Joiner-mover-leaver automation: what IAM teams are missing


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 122
Topic starter  

TL;DR: Automated joiner-mover-leaver processes can grant birthright access on day one, revoke old entitlements when people move, and reduce orphaned accounts, according to SailPoint. The governance challenge is not the workflow itself but the quality of source data, entitlement mapping, and offboarding discipline behind it.

NHIMG editorial — based on content published by SailPoint: Essentials of Joiner-Mover-Leaver Functions

By the numbers:

Questions worth separating out

Q: How should security teams implement joiner-mover-leaver automation in IAM?

A: Start with authoritative source data, then define rules for join, move, and leave events that grant, adjust, or revoke entitlements automatically.

Q: Why do mover events create more identity risk than onboarding events?

A: Mover events are riskier because they require two actions at once: granting new access and removing old access.

Q: What breaks when offboarding is not part of lifecycle governance?

A: Accounts, tokens, and entitlements can remain active after the business relationship has ended.

Practitioner guidance

  • Map joiner, mover, and leaver triggers to authoritative sources: confirm which systems are allowed to start access changes, then test whether HR, directory, or provisioning data actually reflects the business event before permissions are granted or removed.
  • Automate mover revocation as part of the same workflow: design entitlement changes so old-role access is removed at the same time new-role access is granted, rather than queued for later cleanup or manual review.
  • Add lifecycle states for temporary and returning identities: use explicit expiry, reactivation, and revalidation rules for contractors, temporary leavers, and rehires so dormant access does not survive the business need.
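The three Q&A answers above (authoritative source, combined grant-and-revoke for movers, offboarding that actually clears access) and the three guidance points come together in one reconciliation loop. The following is an added example written for this post, not SailPoint's code: a toy JML reconciler that treats a constructed HR feed as the only authoritative source, emits a mover's grants and revocations in a single action, expires contractors by end date, suspends temporary leavers, gives rehires fresh birthright access instead of their old entitlements, and flags accounts the HR feed does not know about as orphans. The role names, entitlement names, HR records and access snapshot are all constructed sample data.

```python
"""Joiner-mover-leaver (JML) reconciliation against an authoritative HR feed.
Added example for this post, not SailPoint's code. All role, entitlement
and identity data below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed role -> birthright entitlement map (hypothetical names).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"vpn", "git-read", "git-write", "ci-runner"},
    "finance": {"vpn", "erp-ledger", "expense-approver"},
    "contractor-qa": {"vpn", "test-env"},
}

@dataclass(frozen=True)
class HRRecord:
    identity: str
    role: str
    status: str                      # "active" | "leave" | "terminated"
    end_date: Optional[date] = None  # contract end for temporary identities

@dataclass
class Action:
    identity: str
    event: str  # joiner | rehire | mover | leaver | suspended | expired | orphan
    grant: Set[str] = field(default_factory=set)
    revoke: Set[str] = field(default_factory=set)

def reconcile(hr_feed: Dict[str, HRRecord], current_access: Dict[str, Set[str]],
              archived: Set[str], today: date) -> List[Action]:
    """Derive the grant/revoke actions that make held access match the HR feed.
    HR is the only system allowed to start a change. A mover's grants and
    revocations land in one Action so nothing is queued for later cleanup.
    `archived` holds previously offboarded identities: a returning identity
    gets fresh birthright access, never its old entitlements back."""
    actions: List[Action] = []
    for ident, rec in hr_feed.items():
        held = current_access.get(ident, set())
        target = ROLE_ENTITLEMENTS.get(rec.role, set())
        contract_expired = rec.end_date is not None and rec.end_date < today

        if rec.status != "active" or contract_expired:
            # Leaver, temporary leaver or expired contract: the target is empty.
            if held:
                event = {"terminated": "leaver", "leave": "suspended"}.get(rec.status, "expired")
                actions.append(Action(ident, event, revoke=set(held)))
            continue

        if not held:
            # No access yet: a new joiner, or a rehire who was cleanly offboarded.
            event = "rehire" if ident in archived else "joiner"
            actions.append(Action(ident, event, grant=set(target)))
            continue

        # Mover: grant the new-role delta and revoke the old-role delta together.
        grant, revoke = target - held, held - target
        if grant or revoke:
            actions.append(Action(ident, "mover", grant=grant, revoke=revoke))

    # Access held by identities the authoritative source does not know about.
    for ident, held in current_access.items():
        if ident not in hr_feed and held:
            actions.append(Action(ident, "orphan", revoke=set(held)))
    return actions

# Constructed sample data: HR feed, current entitlement snapshot, offboarding archive.
SAMPLE_HR = {
    "alice": HRRecord("alice", "engineer", "active"),
    "bob": HRRecord("bob", "finance", "active"),        # moved from engineering
    "carol": HRRecord("carol", "engineer", "active"),   # new hire, no access yet
    "dave": HRRecord("dave", "engineer", "terminated"),
    "erin": HRRecord("erin", "contractor-qa", "active", date(2024, 1, 31)),
    "frank": HRRecord("frank", "finance", "leave"),     # temporary leaver
    "grace": HRRecord("grace", "engineer", "active"),   # rehired after offboarding
}
SAMPLE_ACCESS = {
    "alice": {"vpn", "git-read", "git-write", "ci-runner"},
    "bob": {"vpn", "git-read", "git-write", "ci-runner"},
    "dave": {"vpn", "git-read"},
    "erin": {"vpn", "test-env"},
    "frank": {"vpn", "erp-ledger", "expense-approver"},
    "svc-legacy": {"vpn"},                              # no HR record at all
}
SAMPLE_ARCHIVED = {"grace"}
SAMPLE_TODAY = date(2024, 2, 15)
SAMPLE_BEFORE_EXPIRY = date(2024, 1, 15)

def run_sample(today: date = SAMPLE_TODAY) -> Dict[str, Action]:
    """Reconcile the sample data and index the resulting actions by identity."""
    return {a.identity: a for a in reconcile(SAMPLE_HR, SAMPLE_ACCESS, SAMPLE_ARCHIVED, today)}

if __name__ == "__main__":
    for ident, act in sorted(run_sample().items()):
        print(f"{ident:<11}{act.event:<10}grant={sorted(act.grant)} revoke={sorted(act.revoke)}")
```

Running the sample shows alice (already matching her role) produces no action, bob's move to finance is one action carrying both the new ERP grants and the removal of his engineering entitlements, erin's contract end date revokes her access without any HR status change, and svc-legacy is reported as an orphan because the authoritative source has no record of it. The same loop run with a date before erin's contract end leaves her untouched, which is the check to run before trusting an expiry rule in production.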

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How SailPoint maps HR or directory events into provisioning and revocation workflows
  • Examples of birthright access and mover-based entitlement changes in day-to-day IAM operations
  • The article's discussion of automation, reporting, and cost savings from JML processing
  • How the same lifecycle logic is extended to temporary leavers, contractors, and machine accounts

👉 Read SailPoint's blog on joiner-mover-leaver automation and access lifecycle control →
