
Identity security journeys: where lifecycle automation is still breaking down


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: Identity security programmes must meet organisations at different maturity levels, with examples showing faster joiner, mover, leaver processing, shorter certification cycles, and broader access visibility across large enterprises, according to SailPoint. The operational lesson is that lifecycle automation and access governance remain the real determinants of control at scale.

NHIMG editorial — based on content published by SailPoint: The identity security journey, meeting customers where they are

Questions worth separating out

Q: How should security teams automate joiner, mover, and leaver governance?

A: Start by wiring JML decisions to authoritative identity sources such as HR, directory, and application ownership data.

Q: Why do long access certification cycles weaken identity governance?

A: Long cycles weaken governance because access often changes again before the review closes, making the attestation less reflective of actual risk.

Q: What breaks when identity data is split across multiple tools?

A: Split identity data creates conflicting versions of who has access, why it exists, and whether it should still be active.

Practitioner guidance

  • Map JML triggers to authoritative upstream systems. Connect joiner, mover, and leaver events to the HR and directory records that actually define employment status and role change.
  • Compress certification cycles to match operational change. Set review cadences based on how quickly access changes in practice, then measure whether managers can complete attestations before the entitlement picture shifts again.
  • Consolidate entitlement evidence into one access record. Use one authoritative identity record for provisioning, requests, certifications, and analytics so auditors and managers are not reconciling conflicting access views.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • Customer-specific deployment examples showing how different organisations phased in identity automation
  • Implementation support practices used during cutover, performance assessment, and scale validation
  • Workflow detail for certifications, access requests, and request centre usage across live environments
  • Examples of how lifecycle management, access modelling, compliance, and analytics fit into one operating model

👉 Read SailPoint's blog on identity security journeys and lifecycle automation →


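As an added example for this thread (not SailPoint's code and not part of the original post), the script below does the two things the practitioner guidance describes: it derives joiner, mover and leaver events by comparing a full HR export against the identity store with HR treated as authoritative, and it measures how much of a certification's reviewed entitlement set changed between the review opening and the attestations closing. The HR schema, employee identifiers, entitlement names and the `full_export` switch are all assumptions constructed for the illustration.

```python
"""Derive joiner/mover/leaver events from an authoritative HR export and
measure how far the entitlement picture moved during a certification window.
Added example for this thread, not SailPoint's code; all schemas, identifiers
and records below are assumptions constructed inline."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data (assumed schema). HR decides who exists and what
# their status, department and title are; the identity store is never
# consulted for those facts, only compared against them.
HR_FEED = [
    {"employee_id": "E100", "status": "active", "department": "Finance", "title": "Analyst"},
    {"employee_id": "E101", "status": "active", "department": "Engineering", "title": "SRE"},
    {"employee_id": "E102", "status": "terminated", "department": "Sales", "title": "AE"},
    {"employee_id": "E103", "status": "active", "department": "Engineering", "title": "Engineer"},
]
IDENTITY_STORE = {
    "E100": {"department": "Finance", "title": "Analyst"},    # unchanged
    "E101": {"department": "Support", "title": "Engineer"},   # moved to Engineering/SRE
    "E102": {"department": "Sales", "title": "AE"},           # HR says terminated
    "E104": {"department": "Marketing", "title": "Manager"},  # no HR record at all
}
# Constructed (identity, entitlement) pairs at review open and review close.
REVIEW_OPEN = {("E100", "fin-gl-read"), ("E101", "prod-ssh"),
               ("E102", "crm-admin"), ("E104", "mkt-cms-admin")}
REVIEW_CLOSE = {("E100", "fin-gl-read"), ("E100", "fin-ap-approve"),
                ("E101", "prod-ssh"), ("E101", "k8s-admin"), ("E104", "mkt-cms-admin")}

TRACKED_FIELDS = ("department", "title")  # assumed: the attributes that drive role


@dataclass(frozen=True)
class LifecycleEvent:
    employee_id: str
    kind: str    # "joiner", "mover" or "leaver"
    reason: str


def derive_jml_events(hr_feed: Iterable[dict], identity_store: Dict[str, dict],
                      full_export: bool = True) -> List[LifecycleEvent]:
    """Compare the HR feed with the identity store and emit lifecycle events.
    HR wins every conflict. `full_export` says whether the feed lists every
    employee: only then may absence from the feed be read as a departure,
    since reading a delta feed that way would disable most of the workforce."""
    events: List[LifecycleEvent] = []
    hr_by_id = {rec["employee_id"]: rec for rec in hr_feed}
    for eid, rec in hr_by_id.items():
        if rec["status"] != "active":
            if eid in identity_store:  # known to us but no longer employed
                events.append(LifecycleEvent(eid, "leaver", f"hr_status={rec['status']}"))
            continue
        if eid not in identity_store:
            events.append(LifecycleEvent(eid, "joiner", "present_in_hr_absent_in_store"))
            continue
        current = identity_store[eid]
        changed = [f for f in TRACKED_FIELDS if current.get(f) != rec[f]]
        if changed:
            events.append(LifecycleEvent(eid, "mover", "changed:" + ",".join(changed)))
    if full_export:
        # An identity no authoritative source vouches for must not keep access.
        for eid in identity_store:
            if eid not in hr_by_id:
                events.append(LifecycleEvent(eid, "leaver", "not_in_authoritative_source"))
    return sorted(events, key=lambda e: (e.employee_id, e.kind))


def certification_drift(at_open: Set[Tuple[str, str]],
                        at_close: Set[Tuple[str, str]]) -> dict:
    """Share of the reviewed (identity, entitlement) pairs that were added or
    removed between the review opening and the attestations closing. The
    higher it is, the less the signed-off picture describes what is in place."""
    added = at_close - at_open
    removed = at_open - at_close
    reviewed = len(at_open)
    drift = (len(added) + len(removed)) / reviewed if reviewed else 0.0
    return {"added": len(added), "removed": len(removed), "drift": drift}


if __name__ == "__main__":
    for event in derive_jml_events(HR_FEED, IDENTITY_STORE):
        print(f"{event.kind:<7} {event.employee_id} ({event.reason})")
    print("certification drift:", certification_drift(REVIEW_OPEN, REVIEW_CLOSE))
```

On the constructed data the run yields one mover (E101), one joiner (E103) and two leavers (E102 by HR status, E104 because no HR record exists), and a drift of 0.75: three of the four reviewed pairs changed before the review closed, which is the situation the second question above describes. The `full_export` flag is the caveat to keep: a delta feed must never be allowed to turn "absent" into "leaver".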



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7853
 

Lifecycle automation is the control boundary that separates identity governance from process theatre. Manual joiner, mover, and leaver handling creates a lag between business change and access change, which is where risk accumulates. When HR, core systems, and application teams update independently, identity state becomes inconsistent and reviews lose evidentiary value. The practitioner conclusion is straightforward: if lifecycle events are not machine-enforced, the programme cannot reliably govern access.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own offboarding when access spans many applications?

A: Ownership should sit with the identity governance team, but execution must be tied to the business event that ends access, such as departure, role change, or contract end. When many applications are involved, the key is to centralise revocation logic so no account survives simply because one system was not updated.

👉 Read our full editorial: Identity security journeys still hinge on lifecycle automation



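As an added example for the offboarding question above (not SailPoint's code and not the moderator's own), the script below centralises revocation so that one leaver event disables every user account and API key that person owns across several applications, keeps going when one connector is down, and then sweeps for survivors: enabled accounts whose owner is no longer active, or that have no owner at all. The connector interface, application names, account records and the simulated outage are all assumptions constructed inline.

```python
"""Centralised revocation of a leaver's accounts and API keys across several
applications, followed by a survivor sweep that catches whatever one failed
update left behind. Added example for this thread, not SailPoint's or the
forum's own code; the connector interface, application names, account
records and the failure simulation are all assumptions constructed inline."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Account:
    owner: str          # employee id from the authoritative source, "" if unknown
    kind: str           # "user" or "api_key"
    enabled: bool = True


class AppConnector:
    """Stand-in for one application's provisioning connector (assumed shape).
    `flaky=True` simulates the connector being down when revocation runs."""

    def __init__(self, name: str, accounts: Dict[str, Account], flaky: bool = False):
        self.name = name
        self.accounts = accounts
        self.flaky = flaky

    def disable(self, account_id: str) -> None:
        if self.flaky:
            raise ConnectionError(f"{self.name}: connector unavailable")
        self.accounts[account_id].enabled = False


def revoke_leaver(connectors: Iterable[AppConnector], leaver_id: str) -> Dict[str, list]:
    """Disable every enabled account and API key the leaver owns, in every
    application, from one place. A failing connector must not stop the others,
    so the failure is recorded and the loop carries on; the caller retries."""
    report: Dict[str, list] = {"disabled": [], "failed": []}
    for app in connectors:
        for acct_id, acct in app.accounts.items():
            if acct.owner != leaver_id or not acct.enabled:
                continue
            try:
                app.disable(acct_id)
                report["disabled"].append((app.name, acct_id, acct.kind))
            except ConnectionError as exc:
                report["failed"].append((app.name, acct_id, str(exc)))
    return report


def find_survivors(connectors: Iterable[AppConnector],
                   active_ids: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Every enabled account whose owner is not an active identity. Run after
    revocation and on a schedule, so an account that outlived its owner
    because one system was not updated is found by reconciliation."""
    survivors = []
    for app in connectors:
        for acct_id, acct in app.accounts.items():
            if acct.enabled and acct.owner not in active_ids:
                why = "no_owner" if not acct.owner else f"owner_inactive:{acct.owner}"
                survivors.append((app.name, acct_id, acct.kind, why))
    return sorted(survivors)


def build_sample_estate() -> List[AppConnector]:
    """Constructed estate: three applications, the CI system unreachable."""
    return [
        AppConnector("crm", {"jdoe": Account("E102", "user"),
                             "crm-sync-key": Account("E102", "api_key")}),
        AppConnector("ci", {"E102": Account("E102", "user"),
                            "deploy-key-7": Account("", "api_key")}, flaky=True),
        AppConnector("wiki", {"jdoe": Account("E102", "user"),
                              "asmith": Account("E101", "user")}),
    ]


ACTIVE_IDS = {"E100", "E101", "E103"}  # constructed: E102 has just left


if __name__ == "__main__":
    estate = build_sample_estate()
    print("revocation:", revoke_leaver(estate, "E102"))
    print("survivors:", find_survivors(estate, ACTIVE_IDS))
```

On the constructed estate the first pass disables three of E102's four artefacts and records the CI failure instead of aborting; the survivor sweep then reports the CI account that outlived its owner and an ownerless deploy key that no leaver event will ever touch. The point of the second function is that the revocation report is not the evidence of completion; the sweep against the authoritative active set is, and it has to run regardless of what the connectors claimed.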