TL;DR: About 50 IT tickets per week were redirected and access-request handling improved by linking requestors directly to approvers, while keeping audit trails and least privilege in place, according to Lumos. The real issue is not ticket volume but whether access governance can stay accountable as approval paths become more distributed.
At a glance
What this is: Lumos describes how it uses its own platform to streamline access requests and user access reviews through self-service, direct approvals, and automation.
Why it matters: This matters because IAM teams are being asked to reduce friction without weakening access accountability, which affects NHI, human access, and delegated approval models alike.
By the numbers:
- The Lumos AppStore has helped us redirect ~50 IT tickets per week, significantly reducing IT ticket volume.
👉 Read Lumos's blog on self-service access requests and user access reviews
Context
Access governance is supposed to decide who gets what access, who approves it, and how that decision is recorded. In practice, most teams still rely on ticket queues, manual handoffs, and approval chains that create delay without improving control. This article is about self-service access governance and how Lumos uses its own platform to reduce friction while preserving auditability.
For IAM and IGA teams, the important question is not whether self-service is faster. It is whether the approval model still proves accountability when requestors and approvers interact directly and IT steps back from the middle. That tension applies across human access, delegated application ownership, and non-human identity governance where lifecycle and review discipline must remain visible.
Key questions
Q: How should security teams design self-service access requests without losing accountability?
A: Security teams should route requests directly to the true entitlement owner, preserve the approver’s identity and decision history, and ensure every grant is recorded in an auditable workflow. Self-service works when it shortens the path to a decision, not when it removes the control evidence needed to explain who approved what and why.
Q: Why do access reviews often fail to reduce privilege creep?
A: Access reviews fail when they end with attestation instead of entitlement change. If a reviewer confirms access but the system does not remove, narrow, or reassign it, the review becomes paperwork. Effective reviews link each decision to a concrete action so the access state actually changes after the review closes.
Q: What do IAM teams get wrong about direct approvals?
A: Teams often assume direct approvals are automatically cleaner than IT-mediated approval chains. In reality, direct approval only improves governance if the approver is authoritative, reassignment is controlled, and the workflow preserves evidence. Without those controls, the organisation has simply moved the bottleneck without improving decision quality.
Q: How can organisations tell whether self-service access governance is working?
A: Look for faster request handling, fewer manual tickets, and stronger evidence quality at the same time. If the workflow is working, reviewers can see who approved access, exceptions are rare and documented, and entitlement changes follow review outcomes. Speed alone is not success if governance records are incomplete or stale.
Technical breakdown
Self-service access request routing
Self-service access request routing replaces a central ticket desk with a workflow that maps a requester to the correct app owner or business approver. In this model, the control point moves from manual IT handling to policy-driven routing, notification, and decision capture. The access request is still governed, but the operational path is shorter and more transparent. The security value depends on whether the approval target is authoritative and whether the system preserves a durable record of the decision, the approver, and the entitlement granted.
Practical implication: make sure self-service routing cannot bypass the real entitlement owner.
Direct approvals and accountability trails
Direct approval models work when the approver is the person or role that actually owns the entitlement, not a proxy in the IT queue. The mechanism depends on transparent identity mapping, approval visibility, and a recorded chain of responsibility that can survive audit review. If an approver can be reassigned or overridden, the system must preserve why that happened and who accepted the risk. Without that evidence, self-service becomes faster but not necessarily safer.
Practical implication: preserve approver identity, reassignment history, and approval timestamps in every workflow.
Access reviews at scale
User access reviews become operationally useful only when reviewers can see current entitlements, business context, and exceptions in one place. A review system that merely asks for periodic attestation will not correct privilege creep unless it connects review outcomes to removal, reassignment, or escalation actions. Scale matters here because the value of automation is not the review itself but the ability to process many entitlements without losing evidence quality or review completeness.
Practical implication: tie every review outcome to a concrete entitlement change, not just attestation.
NHI Mgmt Group analysis
Self-service access governance is only useful when it preserves the control evidence that ticket queues used to hide. The article shows a familiar tradeoff: less IT friction, more distributed ownership, and a stronger need for recorded decision paths. That is not a product story, it is an identity governance pattern. Practitioners should treat the workflow as a control surface, not a convenience layer.
Access reviews fail when they become an attestation exercise instead of a remediation mechanism. The article emphasises reviews at scale, but scale only matters if the review result changes the entitlement state. This is where many IAM programmes lose their edge: a review can be complete on paper and still leave the same access in place. The practical conclusion is that governance must be measured by entitlement outcomes, not completion rates.
Delegated approval models reduce bottlenecks, but they also redistribute accountability outside the central IAM team. That shift is often desirable, yet it creates a governance dependency on app owners who may not share the same urgency or process discipline as IT. The field implication is that self-service access should be designed as distributed governance with central policy, not decentralised exception handling.
Role-based approval paths need continuous entitlement hygiene, or self-service simply accelerates privilege creep. The article’s promise of faster access only holds if approvals are aligned to least privilege, current ownership, and timely review. Without that, every efficiency gain increases the chance that stale entitlements move faster through the organisation. Practitioners should treat approval automation as a scaling mechanism for governance, not a substitute for it.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many access workflows still operate without a complete inventory of who or what holds privilege.
- For a broader view of lifecycle control, see NHI Lifecycle Management Guide, which covers provisioning, rotation, and offboarding discipline across identity types.
What this signals
Access governance is moving from central ticket handling to distributed approval ownership. That shift reduces friction, but it also means IAM leaders need stronger policy mapping and better evidence capture than a shared inbox ever required. The programme signal is clear: self-service succeeds only when ownership, approval, and remediation are linked end to end.
With 97% of NHIs carrying excessive privileges, according to Ultimate Guide to NHIs, any access model that scales by delegation must be paired with tighter entitlement hygiene. Otherwise, the organisation risks accelerating the same privilege drift it is trying to eliminate.
Approval automation is becoming a governance architecture choice, not just an operations improvement. Teams should expect closer scrutiny on whether review outcomes actually change entitlements, and whether delegated approvals remain auditable when ownership shifts away from IT.
For practitioners
- Map every self-service path to a real entitlement owner. Document which app owner, business approver, or delegated role is authoritative for each entitlement, and remove any workflow path that sends decisions to IT by default when IT is not the decision maker.
- Require approval evidence that survives audit. Capture who approved, who was reassigned, what entitlement was requested, and what context informed the decision, so the workflow can be reconstructed during review or incident investigation.
- Connect access reviews to entitlement change. Treat review completion as incomplete until the outcome is applied, whether that means removal, reduction, escalation, or documented exception handling.
- Measure ticket reduction against control quality. Track whether fewer IT tickets is accompanied by better review completion, cleaner approval records, and lower exception rates, rather than assuming operational speed equals stronger governance.
Key takeaways
- Self-service access governance reduces friction only when it preserves authoritative approval and audit evidence.
- The core risk is not ticket volume, but entitlement drift when review workflows stop short of remediation.
- IAM teams should treat delegated approvals and access reviews as a control architecture that must prove accountability, not merely speed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Access governance depends on controlling entitlement scope and review outcomes. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access management is central to approval routing and auditability. |
| NIST Zero Trust (SP 800-207) | AC-6 | Least privilege and continuous verification underpin distributed access decisions. |
Link every access request and review to an entitlement owner and enforce scope-limited approval.
Key terms
- Self-Service Access Governance: A model where users request access through an interface that routes decisions to the correct approver without forcing IT to mediate every step. The security requirement is not only speed, but preserved accountability, evidence, and entitlement control throughout the workflow.
- Access Review: A governance process where a reviewer validates whether a user or account should keep existing access. The review is only effective when the outcome changes the entitlement state, not when it merely records an attestation that access was considered.
- Delegated Approval: An approval model that assigns decision authority to the role or person closest to the entitlement instead of a central IT queue. It improves responsiveness only when authority, reassignment, and evidence capture are controlled tightly enough to withstand audit scrutiny.
What's in the full article
Lumos's full blog post covers the operational detail this post intentionally leaves for the source:
- How the internal AppStore experience is structured for request submission and approval handling
- The exact workflow changes that helped redirect roughly 50 IT tickets per week
- How Lumos handles override and reassignment when an approver is unavailable
- The internal operating model for user access reviews and how it scales across the organisation
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org