Notifications
Clear all
Topic starter
10/06/2026 9:09 pm
TL;DR: ITSM tools can route and log access requests, but they do not evaluate entitlement scope, license fit, SoD conflicts, or time-bound access, according to Zluri’s comparison of ITSM workflows and policy-driven provisioning. The governance gap is structural: ticketing speed is not the same thing as access control, especially when over-permissioning and orphaned access are the real risk.
NHIMG editorial — based on content published by Zluri: IT Teams Top 14 IT Service Management Tools (ITSM Tools) in 2026
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
A: Security teams should use ITSM to capture and route the request, then apply a separate policy engine to decide what access is appropriate.
Q: When does faster access approval create more risk than it reduces?
A: Faster approval becomes risky when the request is granted without checking entitlement tier, SoD conflicts, or existing access paths.
Q: What do teams get wrong when they treat self-service request portals as identity governance?
A: They often assume that a clean request experience means the access is properly controlled.
Practitioner guidance
- Separate request intake from authorization decisions Keep ITSM for ticket routing and use a dedicated policy layer to decide whether access should be approved, downgraded, auto-rejected, or time-limited.
- Define entitlement tiers before provisioning Map each high-value application to specific license or permission tiers so the requester gets the minimum viable access, not a generic app grant.
- Make expiry part of the grant Attach automatic expiration to project-based access and review whether the access needs to persist after the task window closes.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A side-by-side walkthrough of how access requests move through the ITSM workflow versus Zluri's policy-driven provisioning path.
- Specific examples of how app catalogs, auto-approval rules, and time-bound access reduce manual handling in day-to-day operations.
- The way Zluri preserves audit logs for compliance reviews such as SOC 2 and ISO 27001.
- Product-specific integration details for ServiceNow, Jira Service Management, and Freshservice users who need the implementation pattern.
👉 Read Zluri's full comparison of ITSM tools and access request governance →
ITSM access requests: where service desks stop and governance starts?
Explore further
10/06/2026 9:59 pm
ITSM workflows are a routing layer, not an access control model. The vendor’s comparison makes a larger governance point: request intake can be operationally clean while entitlement quality remains unmanaged. That is why ticketing systems often produce visible process order and invisible privilege creep. IAM teams should not confuse service management efficiency with access governance maturity.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Should organisations prioritise access expiry over faster approvals?
A: Yes, when the access is project-based, elevated, or tied to a temporary business need. Expiry makes access bounded from the start and reduces the need for manual cleanup later. Faster approvals help operations, but expiry is what prevents temporary access from becoming permanent risk.
👉 Read our full editorial: ITSM tools are not identity governance tools for access requests
