TL;DR: IT operations management best practices are framed around CMDBs, automation, planning, alignment, tooling, and continuous improvement, with Zluri positioning its SaaS operations platform as an execution layer for onboarding, offboarding, approvals, and usage visibility. For identity teams, the real issue is that operational efficiency claims only matter when lifecycle governance, access revocation, and entitlement control stay intact.
NHIMG editorial — based on content published by Zluri: IT teams top 6 IT operations management best practices
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams govern access in automated IT operations workflows?
A: Security teams should treat automated IT operations workflows as lifecycle controls that need ownership, exception handling, and regular review.
Q: Why do ITOM platforms create identity governance risk when they centralise workflows?
A: Centralisation can make identity governance stronger only if the entitlement model is accurate and the offboarding logic is complete.
Q: What breaks when deprovisioning is not tied to operational ownership changes?
A: Access persists after the business need has changed, which leaves former users, contractors, or service owners with privileges they no longer require.
Practitioner guidance
- Audit lifecycle handoffs across onboarding and offboarding: Trace every access change from request to revocation and confirm that the same workflow closes the loop when a user changes role, leaves, or no longer needs an app.
- Link operational inventory to identity context: Use your CMDB or equivalent control plane to record the identity relationships that matter, including app owners, entitlement owners, and dependent business services.
- Measure revocation, not just provisioning speed: Track how long access persists after it should be removed, and report that alongside onboarding cycle time and approval throughput.
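One way to produce the revocation metric described in the last item, as an added example that is not taken from Zluri's article or any vendor tooling. The record layout, field names, sample rows and the 24-hour SLA are all constructed assumptions; in practice the rows would come from your HR, CMDB and identity provider exports.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records (not from any real system). Each row is one
# entitlement: requested/granted timestamps, when access should have ended
# (role change or departure), and when it was revoked (None = still active).
ENTITLEMENTS = [
    {"identity": "alice", "app": "crm", "requested": "2024-03-01T09:00", "granted": "2024-03-01T11:00",
     "should_end": "2024-06-01T17:00", "revoked": "2024-06-01T18:00"},
    {"identity": "bob-contractor", "app": "git", "requested": "2024-03-04T09:00", "granted": "2024-03-04T09:30",
     "should_end": "2024-05-15T17:00", "revoked": "2024-05-29T17:00"},
    {"identity": "svc-report-key", "app": "billing-api", "requested": "2024-02-10T10:00", "granted": "2024-02-12T10:00",
     "should_end": "2024-04-01T00:00", "revoked": None},
    {"identity": "carol", "app": "crm", "requested": "2024-05-02T08:00", "granted": "2024-05-02T12:00",
     "should_end": None, "revoked": None},  # access still needed: not measured
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def revocation_report(rows, as_of, sla=timedelta(hours=24)):
    """Report onboarding cycle time next to access persistence past its end date."""
    grant_times, lags, breaches = [], [], []
    for r in rows:
        grant_times.append(_ts(r["granted"]) - _ts(r["requested"]))
        end = _ts(r["should_end"])
        if end is None or end > as_of:
            continue  # access is still legitimately required
        # Unrevoked access keeps accruing lag up to the reporting time.
        lag = (_ts(r["revoked"]) or as_of) - end
        lags.append(lag)
        if lag > sla:
            breaches.append((r["identity"], r["app"], lag, r["revoked"] is None))
    return {
        "median_grant_time": median(grant_times),
        "median_revocation_lag": median(lags) if lags else timedelta(0),
        "max_revocation_lag": max(lags) if lags else timedelta(0),
        "sla_breaches": sorted(breaches, key=lambda b: b[2], reverse=True),
    }

if __name__ == "__main__":
    report = revocation_report(ENTITLEMENTS, as_of=datetime(2024, 6, 10))
    for key in ("median_grant_time", "median_revocation_lag", "max_revocation_lag"):
        print(f"{key}: {report[key]}")
    for identity, app, lag, still_active in report["sla_breaches"]:
        print(f"BREACH {identity}/{app}: {lag} past end date, still_active={still_active}")
```

In the sample, the unrevoked API key ranks first because its lag is measured up to the reporting time rather than being dropped for lack of a revocation timestamp.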
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step ITOM best practice examples for CMDB use, automation, and monitoring in day-to-day operations
- Detailed discussion of how Zluri applies onboarding, offboarding, SaaS approvals, and app-store workflows
- Product-specific guidance on configuring real-time usage tracking and compliance features inside the platform
- Implementation-oriented examples that show how the vendor expects teams to organise operational processes
ITOM best practices: what IAM teams should actually govern?
Explore further
Operational efficiency becomes a governance risk when access workflows outrun review workflows. The article treats automation as a way to reduce error and save time, but identity programmes can invert that benefit when provisioning becomes faster than certification. That creates a control imbalance in which access is granted and redistributed continuously while review remains periodic. Practitioners should treat operational speed as a governance variable, not just a productivity metric.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why lifecycle control remains a weak point in many environments.
A question worth separating out:
Q: Who should be accountable for access decisions inside an IT operations model?
A: Accountability should sit with both the operational owner and the identity governance owner, because one controls the workflow and the other controls entitlement correctness. If either is missing, approvals become procedural rather than accountable, and access review loses meaning. Clear ownership is the control that keeps efficiency from becoming drift.