DEV Community

Athanasius Wahbah

Originally published at athanasiuswahbah.com

Automating the Identity Lifecycle: Joiner, Mover, Leaver Without the Tickets

Most access problems aren't really access problems. They're timing problems. Someone joins and waits two days for the right groups. Someone changes teams and keeps the old access for a year. Someone leaves and an account lingers. Each of these is a ticket, a human, and a delay — and every delay is risk.

The system of record should drive provisioning

The fix is to stop treating identity as something the help desk assembles by hand and start treating it as a function of the HR system of record. When HR marks someone hired, moved, or terminated, that event should flow automatically into the directory — Microsoft Entra ID in my case — and produce exactly the right group memberships, application access, and license assignment. No ticket. No interpretation.

Make access correct by default

The goal I aim for is "correct by default." A role and department, combined with a clear mapping to groups and applications, should fully determine someone's baseline access. Exceptions still exist, but they become the rare, reviewed case rather than the norm. The mapping itself becomes the thing you govern, instead of thousands of individual grants.

Offboarding is where the risk hides

Joiner automation gets the attention because it's visible and people feel the speed. But leaver automation is where the real exposure lives. An automated, immediate offboarding — disable, revoke sessions, reassign or preserve data, handle any legal hold — closes the window that manual processes leave open. Build this path first if you can only build one.
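To make the three ideas above concrete (the HR event drives provisioning, a (department, role) mapping fully determines baseline access, and the leaver path disables and revokes before anything else), here is an added example, not the author's integration: a small reconciler that turns an HR event plus a user's current directory state into an ordered list of actions. The mapping, group and license names, and the `Account` model are constructed; directory calls are represented as (verb, target) tuples rather than real Entra ID API calls so the logic runs offline.

```python
from dataclasses import dataclass, field

# The mapping is the governed artifact: (department, role) -> baseline access.
# Group and license names are constructed sample values, not from the post.
ACCESS_MAP = {
    ("Finance", "Analyst"): ({"grp-finance-all", "grp-erp-readers"}, "E3"),
    ("Finance", "Manager"): ({"grp-finance-all", "grp-erp-approvers"}, "E5"),
    ("Engineering", "Engineer"): ({"grp-eng-all", "grp-github-devs"}, "E3"),
}


@dataclass
class Account:
    """Current directory state for one user (hypothetical model)."""
    upn: str
    groups: set = field(default_factory=set)
    license: str = ""  # empty string means no license assigned
    exceptions: set = field(default_factory=set)  # reviewed, approved extra groups
    legal_hold: bool = False


def baseline(department, role):
    """Baseline access is fully determined by (department, role); unmapped pairs get nothing."""
    return ACCESS_MAP.get((department, role), (set(), ""))


def reconcile(event, account):
    """Return the ordered directory actions that make `account` match the HR event.

    event is a dict: {'type': 'hire'|'move'|'terminate', 'department': ..., 'role': ...}
    Actions are (verb, target) tuples; a real integration would map each one to a
    directory API call, which is deliberately left out so this runs offline.
    """
    if event["type"] == "terminate":
        # Leaver path first: close the window immediately, then deal with data.
        actions = [("disable", account.upn), ("revoke_sessions", account.upn)]
        # Everything goes, including approved exceptions; nothing lingers.
        actions += [("remove_group", g) for g in sorted(account.groups)]
        actions.append(("preserve_data" if account.legal_hold else "reassign_data", account.upn))
        return actions

    want_groups, want_license = baseline(event["department"], event["role"])
    actions = [("add_group", g) for g in sorted(want_groups - account.groups)]
    # Mover: groups from the old role are removed unless they are reviewed exceptions.
    stale = account.groups - want_groups - account.exceptions
    actions += [("remove_group", g) for g in sorted(stale)]
    if want_license != account.license:
        actions.append(("assign_license", want_license) if want_license
                       else ("remove_license", account.license))
    return actions
```

Running the same function for a hire, a move and a termination shows why the mapping, not the individual grants, is what you end up governing: the mover's old-role groups are stripped automatically while an approved exception survives, and the leaver's first two actions are always disable and revoke.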

Build vs. buy

Commercial identity-governance platforms do this well, and at a certain scale they're the right answer. But they carry six-figure annual costs and significant implementation overhead. For many organizations, a focused integration between the HRIS and the directory delivers the lifecycle automation that actually matters at a fraction of the cost — and you own every line of it. That's the path I've taken, and it's held up.

Originally published at athanasiuswahbah.com by Athanasius Wahbah.
