IT ticketing systems and access requests: where governance slips


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: IT ticketing systems centralize support requests, track approvals, and automate routing, with 83% of organizations using formal systems to manage support efficiently according to Zluri. For identity teams, the real test is whether ticket workflows can preserve accountability without turning access requests into unmanaged privilege creation.

NHIMG editorial — based on content published by Zluri: Access Management IT Ticketing System: All You Need To Know

Questions worth separating out

Q: How should organisations govern access requests that start in an IT ticketing system?

A: Treat the ticket as an identity control record, not a support note.

Q: Why do ticketing-based access workflows create governance risk?

A: Because they can prove that work was completed without proving that access was properly authorised.

Q: What breaks when self-service portals provision access without lifecycle controls?

A: The organization gains speed but loses entitlement discipline.

Practitioner guidance

  • Require structured access request evidence: Make approver identity, business justification, target application, and expiry date mandatory fields for every access-related ticket so the workflow can support audit and lifecycle review.
  • Separate routing from authorization: Use automated assignment and SLA timers for speed, but keep entitlement approval tied to policy checks and named reviewers rather than generic queue handling.
  • Tie self-service to revocation logic: Connect request portals to expiry, ownership, and offboarding processes so access granted through tickets can also be removed through the same governance path.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • Detailed walkthrough of ticket fields and workflow components used for access request handling.
  • Step-by-step implementation strategies for routing, SLA management, and support-team training.
  • Specific self-service and auto-provisioning examples for reducing manual access handling.
  • Examples of how the platform ties approvals to compliance outcomes and service desk efficiency.

👉 Read Zluri's guide to IT ticketing system design for access requests →

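The practitioner guidance in the post above, sketched as an added example (not code from Zluri, NHIMG or any ticketing product): a check that treats each access ticket as an identity control record, blocks requests lacking evidence, flags grants that were completed without proof of authorization, and lists grants past expiry for revocation. The `AccessTicket` schema, the `GENERIC_APPROVERS` names and the sample tickets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: shared queue identities that cannot count as a named reviewer.
GENERIC_APPROVERS = {"helpdesk-queue", "it-support", "auto-approve"}

@dataclass
class AccessTicket:  # hypothetical schema; field names are not from any product
    ticket_id: str
    approver: Optional[str]
    justification: Optional[str]
    target_app: Optional[str]
    expires_on: Optional[date]
    provisioned: bool = False  # True once the access has actually been granted

def evidence_gaps(t: AccessTicket) -> list:
    """List the authorization evidence the ticket fails to carry."""
    gaps = []
    if not t.approver:
        gaps.append("approver")
    elif t.approver.lower() in GENERIC_APPROVERS:
        gaps.append("approver is a queue, not a named reviewer")
    if not (t.justification or "").strip():
        gaps.append("business justification")
    if not t.target_app:
        gaps.append("target application")
    if t.expires_on is None:
        gaps.append("expiry date")
    return gaps

def review(tickets, today: date) -> dict:
    """Sort tickets into block / unaccountable / revoke buckets by ticket id."""
    out = {"block": [], "unaccountable": [], "revoke": []}
    for t in tickets:
        gaps = evidence_gaps(t)
        if gaps and not t.provisioned:
            out["block"].append(t.ticket_id)          # do not provision yet
        elif gaps:
            out["unaccountable"].append(t.ticket_id)  # work done, authorization unproven
        elif t.provisioned and t.expires_on < today:
            out["revoke"].append(t.ticket_id)         # granted access past its expiry
    return out

# Constructed sample tickets (not real data).
SAMPLE = [
    AccessTicket("T-1", "alice", "Quarterly close reporting", "erp", date(2025, 6, 30), True),
    AccessTicket("T-2", "helpdesk-queue", "New hire", "crm", date(2025, 12, 31), True),
    AccessTicket("T-3", "bob", "  ", "vpn", None, False),
    AccessTicket("T-4", "carol", "On-call rotation", "pager", date(2026, 1, 31), True),
]
RESULT = review(SAMPLE, today=date(2025, 9, 1))
```

The "unaccountable" bucket is the case the post calls out: a ticket that proves the work was completed without proving the access was authorized.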



   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

IT ticketing has become an access governance control, not just a support workflow. Once a ticket can trigger account creation, app assignment, or approval capture, it sits inside the identity control plane. That means ticket quality determines whether the organization can prove who requested access, who approved it, and whether the entitlement was actually justified. Practitioners should treat ticket design as a governance requirement, not an operations preference.

A few things that frame the scale:

  • 96% of organizations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when an access request is approved through a ticket but later turns out to be inappropriate?

A: Accountability should rest with the approver, the workflow owner, and the system owner together. The ticketing system must record who approved the request, what policy justified it, and whether the entitlement was later reviewed or revoked.

👉 Read our full editorial: IT ticketing systems reveal where access governance breaks down



   