
Automated provisioning in IAM: what teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Manual provisioning leaves new hires waiting, ex-employees overexposed, and auditors chasing logs, while automated provisioning ties access changes to HR events and policy rules across the identity lifecycle, according to SecurEnds. The real issue is not speed alone but preventing access drift as SaaS and hybrid work make joiner-mover-leaver governance harder to manage.

NHIMG editorial — based on content published by SecurEnds: automated provisioning and deprovisioning in IAM

By the numbers:

Questions worth separating out

Q: How should security teams implement automated provisioning in SaaS environments?

A: Start with authoritative identity data, then connect HR events to IAM or IGA workflows that grant, modify, and remove access automatically.

Q: Why do manual deprovisioning workflows create more risk than slow onboarding?

A: Because delayed onboarding is inconvenient, but missed deprovisioning leaves active access behind after the business need has ended.

Q: What do teams get wrong about role-based access control in provisioning?

A: They often assume a role catalogue is automatically precise.

Practitioner guidance

  • Automate joiner-mover-leaver triggers: connect HR or source-of-truth events to IAM workflows so new hires, role changes, and terminations generate access changes without manual ticket handling.
  • Treat deprovisioning as the higher-risk control: track revocation completion, orphaned account cleanup, and exception resolution with the same attention usually given to onboarding speed.
  • Tighten role and attribute governance: review RBAC roles and ABAC attributes for stale job codes, broad entitlements, and mismatched contract dates before scaling automation.

What's in the full article

SecurEnds' full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how HR system events trigger access changes across SaaS applications
  • A walk-through of provisioning and deprovisioning workflows tied to onboarding, movers, and offboarding
  • Implementation guidance for mapping roles and attributes to access policies in IAM and IGA tooling
  • Customer examples showing onboarding time reduction and fewer provisioning errors

👉 Read SecurEnds' analysis of automated provisioning and deprovisioning in IAM →

Explore further

View Full Forum →  |  NHI Foundation Course →
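Added example (NHIMG editor's illustration, not SecurEnds' code or anything from the source article) of the three guidance points above in one reconciler: constructed HR events (hire, transfer, terminate) are folded into a worker directory, the access each worker should hold is derived from a role catalogue, and that is diffed against the accounts actually present. The output separates grants and revokes from the deprovisioning failures that need tracking: orphaned accounts with no HR owner, leavers whose revocation is past the SLA, and accounts whose job code is missing from the catalogue, on which automation is deliberately refused. The job codes, entitlement names, one-day SLA and sample data are all assumptions made for the example.

```python
"""JML reconciliation: HR events -> justified access -> diff against real accounts."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed role catalogue (job code -> entitlements) and revocation SLA; not from the post.
ROLE_CATALOGUE: dict[str, frozenset[str]] = {
    "ENG-SWE": frozenset({"github:member", "jira:developer", "aws:dev-readonly"}),
    "ENG-SRE": frozenset({"github:member", "aws:admin", "pagerduty:responder"}),
    "FIN-AP": frozenset({"netsuite:ap-clerk", "jira:viewer"}),
}
REVOCATION_SLA = timedelta(days=1)   # assumed: a leaver's access must be gone within a day


@dataclass
class Worker:
    job_code: str
    status: str = "active"           # "active" or "terminated"
    end_date: date | None = None     # last working day (termination or contract end)


@dataclass
class Account:
    worker_id: str | None            # None: no HR owner at all (orphan)
    entitlements: set[str] = field(default_factory=set)


def apply_hr_events(workers: dict[str, Worker], events: list[dict]) -> dict[str, Worker]:
    """Fold joiner/mover/leaver events from the HR source of truth into HR state."""
    for ev in events:
        wid = ev["worker_id"]
        if ev["type"] == "hire":
            workers[wid] = Worker(job_code=ev["job_code"], end_date=ev.get("end_date"))
        elif ev["type"] == "transfer":
            workers[wid].job_code = ev["job_code"]     # mover: old-role access must go too
        elif ev["type"] == "terminate":
            workers[wid].status, workers[wid].end_date = "terminated", ev["end_date"]
        else:
            raise ValueError(f"unknown HR event type {ev['type']!r}")
    return workers


def entitled(worker: Worker, today: date) -> frozenset[str]:
    """Access the current HR state justifies; nothing once the worker has left."""
    if worker.status != "active" or (worker.end_date and worker.end_date < today):
        return frozenset()
    return ROLE_CATALOGUE[worker.job_code]           # KeyError: stale or unknown job code


def reconcile(workers: dict[str, Worker], accounts: dict[str, Account], today: date) -> dict:
    """Diff observed access against justified access and classify the drift."""
    out = {"grant": {}, "revoke": {}, "orphaned": [], "stale_job_code": [], "overdue_leaver": []}
    owned: set[str] = set()
    for acct_id, acct in accounts.items():
        worker = workers.get(acct.worker_id) if acct.worker_id else None
        if worker is None:                           # no owner: revoke all, then clean up
            out["orphaned"].append(acct_id)
            out["revoke"][acct_id] = set(acct.entitlements)
            continue
        owned.add(acct.worker_id)
        try:
            wanted = entitled(worker, today)
        except KeyError:                             # never automate on a bad catalogue entry
            out["stale_job_code"].append(acct_id)
            continue
        if extra := acct.entitlements - wanted:
            out["revoke"][acct_id] = extra
        if missing := wanted - acct.entitlements:
            out["grant"][acct_id] = set(missing)
        if not wanted and acct.entitlements and worker.end_date and today - worker.end_date > REVOCATION_SLA:
            out["overdue_leaver"].append(acct_id)    # lifecycle process has already failed here
    for wid, worker in workers.items():              # joiners who have no account yet
        if wid in owned:
            continue
        try:
            wanted = entitled(worker, today)
        except KeyError:
            out["stale_job_code"].append(f"new:{wid}")
            continue
        if wanted:
            out["grant"][f"new:{wid}"] = set(wanted)
    return out


def demo(today: date = date(2024, 6, 10)) -> dict:
    """Constructed sample: hire, mover, leaver, orphaned service account, stale job code."""
    workers = apply_hr_events(
        {"w1": Worker("ENG-SWE"), "w2": Worker("ENG-SWE"),
         "w3": Worker("FIN-AP", end_date=date(2024, 6, 30)), "w5": Worker("OPS-LEGACY")},
        [{"type": "hire", "worker_id": "w4", "job_code": "FIN-AP"},
         {"type": "transfer", "worker_id": "w2", "job_code": "ENG-SRE"},
         {"type": "terminate", "worker_id": "w1", "end_date": date(2024, 6, 1)}],
    )
    accounts = {
        "acct-w1": Account("w1", {"github:member", "jira:developer", "aws:dev-readonly"}),
        "acct-w2": Account("w2", {"github:member", "jira:developer", "aws:dev-readonly"}),
        "acct-w3": Account("w3", {"netsuite:ap-clerk", "jira:viewer"}),
        "acct-w5": Account("w5", {"aws:admin"}),
        "svc-old": Account(None, {"aws:admin"}),
    }
    return reconcile(workers, accounts, today)
```

Running `demo()` shows the mover (w2) losing its old ENG-SWE entitlements in the same pass that grants the ENG-SRE ones, the leaver (w1) turning up under both `revoke` and `overdue_leaver` because nine days have passed since the termination date, the ownerless `svc-old` account listed as orphaned, and `acct-w5` held back as a stale job code rather than silently granted nothing. The design choice worth copying is that the reconciler computes everything from HR state plus the catalogue; the access requests and tickets that drove manual provisioning never enter the decision.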

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

Automated provisioning is now a governance control, not an efficiency feature. Once access decisions are tied to HR events, the IAM programme is no longer just routing requests. It is enforcing whether identity state matches business state in real time. That matters because manual handling breaks at the exact point where the enterprise depends on it most: role change, offboarding, contractor expiry, and audit evidence generation. The practitioner conclusion is simple: treat lifecycle automation as a core control surface.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.

A question worth separating out:

Q: Who is accountable when access remains active after an employee leaves?

A: Accountability sits with the organisation that owns the lifecycle process, not with the departing user. HR, IAM, application owners, and security all share responsibility for timely revocation and evidence capture. The control expectation is simple: if access persists after exit, the lifecycle process failed and the organisation owns that failure.

👉 Read our full editorial: Automated provisioning and deprovisioning are now IAM basics


