IT ticketing systems and access requests: where governance slips

TL;DR: IT ticketing systems centralize support requests, track approvals, and automate routing, with 83% of organizations using formal systems to manage support efficiently according to Zluri. For identity teams, the real test is whether ticket workflows can preserve accountability without turning access requests into unmanaged privilege creation.

NHIMG editorial — based on content published by Zluri: Access Management IT Ticketing System: All You Need To Know

By the numbers:

• 96% of organizations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

Questions worth separating out

Q: How should organisations govern access requests that start in an IT ticketing system?

A: Treat the ticket as an identity control record, not a support note.

Q: Why do ticketing-based access workflows create governance risk?

A: Because they can prove that work was completed without proving that access was properly authorised.

Q: What breaks when self-service portals provision access without lifecycle controls?

A: The organization gains speed but loses entitlement discipline.

Practitioner guidance

• Require structured access request evidence Make approver identity, business justification, target application, and expiry date mandatory fields for every access-related ticket so the workflow can support audit and lifecycle review.
• Separate routing from authorization Use automated assignment and SLA timers for speed, but keep entitlement approval tied to policy checks and named reviewers rather than generic queue handling.
• Tie self-service to revocation logic Connect request portals to expiry, ownership, and offboarding processes so access granted through tickets can also be removed through the same governance path.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

• Detailed walkthrough of ticket fields and workflow components used for access request handling.
• Step-by-step implementation strategies for routing, SLA management, and support-team training.
• Specific self-service and auto-provisioning examples for reducing manual access handling.
• Examples of how the platform ties approvals to compliance outcomes and service desk efficiency.

👉 Read Zluri's guide to IT ticketing system design for access requests →

IT ticketing systems and access requests: where governance slips?

Explore further

View Full Forum →  |  NHI Foundation Course →