TL;DR: Beach Energy says its identity security programme was hampered by overly manual onboarding, offboarding and user management, poor user experience, and limited access visibility before it reworked its approach with SailPoint. The case shows that identity operations become a security control, not an administrative task, as programmes scale.
NHIMG editorial — based on content published by SailPoint: Beach Energy builds sustainable identity security
Questions worth separating out
Q: How should security teams reduce manual effort in identity onboarding and offboarding?
A: Security teams should move common access changes into governed workflows with standard approvals, role mapping, and automatic revocation triggers.
Q: Why does access visibility matter so much in IAM programmes?
A: Access visibility matters because teams cannot govern entitlement risk if they do not know what access exists in the first place.
Q: What do organisations get wrong about manual identity processes?
A: They often treat manual workflows as a temporary operational issue, when in fact those workflows create control debt over time.
Practitioner guidance
- Standardise joiner-mover-leaver workflows Map onboarding, transfer, and offboarding to a single governed workflow so access decisions are repeatable and auditable rather than handled case by case.
- Build an authoritative access inventory Create a current view of who has access, what that access supports, and when it was last reviewed so removals and certifications are based on facts.
- Reduce manual approval bottlenecks Use policy-based approvals for common access paths so IT can grant access rapidly without losing control over entitlement scope and revocation.
What's in the full article
SailPoint's full blog post covers the operational detail this post intentionally leaves for the source:
- Aaron Finnis's direct commentary on why Beach Energy prioritised identity security in its programme
- The business context behind the organisation's onboarding, offboarding, and user management transformation
- The short video interview that expands on Beach Energy's access and compliance priorities
- The source article's own framing of how SailPoint supported the change
👉 Read SailPoint’s blog on Beach Energy’s identity security transformation →
Manual onboarding and offboarding: what IAM teams should fix first?
Explore further
Manual identity operations create lifecycle control debt: Beach Energy’s case shows that onboarding and offboarding become security liabilities when they rely on manual handling. The problem is not only slow execution. It is the accumulation of unchecked access changes that cannot be consistently evidenced, reviewed, or revoked. For identity programmes, this is a governance issue first and an efficiency issue second.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which underlines how quickly access governance breaks down when identity inventory is incomplete.
A question worth separating out:
Q: What frameworks are most relevant to lifecycle-driven identity governance?
A: The NIST Cybersecurity Framework 2.0 is useful for structuring governance, protection, detection, and response, while lifecycle-specific guidance is more effective for provisioning and offboarding design. Teams should use these frameworks to turn identity administration into a repeatable control process rather than a sequence of disconnected tasks.
👉 Read our full editorial: Beach Energy shows why manual identity security breaks at scale