TL;DR: Josys describes a trigger-condition-action workflow model for onboarding, offboarding, access reviews, and license management across SaaS apps, and a study found that 89% of former employees still retained access to at least one application from a previous employer. The governance gap is not a lack of automation but a lack of reliable lifecycle closure across dozens of disconnected systems.
NHIMG editorial — based on content published by Josys: End-to-End Access Management Using Josys Workflows
By the numbers:
- 89% of former employees still retain access to at least one application from their previous employer.
Questions worth separating out
Q: How should security teams automate SaaS onboarding and offboarding without losing control?
A: Security teams should anchor automation to authoritative lifecycle events, then require each workflow to prove that access changed in every downstream application.
Q: Why do former employees still keep access after offboarding in many organisations?
A: Former employees keep access because offboarding is often treated as a task list instead of a closed lifecycle control.
Q: How do organisations know whether access review processes are actually working?
A: Access reviews are working only if reviewer decisions reliably produce downstream entitlement changes.
Practitioner guidance
- Bind workflow triggers to authoritative lifecycle events: use HR, directory, and ITSM events as the only approved triggers for onboarding, mover, and leaver workflows, and document which source of truth owns each decision.
- Wire offboarding to confirmed revocation outcomes: do not treat a completed workflow as proof of deprovisioning; close a leaver case only when each downstream application reports the account as disabled or removed.
- Use shadow account discovery as a lifecycle exception queue: treat unmanaged accounts and apps as unresolved lifecycle cases, not just hygiene findings.
What's in the full article
Josys' full blog post covers the operational detail this post intentionally leaves for the source:
- The exact trigger-condition-action workflow structure used to automate access changes across SaaS apps
- The list of ready-to-use use case templates for onboarding, offboarding, shadow user management, and access reviews
- The integration path for webhooks, manual triggers, Jira tickets, emails, and HTTP requests into one workflow
- The platform-specific detail behind its native integrations and AI integration builder
👉 Read Josys' blog post on end-to-end access management workflows →
SaaS lifecycle workflows: what IAM teams need to tighten
Explore further
Workflow automation is not lifecycle governance unless every identity event closes cleanly. The article describes automation for joiner, mover, and leaver tasks, but the governance question is whether access truly ends when the workflow says it should. In SaaS environments, the same entitlement can exist in directories, app consoles, and manual exceptions, so incomplete closure is the real failure mode. Practitioners should judge the control by whether it removes residual access, not by whether it reduces ticket volume.
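The closure check that the practitioner guidance above and this paragraph describe, as an added example in Python (an editorial illustration, not Josys code and not its workflow API): a leaver workflow that accepts only an HR-sourced trigger, requests deprovisioning from each connected app, then reads each app's own user record back and treats any account still active as a lifecycle exception rather than a success. The HRIS event, the `AppConnector` stand-in, its `silent_failure` flag and the `APPROVED_LEAVER_SOURCES` set are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the HR system is the only approved source of a leaver trigger.
APPROVED_LEAVER_SOURCES = {"hris"}


@dataclass
class AppConnector:
    """Constructed stand-in for a SaaS app API: a user table plus a
    deprovision call that may silently do nothing (a real failure mode)."""
    name: str
    users: Dict[str, str]            # email -> "active" | "disabled"
    silent_failure: bool = False     # API reports success but state does not change

    def deprovision(self, email: str) -> bool:
        """Return True when the API call 'succeeded'; this is not proof of revocation."""
        if self.silent_failure:
            return True
        if email in self.users:
            self.users[email] = "disabled"
        return True

    def status(self, email: str) -> Optional[str]:
        """Re-read the app's own record; None means the app has no such user."""
        return self.users.get(email)


@dataclass
class LeaverResult:
    email: str
    revoked: List[str] = field(default_factory=list)      # apps confirmed disabled
    exceptions: List[str] = field(default_factory=list)   # apps still granting access
    closed: bool = False                                  # True only with zero exceptions


def run_leaver_workflow(event: dict, apps: List[AppConnector]) -> LeaverResult:
    """Trigger -> condition -> action, where the action counts as done only
    when every app's read-back state shows the account is no longer active."""
    # Condition: reject triggers that do not come from the authoritative source.
    if (event.get("source") not in APPROVED_LEAVER_SOURCES
            or event.get("type") != "employee_terminated"):
        raise ValueError(f"unauthoritative leaver trigger: {event!r}")

    email = event["email"]
    result = LeaverResult(email=email)

    for app in apps:
        app.deprovision(email)          # action: request revocation
        state = app.status(email)       # verification: read back, do not trust the call
        if state == "active":
            result.exceptions.append(app.name)   # residual access: open a lifecycle case
        elif state == "disabled":
            result.revoked.append(app.name)
        # state None: the app never knew this user; nothing to revoke here

    result.closed = not result.exceptions
    return result


def demo() -> LeaverResult:
    """Constructed scenario: three apps, one of which accepts the API call but
    leaves the account active (the 'completed workflow, access remains' gap)."""
    apps = [
        AppConnector("okta-directory", {"jdoe@example.com": "active"}),
        AppConnector("crm", {"jdoe@example.com": "active"}, silent_failure=True),
        AppConnector("wiki", {"other@example.com": "active"}),
    ]
    event = {"source": "hris", "type": "employee_terminated", "email": "jdoe@example.com"}
    return run_leaver_workflow(event, apps)


if __name__ == "__main__":
    r = demo()
    print("revoked:", r.revoked)        # ['okta-directory']
    print("exceptions:", r.exceptions)  # ['crm']
    print("closed:", r.closed)          # False
```

Note what the example cannot see: an app with no connector never gets a read-back, so accounts that shadow discovery later finds there belong in the same exception queue, not in the `revoked` list. `closed` is the only signal a reviewer should accept as deprovisioning evidence; the API call returning success is not.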
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a leaver still has SaaS access after offboarding?
A: Accountability sits with the organisation that owns the lifecycle process, not with the departing employee. In practice, that means HR, IAM, IT operations, and application owners must each own a defined part of revocation and confirmation. If no one owns the final closure check, residual access becomes a predictable outcome.
👉 Read our full editorial: End-to-end access management workflows expose SaaS lifecycle gaps