and orphaned entitlements. Usage telemetry is valuable because it can show when access is provisioned but never exercised, or when a group of accounts retains privilege long after the operational need has passed. The governance weakness is assuming that access remains valid because the system still allows it. That assumption is especially risky in SaaS-heavy environments where access paths multiply quickly.
Practical implication: pair operational monitoring with access review triggers so unused or over-scoped access is not treated as benign.
NHI Mgmt Group analysis
Operational efficiency becomes a governance risk when access workflows outrun review workflows. The article treats automation as a way to reduce error and save time, but identity programmes can invert that benefit when provisioning becomes faster than certification. That creates a control imbalance in which access is granted and redistributed continuously while review remains periodic. Practitioners should treat operational speed as a governance variable, not just a productivity metric.
Centralised ITOM tooling does not eliminate entitlement sprawl; it can concentrate it. When onboarding, approvals, and deprovisioning are routed through one platform, control quality depends on the entitlement model underneath it. If the model is weak, the platform accelerates the spread of access across SaaS and infrastructure. The discipline required is not tool consolidation alone, but lifecycle governance that can prove why each entitlement exists.
Identity lifecycle management is the hidden dependency behind every efficient ITOM workflow. The article’s strongest idea is that day-to-day operations need standardised processes, yet the same standardisation can expose gaps when offboarding, revocation, and exception handling are not equally mature. In practice, access governance must be measured by how quickly it closes the loop after role change, departure, or service retirement. Otherwise, operational maturity becomes an illusion built on persistent permissions.
What looks like IT operations discipline is often access-risk discipline in disguise. Zluri’s emphasis on user lifecycle management, approvals, and usage visibility maps directly to IAM, IGA, and SaaS governance concerns. The field should stop treating ITOM and identity as separate operating models when the control points overlap so heavily. Practitioners should evaluate ITOM through the lens of entitlement accountability, not just service performance.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why lifecycle control remains a weak point in many environments.
- That same lifecycle gap is explored in NHI Lifecycle Management Guide, which helps teams connect provisioning, rotation, and offboarding to operating discipline.
What this signals
Identity operations will increasingly be judged by whether they close access loops, not just whether they open them efficiently. The practical shift for programmes is to treat provisioning speed, approval latency, and revocation completion as one governance chain. Teams that can only measure the front half of the chain will miss the access exposure that accumulates after a role change or offboarding event.
The strongest control pattern here is not more automation on its own, but more accountability around the lifecycle state of each entitlement. That means identity and IT operations teams should reconcile workflow logs, app inventory, and ownership records together, then use those signals to drive reviews and recertification.
With 97% of NHIs carrying excessive privileges, according to Ultimate Guide to NHIs, the same operational discipline that reduces SaaS sprawl can also reduce machine access risk. Teams should prepare for a governance model in which operational management and identity management are no longer separable in practice.
For practitioners
- Audit lifecycle handoffs across onboarding and offboarding: Trace every access change from request to revocation and confirm that the same workflow closes the loop when a user changes role, leaves, or no longer needs an app. Pay special attention to exceptions that bypass normal deprovisioning logic.
- Link operational inventory to identity context: Use your CMDB or equivalent control plane to record the identity relationships that matter, including app owners, entitlement owners, and dependent business services. Without those links, change management cannot reliably tell whether an access change is safe.
- Measure revocation, not just provisioning speed: Track how long access persists after it should be removed, and report that alongside onboarding cycle time and approval throughput. A fast provisioning process with slow revocation is a governance failure, not an efficiency gain.
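The reconciliation described in the technical breakdown (CMDB identity context, lifecycle edge cases, usage-driven review triggers) and in the three practitioner actions above, as an added example that is not part of the original post or of Zluri's product: a small Python script over constructed sample records standing in for an HR/ownership feed, an entitlement export and last-used telemetry. All field names and sample values are assumptions made for the example. It computes revocation lag for leavers and flags entitlements left open after exit, stale after a role change, orphaned by a departed or missing service-account owner, unlinked to any business service, or unused for longer than a review window.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data with assumed field names (added example, not the
# article's or Zluri's code). The records stand in for an HR/ownership feed,
# an entitlement export and last-used telemetry, joined on identity id.

@dataclass
class Identity:
    id: str
    kind: str                                 # "human" or "service"
    role: str
    owner: Optional[str] = None               # human owner of a service account
    left_at: Optional[datetime] = None        # offboarding event
    role_changed_at: Optional[datetime] = None

@dataclass
class Entitlement:
    identity: str
    app: str
    privilege: str
    granted_at: datetime
    granted_for_role: str                     # role that justified the grant
    business_service: Optional[str] = None    # CMDB dependency, if recorded
    revoked_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None

NOW = datetime(2025, 6, 1)                    # constructed "today" for the run

IDENTITIES = {i.id: i for i in [
    Identity("alice", "human", "support-eng", left_at=datetime(2025, 5, 1)),
    Identity("bob", "human", "finance-analyst", role_changed_at=datetime(2025, 3, 15)),
    Identity("carol", "human", "sre"),
    Identity("svc-backup", "service", "service", owner="alice"),   # owner has left
    Identity("svc-report", "service", "service", owner=None),      # no owner at all
]}

ENTITLEMENTS = [
    Entitlement("alice", "helpdesk", "agent", datetime(2024, 1, 10), "support-eng",
                "Support", revoked_at=datetime(2025, 5, 3)),       # closed 2 days late
    Entitlement("alice", "cloud-console", "admin", datetime(2024, 3, 1), "support-eng",
                "Platform"),                                       # never revoked
    Entitlement("bob", "ci-system", "deploy", datetime(2024, 9, 1), "contractor-dev",
                "CI", last_used_at=datetime(2024, 12, 1)),         # survived role change
    Entitlement("bob", "erp", "read", datetime(2025, 3, 16), "finance-analyst",
                "Finance", last_used_at=datetime(2025, 5, 30)),    # current and in use
    Entitlement("carol", "cloud-console", "admin", datetime(2024, 1, 1), "sre",
                "Platform", last_used_at=datetime(2025, 1, 15)),   # idle admin
    Entitlement("svc-backup", "storage", "write", datetime(2023, 6, 1), "service",
                "Backups", last_used_at=datetime(2025, 5, 31)),
    Entitlement("svc-report", "warehouse", "read", datetime(2024, 1, 1), "service",
                None),                                             # no service, never used
]


def revocation_lag(identities, entitlements):
    """Days between a leaver's exit and each entitlement's revocation.
    None means the entitlement is still open: the loop was never closed."""
    lag = {}
    for e in entitlements:
        ident = identities[e.identity]
        if ident.left_at is None:
            continue
        lag[(e.identity, e.app)] = (
            (e.revoked_at - ident.left_at).days if e.revoked_at else None)
    return lag


def lifecycle_findings(identities, entitlements, now=NOW, unused_days=90):
    """Reconcile lifecycle state, ownership and usage against open entitlements."""
    findings = []
    # Ownership checks are per identity, so a service account is flagged once.
    for ident in identities.values():
        if ident.kind == "service":
            if ident.owner is None:
                findings.append(("orphaned_no_owner", ident.id, None))
            elif identities[ident.owner].left_at is not None:
                findings.append(("orphaned_owner_left", ident.id, None))
    for e in entitlements:
        if e.revoked_at is not None:
            continue                          # already closed; nothing to review
        ident = identities[e.identity]
        if ident.left_at is not None:
            findings.append(("open_after_exit", e.identity, e.app))
            continue                          # exit outranks every other check
        if (ident.role_changed_at and e.granted_for_role != ident.role
                and e.granted_at < ident.role_changed_at):
            findings.append(("stale_after_role_change", e.identity, e.app))
        if e.business_service is None:
            findings.append(("no_business_service", e.identity, e.app))
        if e.last_used_at is None:
            if (now - e.granted_at).days > unused_days:
                findings.append(("never_used", e.identity, e.app))
        elif (now - e.last_used_at).days > unused_days:
            findings.append(("unused", e.identity, e.app))
    return findings


if __name__ == "__main__":
    for key, days in revocation_lag(IDENTITIES, ENTITLEMENTS).items():
        status = f"revoked after {days} days" if days is not None else "STILL OPEN"
        print(key, status)
    for finding in lifecycle_findings(IDENTITIES, ENTITLEMENTS):
        print(finding)
```

Run as a script it prints the lag for each of the leaver's entitlements and the list of findings. The design point is that revocation lag and usage are computed from the same joined records that drive provisioning, so the back half of the chain (exit, role change, owner departure, idle privilege) is measured with the data the front half already has, rather than from memory or a separate spreadsheet.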
Key takeaways
- IT operations best practices matter to identity teams because the same workflows that improve service delivery also govern access, entitlement, and revocation.
- Automation improves efficiency only when it is paired with lifecycle accountability, or else it scales stale access and approval drift.
- The most useful ITOM programmes expose identity context, not just infrastructure status, so governance can verify who still has access and why.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access management and lifecycle governance align with the article's approval and offboarding themes. |
| NIST Zero Trust (SP 800-207) | SA-3 | The article's control-plane logic depends on continuous verification of service access. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Lifecycle control for machine and service identities is relevant to automation and offboarding gaps. |
Use zero-trust principles to re-check identity and access state before operational changes are executed.
Key terms
- Configuration Management Database: A configuration management database is a system of record for assets and their relationships across an IT environment. In identity work, its value depends on whether it captures ownership, dependency, and access relationships, not just hardware or software inventory. Used well, it supports change control and accountability.
- Identity Lifecycle Management: Identity lifecycle management is the set of processes used to create, change, review, and remove access as roles and relationships change. It applies to users, service accounts, and other non-human identities. Its purpose is to keep access aligned to current business need, not past entitlement history.
- Entitlement Drift: Entitlement drift is the gradual mismatch between granted access and actual operational need. It happens when provisioning is faster or more frequent than review, revocation, or ownership updates. Over time, drift expands exposure, weakens auditability, and makes access governance look healthier than it is.
- Operational Control Plane: An operational control plane is the layer where workflow, inventory, monitoring, and approval decisions are coordinated. In identity programmes, it becomes effective only when it can connect actions to ownership and lifecycle state. Without that context, it manages activity but not accountability.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: IT teams top 6 IT operations management best practices. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org