TL;DR: ITSM platforms can route and approve access requests, but they do not determine least-privilege scope, time-bound entitlement, or segregation-of-duties risk, according to Zluri. The governance gap is not speed; it is that ticketing alone cannot decide what access should exist, for how long, or at what permission level.
At a glance
What this is: This is a vendor analysis of ITSM tools for 2026, with the key finding that ticketing systems alone do not provide access governance for identity requests.
Why it matters: It matters because IAM, NHI, and human access programmes all fail when provisioning is treated as workflow handling instead of entitlement control, review, and expiry.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
👉 Read Zluri's analysis of ITSM tools and access request governance
Context
ITSM tools are designed to route work, track incidents, and standardise service requests. They are not designed to decide entitlement scope, enforce time-bound access, or evaluate whether a requested permission conflicts with an existing identity posture. In practice, that means access requests can be completed inside a ticketing process while the underlying governance problem remains unresolved.
For IAM teams, the important question is not whether requests can be approved faster. It is whether the approval path is tied to policy, entitlement precision, and revocation discipline. That distinction matters across human access, workload identities, and AI-driven access patterns, where a closed ticket does not automatically mean the access decision was sound.
Key questions
Q: How should security teams handle access requests when ITSM tools are already in place?
A: Use ITSM as the intake and routing layer, but move entitlement decisions into a policy-controlled access governance process. The approval should determine the correct role, permission level, and expiry condition before access is provisioned. Otherwise, the organisation measures workflow completion, not access correctness.
Q: Why do ticketing systems fail as access governance controls?
A: Ticketing systems record demand and approvals, but they usually cannot assess whether the requested access is least privilege, whether it conflicts with existing entitlements, or whether it should expire automatically. That makes them useful for tracking work, but weak as the control point for governance.
Q: How do organisations know whether access governance is working?
A: Look for reduced standing privilege, fewer overlapping entitlements, and reliable revocation after the business need ends. If tickets are closing quickly but access remains broad or persistent, the control is only moving requests faster, not governing them better.
Q: What is the difference between ITSM workflow automation and access governance?
A: Workflow automation moves requests through a process. Access governance decides what access is appropriate, validates policy, and ensures the entitlement is limited in scope and duration. The two can work together, but they are not interchangeable.
Technical breakdown
Why ITSM workflows do not equal access governance
ITSM tools manage the movement of requests. Access governance manages the decision about what should be granted, at what level, and for how long. A ticketing workflow can record an approval, but it usually cannot reason about role fit, permission tier, SoD conflicts, or whether the same user already has overlapping access elsewhere. That is why ticket closure often becomes a false signal of control. The operational gap appears when service desks are asked to perform entitlement design through forms and queues. Practical identity control requires policy enforcement at the point of request, not after manual handling.
Practical implication: keep ITSM for routing, but move entitlement decisions into policy-controlled access governance.
Policy-driven provisioning and time-bound access
Policy-driven provisioning means the system evaluates a request against predefined rules before access is issued. Instead of granting generic app access, it can assign the correct license tier, permission set, and expiry window for the task. Time-bound access is especially important because many access requests are project-based, temporary, or narrow in scope. Without expiry, the entitlement can outlive the business need and become standing privilege. In IAM terms, this changes the control from manual provisioning to governed issuance. In NHI programmes, the same logic applies to service credentials that should not persist beyond their operational purpose.
Practical implication: require expiry conditions for temporary access and measure whether entitlements outlive their business purpose.
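The decision logic the two sections above describe, as an added example that is not code from Zluri, from any ITSM product, or from the original page: a small policy engine that receives an access request carrying only an ITSM ticket reference and decides role, expiry and approval path before anything is provisioned. The role catalogue, the SoD pair, the NHI expiry ceiling, the identities and the ticket numbers are constructed assumptions for illustration. It also goes slightly beyond the text by showing the three refusal paths (role not issuable, grant already held, SoD conflict) alongside the capped-expiry approval.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed role catalogue (an assumption for this example): per application, the
# roles the policy may issue, the longest lifetime each may carry, and who must
# approve. A role absent from the catalogue cannot be provisioned via a request.
ROLE_CATALOGUE = {
    "payments-api": {
        "reader":   {"max_ttl": timedelta(days=90), "approvers": ["app-owner"]},
        "operator": {"max_ttl": timedelta(days=30), "approvers": ["app-owner", "security"]},
        "admin":    {"max_ttl": timedelta(hours=8), "approvers": ["app-owner", "security", "ciso"]},
    },
    "erp": {
        "ap-clerk":    {"max_ttl": timedelta(days=365), "approvers": ["finance-lead"]},
        "ap-approver": {"max_ttl": timedelta(days=365), "approvers": ["finance-lead"]},
    },
}

# Segregation-of-duties pairs (constructed): an identity may never hold both sides at once.
SOD_CONFLICTS = [frozenset({("erp", "ap-clerk"), ("erp", "ap-approver")})]

# Workload / service identities get a tighter expiry ceiling than the catalogue allows humans.
NHI_MAX_TTL = timedelta(days=7)


@dataclass
class Entitlement:
    app: str
    role: str
    expires_at: datetime


@dataclass
class AccessRequest:
    ticket_id: str          # ITSM reference: routing and evidence only, carries no authority
    identity: str
    is_nhi: bool
    app: str
    role: str
    requested_ttl: timedelta


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    entitlement: Optional[Entitlement] = None
    approvers: list[str] = field(default_factory=list)


def evaluate(req: AccessRequest, existing: list[Entitlement], now: datetime) -> Decision:
    """Decide role, expiry and approval path before provisioning; the ticket is only the carrier."""
    rule = ROLE_CATALOGUE.get(req.app, {}).get(req.role)
    if rule is None:
        return Decision(False, [f"{req.app}/{req.role} is not an issuable role"])

    live = {(e.app, e.role) for e in existing if e.expires_at > now}

    # Overlap: refuse to stack a second grant on a role the identity already holds live.
    if (req.app, req.role) in live:
        return Decision(False, [f"{req.identity} already holds {req.app}/{req.role}"])

    # SoD: refuse if the new role would complete a forbidden pair with a live entitlement.
    for pair in SOD_CONFLICTS:
        if (req.app, req.role) in pair and (pair - {(req.app, req.role)}) <= live:
            return Decision(False, [f"SoD conflict with live entitlements: {sorted(pair)}"])

    # Expiry: every grant leaves with an end date, capped by the catalogue and the NHI ceiling.
    decision = Decision(True)
    ceiling = min(rule["max_ttl"], NHI_MAX_TTL) if req.is_nhi else rule["max_ttl"]
    ttl = req.requested_ttl
    if ttl > ceiling:
        decision.reasons.append(f"ttl capped from {ttl} to {ceiling}")
        ttl = ceiling

    decision.entitlement = Entitlement(req.app, req.role, now + ttl)
    decision.approvers = list(rule["approvers"])
    return decision


def run_sample() -> dict[str, Decision]:
    """Evaluate constructed sample requests; returns decisions keyed by (hypothetical) ticket id."""
    now = datetime(2026, 5, 20, tzinfo=timezone.utc)
    held = {
        "bob":   [Entitlement("erp", "ap-clerk", now + timedelta(days=200))],
        "carol": [Entitlement("payments-api", "reader", now + timedelta(days=10))],
    }
    requests = [
        AccessRequest("INC-2001", "alice", False, "payments-api", "admin", timedelta(days=30)),
        AccessRequest("INC-2002", "svc-build", True, "payments-api", "reader", timedelta(days=90)),
        AccessRequest("INC-2003", "bob", False, "erp", "ap-approver", timedelta(days=30)),
        AccessRequest("INC-2004", "carol", False, "payments-api", "reader", timedelta(days=30)),
        AccessRequest("INC-2005", "dave", False, "payments-api", "owner", timedelta(days=1)),
    ]
    return {r.ticket_id: evaluate(r, held.get(r.identity, []), now) for r in requests}


if __name__ == "__main__":
    for ticket, d in run_sample().items():
        expiry = d.entitlement.expires_at.isoformat() if d.entitlement else "-"
        print(ticket, "ALLOW" if d.allowed else "DENY", expiry, d.approvers, d.reasons)
```

The point of the design is that the ticket id never enters `evaluate` as an input to the decision: the catalogue, the live entitlement set and the clock do. A 30-day admin request is issued for the eight hours the catalogue allows, a service account's 90-day read request is cut to seven days, and the requests that would stack, conflict or name a role nobody can issue are refused before any provisioning step runs.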
Auditability is not the same as real-time visibility
An audit trail tells you what happened. Real-time visibility tells you what is still active now. That distinction matters because many ticket-based workflows are good at documenting approvals but weak at showing current access state, active permission level, or policy violations across identities. For security and compliance, the real control question is whether the organisation can answer who has access, at what level, and whether that access still matches policy. Without that, audit evidence may exist while governance drift accumulates quietly. This is a common failure mode in both human access and non-human identity management.
Practical implication: pair ticket logs with live entitlement visibility and periodic access review across identities.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ITSM-based access handling creates governance theatre when it is treated as the control. Ticketing proves that a request moved through a queue, not that the resulting entitlement was appropriate. The underlying assumption is that workflow completion equals access correctness, and that assumption breaks as soon as access scope, expiry, or role fit matters. Practitioners should treat ticket closure as evidence of process completion, not entitlement assurance.
Standing access is the predictable by-product of workflow-first provisioning. When access is granted through general-purpose service desks, the system tends to preserve whatever was easiest to approve and hardest to revisit. That is how over-permissioning accumulates across human users and non-human identities alike. The practitioner conclusion is simple: if revocation and expiry are not built into issuance, standing privilege becomes the default.
Identity blast radius: the gap between approved access and appropriate access grows when approval systems cannot evaluate permission level. This article exposes a familiar failure mode in enterprise governance, where the approval event is separated from the entitlement decision. Once those two steps are decoupled, the blast radius expands through over-granted licenses, orphaned access, and delayed cleanup. Practitioners should recognise that access control quality depends on entitlement precision, not ticket throughput.
Access governance should be measured by revocation certainty, not request throughput. Faster processing can still leave the organisation with stale access, hidden privilege overlap, and weak SoD enforcement. In other words, a well-run ticket queue can coexist with a poorly governed identity estate. The practitioner takeaway is to inspect whether the control outcome is reduction in standing privilege, not just reduction in ticket volume.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- See the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for the lifecycle controls that ITSM ticketing does not replace.
What this signals
ITSM-led access workflows will keep appearing attractive because they reduce visible queue pressure, but queue reduction is not the same as governance maturity. The operational test is whether identity teams can prove that granted access matched policy at issuance and was revoked when the need ended. For non-human identities, that matters because lifecycle drift is where standing privilege becomes normal.
Request-to-entitlement gap: this is the control gap most teams miss when they equate service desk efficiency with security control. If the request process is separate from entitlement precision, the organisation can accelerate approvals while simultaneously widening the identity blast radius. That is a governance problem, not a tooling problem.
Teams building modern access programmes should align service desk workflows with lifecycle controls, using the NHI Lifecycle Management Guide where provisioning and revocation discipline apply to machine identities as well as people. The same logic also supports the NIST Cybersecurity Framework 2.0 focus on govern, protect, and recover outcomes.
For practitioners
- Separate request routing from entitlement decisions: keep the ITSM system as the intake and workflow layer, but require a policy engine to decide license tier, permission scope, and approval path before access is provisioned.
- Enforce expiry on temporary access: make every project-based or exception-based entitlement carry an automatic end condition so access does not persist after the business need ends.
- Review overlapping access across identities: check whether the same person or workload already has standing access in other systems before granting a new entitlement, especially where permissions compound.
- Tie audit evidence to live entitlement state: do not rely on closed tickets alone. Validate current access level, active entitlements, and policy violations against the live directory or governance source of record.
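The reconciliation that the "Auditability is not the same as real-time visibility" section and the last checklist item call for, as an added example that is not from the original page, from Zluri, or from any vendor product: it reads a ticket export (what was approved, at what role, until when) and a live entitlement snapshot (what is active now) and reports the three gaps a closed ticket hides. The CSV and JSON layouts, the identities, applications and ticket numbers are constructed assumptions; a real run would pull the snapshot from the directory or IGA source of record.

```python
from __future__ import annotations

import csv
import io
import json
from datetime import datetime, timezone

# Constructed ITSM ticket export (an assumption for this example): one access-request
# ticket per row, recording the role and expiry that the approval actually covered.
TICKET_LOG = """\
ticket,identity,app,role,approved_until,outcome
INC-1001,alice,payments-api,reader,2026-06-30T00:00:00+00:00,approved
INC-1002,svc-build,ci,deploy,2026-05-01T00:00:00+00:00,approved
INC-1003,bob,erp,ap-clerk,2027-05-01T00:00:00+00:00,approved
INC-1004,carol,payments-api,reader,2026-12-31T00:00:00+00:00,approved
INC-1005,erin,erp,ap-approver,2026-12-31T00:00:00+00:00,rejected
"""

# Constructed live entitlement snapshot, as it would be exported from the source of record.
LIVE_SNAPSHOT = json.dumps([
    {"identity": "alice",     "app": "payments-api", "role": "admin"},
    {"identity": "svc-build", "app": "ci",           "role": "deploy"},
    {"identity": "bob",       "app": "erp",          "role": "ap-clerk"},
    {"identity": "dave",      "app": "erp",          "role": "ap-approver"},
    {"identity": "erin",      "app": "erp",          "role": "ap-approver"},
])


def reconcile(ticket_csv: str, live_json: str, now: datetime) -> dict[str, list]:
    """Compare what tickets say was approved with what is live right now.

    Returns three finding lists:
      unapproved           live grant with no approved ticket (orphaned or never governed)
      expired_not_revoked  approval expiry has passed but the grant is still active
      scope_drift          live role differs from the role that was approved
    """
    approvals = {}
    for row in csv.DictReader(io.StringIO(ticket_csv)):
        if row["outcome"] != "approved":
            continue  # a rejected ticket is evidence of a request, not of an entitlement
        approvals[(row["identity"], row["app"])] = (
            row["role"], datetime.fromisoformat(row["approved_until"]), row["ticket"])

    findings = {"unapproved": [], "expired_not_revoked": [], "scope_drift": []}
    for grant in json.loads(live_json):
        key = (grant["identity"], grant["app"])
        if key not in approvals:
            findings["unapproved"].append((grant["identity"], grant["app"], grant["role"]))
            continue
        role, until, ticket = approvals[key]
        if until <= now:
            findings["expired_not_revoked"].append(
                (grant["identity"], grant["app"], grant["role"], ticket))
        elif grant["role"] != role:
            findings["scope_drift"].append(
                (grant["identity"], grant["app"], role, grant["role"], ticket))
    return findings


def run_sample() -> dict[str, list]:
    """Run the reconciliation over the constructed data at a fixed point in time."""
    return reconcile(TICKET_LOG, LIVE_SNAPSHOT, datetime(2026, 5, 20, tzinfo=timezone.utc))


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Every ticket in the constructed log is closed, so a ticket-only audit would report the estate as fully governed. Joined against the live state, it shows an approval that expired three weeks ago and was never revoked (the service account), a grant that is live at a higher role than was approved, and two live grants with no approval at all, one of them on a ticket that was explicitly rejected. Those four rows, not the five closed tickets, are the governance signal.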
Key takeaways
- ITSM tools can route access requests, but they do not decide whether the resulting entitlement is least privilege, time-bound, or compliant.
- The operational risk is not ticket volume alone; it is that workflow-first provisioning leaves standing privilege and entitlement drift in place.
- Practitioners should separate request handling from access governance, then measure revocation certainty and entitlement precision instead of queue speed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | The article centres on provisioning and revocation gaps and over-granted scope for non-human access. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorisations are defined in policy, managed, enforced and reviewed under least privilege and separation of duties, not inferred from ticket closure. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets (per-session, policy-driven access); least privilege itself is SP 800-53 AC-6 | Zero trust requires continuous entitlement control, not one-time approval. |
Validate that every access grant is scoped, monitored, and rechecked continuously.
Key terms
- Access Governance: Access governance is the discipline of deciding who or what should receive access, at what level, and for how long. It goes beyond ticket handling by enforcing policy, documenting accountability, and ensuring entitlements can be reviewed and revoked across human, workload, and other non-human identities.
- Entitlement Precision: Entitlement precision is the practice of granting the exact level of access required for a task, rather than a broad application-level permission. It reduces over-permissioning by matching license tier, role, and duration to business need, which is especially important when access can outlive the original request.
- Standing Privilege: Standing privilege is access that remains active beyond the immediate need for it. In identity programmes, it creates avoidable exposure because permissions stay available after work changes, projects end, or operational conditions shift. The longer privilege stands without review, the more likely it is to widen the blast radius.
- Request-To-Entitlement Gap: The request-to-entitlement gap is the space between approving access and proving that the resulting entitlement was appropriate. It appears when service desk workflows record approval but do not enforce policy, scope, or expiry, leaving the organisation with a process record rather than a reliable control outcome.
Deepen your knowledge
ITSM-driven access governance and entitlement precision are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still using ticket closure as the main access control signal, this course is a useful next step.
This post draws on content published by Zluri: IT Teams Top 14 IT Service Management Tools (ITSM Tools) in 2026. Read the original.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org