Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Access requests and IAM governance: what teams miss in ticketing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Access requests still dominate IT support because fragmented approval paths, changing role needs, and manual handling create delay and risk across software access, according to Zluri's overview of IT support requests. The real issue is governance: access workflows reveal where identity controls, review processes, and accountability break down.

NHIMG editorial — based on content published by Zluri: Access Management IT Support Requests - An Overview

Questions worth separating out

Q: How should security teams manage access requests without creating ticketing bottlenecks?

A: Security teams should treat access requests as governed identity events, not simple support tickets.

Q: Why do access requests become a governance risk as organisations scale?

A: Access requests become risky when approval paths multiply faster than policy control.

Q: What do identity teams get wrong about ticketless access workflows?

A: Teams often assume ticketless access is automatically more secure because it is faster.

Practitioner guidance

  • Centralise access request intake Route application, data, and role-based access through one governed intake path so approvals, provisioning, and evidence collection happen in the same workflow.
  • Link access requests to lifecycle events Tie mover and leaver changes to entitlement review so access changes are reconciled when roles, projects, or reporting lines change.
  • Make approval authority explicit Define who can approve which access classes, then enforce those rules in the workflow rather than relying on inbox-based sign-off.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of the common IT support request categories discussed in the article.
  • The article’s practical examples of password reset, access request, and billing support workflows.
  • Zluri’s own workflow framing for centralising support requests and reducing manual handling.
  • The source’s product-oriented access request discussion for teams evaluating ticketless handling.

👉 Read Zluri's overview of IT support requests and access management →

Access requests and IAM governance: what teams miss in ticketing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Access requests are a lifecycle governance problem before they are a service desk problem. The article treats requests as operational support, but the underlying issue is entitlement control across joiner, mover, and leaver events. When approvals, provisioning, and removal are split across manual channels, the identity programme loses consistency and auditability. Practitioners should treat request handling as part of identity lifecycle design, not as a help desk queue.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes cannot reliably account for machine access paths.

A question worth separating out:

Q: Who should own access request governance in an IAM programme?

A: Access request governance should sit with identity and access management owners, with clear input from application owners and approvers. Help desks can route and track requests, but they should not define entitlement policy. Ownership matters because the control being enforced is access authority, not case handling.

👉 Read our full editorial: Access requests are an IAM governance problem, not a ticketing one



   
ReplyQuote
Share: