By NHI Mgmt Group Editorial Team | Published 2025-10-02 | Domain: Governance & Risk | Source: Zluri

TL;DR: Zluri's comparison of Jira and Zendesk shows that ticketing, reporting, automation, and self-service differ across ITSM workflows, and its alternative-app-request example points to broader access governance concerns for SaaS operations. The real issue is not help desk choice alone, but how request handling, approval logic, and auditability shape identity control.


At a glance

What this is: This comparison looks at Jira and Zendesk for IT service management and uses app-request workflows to show where access governance becomes part of the decision.

Why it matters: ITSM tooling increasingly touches access decisions, so IAM, IGA, and SaaS governance teams need to understand where ticketing ends and identity control begins.



Context

IT service management is the operating layer where requests, incidents, approvals, and follow-up actions are coordinated. In practice, that layer often becomes a control point for access decisions, especially when service desk workflows are tied to SaaS request handling, audit trails, and approvals.

This is not just a tooling preference debate. When ITSM platforms are used to route app requests or track approvals, they influence identity governance across human access, service access, and SaaS entitlement reviews. That makes the distinction between workflow convenience and governed access control material for IAM and IGA teams.


Key questions

Q: How should security teams govern app requests that start in an ITSM tool?

A: Security teams should treat app requests as identity transactions, not as generic help desk tickets. Each request needs a defined approver, policy basis, and downstream provisioning record. If the ITSM tool is the first step in access delivery, it must preserve enough evidence for audit, review, and exception handling.

Q: When does self-service app access create more risk than it reduces?

A: Self-service access becomes risky when the catalog expands faster than policy, ownership, and review. If users can request software without clear entitlement controls, the organisation gains speed but loses visibility. The risk rises further when low-friction requests bypass meaningful approval or post-access review.

Q: What do IAM and IGA teams get wrong about ITSM automation?

A: They often assume automation is the same as governance. In reality, routing and notifications only speed up workflow unless the system records who approved access, under what policy, and what change was made. Without that evidence, automation can mask weak control rather than strengthen it.

Q: How do you decide whether Jira or Zendesk is the better fit for access workflows?

A: Choose the platform that best supports your access governance process, not just your ticket volume. If request handling needs role-based routing, approval traceability, and operational evidence for audits, the better fit is the one that can preserve those controls consistently across the request lifecycle.


Technical breakdown

Ticket workflows as access control proxies

ITSM tools often become the front door for access requests, even when they are not identity systems themselves. A ticket can function as an approval record, a routing trigger, and an audit artifact, but only if the process behind it is consistently defined. The technical distinction is whether the tool merely records a request or enforces a governed approval path with role checks, segregation of duties, and downstream provisioning logic. In many organisations, that boundary is blurred, which creates control gaps between service desk operations and identity governance.

Practical implication: map which ITSM fields actually drive access decisions and validate that approvals, provisioning, and audit evidence stay aligned.

Self-service portals and entitlement sprawl

Self-service request portals reduce friction, but they also increase the risk that access becomes easier to request than to govern. When app catalogs expose approved software, the real control question is whether catalog visibility reflects policy, risk scoring, and entitlement ownership. Without that discipline, the portal becomes a convenience layer that can accelerate entitlement sprawl. This is especially relevant when employee app stores, ticket routing, and procurement workflows sit in the same operational path.

Practical implication: tie app catalogs to entitlement policy and review which requests can move straight through without manual governance.

Automation, routing, and auditability

Automation in ITSM is useful only when it preserves decision traceability. Rule-based routing can speed up assignment and follow-up, but identity teams need to know what was approved, by whom, under which policy, and what system executed the change. If the workflow does not retain clear evidence of the decision chain, then automation can improve throughput while weakening reviewability. For IAM and IGA teams, that is the core technical risk in treating ITSM automation as a substitute for access governance.

Practical implication: verify that automated ticket routing still produces immutable approval records and downstream access logs.
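
The reconciliation these practical implications call for, as an added example (not code from Zluri or the original post): it compares a ticket export with downstream provisioning records and reports where the decision chain is broken. The field names, ticket IDs, and policy references are constructed assumptions, not a Jira or Zendesk schema.

```python
from collections import namedtuple

# Hypothetical export fields; map them to whatever your ITSM and provisioning logs emit.
Ticket = namedtuple("Ticket", "id requester app approver policy status")
Provisioned = namedtuple("Provisioned", "ticket_id user app")

def audit(tickets, events):
    """Return sorted (reference, finding) pairs where the decision chain is broken."""
    findings, by_id, fulfilled = [], {t.id: t for t in tickets}, set()
    for t in tickets:
        if t.status != "approved":
            continue
        if not t.approver:
            findings.append((t.id, "approved with no recorded approver"))
        elif t.approver == t.requester:  # segregation-of-duties violation
            findings.append((t.id, "requester approved own access"))
        if not t.policy:
            findings.append((t.id, "no policy basis recorded"))
    for e in events:
        t = by_id.get(e.ticket_id)
        if t is None:
            findings.append((f"{e.user}/{e.app}", "provisioned with no ticket"))
        elif t.status != "approved":
            findings.append((t.id, "provisioned before approval"))
        elif (t.requester, t.app) != (e.user, e.app):
            findings.append((t.id, "provisioned access differs from request"))
        else:
            fulfilled.add(t.id)
    findings += [(t.id, "approved but never provisioned") for t in tickets
                 if t.status == "approved" and t.id not in fulfilled]
    return sorted(findings)

# Constructed sample data for illustration only.
TICKETS = [
    Ticket("T-1", "alice", "figma", "bob", "POL-7", "approved"),
    Ticket("T-2", "carol", "github", "carol", "POL-3", "approved"),
    Ticket("T-3", "dave", "crm", None, None, "approved"),  # auto-routed, no human step
    Ticket("T-4", "erin", "slack", "bob", "POL-7", "pending"),
    Ticket("T-5", "frank", "notion", "bob", "POL-7", "approved"),
]
EVENTS = [Provisioned("T-1", "alice", "figma"), Provisioned("T-2", "carol", "github"),
          Provisioned("T-3", "dave", "crm"), Provisioned("T-4", "erin", "slack"),
          Provisioned(None, "grace", "aws")]

if __name__ == "__main__":
    for ref, finding in audit(TICKETS, EVENTS):
        print(f"{ref}: {finding}")
```

Each finding corresponds to a gap the text names: a missing approver or policy basis, a segregation-of-duties failure, or provisioning that cannot be tied back to an approved request.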


NHI Mgmt Group analysis

ITSM is now part of the identity control plane, not just the support stack. Once app requests, approvals, and follow-up actions flow through service management tooling, the distinction between help desk operations and access governance collapses. That makes the tool choice relevant to IAM, IGA, and SaaS governance programmes, especially where request fulfilment has real entitlement consequences. Practitioners should treat ITSM workflows as governed identity events, not administrative noise.

The real governance gap is request convenience without entitlement accountability. A self-service app catalog can improve speed, but speed does not equal control unless the catalog is tied to ownership, policy, and review. When employees can request software faster than the organisation can validate need, the programme shifts from governed access to managed sprawl. The implication is that catalog design and entitlement policy have to be co-managed.

Workflow automation only helps when the approval chain is still auditable. Automated assignment, routing, and notifications are operationally valuable, but they do not replace evidence of who authorised access and why. If those records are weak, identity governance loses its ability to prove control effectiveness. For practitioners, the question is not whether automation exists, but whether it preserves decision integrity end to end.

ITSM selection should be driven by the access governance model you already need. If the organisation depends on the service desk to approve SaaS access, the platform must support the control depth that identity teams require. That includes traceable approvals, role-aware routing, and clear separation between request handling and provisioning. Practitioners should choose based on governance fit, not ticket volume alone.

From our research:

  • 4.6% of all public GitHub repositories contain at least one hardcoded secret, according to State of Secrets Sprawl 2025.
  • 15% of commit authors have leaked at least one secret in their contribution history, showing how quickly access exposure can spread across everyday developer workflows.
  • For lifecycle and access governance context, read NHI Lifecycle Management Guide for a closer look at provisioning, rotation, and offboarding.

What this signals

Request tooling is becoming a governance surface. When ITSM platforms handle app access, the practical risk is not just ticket backlog but entitlement drift. Teams that rely on service desk workflows should validate that request routing, approval ownership, and audit evidence line up before the process becomes the de facto control.

With 15% of commit authors having leaked at least one secret in their contribution history, according to State of Secrets Sprawl 2025, identity teams should expect governance gaps to show up first in operational workflows, not in formal policy documents.

If app request flows also feed procurement and SaaS onboarding, the programme needs tighter policy boundaries around who can approve, who can buy, and who can provision. That is where access governance either stays coherent or starts to fragment.


For practitioners

  • Map ITSM tickets to identity events: Identify which request types create access changes, who approves them, and which downstream systems execute them. Treat those tickets as governed identity records and verify they can support audit, recertification, and exception handling.
  • Separate convenience from entitlement approval: Review self-service app catalogs to ensure visible apps are policy-approved, ownership is assigned, and high-risk requests still require meaningful review before provisioning.
  • Test automation for evidence retention: Check whether routing rules, notifications, and bulk actions preserve the approval chain and produce logs that can be tied back to a specific decision and actor.
  • Align procurement and SaaS approval paths: If app requests can trigger procurement, define where risk review ends and purchasing begins so that commercial workflows do not bypass access governance requirements.

Key takeaways

  • ITSM platforms can become part of the access control path when app requests and approvals drive provisioning decisions.
  • The governance risk is not ticketing itself, but weak accountability when self-service and automation outpace entitlement policy.
  • Identity teams should choose and configure ITSM tools based on approval traceability, audit evidence, and policy enforcement, not interface convenience alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
NIST CSF 2.0 | PR.AC-4 | Access approvals in ITSM map to least-privilege governance and reviewability.
NIST Zero Trust (SP 800-207) | PR.AC | Request workflows should preserve continuous access validation and policy enforcement.
OWASP Non-Human Identity Top 10 | NHI-01 | App request processes can expose non-human and service credentials if governance is weak.

Use ZTA access principles to ensure request routing never bypasses policy checks or evidence capture.


Key terms

  • IT Service Management: IT service management is the process layer used to receive, route, resolve, and record technology-related requests and incidents. In identity programmes, it often becomes the operational channel for access requests, approval tracking, and audit evidence, which makes its workflow design relevant to governance.
  • Entitlement Sprawl: Entitlement sprawl is the uncontrolled growth of access rights, applications, or permissions beyond what policy or business need justifies. It usually appears when self-service, automation, or weak ownership makes access easier to grant than to review, revoke, or rationalise.
  • Approval Traceability: Approval traceability is the ability to prove who approved an access change, when it happened, and what policy or justification supported the decision. It matters because automation and routing are not enough on their own unless the organisation can reconstruct the full decision chain later.


This post draws on content published by Zluri: IT Teams Zendesk Vs Jira: Which Is The Better ITSM Tool. Read the original.
