TL;DR: Mid-sized companies often struggle with manual Joiner-Mover-Leaver processes that delay onboarding, accumulate excess access, and leave orphan accounts behind, according to OpenIAM. The operational problem is less about headcount than about lifecycle governance that cannot keep pace with role changes, SaaS sprawl, and offboarding.
NHIMG editorial — based on content published by OpenIAM: The Identity Lifecycle Problem in Mid-Sized Companies
Questions worth separating out
Q: How should organisations automate joiner, mover, and leaver access changes?
A: Use the HR system or another authoritative source as the trigger for provisioning, entitlement updates, and deprovisioning.
Q: Why does manual identity lifecycle management create so much access creep?
A: Manual lifecycle management creates access creep because people keep adding new permissions while removals are delayed, forgotten, or never requested.
Q: What breaks when leaver offboarding only disables the primary directory account?
A: Downstream access remains active in SaaS apps, VPNs, privileged tools, shared accounts, and databases.
Practitioner guidance
- Define role-based birthright access Map core job families to baseline permissions from the HR source of truth, then provision those entitlements automatically when a joiner event occurs.
- Recalculate entitlements on mover events Trigger access review and entitlement recalculation whenever role, department, manager, or location changes.
- Automate full leaver deprovisioning Use one termination event to disable accounts, revoke sessions and tokens, and remove access from SaaS, VPN, privileged tools, databases, and shared resources.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step JML workflow examples for joiner, mover, and leaver events in a mid-sized environment
- Practical onboarding and offboarding flow patterns that connect HR updates to downstream application actions
- Implementation detail on birthright access, attribute-based updates, and deprovisioning across connected systems
- OpenIAM's own product framing for automating lifecycle events without manual ticket handling
👉 Read OpenIAM's guide to Joiner-Mover-Leaver identity lifecycle management →
Identity lifecycle management in mid-sized firms: where does JML fail?
Explore further
Manual identity lifecycle is a governance debt problem, not an efficiency problem. The article correctly shows that lean IT teams do not fail because they lack competence, but because tickets, Slack requests, and fragmented app administration cannot sustain accurate JML control at scale. That pattern is visible wherever access changes faster than humans can reconcile them, which is why lifecycle governance is now a security control, not just an HR workflow. Practitioners should treat lifecycle maturity as a baseline requirement, not a back-office optimisation.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when lifecycle access removals fail?
A: Accountability usually sits across HR, IAM, IT operations, and application owners because lifecycle control depends on both authoritative events and downstream enforcement. Frameworks such as the NIST Cybersecurity Framework 2.0 reinforce that access governance must be owned, monitored, and auditable across the whole environment.
👉 Read our full editorial: Identity lifecycle maturity is the real mid-market IAM gap