TL;DR: IT service management is presented here as the operating layer for access requests, incident handling, change control, and service delivery metrics, with Zluri arguing that automation improves speed and consistency across those workflows. The real governance issue is that ITSM can accelerate approvals without fixing entitlement sprawl, stale access, or weak lifecycle controls.
At a glance
What this is: This is a primer on IT service management that frames access requests, change handling, and service metrics as process problems with identity implications.
Why it matters: It matters because IAM, NHI, and human access programmes all depend on the same lifecycle controls, and ITSM can only help if those controls are explicit.
By the numbers:
- ITSM automation can manage the same process 10x more efficiently than a manual method involving multiple steps.
👉 Read Zluri's guide to ITSM access management and service delivery
Context
IT service management is a workflow discipline for organizing, approving, and resolving IT requests. In identity programmes, the key question is not whether ticketing works, but whether the workflow enforces correct access decisions for human users, service accounts, and other non-human identities.
When access requests move through ITSM without strong governance, speed can outrun accountability. That matters for IAM teams because the same approval machinery that handles employee access can also mask privilege creep, stale entitlements, and weak offboarding if lifecycle ownership is unclear.
Key questions
Q: How should security teams use ITSM for access requests without weakening governance?
A: Treat ITSM as the workflow layer, not the authority layer. Every approval should reference a named owner, a valid business reason, and a planned revocation point. That keeps service speed from overriding access control and makes the ticket system support IAM decisions instead of replacing them.
Q: Why do ITSM workflows often create access creep?
A: They are usually optimised for speed, not entitlement hygiene. If role changes, temporary access, and exception approvals do not automatically trigger removal or review, the organisation keeps granting access without reliably taking it away. Over time, that creates accumulated privilege and weakens least privilege.
Q: How do you know if ITSM is actually improving identity governance?
A: Look beyond ticket closure time. Effective governance shows up when access is granted with clear ownership, removed on role change, and recertified on a regular cycle. If approvals are fast but stale accounts and excess privileges keep rising, the workflow is efficient but not secure.
Q: What is the difference between ITSM efficiency and access governance quality?
A: Efficiency measures how quickly requests move. Governance quality measures whether the resulting access is appropriate, temporary when needed, and removed when no longer justified. A team can meet every SLA and still overprovision users if the underlying decision criteria are weak.
Technical breakdown
Service request management and access approvals
Service request management routes employee requests into a queue, then prioritizes and approves them according to policy. In identity terms, that queue becomes the decision point for granting access to applications, data, or systems. The technical risk is not the ticket itself, but the quality of the approval logic behind it. If request metadata is incomplete, approvers lack context, or workflows are too generic, the organisation can automate bad decisions just as efficiently as good ones. For IAM and NHI programmes, ITSM should be the control surface where entitlement intent, owner approval, and access duration are made explicit.
Practical implication: tie every access request to a named owner, a clear business reason, and a defined revocation path.
Change management and mid-lifecycle access
Change management in ITSM is meant to handle role changes, transfers, and responsibility shifts. That matters because access is rarely static: people change jobs, contractors change scope, and service identities change purpose. The technical failure mode is lifecycle drift, where access created for one role quietly remains after the role changes. In human IAM, this creates excess privilege. In NHI governance, the same pattern appears when service credentials persist after an integration or workload changes. ITSM is therefore not just a support function; it is a lifecycle signal generator for entitlement updates and removals.
Practical implication: connect role-change events to access removal, not just new access provisioning.
ITSM metrics as governance indicators
Resolution time, first-call resolution, SLA breach rate, and user satisfaction are commonly treated as service metrics. For identity leaders, they also reveal whether approval workflows are operationally sound or merely fast. A short resolution time can still hide poor access hygiene if requests are over-approved. A low SLA breach rate can still coexist with bad entitlement decisions if the workflow lacks review depth. The useful technical interpretation is that ITSM metrics measure process health, not governance quality, unless they are paired with entitlement recertification, orphaned account cleanup, and access scope validation.
Practical implication: pair ITSM performance metrics with access quality metrics so speed does not outrun control.
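The three practical implications above (a request must resolve to an owner, a justification and a revocation condition; role-change events must drive removal; service metrics must be paired with entitlement-quality metrics) can be expressed as checks that run over the ticket queue and the grant inventory. The block below is an added example written for this article, not Zluri's or NHIMG's code. The `AccessRequest`, `Grant`, role-change and role-baseline schemas are assumptions invented for illustration, and all sample tickets and grants are constructed inline.

```python
"""Approval gate, lifecycle-drift check and paired metrics for an ITSM access
queue. Added example for this article (not Zluri's or NHIMG's code); the ticket,
grant, role-change and role-baseline schemas are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    ticket: str
    subject: str                      # human user or non-human identity
    kind: str                         # "human" or "nhi"
    entitlement: str
    opened: datetime
    closed: Optional[datetime] = None
    owner: Optional[str] = None       # named approver who owns the entitlement
    justification: str = ""
    expires: Optional[datetime] = None
    revoke_on_role_change: bool = False


@dataclass
class Grant:
    subject: str
    entitlement: str
    granted_for_role: str             # role the grant was issued against
    expires: Optional[datetime] = None


def approval_gate(req: AccessRequest) -> List[str]:
    """Reasons the request must NOT be approved yet; an empty list passes the gate."""
    problems = []
    if not req.owner:
        problems.append("no named owner")
    if len(req.justification.strip()) < 10:        # assumption: a few characters is not a reason
        problems.append("no business justification")
    if req.expires is None and not req.revoke_on_role_change:
        problems.append("no revocation condition")
    if req.kind == "nhi" and req.expires is None:   # tighter rule: machine access must expire
        problems.append("NHI grant needs an explicit expiry")
    return problems


def lifecycle_drift(grants: List[Grant], role_changes: List[dict],
                    baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Grants issued for a role the subject no longer holds, and not in the new
    role's baseline: these are removal candidates, not mere review items."""
    current_role: Dict[str, str] = {}
    for ev in sorted(role_changes, key=lambda e: e["at"]):
        current_role[ev["subject"]] = ev["to_role"]
    drift = []
    for g in grants:
        role = current_role.get(g.subject)
        if role is None or role == g.granted_for_role:
            continue
        if g.entitlement not in baseline.get(role, set()):
            drift.append((g.subject, g.entitlement, g.granted_for_role, role))
    return drift


def governance_metrics(requests: List[AccessRequest], grants: List[Grant], now: datetime) -> dict:
    """Service metric (resolution time) side by side with an access-quality metric
    (grants past expiry that are still active)."""
    closed = [r for r in requests if r.closed]
    mean_hours = sum((r.closed - r.opened).total_seconds() for r in closed) / 3600 / len(closed)
    stale = [g for g in grants if g.expires is not None and g.expires < now]
    return {"mean_resolution_hours": round(mean_hours, 1),
            "stale_active_grants": len(stale),
            "stale_ratio": round(len(stale) / len(grants), 2)}


# Constructed sample data (not real tickets, identities or roles).
NOW = datetime(2025, 10, 1, 9, 0)
ROLE_BASELINE = {"support-engineer": {"helpdesk-tool", "crm-read"},
                 "finance-analyst": {"erp-read", "erp-post"},
                 "ci-runner": {"artifact-push"}}
REQUESTS = [
    AccessRequest("T-1001", "alice", "human", "crm-read", NOW - timedelta(hours=2), NOW - timedelta(hours=1),
                  owner="crm-owner", justification="Support rotation needs customer lookup",
                  revoke_on_role_change=True),
    AccessRequest("T-1002", "ci-runner-7", "nhi", "artifact-push", NOW - timedelta(hours=3),
                  NOW - timedelta(hours=2, minutes=30), owner="platform-team",
                  justification="Publishes build artifacts for the main repo"),
    AccessRequest("T-1003", "bob", "human", "erp-post", NOW - timedelta(hours=1),
                  NOW - timedelta(minutes=30), justification="need"),
]
GRANTS = [
    Grant("alice", "crm-read", "support-engineer"),
    Grant("alice", "erp-read", "finance-analyst"),
    Grant("ci-runner-7", "artifact-push", "ci-runner", expires=NOW - timedelta(days=30)),
    Grant("bob", "erp-post", "finance-analyst", expires=NOW + timedelta(days=30)),
]
ROLE_CHANGES = [{"subject": "alice", "from_role": "support-engineer",
                 "to_role": "finance-analyst", "at": NOW - timedelta(days=10)}]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.ticket, approval_gate(r) or "PASS")
    print("drift:", lifecycle_drift(GRANTS, ROLE_CHANGES, ROLE_BASELINE))
    print("metrics:", governance_metrics(REQUESTS, GRANTS, NOW))
```

Run as written, every ticket closes within an hour, which looks healthy by SLA, yet two of the three requests fail the gate and one grant survived a role change it no longer matches. That gap between `mean_resolution_hours` and the drift and stale counts is the efficiency-versus-governance distinction the section describes.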
NHI Mgmt Group analysis
ITSM is becoming an identity control plane whether teams label it that way or not. The article frames ITSM as a way to streamline access requests, incident handling, and change management. In practice, those are identity decisions disguised as service operations. The discipline matters because approval speed without entitlement governance simply creates a faster path to overprovisioning. Practitioners should treat service management workflows as part of access governance, not as a separate operational layer.
Access request automation is not the same as access governance. The article praises automation for reducing manual handling, but automation only scales the decision logic that already exists. If role mapping is weak or approver context is thin, the organisation automates inconsistency. This is especially relevant for human IAM and NHI lifecycle processes, where the same request pipeline can either enforce least privilege or preserve privilege creep. Practitioners should separate workflow efficiency from control quality.
Change management should be read as lifecycle enforcement, not administrative housekeeping. The strongest identity value in the article sits in its discussion of revoking previous permissions when a role changes. That is the real governance anchor. Without it, ITSM becomes a provisioning engine with no reliable offboarding or entitlement correction. The implication is simple: lifecycle events must drive access reduction as rigorously as they drive access grants.
Resolution metrics can create a false sense of control unless entitlement outcomes are measured too. A team can meet ticket SLAs while still approving excessive access, missing stale permissions, or leaving orphaned entitlements in place. That is a classic governance blind spot because operational success gets confused with security success. The practitioner test is whether the workflow improves decision quality, not just decision speed.
Identity teams should treat ITSM as a control dependency across human and non-human access. The article’s request, change, and monitoring patterns are equally relevant to employee access and service identities. The difference is that NHI processes often need tighter lifecycle rules because non-human access is persistent, machine-scaled, and easy to forget. Practitioners should align ITSM with access governance, offboarding, and recertification so the same workflow does not create unmanaged access at scale.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to NHI Lifecycle Management Guide.
- For practitioners trying to close the lifecycle gap, the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, is the next place to test how request, rotation, and offboarding controls should fit together.
What this signals
Access workflow efficiency will keep improving, but governance maturity will not improve automatically. If an organisation treats ITSM as a queue optimisation exercise, it will likely speed up provisioning while leaving entitlement ownership unresolved. The practical signal is that identity teams need to measure removal, recertification, and exception closure with the same discipline they apply to ticket velocity, especially for NIST Cybersecurity Framework 2.0 alignment.
Identity lifecycle is the real pressure point hidden inside service management. The article’s lifecycle discussion maps directly to a broader control gap: access is often granted more reliably than it is removed. That is why service-account governance, offboarding, and role-change handling should be treated as one programme, not three separate ones. For NHI programmes, the relevant anchor is the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
Service management teams should expect identity work to migrate into every request path. Once access, change, and incident handling are all mediated through ITSM, the ticketing layer becomes part of the control stack. That makes entitlement quality, not just approval speed, the metric that matters. The governance test is whether the workflow can support least privilege without turning every request into a manual exception.
For practitioners
- Map access requests to entitlement ownership. Require every request to resolve to a named owner, a business justification, and a revocation condition before approval. That prevents ITSM queues from becoming blind approval factories and gives auditors a clear accountability chain.
- Link role changes to access reduction. Use change management events to trigger removal of outdated permissions, not just provisioning of new ones. This is the cleanest way to stop privilege creep when people move roles or systems change purpose.
- Separate service metrics from governance metrics. Track resolution time and SLA breach rate alongside entitlement recertification, orphaned account cleanup, and access scope validation. Fast ticket handling should never be treated as evidence of secure access decisions.
- Extend ITSM workflows to NHI lifecycle events. Use the same request and change model for service accounts, API keys, and other machine identities. Pair provisioning with expiry, rotation, and offboarding so non-human access does not outlive its purpose.
Key takeaways
- ITSM is not just an operations layer, because every access request and change event carries identity governance consequences.
- Process speed can improve while entitlement quality deteriorates, which means SLA success is not evidence of secure access control.
- The strongest control outcome comes from linking request handling, lifecycle change, and offboarding so access is both timely and reversible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (access permissions and entitlements defined, managed, enforced and reviewed under least privilege) | Access approvals and role changes map to least-privilege enforcement and periodic review. |
| OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding; NHI5 Overprivileged NHI | Lifecycle and revocation gaps, and over-broad grants, affect service accounts and API keys too. |
| NIST Zero Trust (SP 800-207) | Sec. 2.1 tenets; policy engine and policy administrator (Sec. 3) | Continuous, per-request authorization depends on timely entitlement review and revocation feeding the policy decision point. |
Tie ITSM approvals to least-privilege checks and remove access when roles change.
Key terms
- Service Request Management: Service request management is the ITSM process for receiving, triaging, approving, and fulfilling routine requests. In identity programmes, it becomes the mechanism that decides who gets access to what, for how long, and under whose approval. Poor design turns it into a fast path to overprovisioning.
- Change Management: Change management is the controlled process used to manage role shifts, service changes, and operational updates. In identity governance, it is the trigger point where access should be added, reduced, or removed based on a new business need. If change handling is weak, privilege creep becomes normal.
- Entitlement Governance: Entitlement governance is the discipline of deciding, tracking, and reviewing what access is appropriate for each identity. It applies to people, service accounts, and other non-human identities. The goal is not just granting access efficiently, but proving that every permission remains justified over time.
- Lifecycle Offboarding: Lifecycle offboarding is the formal removal of access when an identity no longer needs it. For human users, that often follows a role change or departure. For non-human identities, it means revoking keys, tokens, and service credentials before they persist beyond the workload or integration they support.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Access Management IT Service Management (ITSM): 101 Guide. Read the original.
Published by the NHIMG editorial team on 2025-10-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org