TL;DR: BJ’s Wholesale Club says automation around onboarding and offboarding reduced manual access ticket volume by 80%, improving employee experience and lowering identity risk according to SailPoint. The real lesson is that workflow automation only helps when it is tied to lifecycle governance, not treated as a substitute for access control discipline.
NHIMG editorial — based on content published by SailPoint: BJ’s Wholesale Club Delivers Savings and Automation with Identity Security
Questions worth separating out
Q: How should security teams automate onboarding and offboarding without losing control?
A: Security teams should automate onboarding and offboarding by tying workflow triggers to authoritative identity events, approved role models, and explicit revocation logic.
Q: Why does access automation improve IAM programmes only when governance is already defined?
A: Access automation improves IAM programmes when the underlying roles, approvals, and revocation rules are already clear.
Q: What breaks when organisations automate ticket handling but not entitlement design?
A: When organisations automate ticket handling without fixing entitlement design, they scale the speed of access decisions while leaving overprovisioning, exceptions, and stale access intact.
Practitioner guidance
- Automate the highest-volume lifecycle tasks first Start with onboarding and offboarding workflows that currently depend on manual tickets.
- Validate revocation, not just provisioning Confirm that deprovisioning actually removes access from applications, groups, and downstream entitlements instead of only closing the front-end request record.
- Review role design before expanding automation Check whether automated workflows are issuing overly broad access because roles and approval paths were never tightened.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- A customer perspective on how onboarding and offboarding automation was introduced in practice.
- The identity security workflow changes that reduced manual access ticket handling across the business.
- A short video walkthrough with the customer voice behind the automation story.
- The business context for why employee experience and risk reduction were linked in the programme.
👉 Read SailPoint's blog on BJ's identity automation and access ticket reduction →
Automated onboarding and offboarding at BJ's: what IAM teams should note?
Explore further
Automation improves identity operations only when lifecycle policy is already sound. BJ’s example shows the operational upside of reducing manual ticket handling, but the deeper lesson is governance related: faster workflows are valuable only when provisioning and deprovisioning rules are already well defined. Automation can reduce friction, yet it can also hide weak entitlement design if teams mistake speed for control. Practitioners should view automation as an enforcement mechanism, not a governance substitute.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when automated access changes fail an audit or create privilege drift?
A: Accountability stays with the IAM, IGA, and application owners who define the policy and approve the workflow design. Automation executes the process, but it does not own the decision. If audit evidence is missing or access drift appears, the control gap is in governance design, not in the mere use of automation.
👉 Read our full editorial: Automation cut BJ's access tickets by 80%, but governance matters