Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AES identity lifecycle automation: what IAM teams should take from it


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: AES says it cut global provisioning and deprovisioning from days to under 4 hours by centralising identity controls across employees, contractors, and contingent workers, while using audit trails to support compliance and least privilege. The case shows that fragmented manual lifecycle management remains a material security and governance problem, not just an efficiency issue.

NHIMG editorial — based on content published by SailPoint: AES wins CSO Award for transformative identity security

By the numbers:

Questions worth separating out

Q: How should organisations manage joiner-mover-leaver processes across employees and contractors?

A: They should use a single lifecycle model that applies the same governance rules to employees, contractors, and contingent workers, while still allowing role-specific entitlements.

Q: Why does deprovisioning matter as much as provisioning in identity programmes?

A: Because access that is granted correctly can still become a security issue if it is not removed when the business relationship changes.

Q: What do security teams get wrong about automated identity workflows?

A: They often treat automation as a speed project rather than a governance control.

Practitioner guidance

  • Centralise joiner-mover-leaver handling Move employee, contractor, and contingent worker access changes into one governed workflow so regional variation does not determine entitlement quality.
  • Bind access changes to authoritative systems Connect provisioning and deprovisioning to HR and service records such as Workday and ServiceNow so lifecycle events trigger identity action automatically rather than through manual ticket chasing.
  • Measure time-to-revoke as a control metric Track how long access remains active after a role change or exit event, then compare that figure with your provisioning SLA and audit evidence requirements.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific ServiceNow and Workday workflow integration pattern used to automate provisioning and deprovisioning.
  • The before-and-after operating model for regional onboarding and offboarding approvals.
  • The audit trail and reporting details that support compliance readiness.
  • The practical steps used to extend lifecycle management across employees, contractors, and contingent workers.

👉 Read SailPoint's blog on AES identity lifecycle automation and compliance →

AES identity lifecycle automation: what IAM teams should take from it?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Standardised lifecycle control is now the baseline, not the maturity goal. The AES example shows that manual, region-specific access handling creates predictable delay and inconsistency across workforce populations. Once organisations centralise identity lifecycle management, the conversation moves from whether to automate to whether exceptions are still justified. Practitioners should treat fragmented onboarding and offboarding as a control defect, not an operating preference.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why lifecycle automation without inventory discipline still leaves blind spots according to the same guide.

A question worth separating out:

Q: How do teams know if identity lifecycle management is actually working?

A: Look for short time-to-provision and time-to-revoke, low numbers of manual exceptions, and audit trails that clearly show access was granted and removed for a documented reason. If access changes depend on local workarounds or delayed approvals, the lifecycle control is not working as intended.

👉 Read our full editorial: AES case study shows why lifecycle identity security still matters



   
ReplyQuote
Share: