Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Joiner-mover-leaver automation: what IAM teams are missing


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: Automated joiner-mover-leaver processes can grant birthright access on day one, revoke old entitlements when people move, and reduce orphaned accounts, according to SailPoint. The governance challenge is not the workflow itself but the quality of source data, entitlement mapping, and offboarding discipline behind it.

NHIMG editorial — based on content published by SailPoint: Essentials of Joiner-Mover-Leaver Functions

By the numbers:

Questions worth separating out

Q: How should security teams implement joiner-mover-leaver automation in IAM?

A: Start with authoritative source data, then define rules for join, move, and leave events that grant, adjust, or revoke entitlements automatically.

Q: Why do mover events create more identity risk than onboarding events?

A: Mover events are riskier because they require two actions at once: granting new access and removing old access.

Q: What breaks when offboarding is not part of lifecycle governance?

A: Accounts, tokens, and entitlements can remain active after the business relationship has ended.

Practitioner guidance

  • Map joiner, mover, and leaver triggers to authoritative sources Confirm which systems are allowed to start access changes, then test whether HR, directory, or provisioning data actually reflects the business event before permissions are granted or removed.
  • Automate mover revocation as part of the same workflow Design entitlement changes so old-role access is removed at the same time new-role access is granted, rather than queued for later cleanup or manual review.
  • Add lifecycle states for temporary and returning identities Use explicit expiry, reactivation, and revalidation rules for contractors, temporary leavers, and rehires so dormant access does not survive the business need.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How SailPoint maps HR or directory events into provisioning and revocation workflows
  • Examples of birthright access and mover-based entitlement changes in day-to-day IAM operations
  • The article's discussion of automation, reporting, and cost savings from JML processing
  • How the same lifecycle logic is extended to temporary leavers, contractors, and machine accounts

👉 Read SailPoint's blog on joiner-mover-leaver automation and access lifecycle control →

Joiner-mover-leaver automation: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

JML is a governance control, not just an automation feature. The article frames automation as a way to cut IT cost and speed access changes, but the deeper point is that JML keeps access aligned with business state. When that control is manual, the organisation is effectively accepting delay as part of the identity model. Practitioner conclusion: if lifecycle change is slow, access risk becomes cumulative.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do lifecycle controls differ for human users and non-human identities?

A: The same governance logic applies, but the execution differs. Human JML is triggered by employment events, while non-human identities need explicit expiry, revocation, and ownership rules. Without that distinction, service accounts and API keys can persist far longer than the human accounts they were modeled after.

👉 Read our full editorial: Joiner-mover-leaver automation defines the next IAM control gap



   
ReplyQuote
Share: