TL;DR: ITIL service request management standardizes access and routine change handling through logged, approved, and fulfilled workflows, reducing delays and operational friction according to Zluri. For IAM teams, the key issue is that request fulfilment is also an access governance control, so approval design, verification, and follow-up determine whether least privilege is actually enforced.
NHIMG editorial — based on content published by Zluri: Access Management ITIL Service Request Management: A 101 Guide
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams govern access requests in ITIL workflows?
A: Treat access requests as identity governance events, not just service desk tasks.
Q: Why do service request workflows create privilege creep?
A: Privilege creep appears when approvals are broad, fulfilment is automated, and nobody checks whether the granted access is still needed.
Q: What breaks when access requests are approved only by role?
A: Role-only approval is too coarse for modern identity environments because it ignores task scope, data sensitivity, and duration.
Practitioner guidance
- Define identity-changing requests separately: Split service requests that change access, credentials, or entitlements from requests that only restore service or answer questions.
- Tighten approval criteria around scope and duration: Require approvers to validate what access is needed, for how long, and whether the entitlement should expire automatically.
- Add post-fulfilment verification to every sensitive request: Confirm that granted access works as intended, remains limited to the approved scope, and is removed when the task or need ends.
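The three guidance points above can be expressed as one check over request records. The sketch below is an added example, not code from Zluri or NHIMG; the record fields (`type`, `approved_scope`, `granted`, `expires_at`, `verified`), the category names and the sample tickets are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Assumed request categories that change identity state (hypothetical names).
IDENTITY_CHANGING = {"access", "credential", "entitlement"}

def review_request(req, now):
    """Return governance findings for one service-request record."""
    if req["type"] not in IDENTITY_CHANGING:
        return []  # restore-service or question tickets are out of scope here
    findings = []
    approved = set(req.get("approved_scope", []))
    granted = set(req.get("granted", []))  # entitlements currently held
    expires = req.get("expires_at")
    if not approved:
        findings.append("approval has no explicit scope")
    if expires is None:
        findings.append("approval has no expiry")
    extra = granted - approved
    if extra:
        findings.append("granted beyond approved scope: " + ", ".join(sorted(extra)))
    if expires is not None and expires <= now and granted:
        findings.append("access still present after expiry")
    if req.get("status") == "closed" and not req.get("verified", False):
        findings.append("closed without post-fulfilment verification")
    return findings

def audit(requests, now):
    """Map request id -> findings, only for requests that have findings."""
    report = {}
    for r in requests:
        f = review_request(r, now)
        if f:
            report[r["id"]] = f
    return report

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
# Constructed sample tickets, not real data.
SAMPLE = [
    {"id": "REQ-1", "type": "question", "status": "closed"},
    {"id": "REQ-2", "type": "access", "status": "closed", "verified": True,
     "approved_scope": ["crm:read"], "granted": ["crm:read"],
     "expires_at": datetime(2024, 7, 1, tzinfo=timezone.utc)},
    {"id": "REQ-3", "type": "access", "status": "closed", "verified": False,
     "approved_scope": ["crm:read"], "granted": ["crm:read", "crm:admin"],
     "expires_at": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"id": "REQ-4", "type": "credential", "status": "fulfilled",
     "approved_scope": ["ci:deploy-key"], "granted": ["ci:deploy-key"]},
]

if __name__ == "__main__":
    for req_id, findings in audit(SAMPLE, NOW).items():
        print(req_id, findings)
```

In practice the `granted` set would come from the target system's current entitlements rather than from the ticket, so that the comparison reflects what was actually provisioned.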
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step service request handling flow from initiation through closure
- Example access-request fulfilment steps for standard software and permission changes
- Automation-oriented workflow guidance for teams reducing manual ticket handling
- Platform-specific context on Zluri's access request capabilities