TL;DR: Automation can speed onboarding, mid-life access changes, and offboarding, but it also shifts identity governance from manual ticket handling to lifecycle control across apps, roles, and deprovisioning, according to Zluri. The main issue is not task speed alone, but whether access changes are consistently applied across the full identity surface.
NHIMG editorial — based on content published by Zluri: Automation How to Automate IT Tasks
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams automate onboarding without losing access governance?
A: Security teams should automate onboarding only after defining which apps, roles, and entitlements each job function should receive.
Q: Why does automated offboarding still leave security risk behind?
A: Automated offboarding still leaves risk when it only removes access from a primary directory or SSO layer.
Q: What breaks when access request automation is built on weak role models?
A: When role models are weak, access request automation speeds up inconsistent decisions rather than enforcing policy.
Practitioner guidance
- Map automation to all downstream access points. Inventory every application, group, and local account that a joiner, mover, or leaver workflow must touch.
- Separate access request speed from governance quality. Review whether your access catalog and approval rules enforce real role policy or simply reduce friction.
- Prove offboarding with closure evidence. Require evidence that access was removed from every in-scope system before a lifecycle event is treated as complete.
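The closure-evidence check from the guidance above, as an added example (not code from Zluri or from this editorial): a leaver event is closable only when every in-scope system has a read-back confirming the access is gone. The system names, the user id, and the evidence fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: every access point a leaver workflow must touch.
IN_SCOPE = {
    "jdoe": {"sso", "github", "aws-iam", "crm-local-account", "ci-api-key"},
}

@dataclass(frozen=True)
class Evidence:
    user: str
    system: str
    verified_absent: bool  # what the check observed about the access
    source: str            # "readback" = target re-queried; "workflow" = step reported success

# Constructed evidence records for one offboarding event.
EVIDENCE = [
    Evidence("jdoe", "sso", True, "readback"),
    Evidence("jdoe", "github", True, "readback"),
    Evidence("jdoe", "aws-iam", True, "workflow"),             # ran, never re-queried
    Evidence("jdoe", "crm-local-account", False, "readback"),  # account still present
    # no record at all for "ci-api-key"
]

def closure_report(user, in_scope=IN_SCOPE, evidence=EVIDENCE):
    """Return per-system status; access is complete only if all are 'revoked'."""
    if user not in in_scope:
        # Fail closed: an identity missing from the inventory proves nothing.
        raise KeyError(f"no in-scope inventory for {user!r}")
    status = {}
    for system in sorted(in_scope[user]):
        recs = [e for e in evidence if e.user == user and e.system == system]
        readbacks = [e for e in recs if e.source == "readback"]
        if any(not e.verified_absent for e in readbacks):
            status[system] = "still_active"   # target confirms access remains
        elif readbacks:
            status[system] = "revoked"        # target confirms access is gone
        elif recs:
            status[system] = "unverified"     # workflow success is not evidence
        else:
            status[system] = "no_evidence"    # workflow never touched it
    open_items = {s: st for s, st in status.items() if st != "revoked"}
    return {"status": status, "open_items": open_items,
            "access_complete": not open_items}

if __name__ == "__main__":
    report = closure_report("jdoe")
    print("access complete:", report["access_complete"])
    for system, state in report["open_items"].items():
        print(f"  open: {system} -> {state}")
```

A workflow that reports success on all five steps would still leave three open items here, which is the gap between workflow completion and access completion.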
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- The step-by-step onboarding and offboarding workflows used to automate account changes across employee lifecycles.
- The app catalog and approval workflow details that show how request automation is intended to reduce ticket friction.
- The specific ways automated deprovisioning is described for SaaS access, not just central identity layers.
- The user-facing workflow and no-code approval flow examples that matter if you are implementing this pattern in production.
IT automation and identity lifecycle control: what IAM teams miss?
Explore further
Identity automation is only useful when it closes the entire lifecycle, not when it merely speeds up the first hop. This article frames automation as a way to remove manual work from onboarding and offboarding, but the governance test is whether every downstream entitlement is actually changed. In IAM and IGA terms, the control is only real when joiner, mover, and leaver events produce verifiable state changes across all apps. Practitioners should treat workflow completion and access completion as two different outcomes.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when automated lifecycle workflows fail to remove access?
A: Accountability sits with the identity, application, and control owners who accepted automation as proof of governance. If lifecycle workflows do not produce revocation evidence, the organisation cannot claim that access was fully removed or that offboarding completed successfully.