By NHI Mgmt Group Editorial Team | Published 2025-12-10 | Domain: Best Practices | Source: SailPoint

TL;DR: Pick n Pay says manual access requests in its legacy identity stack consumed significant time and effort, and the company moved to automated identity and access management workflows with SailPoint IdentityNow, according to SailPoint. The lesson is broader than one retailer: access handling that depends on manual coordination does not scale cleanly across modern identity programmes.


At a glance

What this is: SailPoint's blog describes how Pick n Pay moved from manual access requests to automated identity and access management processes.

Why it matters: Manual access handling creates delay, inconsistency, and governance drag for NHI, autonomous, and human identity programmes alike.

👉 Read SailPoint's blog on Pick n Pay's identity and access automation story


Context

Manual access request handling is a governance bottleneck, not just an operations problem. When approvals, provisioning, and fulfilment depend on human handoffs, identity programmes lose consistency and auditability. In this case, the issue sits squarely in human IAM and lifecycle governance, where slow request flows often become the hidden reason teams delay broader access modernisation.

The article frames Pick n Pay's move as an internal simplification exercise, but the underlying pattern is common across identity programmes. Once access decisions rely on manual effort, entitlement drift, review fatigue, and support overhead tend to rise together. That is why IAM teams should read this as a governance signal, not only a workflow story.


Key questions

Q: How should teams reduce manual access request workload without weakening IAM governance?

A: Start by standardising the most common access paths and assigning clear entitlement owners, then automate only the workflows that already have defined approval logic. Manual work should fall first where demand is repetitive and policy is stable. The goal is not automation for its own sake, but fewer inconsistent decisions and better audit evidence.

Q: Why do manual access request processes create governance risk?

A: Manual processes increase the chance of inconsistent approvals, slow fulfilment, and weak audit trails. When access decisions are handled through tickets or emails, the organisation often cannot prove that the same criteria were applied every time. That makes manual handling a control weakness, not just an operational burden.

Q: What should identity teams measure after automating access requests?

A: Measure request turnaround time, repeat request volume, approval consistency, and the number of exceptions still handled outside the workflow. If automation is working, these signals should show less rework and fewer ad hoc escalations. If they do not, the policy design underneath the workflow is probably still unstable.

Q: How do access request workflows relate to lifecycle governance?

A: Access requests are only one part of lifecycle governance. Joiner-mover-leaver controls, recertification, and ownership reviews determine whether access stays appropriate after it is granted. If those controls are missing, automation may speed up provisioning without fixing privilege creep or stale access.


Technical breakdown

Why manual access request workflows break down at scale

Manual access requests create a queue-based control model. Every request depends on a person to interpret, approve, provision, and confirm the change, which introduces delay and inconsistency. Over time, the control itself becomes harder to audit because the process lives across tickets, emails, and disconnected approvals. In identity governance terms, the issue is not merely speed. It is that the control boundary is spread across humans and systems that do not enforce the same decision logic every time.

Practical implication: replace ad hoc request handling with centrally governed workflows that enforce the same entitlement logic every time.

How automation changes identity and access management operations

Automation shifts access from manually executed tasks to policy-driven fulfilment. That does not remove governance requirements, but it makes them repeatable. In a mature IAM programme, automation supports consistent provisioning, cleaner audit trails, and lower operational load on application owners and service desks. The key is to automate the workflow without losing oversight of who can request, approve, and receive access. Automation is a control amplifier only when the policy underneath it is well defined.

Practical implication: map each high-volume access process to a policy rule and define clear approval paths before automating it.


NHI Mgmt Group analysis

Manual access administration is an identity governance debt, not an efficiency issue. When requests depend on people to move work between systems, governance becomes slower, less consistent, and harder to evidence. That matters because access control is only as reliable as the process that applies it, and manual handling makes that process variable. Practitioners should treat manual request volume as a measure of governance debt, not just service desk pressure.

Automation improves repeatability, but only if the approval model is already sound. Moving from manual fulfilment to automated workflows does not fix weak entitlement design, unclear ownership, or poorly defined request criteria. It simply makes the underlying logic execute faster. For identity teams, the real question is whether the policy being automated actually reflects current access risk and business need.

Identity lifecycle control is the missing backdrop in many access modernisation efforts. Access request efficiency is one part of the problem, but joiner-mover-leaver discipline, recertification, and application ownership determine whether automation produces better governance or merely faster mistakes. The implication is that lifecycle governance should be designed before workflow automation is scaled.

For human identity programmes, this is a reminder that service quality and control quality are linked. Users experience IAM through request friction, but security outcomes depend on whether the workflow accurately enforces policy. Pick n Pay's example shows a familiar pattern: organisations often modernise access handling first because that is where pain is visible, then discover the deeper governance work still has to be done.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • For a broader lifecycle view, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding should be governed once access handling is automated.

What this signals

Manual access handling is usually a symptom of deeper lifecycle weakness. When organisations rely on people to interpret and route access requests, they often also struggle with ownership, recertification, and offboarding discipline. The practical signal for readers is to watch whether automation is reducing exception handling or merely moving the same old approvals into a new tool chain.

Identity teams should treat request automation as an early maturity marker, not the finish line. The real test is whether the programme can combine fast fulfilment with clear ownership, consistent policy, and reviewable entitlements. For teams building out lifecycle governance, the next step is to connect workflow automation to NHI Lifecycle Management Guide principles rather than letting fulfilment become the only measure of success.

Access drift becomes easier to miss when request volume falls but entitlement design stays unchanged. A lower ticket count can hide the fact that roles are still poorly structured or that exceptions are still being granted outside policy. That is why practitioners should pair automation with governance metrics, including approval consistency and stale-access review outcomes, rather than relying on operational speed alone.


For practitioners

  • Map manual access queues to policy-backed workflows: Inventory the access requests that still depend on email, ticket chasing, or spreadsheet approvals, then convert the highest-volume paths into governed workflows with explicit approval criteria.
  • Define entitlement ownership before automation: Assign named owners for applications and access roles so automated fulfilment has a clear decision source and review point.
  • Use access request volume as a governance signal: Track which applications generate the most manual requests, because repeated demand usually indicates weak entitlement design, poor role coverage, or unclear request standards.
  • Align automation with lifecycle controls: Pair request automation with joiner-mover-leaver checks and periodic recertification so speed gains do not outpace governance.

Key takeaways

  • Manual access requests are a governance bottleneck because they make entitlement decisions inconsistent and hard to evidence.
  • Automation helps only when approval logic, ownership, and lifecycle controls are already defined.
  • Identity teams should measure request reduction alongside review quality, exception handling, and stale-access control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be managed consistently, not through ad hoc manual requests. |
| NIST SP 800-63 | | Human access flows depend on reliable identity proofing, authentication, and session governance. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification instead of trust built into manual exception handling. |

Map recurring access requests to governed approval logic and review whether entitlements stay least-privilege.


Key terms

  • Identity And Access Management: Identity and Access Management is the discipline of controlling who or what can access systems, data, and applications. It combines authentication, authorisation, provisioning, and review so access is granted consistently and can be governed over time.
  • Lifecycle Governance: Lifecycle governance is the set of controls that manage access from onboarding through changes and offboarding. It covers joiner-mover-leaver processes, recertification, ownership, and removal of access when it is no longer needed, whether the identity is human, machine, or autonomous.
  • Access Workflow Automation: Access workflow automation is the use of policy-driven systems to route, approve, and provision access with less manual intervention. The control value depends on whether the underlying approval criteria, ownership, and audit trail are well defined before automation is introduced.

This post draws on content published by SailPoint: Pick n Pay and SailPoint - Growing Together in a Co-Innovative Partnership. Read the original.