ITSM tools and access requests: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: ITSM platforms can route and approve access requests, but they do not determine least-privilege scope, time-bound entitlement, or segregation-of-duties risk, according to Zluri. The governance gap is not speed, it is that ticketing alone cannot decide what access should exist, for how long, or at what permission level.

NHIMG editorial — based on content published by Zluri: IT Teams Top 14 IT Service Management Tools (ITSM Tools) in 2026

Questions worth separating out

Q: How should security teams handle access requests when ITSM tools are already in place?

A: Use ITSM as the intake and routing layer, but move entitlement decisions into a policy-controlled access governance process.

Q: Why do ticketing systems fail as access governance controls?

A: Ticketing systems record demand and approvals, but they usually cannot assess whether the requested access is least privilege, whether it conflicts with existing entitlements, or whether it should expire automatically.

Q: How do organisations know whether access governance is working?

A: Look for reduced standing privilege, fewer overlapping entitlements, and reliable revocation after the business need ends.

Practitioner guidance

  • Separate request routing from entitlement decisions: Keep the ITSM system as the intake and workflow layer, but require a policy engine to decide license tier, permission scope, and approval path before access is provisioned.
  • Enforce expiry on temporary access: Make every project-based or exception-based entitlement carry an automatic end condition so access does not persist after the business need ends.
  • Review overlapping access across identities: Check whether the same person or workload already has standing access in other systems before granting a new entitlement, especially where permissions compound.

What's in the full article

Zluri's full blog post covers the operational detail this post intentionally leaves for the source:

  • A side-by-side walkthrough of how its access requests workflow differs from standard ITSM ticket handling
  • Examples of policy-driven approval rules for auto-approval, multi-level sign-off, and rejection paths
  • The access provisioning and revocation logic behind time-bound entitlement handling
  • Product-specific audit log fields and reporting views for compliance review

👉 Read Zluri's analysis of ITSM tools and access request governance →

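The three guidance points in the post above (a policy decision separate from ticket approval, enforced expiry, and an overlap check against held access) sketched as an added example; it is not part of the original post and not Zluri's or any ITSM product's logic. The role ceilings, conflict pairs, 30-day cap and all names (`Request`, `Decision`, `decide`) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy data for illustration; not taken from Zluri or any ITSM product.
LEVELS = ["read", "write", "admin"]
ROLE_CEILING = {"analyst": "read", "engineer": "write"}  # highest level per job role
SOD_CONFLICTS = {frozenset({"ap-invoicing", "ap-approvals"})}  # apps one identity may not combine
MAX_DAYS = 30  # assumed cap: every grant carries an end date

@dataclass(frozen=True)
class Request:
    ticket_id: str
    identity: str
    job_role: str
    app: str
    level: str
    approved: bool              # outcome of the ITSM approval workflow
    days: Optional[int] = None  # None means the ticket asked for standing access

@dataclass(frozen=True)
class Decision:
    grant: bool
    level: Optional[str]
    expires_at: Optional[datetime]
    reasons: tuple

def decide(req: Request, held: dict, now: datetime) -> Decision:
    """Decide scope and duration for a ticket; an approval alone never grants access."""
    if not req.approved or req.level not in LEVELS:
        return Decision(False, None, None, ("ticket unapproved or level unknown",))
    # Segregation of duties: compare the request with apps the identity already holds.
    for app in sorted(held.get(req.identity, ())):
        if frozenset({app, req.app}) in SOD_CONFLICTS:
            return Decision(False, None, None, (f"SoD conflict with held access to {app}",))
    reasons = []
    # Least privilege: cap the level at the role ceiling; unknown roles get read only.
    level = min(req.level, ROLE_CEILING.get(req.job_role, "read"), key=LEVELS.index)
    if level != req.level:
        reasons.append(f"level reduced from {req.level} to {level}")
    # Time bound: clamp the duration so nothing is provisioned as standing access.
    days = MAX_DAYS if req.days is None else max(1, min(req.days, MAX_DAYS))
    if days != req.days:
        reasons.append(f"expiry set to {days} days")
    return Decision(True, level, now + timedelta(days=days), tuple(reasons))

if __name__ == "__main__":  # constructed sample: approved ticket asking for standing admin
    now = datetime(2026, 1, 5, tzinfo=timezone.utc)
    print(decide(Request("T-1", "alice", "analyst", "crm", "admin", True), {}, now))
```

The `reasons` tuple records where the decision differs from what the ticket asked for, which is the evidence a closed ticket by itself does not carry.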
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

ITSM-based access handling creates governance theatre when it is treated as the control. Ticketing proves that a request moved through a queue, not that the resulting entitlement was appropriate. The underlying assumption is that workflow completion equals access correctness, and that assumption breaks as soon as access scope, expiry, or role fit matters. Practitioners should treat ticket closure as evidence of process completion, not entitlement assurance.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: What is the difference between ITSM workflow automation and access governance?

A: Workflow automation moves requests through a process. Access governance decides what access is appropriate, validates policy, and ensures the entitlement is limited in scope and duration. The two can work together, but they are not interchangeable.

👉 Read our full editorial: ITSM tools and access governance: why ticketing is not enough
