TL;DR: ITSM practices can improve service quality, efficiency, and self-service, but Zluri’s analysis also shows they only work when approval flows, access requests, and provisioning are tightly governed. The deeper issue is that service management becomes an identity control problem as soon as tickets drive access decisions.
At a glance
What this is: This is an ITSM best-practices article that argues service management improves operations when it is aligned to business goals, measured with KPIs, customized to users, automated with self-service, and supported by a capable ITSM tool.
Why it matters: It matters to IAM, IGA, and service desk teams because every app request, approval, provisioning step, and deprovisioning workflow is also an access governance decision.
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
👉 Read Zluri's ITSM best practices article for service management and access workflow detail
Context
ITSM is the operating layer where service requests, approvals, incident handling, and change control meet identity governance. In practice, that means every app request, password reset, provisioning step, and deprovisioning action has an access decision hidden inside it, whether the organisation treats it that way or not.
Zluri’s article frames ITSM as a way to improve service quality, efficiency, collaboration, risk management, and performance measurement. For IAM and IGA teams, the important point is that ITSM only delivers those outcomes when request fulfilment and entitlement governance are aligned, otherwise the service desk simply becomes a faster path to bad access decisions.
The article’s starting position is typical for organisations trying to modernise support operations without rethinking identity workflows. That is exactly where governance gaps appear first: in approvals, visibility, and lifecycle handling rather than in the tool itself.
Key questions
Q: How should security teams govern self-service access in ITSM workflows?
A: Treat self-service as a governed access path, not a convenience layer. Require entitlement rules, app ownership checks, and audit logging before any request can create access or assign a licence. If those controls are missing, users may get speed, but the organisation inherits unmanaged privilege and poor accountability.
Q: Why do ITSM tools often create identity governance gaps?
A: They are usually designed to move tickets, not to enforce ownership, expiry, or recertification. When request fulfilment is separated from identity state, access can be granted without a reliable control record. That creates stale entitlements, unclear accountability, and weak deprovisioning follow-through.
Q: What breaks when service requests are not tied to access approvals?
A: The workflow loses its control point and becomes a fast route to privilege sprawl. Users, managers, or support staff may approve access inconsistently, and no one can later prove why the entitlement exists or when it should be removed. That is where unmanaged access starts.
Q: How do organisations measure whether ITSM is improving identity governance?
A: Use access-focused metrics alongside service metrics. Track approval latency, exception rates, orphaned access, and deprovisioning completion, then compare those numbers with ticket throughput and uptime. If the process is fast but leaves stale access behind, it is optimising service delivery at the expense of governance.
Technical breakdown
ITSM strategy and identity governance alignment
An ITSM strategy defines how services are prioritised, delivered, and improved. In identity terms, that strategy only works if service requests map to entitlement rules, ownership, and lifecycle states. Without that mapping, a ticket becomes a standalone instruction instead of a governed access event. The article’s emphasis on aligning ITSM with business goals is therefore also an access governance problem: which services are critical, who may approve them, and how risk is measured after fulfilment. That alignment matters because service delivery speed can easily outrun control consistency when identity data is fragmented.
Practical implication: tie every service workflow to an entitlement owner, approval rule, and recertification path before automating fulfilment.
Self-service and automated provisioning control points
Self-service reduces operational load by letting users request common services without manual IT intervention. The technical question is not whether automation is useful, but where it sits in the control chain. If the workflow can grant access, assign licenses, or create accounts, then the self-service layer is effectively an identity decision engine. That requires policy checks, approval logic, and auditability, not just convenience. In IAM programmes, the risk is allowing streamlined requests to bypass ownership validation or deprovisioning discipline. Automation without governance simply compresses the time to make the same mistakes.
Practical implication: enforce policy checks and logging inside self-service flows so automation cannot bypass approval, ownership, or removal controls.
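As an added illustration (not code from the original article or from Zluri), the following Python sketch contrasts a self-service fulfilment step that treats the ticket as the instruction with one that evaluates role, app ownership and approval before granting anything and records every outcome. The app catalogue, role model, addresses and 90-day expiry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2025, 10, 4)  # constructed clock for the demo

# Constructed catalogue (assumed, not from any real tenant): the owner of each
# app and the entitlements each business role is allowed to hold.
APP_OWNERS = {"crm": "alice@example.test", "payroll": "bob@example.test"}
ROLE_ENTITLEMENTS = {"sales": {"crm:user"}, "finance": {"payroll:admin", "crm:user"}}

@dataclass
class Request:
    ticket: str
    requester: str
    role: str
    entitlement: str              # "<app>:<level>"
    approver: Optional[str] = None

@dataclass
class Grant:
    entitlement: str
    owner: str
    approved_by: str
    expires_at: Optional[datetime]

def fulfil_ungoverned(req):
    """'Ticket as instruction': whatever was requested is granted, with no
    owner, no approver of record and no expiry. This is the gap the text describes."""
    return Grant(req.entitlement, owner="", approved_by="", expires_at=None)

def fulfil_governed(req, audit, now=NOW, ttl_days=90):
    """Evaluate role, app ownership and approval before anything is granted.
    Returns a Grant or None; every outcome is appended to the audit list."""
    app = req.entitlement.split(":", 1)[0]
    owner = APP_OWNERS.get(app)
    if owner is None:
        audit.append((req.ticket, "denied", "no app owner on record"))
        return None
    if req.entitlement not in ROLE_ENTITLEMENTS.get(req.role, set()):
        audit.append((req.ticket, "exception", "entitlement outside role model"))
        return None
    if req.approver != owner:
        audit.append((req.ticket, "denied", "approval not from app owner"))
        return None
    grant = Grant(req.entitlement, owner, req.approver, now + timedelta(days=ttl_days))
    audit.append((req.ticket, "granted", f"expires {grant.expires_at.date()}"))
    return grant
```

The audit list is the control record the article says is missing when fulfilment is separated from identity state: it explains why access exists and when it ends.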
KPIs for service management and access outcomes
The article uses KPIs to show whether ITSM is meeting business objectives. For identity teams, useful KPIs must include more than ticket volume or response time. They should measure approval latency, orphaned access rate, recertification completion, and the percentage of requests that result in exceptions. Those metrics reveal whether the service model is reducing friction without expanding privilege. A fast process can still be a weak one if it consistently creates unowned access or leaves stale entitlements in place. Measurement is the only way to tell operational efficiency from governance drift.
Practical implication: add access-safety KPIs to ITSM dashboards, not just service SLAs, so speed does not mask privilege creep.
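To make the access-safety KPIs concrete, here is an added example (not from the original article) that computes approval latency, exception rate, orphaned access rate and deprovisioning completion over a small constructed export of fulfilled requests, and flags the "fast but leaking" pattern the text warns about. The record fields and thresholds are assumptions, not any product's schema.

```python
from datetime import datetime

# Constructed sample of fulfilled access requests (assumed field names, not a
# real ITSM export). Timestamps are ISO 8601; removed=None means still active.
RECORDS = [
    {"ticket": "T1", "requested": "2025-09-01T09:00", "approved": "2025-09-01T11:00",
     "owner": "alice", "exception": False, "removal_due": "2025-09-20", "removed": "2025-09-20"},
    {"ticket": "T2", "requested": "2025-09-02T09:00", "approved": "2025-09-04T09:00",
     "owner": None, "exception": True, "removal_due": "2025-09-25", "removed": None},
    {"ticket": "T3", "requested": "2025-09-03T08:00", "approved": "2025-09-03T09:00",
     "owner": "bob", "exception": False, "removal_due": "2025-10-30", "removed": None},
    {"ticket": "T4", "requested": "2025-09-05T10:00", "approved": "2025-09-05T12:00",
     "owner": "bob", "exception": True, "removal_due": "2025-09-30", "removed": None},
]

def _dt(s):
    return datetime.fromisoformat(s)

def access_kpis(records, now):
    """Governance KPIs the article calls for, computed beside plain throughput."""
    now = _dt(now)
    total = len(records)
    latency_h = [(_dt(r["approved"]) - _dt(r["requested"])).total_seconds() / 3600
                 for r in records]
    active = [r for r in records if r["removed"] is None]          # grants still live
    due = [r for r in records if _dt(r["removal_due"]) <= now]     # removal was owed
    closed = [r for r in due if r["removed"] is not None]          # removal happened
    return {
        "tickets_fulfilled": total,
        "approval_latency_hours_avg": sum(latency_h) / total,
        "exception_rate": sum(r["exception"] for r in records) / total,
        "orphaned_access_rate": sum(r["owner"] is None for r in active) / len(active),
        "deprovisioning_completion": len(closed) / len(due) if due else 1.0,
    }

def governance_drift(kpis, max_orphaned=0.0, min_deprovisioning=0.95):
    """True when the desk is issuing unowned access or not closing removals,
    regardless of how healthy the throughput numbers look."""
    return (kpis["orphaned_access_rate"] > max_orphaned
            or kpis["deprovisioning_completion"] < min_deprovisioning)
```

On the sample, throughput looks fine (four tickets, average approval under a day) while a third of live access has no owner and only one of three due removals was completed, which is exactly the drift a service-only dashboard would hide.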
NHI Mgmt Group analysis
ITSM is an identity governance surface, not just an operations discipline. The article treats service management as a way to improve speed, quality, and customer satisfaction, but the underlying control plane is access. Every request, approval, and fulfilment step changes who or what can do what inside the environment. That means ITSM maturity should be judged partly by how well it preserves ownership, auditability, and lifecycle control across services. Practitioners should stop treating service desk design and identity design as separate conversations.
Self-service only improves security when the workflow carries policy with it. The article correctly points to automation as a way to reduce repetitive work, but self-service without entitlement guardrails just moves approval risk earlier in the user journey. The issue is not whether users can request access quickly, but whether the request is evaluated against business role, app owner, and lifecycle state before fulfilment. Practitioners should treat self-service as governed orchestration, not convenience automation.
Approval latency debt: when ITSM processes are slow, users and teams work around them, and shadow access practices grow around the official workflow. The article’s focus on reducing waiting time is directionally right, but the real governance risk is that long queues create unmanaged alternatives. That pattern shows up in manual grants, informal approvals, and duplicate accounts. The implication is that access governance must be designed to be fast enough that people do not create a parallel process.
Performance metrics need to expose access risk, not just service throughput. The article argues for KPIs, but most service metrics miss the governance outcomes that matter most to IAM and IGA teams. A process can be fast and still be unsafe if it repeatedly issues over-broad access or fails to remove it. Practitioners should measure entitlement accuracy, deprovisioning closure, and exception rates alongside availability and response time.
ITSM tooling becomes decisive only when it can enforce identity state transitions. The article positions the ITSM tool as the practical enabler of better service delivery, which is true only if the platform can preserve ownership, approvals, and audit trails across the request lifecycle. Tool selection should therefore be driven by whether it can express who approved what, when access should expire, and how removal is verified. Practitioners should evaluate tools on governance enforcement, not ticket handling alone.
From our research:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to The 2026 Infrastructure Identity Survey.
- Read the NHI Lifecycle Management Guide for the provisioning, rotation, and offboarding controls that service workflows must preserve.
What this signals
Approval latency debt: ITSM programmes that optimise for speed without identity controls usually create a shadow governance layer outside the formal workflow. The practical signal is not just ticket backlog, but the growth of informal approvals, duplicate requests, and access exceptions that never make it into the record.
With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, per The 2026 Infrastructure Identity Survey, the broader lesson is that access decisions are already drifting beyond human-paced governance. ITSM teams should expect the same drift whenever automation is allowed to outpace policy.
Programme owners should watch for service-management metrics that look healthy while identity outcomes deteriorate. A low ticket queue can hide poor entitlement hygiene, especially when self-service, delegated approvals, and automated fulfilment are not tied back to lifecycle closure and periodic review.
For practitioners
- Map service requests to identity decisions: Classify every common request as a provisioning, change, or deprovisioning event, then assign an owner and approval rule to each path. This prevents the service desk from becoming a generic access oracle.
- Build policy checks into self-service workflows: Require role validation, app ownership, and exception logging before a request can create access or assign a license. If the workflow cannot enforce those checks, it should not be allowed to fulfil the request automatically.
- Add identity outcomes to ITSM KPI dashboards: Track approval latency, orphaned access, exception frequency, and removal completion alongside incident and availability metrics. That makes service performance accountable to governance, not just operational speed.
Key takeaways
- ITSM becomes an identity control surface the moment service requests can create, modify, or remove access.
- Speed metrics alone are not enough, because a fast service workflow can still leave stale entitlements and weak accountability behind.
- Practitioners should align self-service, approvals, and provisioning with explicit identity ownership and removal controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | ITSM approvals and fulfilment directly affect access control consistency. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Automated provisioning and self-service can create unmanaged non-human access. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero trust requires continuous verification even when access is requested through ITSM. |
Ensure ITSM fulfilment still passes through policy-based verification and least privilege.
Key terms
- IT service management: IT service management is the set of policies, processes, and procedures used to design, deliver, manage, and improve technology services. In identity programmes, it also becomes the operational path through which access is requested, approved, fulfilled, and later removed.
- Self-service access: Self-service access lets users request common services or entitlements without waiting for manual IT handling. In governance terms, it only remains safe when the workflow still enforces policy checks, approval rules, audit logging, and expiry logic before access is granted.
- Approval workflow: An approval workflow is the control sequence used to decide whether a request may proceed. For identity and access management, it should identify the approver, validate entitlement ownership, and preserve a record that explains why access was granted and when it should end.
- Orphaned access: Orphaned access is entitlement that no longer has a valid owner, business purpose, or lifecycle trigger to remove it. It is a common governance failure in service-heavy environments because access can outlive the request that created it and remain active indefinitely.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Best Practices 5 ITSM Best Practices for Organizations. Read the original.
Published by the NHIMG editorial team on 2025-10-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org