AES identity lifecycle automation: what IAM teams should take from it

TL;DR: AES says it cut global provisioning and deprovisioning from days to under 4 hours by centralising identity controls across employees, contractors, and contingent workers, while using audit trails to support compliance and least privilege. The case shows that fragmented manual lifecycle management remains a material security and governance problem, not just an efficiency issue.

NHIMG editorial — based on content published by SailPoint: AES wins CSO Award for transformative identity security

By the numbers:

• 30% of organizations have still not started their identity security journeys.

Questions worth separating out

Q: How should organisations manage joiner-mover-leaver processes across employees and contractors?

A: They should use a single lifecycle model that applies the same governance rules to employees, contractors, and contingent workers, while still allowing role-specific entitlements.

Q: Why does deprovisioning matter as much as provisioning in identity programmes?

A: Because access that is granted correctly can still become a security issue if it is not removed when the business relationship changes.

Q: What do security teams get wrong about automated identity workflows?

A: They often treat automation as a speed project rather than a governance control.

Practitioner guidance

• Centralise joiner-mover-leaver handling Move employee, contractor, and contingent worker access changes into one governed workflow so regional variation does not determine entitlement quality.
• Bind access changes to authoritative systems Connect provisioning and deprovisioning to HR and service records such as Workday and ServiceNow so lifecycle events trigger identity action automatically rather than through manual ticket chasing.
• Measure time-to-revoke as a control metric Track how long access remains active after a role change or exit event, then compare that figure with your provisioning SLA and audit evidence requirements.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

• The specific ServiceNow and Workday workflow integration pattern used to automate provisioning and deprovisioning.
• The before-and-after operating model for regional onboarding and offboarding approvals.
• The audit trail and reporting details that support compliance readiness.
• The practical steps used to extend lifecycle management across employees, contractors, and contingent workers.

👉 Read SailPoint's blog on AES identity lifecycle automation and compliance →

AES identity lifecycle automation: what IAM teams should take from it?

Explore further

View Full Forum →  |  NHI Foundation Course →