Who Owns Access Lifecycle Management? (And Why the Answer Isn’t Just IT)

Access Lifecycle Management isn’t just IT’s job. Learn how HR, IT, Security, and GRC must share ownership to reduce risk, pass audits, and stop access sprawl.

January 6, 2026

Organizations continually struggle with the question: “Who really owns access?” When audit teams are asked, they typically point to IT. IT, in turn, directs the question to HR or sometimes Security. Security often suggests that GRC should play a major role. Meanwhile, compliance teams across the business find themselves frustrated—wondering why access reviews can drag on for months and why leavers often retain access long after they’ve gone. The uncomfortable reality is that no single team owns the full identity lifecycle, yet everyone in the organization should care deeply about it.

Viewing access lifecycle management purely as an IT checklist is one of the most common and costly mistakes organizations make. In truth, access governance touches nearly every part of a modern business: from the moment an employee is hired, through their various role changes, to the day their relationship with the company ends. When these lifecycle transitions are compartmentalized into silos, instead of tackled collaboratively, organizations face more than just process slowdowns. They open themselves to critical risks including security blind spots, failed audits, operational bottlenecks, and ultimately, exposure to insider threats.

So, what is Access Lifecycle Management (ALM) in concrete terms? ALM, often used interchangeably with Identity Lifecycle Management (ILM) and forming a core function of Identity and Access Management (IAM), is the systematic, accountable process by which access rights are created, modified, and revoked as individuals progress through their engagement with an organization. It is much more complex than issuing a building access card. A card is created, updated, and deactivated as someone's physical access changes; ALM in the digital world orchestrates hundreds, sometimes thousands, of account and entitlement changes across complex hybrid environments.

Access Lifecycle Management has three foundational stages: Joiner, Mover, and Leaver.

The “Joiner” stage refers to the onboarding of a new individual—be it an employee, contractor, or partner. When someone joins, it’s not just about setting up their email or giving them badge access. Modern organizations must ensure that core HR data feeds downstream systems so accounts are provisioned instantly and with the correct baseline permissions—beginning at day one. This means their Active Directory account, email, SSO profile, and all relevant SaaS applications must be ready to use. If a new hire spends days waiting for IT tickets to be resolved, productivity and morale suffer, and operational friction increases.

Next comes the “Mover” stage, which is when a person changes roles, departments, or projects. Here, ALM must adapt their access rights dynamically—granting permissions needed for a new role while rescinding legacy access from their previous roles. The danger is privilege creep: as individuals shift around the business, they slowly accumulate access to legacy systems, tools, and sensitive data that are no longer required for their current job. This creates a trove of unnecessary, risky permissions—a situation attackers find irresistible, and which often directly violates the core security principle of least privilege.

Finally, the “Leaver” stage addresses what happens when someone exits. Whether the departure is voluntary, a termination, or a long-term leave of absence, the organization must fully and immediately revoke access across every system, not merely “disable” or “archive” the account in the primary directory. Disabling the directory account is the right first step, but it is not the end: existing sessions, OAuth refresh tokens, long-lived API keys, SSH keys, and SaaS accounts that were never federated all survive a directory disable and must be revoked individually. Partial deprovisioning is unfortunately common, and it leaves orphaned accounts that attackers can exploit or that ex-employees can use to retain sensitive business access.

Failing to manage these stages proactively results in major risks and losses. Industry studies and audit findings have reported that roughly one in eight employee accounts at many corporations is dormant yet still holds active permissions, that nearly ninety percent of businesses have so-called “ghost users” in their environments (accounts that continue to access resources without any legitimate business relationship), and that roughly half of all assigned permissions are high-risk while only a small fraction are routinely used. Dormant accounts, especially those lacking multifactor authentication (MFA), are favorite targets for threat actors: an attacker who takes one over looks like a legitimate user and slips past security baselines and monitoring routines tuned to expected activity.
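The three stages above, plus the orphaned and dormant accounts this paragraph describes, reduce to one recurring computation: diff the HR source of truth against what the applications actually have, and turn the differences into actions. The script below is an added example, not code from the article or from BalkanID. It assumes a simplified HR extract and an application-account inventory (both constructed inline) and a hypothetical role-to-entitlement model; a real deployment would read these from the HRIS and from each application's connector.

```python
"""Joiner/Mover/Leaver reconciliation of accounts against an HR feed.

Added example, not code from the article or from BalkanID. It assumes a
simplified HR extract and account inventory (constructed inline) and a
hypothetical role-to-entitlement model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role model: the baseline entitlements each job role should hold.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "engineer": {"github:read", "github:write", "aws:dev-readonly"},
    "sre": {"github:read", "github:write", "aws:prod-admin"},
    "finance": {"erp:ap-clerk", "erp:reports"},
}
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    emp_id: str            # link to HR; "" means no known owner
    entitlements: set[str]
    last_login: date | None
    mfa_enabled: bool = True


@dataclass
class Plan:
    provision: dict[str, set[str]] = field(default_factory=dict)  # joiner emp_id -> entitlements
    grant: dict[str, set[str]] = field(default_factory=dict)      # mover account -> add
    revoke: dict[str, set[str]] = field(default_factory=dict)     # mover account -> remove
    deprovision: set[str] = field(default_factory=set)            # leaver accounts
    orphaned: set[str] = field(default_factory=set)               # no HR relationship at all
    dormant: set[str] = field(default_factory=set)                # active owner, account unused
    needs_review: set[str] = field(default_factory=set)           # role missing from the model


def reconcile(hr: list[HrRecord], accounts: dict[str, Account], today: date) -> Plan:
    """Diff HR (source of truth) against accounts and return the actions to take."""
    plan = Plan()
    hr_by_id = {r.emp_id: r for r in hr}
    acct_by_emp = {a.emp_id: name for name, a in accounts.items() if a.emp_id}

    for rec in hr:
        name = acct_by_emp.get(rec.emp_id)
        if rec.status == "terminated":
            if name is not None:
                plan.deprovision.add(name)            # Leaver: everything goes
            continue
        if rec.role not in ROLE_ENTITLEMENTS:
            plan.needs_review.add(rec.emp_id)         # never silently strip or grant
            continue
        wanted = ROLE_ENTITLEMENTS[rec.role]
        if name is None:
            plan.provision[rec.emp_id] = set(wanted)  # Joiner: baseline access on day one
            continue
        have = accounts[name].entitlements
        if wanted - have:
            plan.grant[name] = wanted - have          # Mover: access for the new role
        if have - wanted:
            plan.revoke[name] = have - wanted         # Mover: strip legacy access

    for name, acct in accounts.items():
        if not acct.emp_id or acct.emp_id not in hr_by_id:
            plan.orphaned.add(name)                   # "ghost user": no business relationship
        elif name not in plan.deprovision and (
            acct.last_login is None or today - acct.last_login > DORMANT_AFTER
        ):
            plan.dormant.add(name)
    return plan


# Constructed sample data for the run below.
TODAY = date(2026, 1, 6)
HR_FEED = [
    HrRecord("E100", "engineer", "active"),     # unchanged
    HrRecord("E101", "sre", "active"),          # moved from engineer to sre
    HrRecord("E102", "finance", "terminated"),  # leaver whose account is still live
    HrRecord("E103", "finance", "active"),      # joiner with no account yet
    HrRecord("E104", "engineer", "active"),     # active, but not logged in for months
]
ACCOUNTS = {
    "alice": Account("E100", {"github:read", "github:write", "aws:dev-readonly"}, date(2026, 1, 5)),
    "bob": Account("E101", {"github:read", "github:write", "aws:dev-readonly"}, date(2026, 1, 4)),
    "carol": Account("E102", {"erp:ap-clerk", "erp:reports"}, date(2025, 8, 1)),
    "erin": Account("E104", {"github:read", "github:write", "aws:dev-readonly"}, date(2025, 9, 1)),
    "svc-legacy": Account("", {"aws:prod-admin"}, None, mfa_enabled=False),
}

if __name__ == "__main__":
    result = reconcile(HR_FEED, ACCOUNTS, TODAY)
    for action in ("provision", "grant", "revoke", "deprovision", "orphaned", "dormant", "needs_review"):
        print(f"{action:12} {getattr(result, action)}")
```

Two design choices matter here. An active employee whose role is absent from the model lands in `needs_review` rather than having every entitlement revoked, because a gap in the role model is a policy problem, not a reason to lock someone out. And orphaned accounts are reported separately from dormant ones: an account with no HR owner has nobody who can certify it in an access review, so it needs an owner assigned or a removal, not just a "last login" nudge.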

Real-world breaches highlight how dangerous this can be. A Fortune 500 firm once discovered that a former employee’s AWS credentials were still active five months post-departure. Attackers capitalized, deleting hundreds of virtual machines and causing millions in damages. In another case, attackers exploited dormant GitHub accounts to penetrate production environments. In almost every incident, the root cause came back to fragmented, reactive access processes rather than a lack of technology.

Why do these vulnerabilities persist?

Everyone is involved in the lifecycle, but no one is truly accountable. In practice, HR acts as the “source of truth” for employment data. HR knows when people are hired, promoted, transferred, or terminated, but rarely do these systems communicate directly with IT’s provisioning environments. When HR updates a termination and IT isn’t signaled, access lingers. It’s only a matter of time before an auditor catches the mistake—or a breach occurs.

IT is often expected to be the “execution engine,” owning the technical means for provisioning and deprovisioning access. Yet IT has no say in hiring, firing, or even defining business policies for access. They are expected to create accounts and remove access when asked, but these asks are often delayed, unclear, or incomplete. Frequently, last-minute terminations occur on a Friday afternoon, leaving lingering access over the weekend and creating prime windows for abuse.

Security teams are tasked with defining the rules—crafting least-privilege baselines, Segregation of Duties (SoD) policies, and ensuring access is justified. However, they often don’t directly influence or oversee account provisioning, nor are they positioned to enforce remediation when violations occur. Their insights are too often trapped in spreadsheets or static policy documents, rather than operationalized as dynamic controls.

GRC (Governance, Risk, and Compliance) teams, by contrast, oversee the effectiveness of these controls. They gather audit evidence, certify compliance through reviews, and flag gaps or noncompliance. But GRC cannot remediate technical issues, nor do they always understand the broader context without input from HR, IT, and Security. The result? Dormant accounts and policy violations frequently go unresolved, with non-compliance compounding across audit cycles.

The failure here isn’t individual—it’s systemic. “If HR doesn’t notify IT, the user isn’t offboarded. If IT doesn’t notify GRC, the audit fails. If Security doesn’t define access policy, the wrong people get privileged access. If GRC doesn’t follow up, violations go unnoticed.” Ownership ambiguity and process gaps lie at the heart of almost every significant breakdown.

Many organizations default to putting IT solely in charge of ALM because, traditionally, IT managed the directories, email systems, and physical badges. But in the era of cloud, SaaS, and digital transformation, IT alone lacks the scope to see and control every employment event or business policy violation. The reality is that IT neither creates nor terminates employment—they only hear about changes reactively and often after the fact. They also do not have the broader business context to determine what access combinations are inherently risky or constitute policy violations.

Additionally, IT never runs the audit—GRC does. Even if IT provides logs or technical records, it is up to compliance leaders to interpret them and assure auditors that controls are effective and exceptions are rare and justified. Misalignment leads to time-consuming, fraught audit cycles and repeat findings.

The solution is explicit, documented, cross-functional ownership. By adopting a robust RACI (Responsible, Accountable, Consulted, Informed) matrix, organizations can ensure that at every lifecycle stage, the correct teams are not just participating but have clear mandates:

  • For onboarding (“Joiner”), HR is responsible for initiating the process, IT is accountable for delivering access, Security acts as a consultant on permissions, and GRC is informed for compliance tracking.
  • For role changes (“Mover”), HR initiates the change, IT again delivers, but Security is both consulted and responsible for SoD checks, while GRC is kept in the loop.
  • For offboarding (“Leaver”), HR triggers, IT executes, Security consults, and GRC tracks resolution.
  • For SoD policy definition, Security is responsible, GRC is accountable, IT is consulted on feasibility, and HR is kept informed.
  • Access reviews and audit reporting are similarly mapped with clear roles.

This approach grounds every access decision in a set process and eliminates passing the buck.

What does this look like when executed well?

In leading organizations, the “future state” is a well-orchestrated, technology-enabled workflow. When HR enters a new employee into their system, it automatically triggers access creation in all connected IT systems, based on well-defined and role-based policy mappings. No more manual handoffs or “access not ready on day one.” Should a role change happen, the user’s permissions are tightly realigned—granting what is needed, pulling back what is not, and always checking for SoD conflicts before finalizing. When an employee leaves, a single HR action instantly revokes all digital access, with notifications and audit trails sent to all stakeholders.

Security plays a proactive role by building and maintaining the policy engine that drives these decisions—not just for current needs but adjusted as new risks emerge. GRC oversees controls, monitoring for issues before they become full-blown problems, and coordinating periodic access review campaigns to ensure every manager certifies team access is current and justified.

The difference is stark when comparing the old and new: Previously, a change or offboarding might take weeks for full access revocation, with IT left chasing tickets and GRC finding gaps months later. Now, the HR system triggers an immediate, no-exceptions, policy-aligned access adjustment or removal—ensuring nothing gets missed, every action is logged, and all stakeholders are kept in the loop automatically.

All of this is underpinned by the JML (Joiner-Mover-Leaver) lifecycle model, often described as the spine of robust ALM. Organizations that build integrated, automated processes for each of these transitions, and that run regular privilege reviews, enforce SoD policies, and reconcile dormant accounts, are the ones that consistently reduce risk while accelerating productivity.

However, even the best RACI matrix or the smartest technology won’t close all the gaps unless organizations systematically address integration issues (like HR-to-IT sync delays), clarify and document access policy definitions, create automated SoD violation detection, standardize access review schedules and formats, and monitor for dormant accounts and take prompt action to close them.
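The "automated SoD violation detection" item above has two halves in practice: a periodic scan that finds combinations already present, and a pre-grant gate that the mover workflow calls before new access exists. The script below is an added example, not code from the article or from BalkanID. The SoD rules and the role model are hypothetical and constructed inline; in a real deployment Security would own those definitions and the policy engine would load them.

```python
"""Segregation-of-Duties (SoD) detection over roles and direct entitlements.

Added example, not code from the article or from BalkanID. The SoD rules
and the role model are hypothetical and constructed inline.
"""
from __future__ import annotations

# Hypothetical SoD policy: rule id -> pair of entitlements one identity must never hold together.
SOD_RULES: dict[str, tuple[str, str]] = {
    "SOD-01": ("erp:create-vendor", "erp:approve-payment"),  # create a vendor and pay it
    "SOD-02": ("git:merge-to-main", "deploy:prod-release"),  # change code and ship it unchecked
    "SOD-03": ("iam:grant-access", "iam:certify-access"),    # grant access and certify one's own grants
}

# Hypothetical role model: roles expand to entitlements.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "ap-clerk": {"erp:create-vendor", "erp:view-invoices"},
    "ap-manager": {"erp:approve-payment", "erp:view-invoices"},
    "developer": {"git:push", "git:merge-to-main"},
    "release-eng": {"deploy:prod-release"},
    "iam-admin": {"iam:grant-access"},
}


def effective_entitlements(roles, direct=()):
    """Flatten roles plus direct grants into the entitlements the identity actually holds."""
    ents = set(direct)
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def violations(entitlements):
    """Rule ids whose forbidden pair is fully present in the entitlement set."""
    return sorted(rule for rule, (a, b) in SOD_RULES.items() if a in entitlements and b in entitlements)


def check_grant(roles, direct, add_roles=(), add_direct=()):
    """Pre-grant gate for the mover workflow: the violations this grant would introduce.

    Pre-existing violations are the scan()'s business; this returns only new ones,
    so provisioning can be blocked before the access exists.
    """
    before = set(violations(effective_entitlements(roles, direct)))
    after = violations(effective_entitlements([*roles, *add_roles], {*direct, *add_direct}))
    return [rule for rule in after if rule not in before]


def plan_move(roles, old_role, new_role):
    """Mover: show the difference between adding the new role and replacing the old one."""
    kept_old = violations(effective_entitlements([*roles, new_role]))
    replaced = violations(effective_entitlements([r for r in roles if r != old_role] + [new_role]))
    return {"if_old_role_kept": kept_old, "if_old_role_removed": replaced}


def scan(users):
    """Detect existing violations across a user population (the periodic review case)."""
    return {
        name: found
        for name, u in users.items()
        if (found := violations(effective_entitlements(u["roles"], u["direct"])))
    }


# Constructed sample population.
USERS = {
    "carol": {"roles": ["ap-clerk"], "direct": set()},
    "dan": {"roles": ["ap-clerk", "ap-manager"], "direct": set()},        # SOD-01 via two roles
    "erin": {"roles": ["developer"], "direct": {"deploy:prod-release"}},  # SOD-02 via a direct grant
    "frank": {"roles": ["developer"], "direct": set()},
}

if __name__ == "__main__":
    print("existing violations:", scan(USERS))
    print("grant release-eng to frank:", check_grant(["developer"], set(), add_roles=["release-eng"]))
    print("move carol ap-clerk -> ap-manager:", plan_move(["ap-clerk"], "ap-clerk", "ap-manager"))
```

The `plan_move` output is the privilege-creep case from the Mover section made concrete: moving a clerk into the approver role is clean only if the clerk role is actually removed. Checking direct grants as well as roles matters because a one-off entitlement handed out by ticket is the usual way an otherwise clean role model ends up in violation.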

To achieve this, start with an ALM assessment, mapping people and processes as they exist today and identifying pain points. Design the future state with detailed RACI, role models, and SoD policies. Build integrations and workflows, pilot them in a contained environment, review and refine, then roll out in managed phases to the whole business. Monitor, measure, and continuously improve as new needs and risks emerge.

Beyond technology and controls, the benefits of mature, cross-functional ALM are profound. Productivity surges when access is granted (and removed) instantly and with confidence. Security improves as dormant accounts and risky permissions vanish. Audit readiness becomes routine, not reactive. Costs are trimmed, as automation lessens IT workloads and limits the fallout from incidents. Perhaps most importantly, organizational compliance health improves continuously.

You don’t need a larger IT team—you need a smarter, shared ownership model. Begin with the RACI, align your teams, show quick wins through integration or automation, and sustain long-term momentum with leadership buy-in and transparent reporting. Access governance, done well, moves from being a source of audit pain to being a distinct business advantage.

How BalkanID Enables Platform-Wide Lifecycle Ownership

This cross-functional model requires centralization, automation, and transparency. BalkanID’s identity governance platform operationalizes shared ownership:

  1. HR System Integration: Real-time provisioning and deprovisioning triggered by HR events.
  2. Policy Engine for RBAC: Define roles, segment access, maintain audit trails.
  3. SoD Framework: Define forbidden combinations, real-time detection, automated alerts.
  4. Access Review & Certification: Automated scheduling, attestation workflows.
  5. Multi-System Provisioning: Cloud, SaaS, database, VPN, and more.
  6. Comprehensive Audit Trails: Every access change logged.
  7. Role-Based Dashboards: Tailored for HR, IT, Security, and GRC.

Without BalkanID: HR updates a record. IT gets an email. Some access is revoked, not all. GRC has no idea. Auditor finds gaps later.

With BalkanID: HR updates record. Access is realigned automatically. SoD checked. A complete audit trail is recorded. Everyone is notified.

Next steps

Ultimately, access lifecycle management isn’t just an IT problem, a GRC checklist, or an HR administrative concern. It is a foundational operational muscle that, when strengthened, drives organizational security, agility, and resilience.

  • Download and customize a RACI matrix to clarify roles and close gaps.
  • Book a demo of a modern platform like BalkanID that brings these workflows under one roof.
  • Continue learning from additional resources such as the Access Lifecycle Management Buyer’s Guide and related governance case studies.

With clarity, coordination, and commitment to cross-functional ownership, access—and risk—can finally be managed at the speed and scale your organization demands.