TL;DR: According to Zluri, ITSM tools can route tickets and automate service workflows, but they still do not understand access scope, licence fit, policy conflicts, or expiry, so organisations end up approving requests without real governance. That gap matters because access management is a control problem, not a ticketing problem.
NHIMG editorial — based on content published by Zluri: IT Teams Top 14 IT Service Management Tools (ITSM Tools) in 2026
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
Questions worth separating out
Q: How should security teams handle access requests when ITSM is the front end?
A: Use ITSM as the intake and tracking layer, but route the actual access decision through policy-based entitlement logic.
Q: Why do ITSM tools often create over-permissioned users?
A: They were built to manage work items, not entitlements.
Q: What breaks when access expiry is left to manual follow-up?
A: Temporary access tends to persist after the business need ends, especially when teams rely on inbox reminders or ticket closure instead of automated revocation.
Practitioner guidance
- Split request routing from entitlement decisioning: Keep ITSM for intake and tracking, but move licence fit, role fit, and policy evaluation into a separate access control step before provisioning.
- Define approval rules by application risk: Set different handling paths for low-risk, high-risk, and segregation-of-duties-sensitive apps so the workflow can auto-approve, escalate, or reject consistently.
- Make expiry mandatory for project access: Require time-bound access for temporary work so permissions revoke automatically when the project window closes instead of relying on manual cleanup.
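The three guidance points above can be combined into one decision step that sits between the ticket and provisioning. The sketch below is an added example, not code from Zluri or from any ITSM product; the app names, roles, licence tiers, the 90-day cap and the mapping of risk tier to outcome are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy data (hypothetical apps, roles and tiers; not from any real product).
APP_RISK = {"wiki": "low", "crm": "high", "payments-approve": "sod"}
SOD_CONFLICTS = {"payments-approve": {"payments-create"}}
ROLE_LICENCE = {"engineer": "standard", "sales": "pro"}  # tier each role justifies
MAX_TEMP_DAYS = 90  # assumed cap on temporary access

@dataclass
class Request:  # fields the ITSM ticket hands to the decision step
    user: str
    role: str
    app: str
    licence: str  # tier the requester asked for
    temporary: bool
    expires: Optional[date] = None

@dataclass
class Decision:
    outcome: str  # "approve", "escalate" or "reject"
    licence: Optional[str]
    expires: Optional[date]
    reason: str

def decide(req, held, today):
    """Evaluate one request; `held` is the set of entitlements the user already has."""
    risk = APP_RISK.get(req.app)
    if risk is None:
        return Decision("reject", None, None, "app not in catalogue")
    if req.temporary and req.expires is None:
        return Decision("reject", None, None, "temporary access requires an expiry date")
    if req.expires and not (today < req.expires <= today + timedelta(days=MAX_TEMP_DAYS)):
        return Decision("reject", None, None, "expiry outside allowed window")
    clash = SOD_CONFLICTS.get(req.app, set()) & held
    if clash:
        return Decision("reject", None, None, f"SoD conflict with {sorted(clash)}")
    # Licence fit: grant the tier the role justifies, not whatever the ticket asked for.
    licence = ROLE_LICENCE.get(req.role, "standard")
    if risk == "low":
        return Decision("approve", licence, req.expires, "low-risk app, auto-approved")
    return Decision("escalate", licence, req.expires, f"{risk} app needs owner review")

def due_for_revocation(grants, today):
    """Return granted decisions whose expiry has passed, for automated revocation."""
    return [g for g in grants if g.expires and g.expires <= today]
```

The ticket stays the record that someone asked; the `Decision` is the record of why the entitlement was or was not appropriate, and `due_for_revocation` is what a scheduled job would call instead of relying on ticket closure.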
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step request flow examples showing how policy evaluation changes approval outcomes for different app types.
- The specific provisioning logic used to assign the right licence tier and permission level after approval.
- Details on how the access layer integrates with existing ITSM tools such as ServiceNow and Jira Service Management.
- Audit trail fields and reporting outputs that support SOC 2, ISO 27001, and internal review.
ITSM tools and access requests: where governance breaks down?
Explore further
ITSM ticketing is not an access control model. The article describes a common governance error: assuming that a managed request queue is the same thing as a managed entitlement decision. That assumption fails because ticket workflows do not evaluate licence scope, policy conflict, or segregation of duties. The implication is that identity teams must treat access approval as a control problem, not a service desk process.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- That same survey found that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
A question worth separating out:
Q: What is the difference between ITSM for requests and identity governance for access?
A: ITSM manages the service process, while identity governance decides whether, how much, and for how long access should exist. A ticket can confirm that someone asked for access, but it does not prove that the entitlement was appropriate. Governance is the control layer that closes that gap.