TL;DR: Access request management becomes a control problem when requests arrive through email, chat, and tickets, because prioritisation, approvals, and auditability break down across the workflow, according to Zluri. The governance issue is not volume alone, but the lack of structured identity decisioning for human and non-human access.
NHIMG editorial — based on content published by Zluri: 4 ways to master request management for IT teams
Questions worth separating out
Q: How should security teams govern access requests without creating excessive approval friction?
A: Security teams should centralise requests, define deterministic approval rules for low-risk entitlements, and reserve manual review for exceptions.
Q: What breaks when access requests are handled through email and chat?
A: What breaks is evidence, consistency, and accountability.
Q: How do teams know if access request automation is actually working?
A: Automation is working when standard requests move faster, exception rates stay controlled, and approvers spend time on genuinely risky cases rather than repetitive approvals.
Practitioner guidance
- Centralise access request intake: Route all access requests through a single system of record so approvals, status, and exceptions are visible in one place instead of being split across email, chat, and ad hoc follow-up.
- Define policy-based approval paths: Map requests to role, application sensitivity, and business impact so routine approvals can be preauthorised while high-risk requests still require human review.
- Constrain self-service to governed catalogues: Limit user choice to approved applications, license tiers, and request durations so the portal narrows demand instead of broadening entitlement risk.
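The three points above can be expressed as one deterministic decision function. The sketch below is an added example, not Zluri's platform logic or rules from the source article; the catalogue entries, roles, preauthorised pairs, and the rule sending non-human identities to manual review are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed governed catalogue: app -> sensitivity, offered tiers, max duration.
CATALOGUE = {
    "wiki":    {"sensitivity": "low",    "tiers": {"viewer", "editor"}, "max_days": 365},
    "crm":     {"sensitivity": "medium", "tiers": {"standard"},         "max_days": 180},
    "payroll": {"sensitivity": "high",   "tiers": {"read-only"},        "max_days": 30},
}
# Constructed preauthorisation rules: (role, app) pairs approved without review.
PREAUTHORISED = {("engineer", "wiki"), ("sales", "wiki"), ("sales", "crm")}

@dataclass(frozen=True)
class Request:
    requester: str
    role: str
    app: str
    tier: str
    days: int
    identity_type: str = "human"  # "human" or "non-human" (assumed labels)

def decide(req):
    """Return (decision, reason); identical input always gives identical output."""
    entry = CATALOGUE.get(req.app)
    # Catalogue constraints come first: anything outside them is not requestable.
    if entry is None:
        return "reject", "application not in governed catalogue"
    if req.tier not in entry["tiers"]:
        return "reject", "licence tier not offered for this application"
    if not 0 < req.days <= entry["max_days"]:
        return "reject", "duration outside catalogue limit"
    # High-risk and non-human requests always get a human reviewer.
    if entry["sensitivity"] == "high":
        return "manual_review", "high-sensitivity application"
    if req.identity_type != "human":
        return "manual_review", "non-human identity"
    if (req.role, req.app) in PREAUTHORISED:
        return "auto_approve", "preauthorised for role"
    # Default is review, so an unmatched request is an exception, never a grant.
    return "manual_review", "no rule matched"

def process(requests):
    """Decide every request; return the single audit log and the exception rate."""
    log = [{"request": r, "decision": d, "reason": why}
           for r in requests for d, why in [decide(r)]]
    exceptions = sum(1 for e in log if e["decision"] == "manual_review")
    return log, (exceptions / len(log) if log else 0.0)
```

The exception rate returned by `process` is the share of requests sent to manual review, which is one way to track whether exception rates stay controlled.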
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step walkthrough of the App Catalog & Access Request user flow for employees and approvers.
- The specific approval rule examples tied to job role and seniority levels inside the platform.
- How the self-service portal surfaces application usage, desktop agent status, and browser agent visibility.
- The article's product-specific explanation of SaaS optimisation and app catalog tracking.
Access request workflows: what IAM teams need to fix first?
Explore further
Access request management is an identity governance control, not an IT convenience layer. The article frames request handling as operational efficiency, but the deeper issue is policy enforcement at the point of demand. Once access requests move across disconnected channels, organisations lose consistency in approval, revocation, and audit evidence. The practitioner conclusion is that request intake must be treated as part of the identity control plane, not as a helpdesk afterthought.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, a gap that shows how quickly access governance loses track of non-human credentials.
A question worth separating out:
Q: Who should own access request governance in an IAM programme?
A: Access request governance should be owned jointly by IAM, application owners, and business approvers, with clear policy definitions and revocation authority. IAM should control the workflow design and evidence model, while business stakeholders should own the access decision criteria. Without that split, requests drift into local convenience decisions instead of governed access management.