TL;DR: Automating onboarding through workflow playbooks and app catalogs can speed SaaS access assignment, reduce manual errors, and standardise approvals for new joiners, according to Zluri. The governance issue is not convenience but whether access provisioning, review, and offboarding stay aligned as app sprawl grows.
NHIMG editorial — based on content published by Zluri: How to Automate Onboarding Using Zluri
By the numbers:
- Today an employee of a mid-size company uses more than 100 apps at work.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams automate employee onboarding without weakening access control?
A: Use workflow automation only after role definitions, application ownership, and approval boundaries are stable.
Q: Why can onboarding automation create access risk instead of reducing it?
A: It creates risk when the automation scales a bad entitlement model.
Q: What breaks when app catalogs are not kept current?
A: The catalog stops being a control surface and becomes a convenience list.
Practitioner guidance
- Map onboarding playbooks to narrow role definitions: Review every workflow that assigns SaaS access and tighten it to role-specific app sets, not broad department templates.
- Make the app catalog the governed source of truth: Assign owners to each catalog entry, review the list on a fixed cadence, and retire stale applications or duplicate request paths before users find them.
- Log every automated entitlement decision: Capture approver identity, workflow version, app requested, and downstream provisioning result so the access trail can be reconstructed for audit or incident review.
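One way to check a provisioning log against the three guidance points above, as an added example that is not from Zluri or the original post. The record field names, role names, apps and sample records are all constructed assumptions.

```python
# Added example: field names, roles, apps and records below are constructed assumptions.
ROLE_APPS = {"sales-ae": {"crm", "email"}, "backend-eng": {"git", "email", "ci"}}
CATALOG_OWNERS = {"crm": "alice", "email": "it-ops", "git": "bob", "ci": None}
REQUIRED = ("user", "role", "app", "approver", "workflow_version", "provisioning_result")

def rec(user, role, app, approver, result, version="v3"):
    """Build one constructed entitlement-decision record."""
    return {"user": user, "role": role, "app": app, "approver": approver,
            "workflow_version": version, "provisioning_result": result}

DECISIONS = [
    rec("u1", "sales-ae", "crm", "mgr1", "success"),
    rec("u1", "sales-ae", "git", "mgr1", "success"),      # app outside the role's set
    rec("u2", "backend-eng", "ci", "", "success"),        # no approver; catalog entry unowned
    rec("u2", "backend-eng", "email", "mgr2", "failed"),  # approved but never provisioned
]

def audit(decisions, role_apps=ROLE_APPS, owners=CATALOG_OWNERS):
    """Return (record index, finding, detail) tuples for records that break the guidance."""
    findings = []
    for i, d in enumerate(decisions):
        missing = [f for f in REQUIRED if not d.get(f)]
        if missing:
            findings.append((i, "incomplete-trail", ",".join(missing)))
        role, app = d.get("role"), d.get("app")
        if not role or not app:
            continue  # entitlement checks need both values
        if app not in role_apps.get(role, set()):
            findings.append((i, "outside-role-set", f"{role}->{app}"))
        if not owners.get(app):
            findings.append((i, "unowned-catalog-entry", app))
    return findings

def effective_access(decisions):
    """Reconstruct what each user actually holds: only successfully provisioned grants."""
    held = {}
    for d in decisions:
        if d.get("provisioning_result") == "success":
            held.setdefault(d.get("user"), set()).add(d.get("app"))
    return held

if __name__ == "__main__":
    for finding in audit(DECISIONS):
        print(finding)
    print(effective_access(DECISIONS))
```

Separating approved grants from successfully provisioned ones matters for offboarding: revocation has to target what the user actually holds, not what the workflow intended.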
What's in the full article
Zluri's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step workflow setup for onboarding users into SaaS applications
- How to use playbooks for repeatable app assignment by department or role
- Operational navigation of the onboarding, drafts, recent runs, and automation rules views
- App Catalog and access request flow details for self-service approvals
Employee onboarding automation: what IAM teams need to watch?
Explore further
Onboarding automation is a governance compression problem, not just an efficiency problem. The more access decisions are collapsed into a workflow, the more important the upstream entitlement model becomes. If the role design is weak, automation multiplies the error at machine speed. Practitioners should treat workflow design as policy design, not as a clerical shortcut.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when automated onboarding grants the wrong access?
A: Accountability sits with the identity, application, and business owners who approved the workflow design and the entitlement model it uses. Automation does not remove ownership. If the system grants the wrong access, the organisation should be able to trace the decision back to the playbook, approver, and catalog entry.