TL;DR: Manual onboarding and ticket-based provisioning slow IT teams, create errors, and leave access setup inconsistent across departments, according to Zluri’s guide to user lifecycle management. The deeper issue is that workflow automation can speed delivery, but it does not by itself solve governance, entitlement design, or offboarding discipline.
NHIMG editorial — based on content published by Zluri: Optimizing User Provisioning for New Employees
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams automate user provisioning without creating excessive access?
A: Use automation to standardise execution, not to define access policy.
Q: Why do onboarding workflows often create entitlement sprawl?
A: They speed up the grant process before organisations have fully standardised roles, app ownership, and exception handling.
Q: What do teams get wrong about user lifecycle automation?
A: They often focus on account creation and ignore the rest of the lifecycle.
Practitioner guidance
- Map onboarding workflows to role-based entitlement models: before scaling automation, define which app bundles are valid for each role, department, and location.
- Separate recommendation from approval: treat contextual app suggestions as decision support only.
- Extend the same workflow discipline to offboarding: link provisioning templates to removal tasks so the access model supports joiners, movers, and leavers.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step onboarding workflow configuration inside the platform
- Examples of contextual app recommendations for role-based provisioning
- Playbook creation steps for repeatable new-hire setup
- In-app suggestion behaviour for channel assignment and welcome actions
👉 Read Zluri's guide to user provisioning for new employees →
User provisioning automation: what IAM teams are missing?
Explore further
Automated onboarding is only useful when the entitlement model is already trustworthy. Zluri’s guide shows how much friction manual provisioning creates, but the real governance test is whether automation is faithfully executing a well-governed role model. If role definitions are loose, app recommendations broad, and exceptions informal, the platform scales inconsistency rather than control. Practitioners should treat automation as an execution layer, not an access-policy substitute.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: How do organisations keep onboarding automation aligned with least privilege?
A: Define minimum viable access for each role, then test playbooks against that baseline before deployment. Any entitlement that cannot be justified by the role should be removed or made conditional. Least privilege only holds when the template is reviewed as tightly as the workflow is automated.
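To make this concrete, the following is an added example written for this editorial; it is not code from Zluri's platform or from the source article. It checks an onboarding playbook against a role-based "minimum viable access" baseline (the check described in the answer above), flags every grant the role cannot justify, and derives the matching mover and leaver tasks from the same template (the joiners/movers/leavers discipline from the practitioner guidance). The role model, entitlement names, and playbooks are all constructed for illustration.

```python
"""Entitlement checks for onboarding playbooks against a role-based access model.

All role names, entitlement strings and playbooks below are constructed sample
data for this example; a real baseline comes from the organisation's IGA model.
"""
from __future__ import annotations
from dataclasses import dataclass

# Minimum viable access per (role, department). Constructed for illustration.
ROLE_MODEL: dict[tuple[str, str], set[str]] = {
    ("engineer", "platform"): {"github:write", "jira:user", "slack:member", "aws:developer"},
    ("engineer", "data"): {"github:write", "jira:user", "slack:member", "warehouse:analyst"},
    ("recruiter", "people"): {"ats:recruiter", "slack:member", "jira:user"},
}

# Entitlements that may be granted only as a recorded, conditional exception.
CONDITIONAL: set[str] = {"aws:admin", "github:admin", "warehouse:admin"}


@dataclass
class Playbook:
    name: str
    role: str
    department: str
    grants: set[str]


@dataclass
class Finding:
    entitlement: str
    verdict: str  # "ok" | "conditional" | "unjustified"


def validate_playbook(pb: Playbook, model=ROLE_MODEL, conditional=CONDITIONAL) -> list[Finding]:
    """Classify every grant in a playbook against the role baseline.

    A playbook for a role with no defined baseline is refused outright: automating
    it would scale an undefined policy rather than a governed one.
    """
    baseline = model.get((pb.role, pb.department))
    if baseline is None:
        raise KeyError(f"no role baseline for {(pb.role, pb.department)}; refusing to automate")
    findings = []
    for ent in sorted(pb.grants):
        if ent in baseline:
            verdict = "ok"
        elif ent in conditional:
            verdict = "conditional"  # allowed only with a justification on file
        else:
            verdict = "unjustified"  # must be removed before the playbook is deployed
        findings.append(Finding(ent, verdict))
    return findings


def unjustified_grants(pb: Playbook) -> set[str]:
    """Grants the role cannot justify; the playbook must not ship while this is non-empty."""
    return {f.entitlement for f in validate_playbook(pb) if f.verdict == "unjustified"}


def mover_diff(old: Playbook, new: Playbook) -> tuple[set[str], set[str]]:
    """(grants to add, grants to revoke) when a user moves from one role template to another."""
    return new.grants - old.grants, old.grants - new.grants


def leaver_tasks(pb: Playbook) -> list[str]:
    """Every grant in a provisioning template yields one matching revoke task."""
    return [f"revoke {ent}" for ent in sorted(pb.grants)]


# Constructed sample playbooks: one over-broad joiner template and one mover target.
PLATFORM_ONBOARDING = Playbook(
    "platform-eng-onboarding", "engineer", "platform",
    {"github:write", "jira:user", "slack:member", "aws:developer", "aws:admin", "crm:user"},
)
DATA_ONBOARDING = Playbook(
    "data-eng-onboarding", "engineer", "data",
    {"github:write", "jira:user", "slack:member", "warehouse:analyst"},
)

if __name__ == "__main__":
    for f in validate_playbook(PLATFORM_ONBOARDING):
        print(f"{f.verdict:12} {f.entitlement}")
    add, revoke = mover_diff(PLATFORM_ONBOARDING, DATA_ONBOARDING)
    print("mover add:", sorted(add), "mover revoke:", sorted(revoke))
    print("leaver:", leaver_tasks(DATA_ONBOARDING))
```

Run as a script, the report shows `crm:user` as unjustified (it belongs to no platform-engineering bundle), `aws:admin` as conditional, and the mover step revoking `aws:developer`, `aws:admin` and `crm:user` while adding `warehouse:analyst`. The design point is that the same role model drives all three lifecycle stages, so a grant that was never in the template cannot linger after a move or an exit.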
👉 Read our full editorial: User provisioning automation exposes the real IGA gap