Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

JML automation and birthright access: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Automating joiner-mover-leaver workflows, birthright access, and offboarding reduces manual effort and strengthens auditability, according to Lumos. The governance lesson is that lifecycle speed only helps when accountability, visibility, and revocation are built into the process, with its own teams using the platform to centralise approvals, revocation, and user access reviews across HRIS and IdP workflows.

NHIMG editorial — based on content published by Lumos: How Lumos Uses Lumos to Scale IT via Process Automation: Onboarding, Offboarding, and Birthright Access

Questions worth separating out

Q: How should security teams automate joiner-mover-leaver workflows without losing governance?

A: Use authoritative source systems for lifecycle triggers, route approvals to the right owners, and keep every access change tied to an auditable record.

Q: Why do birthright access bundles create risk if they are not maintained?

A: Birthright bundles become risky when they keep granting access after roles, teams, or systems change.

Q: How do organisations know offboarding is actually complete?

A: They know offboarding is complete when the revocation checklist is built from current entitlements, not from an old spreadsheet or onboarding record.

Practitioner guidance

  • Standardise JML triggers on source-of-truth systems Tie provisioning, transfers, and offboarding to HRIS and IdP events so access changes start from authoritative identity records rather than ticket requests.
  • Redesign birthright bundles as living persona policies Review default access packages against current job functions, remove obsolete entitlements, and define exceptions that require explicit approval.
  • Require live entitlement checks before offboarding closure Build the revocation checklist from current application access data at the time of exit or transfer, then verify completion against that live list.

What's in the full article

Lumos's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how the internal JML workflow routes approvals and revocations through the platform
  • Specific handling of onboarding, offboarding, and mover events across Okta, SaaS apps, and on-prem tools
  • How the team generates dynamic offboarding checklists from live access state instead of static records
  • The internal use of Albus for birthright recommendations and provisioning rule optimisation

👉 Read Lumos's blog on automating onboarding, offboarding, and birthright access →

JML automation and birthright access: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Lifecycle automation is now a governance control, not just an IT efficiency play. The article shows that JML workflows are being used to reduce manual queue work, but the deeper shift is that access governance now depends on orchestration quality. When provisioning and revocation are handled through policy-driven workflows, lifecycle design becomes part of security architecture rather than a back-office process. Practitioners should treat automated lifecycle operations as a control plane for identity risk.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how fragile governance becomes when identity inventory is incomplete.

A question worth separating out:

Q: Who should own lifecycle governance across humans, service accounts, and AI agents?

A: Ownership should sit with the teams that can approve, review, and remove access for each identity class, but the governance model should be consistent across all of them. Human identities, service accounts, and AI agents all need clear lifecycle rules, documented owners, and removal evidence. Separate execution, shared policy is the right pattern.

👉 Read our full editorial: Automated JML and birthright access expose identity governance gaps



   
ReplyQuote
Share: