TL;DR: General Motors describes how it is using identity security to reduce certification fatigue, automate joiner mover leaver processes, support a remote workforce, and apply risk-based approvals as it modernises for electrification and autonomy, according to SailPoint. The central lesson is that identity governance has to absorb scale, speed, and operational change rather than treat them as exceptions.
NHIMG editorial — based on content published by SailPoint: General Motors takes us on a ride with identity security
Questions worth separating out
Q: How should organisations reduce certification fatigue in IAM programmes?
A: Start by reducing the number of items that enter review.
Q: When do risk-based approvals improve identity governance?
A: They work best when entitlement data is clean, ownership is defined, and access patterns are well understood.
Q: What do identity teams get wrong about automation in access governance?
A: They often treat automation as a substitute for governance rather than a way to make governance scalable.
Practitioner guidance
- Automate repetitive joiner mover leaver tasks Use workflow automation to standardise routine provisioning, entitlement changes, and deprovisioning so reviewers focus on exceptions and high-risk access rather than every transaction.
- Reduce certification fatigue by narrowing the review set Limit access recertification to material entitlements, privileged roles, and unusual access paths, and retire broad review cycles that generate low-value approvals.
- Build risk-based approval rules from governed data Define approval logic using trusted role, system, and business context data, then test the rules against real requests before moving them into production.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- Tray Wyman’s direct commentary on GM’s identity programme priorities and operating model.
- The specific ways SailPoint frames automated approvals and lifecycle workflows for enterprise IAM.
- The video discussion of how GM is adapting identity governance to support electrification and vehicle autonomy.
👉 Read SailPoint's blog on General Motors' identity security approach →
General Motors identity security: what automation changes for IAM teams?
Explore further
Automation is not a convenience layer in identity governance, it is the only way large enterprises avoid review collapse. When access volumes rise, manual certification becomes a bottleneck that weakens control quality as much as it slows operations. The important point is not that automation is faster, but that it keeps governance decisions reviewable at enterprise scale. Practitioners should treat manual-only governance as a structural limit, not a preferred operating model.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: How can IAM teams support remote work without weakening access control?
A: Use identity as the primary control plane, with access decisions driven by role, business need, and risk rather than physical location. That lets teams support distributed work while keeping approvals auditable and consistent across systems and geographies.
👉 Read our full editorial: General Motors and identity security: automation, certification, and scale