Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

ASDA’s identity overhaul: what it means for lifecycle governance


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: ASDA’s move to rebuild identity after its separation from Walmart shows how fast onboarding, cleaner data, and stronger lifecycle processes become operational requirements when a retailer must manage 138,000 users and 6,000 contractors across cloud-based systems, according to SailPoint. The deeper lesson is that identity programmes fail when they are treated as tooling projects instead of business change and governance programmes.

NHIMG editorial — based on content published by SailPoint: ASDA reveals how SailPoint supported the supermarket to build a new, nationwide identity security program

By the numbers:

Questions worth separating out

Q: How should organisations manage contractor access differently from employee access?

A: They should not create a weaker parallel process unless there is a clear legal or operational reason.

Q: Why does identity data quality matter so much in IAM programmes?

A: Because every provisioning, certification, and role-mapping decision depends on accurate identity data.

Q: When should organisations prioritise change control in identity projects?

A: From the start. Identity programmes fail when teams try to make software fit a bad process, because users, managers, and approvers then work around the control model. Change control should cover training, communication, release discipline, and operational readiness whenever identity workflows change.

Practitioner guidance

  • Map every identity flow to a named owner Document who owns joiner, mover, leaver, and contractor changes across HR, IAM, and service teams so no identity attribute sits in an unresolved handoff.
  • Measure onboarding speed as a control metric Track the time from employment event to usable access for short-term staff, contractors, and frontline workers, then separate delays caused by process, data, and approvals.
  • Clean identity data before expanding automation Reconcile multiple source systems into a single trusted identity dataset before using role mining, AI-assisted onboarding, or access certification at scale.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How ASDA structured its identity reset after separating from Walmart and why that mattered for governance
  • The practical steps used to align Workday, SailPoint, and ServiceNow for request and lifecycle handling
  • The contractor-management approach behind SailPoint's Non-Employee Risk Management deployment
  • The specific lessons Simon Langley highlighted on data ownership, business change management, and partner selection

👉 Read SailPoint’s ASDA identity transformation story →

ASDA’s identity overhaul: what it means for lifecycle governance?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity transformation programmes fail when lifecycle ownership is fragmented. ASDA’s experience shows that even when the target state is clear, the governance problem is who owns the identity record, the access request, and the change process at each stage. That fragmentation creates inconsistent controls across employees and contractors. The practitioner conclusion is that lifecycle accountability must be designed before the tooling is expanded.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: What should IAM teams do before using AI for role mining?

A: They should first stabilise the identity data set and confirm who owns each source and attribute. AI can accelerate analysis, but it cannot fix inconsistent inputs. If the underlying model is messy, role mining will amplify the noise instead of simplifying governance.

👉 Read our full editorial: ASDA’s identity overhaul shows why lifecycle governance still matters



   
ReplyQuote
Share: