By NHI Mgmt Group Editorial Team
Published 2026-05-20
Domain: Best Practices
Source: Zluri

TL;DR: ITSM tools can route tickets and automate service workflows, but they still do not understand access scope, licence fit, policy conflicts, or expiry, so, according to Zluri, organisations end up approving requests without real governance. That gap matters because access management is a control problem, not a ticketing problem.


At a glance

What this is: This is a Zluri article arguing that ITSM platforms are useful for service operations but insufficient for access governance because they move tickets, not entitlement decisions.

Why it matters: It matters because IAM teams need policy-driven access decisions, not just faster approvals, or they will keep creating over-permissioned users and compliance gaps across NHI, autonomous, and human programmes.



Context

ITSM tools are designed to route work, not decide whether access is appropriate. In practice, that means they can close a request ticket while leaving the underlying entitlement, licence, and segregation-of-duties questions unresolved, which is the core access governance problem for human identities and NHIs alike.

The article’s main claim is that access requests need policy evaluation before approval, not just a queue after submission. That distinction matters because the same workflow gap appears in service accounts, AI agents, and human user access when organisations confuse service management with identity governance.


Key questions

Q: How should security teams handle access requests when ITSM is the front end?

A: Use ITSM as the intake and tracking layer, but route the actual access decision through policy-based entitlement logic. The workflow should evaluate role fit, application risk, segregation of duties, and expiry before any provisioning occurs. That keeps the ticket system useful without turning it into an authorisation engine.

Q: Why do ITSM tools often create over-permissioned users?

A: They were built to manage work items, not entitlements. When a platform cannot distinguish read-only access from admin access, or temporary access from standing access, the easiest outcome is to approve broadly and clean up later. That pattern consistently produces excess privilege and weak audit posture.

Q: What breaks when access expiry is left to manual follow-up?

A: Temporary access tends to persist after the business need ends, especially when teams rely on inbox reminders or ticket closure instead of automated revocation. That leaves orphaned permissions active, expands the attack surface, and makes compliance evidence unreliable because the control depends on memory rather than enforcement.

Q: What is the difference between ITSM for requests and identity governance for access?

A: ITSM manages the service process, while identity governance decides whether, how much, and for how long access should exist. A ticket can confirm that someone asked for access, but it does not prove that the entitlement was appropriate. Governance is the control layer that closes that gap.


Technical breakdown

Why ITSM ticket workflows do not equal access governance

An ITSM platform is optimised for intake, routing, assignment, and closure. Access governance requires a different decision model: entitlement fit, licence tier, policy conflict, segregation of duties, and expiry. When a request is treated as a generic ticket, the system lacks a way to determine whether the user should receive read-only access, full application access, or no access at all. That creates a structural blind spot. The ticket may be processed correctly while the identity decision is still wrong.

Practical implication: separate service request handling from entitlement decisioning, because workflow completion is not the same as authorisation.

Policy-driven provisioning and time-bound access

Policy-driven provisioning means the access decision is evaluated against rules before anything is granted. The article describes auto-approval, multi-level approval, or rejection depending on app risk and role fit, plus time-bound access that expires when the need ends. That matters because standing access is where excess privilege accumulates. If access is provisioned at the right level and removed on expiry, the identity surface stays smaller and easier to govern.

Practical implication: build expiry and licence scoping into the access workflow itself, not as a manual cleanup task.

Access intelligence layers for hybrid ITSM environments

The article argues that access governance can sit alongside existing ITSM tooling rather than replacing it. In this pattern, an ITSM approval can trigger provisioning, or an access request can be converted into a ticket when compliance requires a ticketed trail. Architecturally, that means the ITSM remains the service operations record while the access layer holds the entitlement logic and audit state. This is the right split when organisations need continuity with ServiceNow, Jira Service Management, or similar systems without giving them authorisation authority they were never built to provide.

Practical implication: preserve ITSM for service operations, but move access decisioning into a policy-aware control layer.




NHI Mgmt Group analysis

ITSM ticketing is not an access control model. The article describes a common governance error: assuming that a managed request queue is the same thing as a managed entitlement decision. That assumption fails because ticket workflows do not evaluate licence scope, policy conflict, or segregation of duties. The implication is that identity teams must treat access approval as a control problem, not a service desk process.

Access requests become riskier when the platform cannot distinguish intent from entitlement. A request for an application is not the same as a request for the correct role, permission set, and expiry window. When the system cannot make that distinction, over-permissioning becomes the default outcome and audit evidence becomes retrospective rather than preventive. Practitioners should read this as a sign that governance must move upstream of ticket closure.

Time-bound provisioning is the named control gap hiding inside routine ITSM flows. The article makes clear that the problem is not ticket speed, but access persistence after the business need ends. That is a lifecycle failure, because the workflow closes while the entitlement remains active. The practitioner takeaway is that lifecycle ownership must sit with identity governance, not with general service management.

Access intelligence layer: The article’s core concept is that access decisioning needs a dedicated policy layer between request intake and provisioning. That layer exists to evaluate app risk, role fit, and expiry before a ticket is ever treated as an approval. For practitioners, the key move is to stop expecting ITSM platforms to infer authorisation intent from a service request.

From our research:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • That same survey found that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
  • For a control model perspective, see Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for lifecycle patterns that ITSM alone does not cover.

What this signals

Access governance is converging across human, NHI, and autonomous identity programmes. The same structural weakness appears in all three: workflows that record requests without making authoritative entitlement decisions. For teams, that means the next maturity step is not faster ticketing, but stronger control placement around approval, scope, and expiry.

With 19% of organisations already giving AI systems dramatically more access than human employees, the governance problem is no longer limited to human service requests, according to the 2026 Infrastructure Identity Survey. The signal for practitioners is clear: any request flow that cannot enforce scope boundaries will fail harder as autonomous and machine identities multiply.

Access intelligence gap: This is the space where entitlement context, policy evaluation, and lifecycle control have to sit between request intake and provisioning. Organisations that leave that gap inside generic ITSM workflows will continue to confuse service completion with identity safety.


For practitioners

  • Split request routing from entitlement decisioning: Keep ITSM for intake and tracking, but move licence fit, role fit, and policy evaluation into a separate access control step before provisioning.
  • Define approval rules by application risk: Set different handling paths for low-risk, high-risk, and segregation-of-duties sensitive apps so the workflow can auto-approve, escalate, or reject consistently.
  • Make expiry mandatory for project access: Require time-bound access for temporary work so permissions revoke automatically when the project window closes instead of relying on manual cleanup.
  • Track active permissions outside the ticket queue: Maintain a live view of who has access to which apps, at what permission level, and whether that access still matches policy, rather than using closed tickets as the record.
  • Preserve audit evidence across systems: If requests originate in ITSM and provisioning happens elsewhere, keep the approval, policy decision, and revocation trail linked so auditors can reconstruct the full control path.
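The decision model described under "Policy-driven provisioning and time-bound access" and the five practitioner points above (routing split from decisioning, risk-based approval paths, mandatory expiry, a live entitlement view, a linked audit trail) can be shown end to end in a small model. The Python below is an added illustration, not Zluri's or NHIMG's code and not any ITSM product's API: the applications, job roles, segregation-of-duties pair, ticket ids and approver name are all constructed for the example. The ITSM ticket id is carried along purely as the intake record; every grant and revocation is decided by the policy functions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    AUTO_APPROVE = "auto_approve"
    ESCALATE = "escalate"   # route to multi-level approval, no grant yet
    REJECT = "reject"


@dataclass(frozen=True)
class AppPolicy:
    risk: str               # "low" or "high" (constructed classification)
    role_fit: dict          # job role -> set of app roles that role may hold
    max_duration: timedelta # longest time-bound grant this app allows


# Constructed policy catalogue: hypothetical apps, roles and limits.
POLICIES = {
    "crm": AppPolicy("low", {"sales": {"read", "edit"}, "finance": {"read"}}, timedelta(days=90)),
    "payments": AppPolicy("high", {"finance": {"initiator", "approver", "read"}}, timedelta(days=30)),
}
# Segregation of duties: a subject may not hold both sides of a pair at once.
SOD_PAIRS = [frozenset({("payments", "initiator"), ("payments", "approver")})]


@dataclass
class AccessRequest:
    ticket_id: str          # the ITSM record: intake and tracking only
    subject: str
    job_role: str
    app: str
    app_role: str
    duration: timedelta     # requested window; standing access is not an option


@dataclass
class Entitlement:
    subject: str
    app: str
    app_role: str
    expires_at: datetime
    ticket_id: str
    active: bool = True


@dataclass
class AccessStore:
    """Live entitlement view plus an audit trail linked back to the ticket."""
    entitlements: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def active_for(self, subject):
        return [e for e in self.entitlements if e.subject == subject and e.active]

    def events_for(self, ticket_id):
        return [a["event"] for a in self.audit if a["ticket"] == ticket_id]


def evaluate(req, store):
    """Policy evaluation that runs before any provisioning; returns (decision, reason)."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return Decision.REJECT, "unknown application"
    if req.app_role not in policy.role_fit.get(req.job_role, set()):
        return Decision.REJECT, f"role fit: {req.job_role} may not hold {req.app}:{req.app_role}"
    if req.duration > policy.max_duration:
        return Decision.REJECT, f"duration exceeds {policy.max_duration.days} days"
    held = {(e.app, e.app_role) for e in store.active_for(req.subject)}
    wanted = (req.app, req.app_role)
    for pair in SOD_PAIRS:
        if wanted in pair and (pair - {wanted}) & held:
            return Decision.REJECT, "segregation of duties conflict"
    if policy.risk == "high":
        return Decision.ESCALATE, "high-risk app requires multi-level approval"
    return Decision.AUTO_APPROVE, "low-risk app, role fit and duration within policy"


def provision(req, store, now, approved_by=None):
    """Grant only after evaluation; an ESCALATE needs a named approver to proceed."""
    decision, reason = evaluate(req, store)
    store.audit.append({"ticket": req.ticket_id, "event": "decision",
                        "decision": decision.value, "reason": reason})
    if decision is Decision.REJECT or (decision is Decision.ESCALATE and approved_by is None):
        return None
    ent = Entitlement(req.subject, req.app, req.app_role, now + req.duration, req.ticket_id)
    store.entitlements.append(ent)
    store.audit.append({"ticket": req.ticket_id, "event": "grant",
                        "expires_at": ent.expires_at.isoformat(), "approved_by": approved_by})
    return ent


def revoke_expired(store, now):
    """Automated expiry sweep: revocation does not depend on anyone remembering."""
    revoked = []
    for ent in store.entitlements:
        if ent.active and ent.expires_at <= now:
            ent.active = False
            revoked.append(ent)
            store.audit.append({"ticket": ent.ticket_id, "event": "revoke", "reason": "expired"})
    return revoked


def demo():
    """Walk the three paths (auto-approve, escalate, reject) and the expiry sweep."""
    store = AccessStore()
    t0 = datetime(2026, 5, 20, tzinfo=timezone.utc)
    # Low-risk, role-fit request: auto-approved and time-bound to 14 days.
    e1 = provision(AccessRequest("INC-1001", "alice", "sales", "crm", "edit", timedelta(days=14)), store, t0)
    # High-risk app: first call escalates with no grant; a named approver completes it.
    r2 = AccessRequest("INC-1002", "bob", "finance", "payments", "initiator", timedelta(days=30))
    first = provision(r2, store, t0)
    e2 = provision(r2, store, t0, approved_by="cfo")
    # Same subject asks for the conflicting role: rejected on segregation of duties.
    d3 = evaluate(AccessRequest("INC-1003", "bob", "finance", "payments", "approver", timedelta(days=7)), store)
    # Fifteen days later the sweep revokes alice's grant; bob's 30-day grant is still live.
    revoked = revoke_expired(store, t0 + timedelta(days=15))
    return e1, first, e2, d3, revoked, store


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point the model makes is in `provision`: the ticket id is recorded on every event, but nothing about the ticket (its state, who closed it) influences whether the entitlement exists. Role fit, duration cap and the SoD check are evaluated against the live `AccessStore`, and `revoke_expired` is what closes the lifecycle, so the audit trail for one ticket reads decision, grant, revoke without any manual follow-up step.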

Key takeaways

  • ITSM tools can manage requests efficiently, but they do not decide whether an entitlement is appropriate, scoped correctly, or time-bound.
  • The operational risk is over-permissioning, because ticket closure can hide standing access, licence waste, and audit gaps.
  • The right control pattern is a policy-aware access layer that evaluates entitlement fit before provisioning and revokes access when the need ends.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Non-Human Identity Top 10   NHI-03                Request-driven access without lifecycle cleanup maps to credential and entitlement governance.
NIST CSF 2.0                      PR.AC-4               Least-privilege access and authorised provisioning are central to this article.
NIST Zero Trust (SP 800-207)                            The article supports continuous verification instead of implicit trust in closed tickets.

Map request approvals to least-privilege controls and verify entitlements against role and business need.


Key terms

  • Access Intelligence Layer: An access intelligence layer is the control plane that evaluates whether a request should become an entitlement, not just whether it should be routed. It adds policy, scope, and expiry logic between request intake and provisioning so identity decisions are governed rather than merely recorded.
  • Time-Bound Access: Time-bound access is privilege that automatically ends when the task, project, or approval window ends. It reduces standing access by embedding expiry into the entitlement itself, which is especially important where service desks otherwise leave permissions active after the original need has passed.
  • Entitlement Decisioning: Entitlement decisioning is the process of deciding what access a subject should receive, at what level, and for how long. It is different from ticket handling because it turns policy into a control outcome, rather than using workflow closure as the evidence of a safe grant.

Deepen your knowledge

ITSM-led access provisioning and policy-based entitlement control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to separate service management from access governance, it is worth exploring.

This post draws on content published by Zluri: IT Teams Top 14 IT Service Management Tools (ITSM Tools) in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org