TL;DR: Manual provisioning, license cleanup, and access-request handoffs do not scale across modern SaaS environments, according to ConductorOne’s analysis of C1 Automations. The operational issue is not just ticket volume but the governance gap created when lifecycle events depend on humans to remember each step.
NHIMG editorial — based on content published by ConductorOne: How to Streamline IT Operations with C1 Automations
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams automate access changes for joiners, movers, and leavers?
A: Start with authoritative lifecycle signals from HR and identity systems, then map each event to a specific entitlement action.
Q: Why do dormant accounts create both cost and security risk?
A: Dormant accounts still consume licenses, but the larger issue is that they often retain access long after business need has ended.
Q: What breaks when access reviews depend on manual handoffs?
A: Reviews stall when the owner leaves, changes roles, or simply does not respond.
Practitioner guidance
- Automate lifecycle-triggered access changes: Define joiner, mover, and leaver triggers in the identity platform so provisioning, downgrade, and deprovisioning happen from authoritative signals rather than manual requests.
- Convert dormant-account cleanup into policy: Set inactivity thresholds by application class, then trigger notification, license downgrade, or full revocation when the threshold is reached.
- Reassign governance tasks on deactivation: When a user is deactivated, automatically reassign open access reviews and workflow tasks to the manager, team lead, or delegated owner before the review stalls.
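One way to express the dormant-account policy and the reassignment on deactivation described above, as an added example (not ConductorOne's code or API). The threshold values, application class names, record fields and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy: days idle before (notify, downgrade, revoke), per application class.
THRESHOLDS = {"privileged": (14, 30, 45), "licensed": (30, 60, 90),
              "standard": (60, 120, 180)}

@dataclass
class Account:
    user: str
    app: str
    app_class: str
    last_active: date

def dormant_action(acct: Account, today: date) -> str:
    """Return the strictest action whose inactivity threshold has been reached."""
    # Unclassified apps fall back to the strictest thresholds rather than being skipped.
    notify, downgrade, revoke = THRESHOLDS.get(acct.app_class, THRESHOLDS["privileged"])
    idle = (today - acct.last_active).days
    if idle >= revoke:
        return "revoke"
    if idle >= downgrade:
        return "downgrade"
    return "notify" if idle >= notify else "none"

def reassign_open_tasks(tasks, directory, leaver, delegated_owner):
    """Move the leaver's open tasks to the first active owner: manager, team lead, delegate."""
    record = directory[leaver]
    chain = [record.get("manager"), record.get("team_lead"), delegated_owner]
    owner = next((c for c in chain if c and directory.get(c, {}).get("active")), None)
    if owner is None:
        # Surface the gap instead of leaving the review with a deactivated owner.
        raise LookupError(f"no active owner for tasks of {leaver}")
    moved = [t for t in tasks if t["owner"] == leaver and t["status"] == "open"]
    for task in moved:
        task["owner"] = owner
    return owner, [t["id"] for t in moved]

# Constructed sample data: the leaver's manager is already deactivated.
DIRECTORY = {
    "alice": {"active": False, "manager": "bob", "team_lead": "carol"},
    "bob": {"active": False},
    "carol": {"active": True},
    "dana": {"active": True},
}
TASKS = [
    {"id": "rev-1", "owner": "alice", "status": "open"},
    {"id": "rev-2", "owner": "alice", "status": "closed"},
    {"id": "rev-3", "owner": "dana", "status": "open"},
]
```

With the sample data, the open review skips the deactivated manager and lands with the team lead, while closed tasks and other owners' tasks are left untouched.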
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of if/then workflow logic for access changes across applications and user attributes
- Specific automation patterns for usage-based license revocation, task reassignment, and lifecycle events
- Details on how the platform connects identity provider, HR, and app signals to drive actions
- Examples of flexible app-level policy design and webhook-based integration options
Identity automation for IT teams: are manual access workflows keeping up?
Explore further
Manual identity operations create governance drift, not just inefficiency. When lifecycle changes depend on people remembering to act, access remains active after the business need disappears. That is the structural problem behind dormant accounts, delayed deprovisioning, and unfinished review tasks. The implication is that identity programmes should measure how much of lifecycle control still depends on human follow-through.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when automated access workflows remove or downgrade access incorrectly?
A: Accountability stays with the organisation, not the workflow engine. IT, IAM, and application owners should define the triggering signals, approval logic, exception paths, and rollback steps before automation goes live. If a workflow can change access without a clear owner, it has moved governance risk from humans into the process.