Security teams often assume a better service desk automatically means better identity control. In reality, faster ticket handling can increase risk if the process does not enforce least privilege, lifecycle review, and revocation through the authoritative identity system.
Why Security Teams Misread ITSM as Identity Governance
ITSM is designed to move work efficiently, not to serve as the system of record for access decisions. That distinction matters because access governance depends on authoritative identity data, least privilege, and lifecycle enforcement, while service desks are optimised for routing requests and closing tickets. When teams let ticket completion substitute for access control, they create a process that can approve too much, too fast, and with too little review.
This failure pattern shows up clearly in NHI governance discussions as well. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs stresses that identity lifecycle must remain anchored in control, not convenience, and the same logic applies to human access. The NIST Cybersecurity Framework 2.0 also reinforces that access governance is a risk management function, not a ticketing function.
One useful warning sign is when organisations celebrate faster fulfilment times while still relying on manual approvals, inconsistent role mapping, or delayed revocation. In practice, many security teams encounter over-provisioning only after a request workflow has already normalised excess access.
How Access Governance Breaks Down in Practice
The core mistake is treating the service desk as the control plane. A ticket can document intent, but it does not prove entitlement, enforce policy, or ensure revocation. Effective governance requires the authoritative IAM or identity governance platform to decide what access is allowed, for how long, and under what conditions. The ticket should trigger the workflow, not replace it.
Practitioner guidance usually includes four minimum controls:
- Enforce approvals in the authoritative identity system, not only in ITSM.
- Map requests to RBAC or entitlement rules before fulfilment.
- Require time-bound access for elevated requests, with automatic expiry.
- Reconcile ticket approvals against actual access granted, then verify revocation.
That approach is consistent with NHIMG’s Top 10 NHI Issues, which highlights lifecycle drift, privilege sprawl, and weak rotation as recurring root causes of identity risk. It also aligns with the OWASP Non-Human Identity Top 10, where weak entitlement discipline and poor secret handling repeatedly surface as practical failures.
In mature environments, ITSM should feed identity governance through automation, APIs, and policy checks, while deprovisioning must be validated against the system that actually grants access. These controls tend to break down when access is granted across multiple SaaS platforms with inconsistent ownership, because the ticket workflow cannot reliably observe or revoke every downstream entitlement.
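The fourth control above, reconciling ticket approvals against what the identity platform actually holds, is the one most teams never automate. The following is an added Python example, not code from NHIMG or from any ITSM or IdP vendor: it takes a constructed ITSM ticket export and a constructed IdP grant export, applies hypothetical role-to-entitlement rules and an HR termination feed, and reports approvals outside the role mapping, elevated approvals with no expiry, active grants with no approval, grants that outlived their expiry, and grants still active after offboarding. The record shapes, account names, entitlement strings and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Ticket:
    """One ITSM access request (hypothetical export shape)."""
    ticket_id: str
    subject: str                    # account that receives the access
    entitlement: str                # e.g. "prod-db:admin"
    approved: bool
    expires_at: Optional[datetime]  # None = standing access was requested


@dataclass(frozen=True)
class Grant:
    """One entitlement as the IdP/IGA platform actually holds it (hypothetical shape)."""
    subject: str
    entitlement: str
    granted_at: datetime
    revoked_at: Optional[datetime]  # None = still active


# Role-to-entitlement rules a request must map to before fulfilment (constructed).
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db:readonly", "prod-db:admin"},
    "developer": {"prod-db:readonly", "ci:deploy"},
}
USER_ROLES = {"alice": "dba", "bob": "developer", "carol": "developer"}
# Entitlements that must always be time-bound (constructed).
ELEVATED = {"prod-db:admin"}
# Lifecycle source of truth (HR feed): subject -> termination date (constructed).
TERMINATED = {"carol": datetime(2026, 5, 30, tzinfo=UTC)}


def reconcile(tickets, grants, now):
    """Compare ITSM approvals with live IdP grants.

    Returns a list of (finding, ticket_id, subject, entitlement) tuples.
    """
    findings = []
    approved = {(t.subject, t.entitlement): t for t in tickets if t.approved}

    # Request side: does each approval map to a role rule and, for elevated
    # access, carry an expiry?
    for t in tickets:
        if not t.approved:
            continue
        allowed = ROLE_ENTITLEMENTS.get(USER_ROLES.get(t.subject, ""), set())
        if t.entitlement not in allowed:
            findings.append(("outside_role_mapping", t.ticket_id, t.subject, t.entitlement))
        if t.entitlement in ELEVATED and t.expires_at is None:
            findings.append(("elevated_without_expiry", t.ticket_id, t.subject, t.entitlement))

    # Grant side: every active grant must trace to an approval, must not have
    # outlived it, and must not belong to an offboarded subject.
    for g in grants:
        if g.revoked_at is not None:
            continue  # already revoked; nothing to verify
        t = approved.get((g.subject, g.entitlement))
        ticket_id = t.ticket_id if t else None
        if g.subject in TERMINATED and now >= TERMINATED[g.subject]:
            findings.append(("offboarded_not_revoked", ticket_id, g.subject, g.entitlement))
            continue
        if t is None:
            findings.append(("grant_without_approval", None, g.subject, g.entitlement))
            continue
        if t.expires_at is not None and now > t.expires_at:
            findings.append(("expired_not_revoked", t.ticket_id, g.subject, g.entitlement))
    return findings


# Constructed sample exports.
TICKETS = [
    Ticket("T1", "alice", "prod-db:admin", True, datetime(2026, 6, 1, tzinfo=UTC)),
    Ticket("T2", "bob", "ci:deploy", True, None),
    Ticket("T3", "bob", "prod-db:admin", True, None),
    Ticket("T4", "carol", "ci:deploy", True, None),
    Ticket("T5", "dave", "prod-db:readonly", False, None),  # closed as rejected
]
GRANTS = [
    Grant("alice", "prod-db:admin", datetime(2026, 5, 1, tzinfo=UTC), None),
    Grant("bob", "ci:deploy", datetime(2026, 4, 1, tzinfo=UTC), None),
    Grant("bob", "prod-db:admin", datetime(2026, 5, 20, tzinfo=UTC), None),
    Grant("carol", "ci:deploy", datetime(2026, 3, 1, tzinfo=UTC), None),
    Grant("dave", "prod-db:readonly", datetime(2026, 6, 2, tzinfo=UTC), None),
    Grant("alice", "ci:deploy", datetime(2026, 1, 1, tzinfo=UTC),
          datetime(2026, 2, 1, tzinfo=UTC)),
]
NOW = datetime(2026, 6, 11, tzinfo=UTC)


def run_sample():
    return reconcile(TICKETS, GRANTS, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

In a real deployment the two lists come from the ticketing system's API and the identity platform's entitlement API, and the job runs on a schedule so that drift is caught before the next access review. The design point is that the grant export, not the ticket status, is the record being checked: ticket T5 was closed as rejected, yet the IdP still holds an active grant for it, and only the reconciliation against the system that actually grants access surfaces that.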
Common Variations and Edge Cases
Tighter access governance often increases friction, requiring organisations to balance faster fulfilment against stronger verification. That tradeoff becomes more visible when teams support contractors, emergency access, shared service accounts, or third-party integrations, where a standard ticket flow may not fit the risk profile.
Current guidance suggests a few common exceptions need explicit handling rather than informal approval:
- Emergency access should be pre-defined, time-boxed, and reviewed after use.
- Privileged access should route through PAM or just-in-time controls, not standard fulfilment queues.
- Recurring requests should be converted into governed entitlement patterns, not repeated manual approvals.
- Offboarding should trigger revocation from the identity source of truth, not await ticket closure.
For audit and governance teams, the critical question is whether the service desk can prove that access was both authorised and removed at the right time. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because it frames lifecycle evidence as a control requirement, not a clerical exercise. Where that discipline is missing, the process may still be fast, but it is not governed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (successor to CSF 1.1 PR.AC-4) | Access permissions and entitlements are defined in policy, managed, enforced, and reviewed under least privilege, not merely fulfilled. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Revocation that lags offboarding and access granted beyond what the role needs are the same failures the ticket-as-control-plane pattern produces for human access. |
| NIST AI RMF | GOVERN function | Automated approval and fulfilment paths need accountable oversight, not just throughput. |
Tie ITSM requests to authoritative access approval and periodic entitlement review.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org