ITOM best practices: what IAM teams should actually govern

TL;DR: IT operations management best practices are framed around CMDBs, automation, planning, alignment, tooling, and continuous improvement, with Zluri positioning its SaaS operations platform as an execution layer for onboarding, offboarding, approvals, and usage visibility. For identity teams, the real issue is that operational efficiency claims only matter when lifecycle governance, access revocation, and entitlement control stay intact.

NHIMG editorial — based on content published by Zluri: IT teams top 6 IT operations management best practices

By the numbers:

• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should security teams govern access in automated IT operations workflows?

A: Security teams should treat automated IT operations workflows as lifecycle controls that need ownership, exception handling, and regular review.

Q: Why do ITOM platforms create identity governance risk when they centralise workflows?

A: Centralisation can make identity governance stronger only if the entitlement model is accurate and the offboarding logic is complete.

Q: What breaks when deprovisioning is not tied to operational ownership changes?

A: Access persists after the business need has changed, which leaves former users, contractors, or service owners with privileges they no longer require.

Practitioner guidance

• Audit lifecycle handoffs across onboarding and offboarding Trace every access change from request to revocation and confirm that the same workflow closes the loop when a user changes role, leaves, or no longer needs an app.
• Link operational inventory to identity context Use your CMDB or equivalent control plane to record the identity relationships that matter, including app owners, entitlement owners, and dependent business services.
• Measure revocation, not just provisioning speed Track how long access persists after it should be removed, and report that alongside onboarding cycle time and approval throughput.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

• Step-by-step ITOM best practice examples for CMDB use, automation, and monitoring in day-to-day operations
• Detailed discussion of how Zluri applies onboarding, offboarding, SaaS approvals, and app-store workflows
• Product-specific guidance on configuring real-time usage tracking and compliance features inside the platform
• Implementation-oriented examples that show how the vendor expects teams to organise operational processes

👉 Read Zluri's ITOM best practices guide for operational workflow detail →

ITOM best practices: what IAM teams should actually govern?

Explore further

View Full Forum →  |  NHI Foundation Course →