TL;DR: Manual ticketing cannot keep pace with SaaS access changes across onboarding, role changes, and offboarding, according to Zluri’s guide to user lifecycle management. The governance issue is not just speed but whether access can be granted, changed, and revoked before privilege drifts beyond reviewable control.
NHIMG editorial — based on content published by Zluri: Access Management, how to manage user access and permissions in SaaS applications
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should organisations automate SaaS access requests without losing control?
A: Automate only the parts of the workflow that are policy-backed and attributable to authoritative identity data.
Q: Why do role changes create access risk in SaaS environments?
A: Role changes often leave the old access in place while new access is added, which creates privilege creep.
Q: What breaks when offboarding is handled manually?
A: Manual offboarding often misses one or more connected SaaS applications, especially when the user has accumulated access across teams or departments.
Practitioner guidance
- Tie provisioning to authoritative identity events: Use HR or identity source changes to trigger access actions automatically, and verify that onboarding, role change, and offboarding each map to explicit entitlement rules.
- Unify move, add, change, and leave workflows: Treat onboarding, mid-lifecycle change, and deprovisioning as one governed lifecycle so that access does not remain active simply because the user state changed in a different system.
- Restrict self-service requests to approved catalogs: Limit app requests to applications with documented ownership, approval criteria, and review cadence so that self-service does not become uncontrolled entitlement expansion.
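The first two points above describe a reconciliation loop: an authoritative directory absorbs joiner/mover/leaver events, each role maps to an explicit set of entitlements, and the SaaS estate is compared against that desired state so stale access (an old role's entitlements after a move, any access after termination, accounts with no directory record at all) is revoked rather than left to drift. The following is an added illustration written for this editorial, not code from Zluri or from the source article; the role-to-entitlement policy, the event shapes and the snapshot of current SaaS access are all constructed sample data.

```python
"""Joiner/mover/leaver reconciliation for SaaS entitlements (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample policy: each role maps to the (app, entitlement) pairs it is allowed to hold.
# An inactive user, or a user absent from the directory, is entitled to nothing.
ROLE_ENTITLEMENTS = {
    "sales": {("crm", "rep"), ("chat", "member")},
    "finance": {("ledger", "approver"), ("chat", "member")},
}


@dataclass
class Identity:
    """One record in the authoritative identity source (HR / IdP)."""
    user: str
    role: str
    active: bool = True


def apply_event(directory, event):
    """Update the authoritative directory from a lifecycle event.

    event is a dict such as {"type": "hire", "user": "dana", "role": "sales"},
    {"type": "role_change", "user": "alice", "role": "finance"} or
    {"type": "terminate", "user": "bob"}. Unknown types are rejected so that a
    malformed feed cannot silently leave access untouched.
    """
    kind, user = event["type"], event["user"]
    if kind == "hire":
        directory[user] = Identity(user, event["role"])
    elif kind == "role_change":
        directory[user].role = event["role"]      # old role's access is not carried over
    elif kind == "terminate":
        directory[user].active = False            # desired access collapses to the empty set
    else:
        raise ValueError(f"unknown lifecycle event type: {kind}")
    return directory


def desired_access(identity):
    """Entitlements a user should hold right now, derived only from the directory state."""
    if not identity.active:
        return set()
    return set(ROLE_ENTITLEMENTS.get(identity.role, ()))


def reconcile(directory, actual):
    """Diff desired access against what the SaaS apps currently hold.

    actual maps user -> set of (app, entitlement) as reported by the applications.
    Returns an ordered list of ("grant"|"revoke", user, app, entitlement) actions.
    Users present in the apps but missing from the directory are treated as
    orphans and have all their access revoked.
    """
    actions = []
    for user in sorted(set(directory) | set(actual)):
        current = actual.get(user, set())
        wanted = desired_access(directory[user]) if user in directory else set()
        actions += [("grant", user, app, ent) for app, ent in sorted(wanted - current)]
        actions += [("revoke", user, app, ent) for app, ent in sorted(current - wanted)]
    return actions


def demo():
    """Run a constructed mover, leaver and joiner through the loop and return the actions."""
    directory = {
        "alice": Identity("alice", "sales"),
        "bob": Identity("bob", "sales"),
    }
    events = [
        {"type": "role_change", "user": "alice", "role": "finance"},  # mover
        {"type": "terminate", "user": "bob"},                         # leaver
        {"type": "hire", "user": "dana", "role": "sales"},            # joiner
    ]
    for ev in events:
        apply_event(directory, ev)
    # Constructed snapshot of current SaaS access; "carol" has no directory record.
    actual = {
        "alice": {("crm", "rep"), ("chat", "member")},
        "bob": {("chat", "member"), ("crm", "rep")},
        "carol": {("ledger", "approver")},
    }
    return reconcile(directory, actual)


if __name__ == "__main__":
    for action in demo():
        print(*action)
```

Running the demo yields one grant and one revoke for alice (she keeps the shared chat membership, gains the finance ledger role and loses the CRM role her old position carried), full revocation for bob and for the orphan carol, and the two grants that dana's role requires. The point of keeping desired access a pure function of directory state is that every grant or revoke is attributable to a recorded identity event and an explicit role rule, which is what makes the automated decisions reviewable.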
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step workflow configuration for onboarding, role change, and offboarding in the Zluri interface
- App catalog and request flow mechanics for employee self-service approvals
- Specific action sequencing for adding tasks, saving playbooks, and scheduling lifecycle changes
- User interface steps for verifying identity and selecting recommended actions across SaaS apps
👉 Read Zluri's guide to managing SaaS access and permissions →
SaaS access permissions in lifecycle workflows: what changes for IAM?
Explore further
Lifecycle automation is now a baseline control for SaaS access governance, not a productivity feature. Manual access tickets cannot keep up with role shifts, app sprawl, and rapid offboarding across modern SaaS estates. The problem is not only throughput, but inconsistent entitlement decisions across HR, IT, and business workflows. Practitioners should treat access lifecycle automation as part of core control design, not a convenience layer.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means lifecycle controls often operate without complete entitlement inventory.
A question worth separating out:
Q: How do access catalogs help IAM teams govern SaaS apps?
A: Access catalogs reduce ad hoc requests by limiting users to pre-approved applications and known request paths. They work best when each app has an owner, an approval rule, and a review cadence. Without those controls, the catalog becomes a faster way to spread inconsistent access rather than a governance layer.
👉 Read our full editorial: SaaS access governance depends on lifecycle automation, not tickets