The Identity Lifecycle Problem in Mid-Sized Companies

Why Joiners, Movers, and Leavers Matter More Than You Think

Mid-sized companies face outsized risk and wasted effort when the Joiner–Mover–Leaver (JML) process is manual or inconsistent. Identity lifecycle management (ILM) ensures people have the right access at the right time by provisioning, updating, and revoking user access automatically as roles change. Done well, automated JML workflows reduce access creep, speed onboarding, and strengthen governance and compliance. 

What Is the Joiner–Mover–Leaver (JML) Process? A Mid-Sized Company Guide to Identity Lifecycle Management 

The Joiner–Mover–Leaver (JML) process is a simple framework for managing user access throughout the identity lifecycle. It covers how access is provisioned when someone joins, updated when they change roles, and revoked when they leave. In identity and access management (IAM), JML helps ensure people have the right access at the right time — without manual tickets and guesswork. 

Why identity lifecycle management matters for mid-sized organizations 

Identity lifecycle management matters in the mid-market because teams scale faster than processes. With lean IT, rapid hiring, and SaaS sprawl, access decisions often happen ad hoc. That creates gaps in security and productivity: new employees wait for access, movers keep old privileges, and leavers retain accounts longer than they should. An effective JML process helps mid-sized companies standardize user access without adding headcount. 

According to CISOs and IT leaders in the mid-market, the challenges are consistent: 

• New hires can’t work on day one due to delayed access. 

• Employees accumulate too much access over time. 

• Departing users keep access far too long. 

• Audits are painful because there is no single source of truth. 

• IT is overwhelmed by repetitive provisioning work. 

These identity lifecycle problems don’t just inconvenience IT teams — they affect security, compliance, and productivity across the whole organization. 

What the identity lifecycle really is and how JML fits 

The identity lifecycle is the full journey of a user’s digital identity: from the moment they join the organization, through every role change, until they leave. Identity lifecycle management organizes that journey into predictable stages so access rights remain aligned with business needs. In practice, the JML process in IAM acts as a management framework for controlling who gets access, what changes, and what must be removed. 

A mature identity lifecycle determines: 

• How employees are onboarded 

• What systems they can access 

• How their access changes over time 

• How their access is removed at exit 

The Joiner–Mover–Leaver model divides this lifecycle into three stages — Joiner, Mover, and Leaver — each with its own operational and security challenges. 

JOINER: Where first impressions and security foundations are set 

The Joiner stage is where a new identity is created and the baseline level of access is provisioned. For mid-sized companies, this is the moment that shapes both productivity and security: joiners get access quickly and correctly, or they start their first week stuck in ticket loops. Automating JML processes at onboarding makes access intentional, standardized, and consistent with least-privilege principles. 

Onboarding is often the most visible part of the identity lifecycle and one of the most painful for mid-sized companies. Without automation, the process frequently looks like this: 

That delay is more than an annoyance. It leads to inconsistent provisioning across apps, and the shortcut that follows -- granting broad access “just to get them started” -- becomes a future risk. 

What a better Joiner process looks like 

A strong Joiner stage starts with birthright access — the standard, role-based permissions every new employee should receive. Birthright access is typically defined by attributes like role, department, location, and employment type. When those attributes are present in the identity source of truth (often HR), access is provisioned automatically — not manually. 

The result: 

• New employee accounts are created across core systems on day one. 

• Baseline access is consistent and auditable. 

• IT stops hand-building access for every hire. 

MOVER: the most overlooked and risk-prone lifecycle stage 

The Mover stage is when an existing employee changes roles, departments, managers, locations, or project assignments. Movers receive new access as responsibilities expand — but they also need old access removed. This stage is the biggest driver of access creep, and the one most likely to cause audit failures if left manual. Attribute-based automation ensures that access stays aligned as people move through the organization. 

If onboarding affects productivity, the Mover stage affects security. 

Employees regularly shift teams, take on new responsibilities, or join temporary projects — and their access should change with them. Instead, most organizations simply add new privileges while never removing the old ones. Over time, users collect access rights they no longer need, expanding the blast radius for mistakes or compromise. 

Why access creep happens so easily 

• Role changes happen often, but aren’t routed to IT reliably. 

• Each app has its own access model, so tracking is hard. 

• Managers approve access additions quickly, but don’t request removals. 

A mature ILM approach uses attribute-based updates. When HR updates an employee’s department, role, or manager, the system recalculates entitlements — ensuring that access required for the new role is provisioned and outdated access is revoked. This prevents permission sprawl and keeps privileges tied to real responsibilities. 

LEAVER: the stage with the highest security stakes 

The Leaver stage is when access must be revoked completely and immediately. Leaver process failures are among the most common and preventable causes of security incidents because orphan accounts linger in SaaS apps, VPNs, shared tools, and internal systems. Automated offboarding closes that gap by triggering deprovisioning across all connected systems with an audit trail. 

Offboarding is the single most dangerous point in the identity lifecycle. When employees leave, their access should be removed right away — not hours or days later. 

Yet mid-sized companies often disable an AD or primary directory account but miss downstream systems: 

• SaaS applications 

• Shared accounts 

• Privileged tools 

• VPN access 

• Internal databases or file shares 

That leaves behind orphan accounts — accounts that do not belong to any current employee but still have permissions. A mature Leaver stage treats termination as a single lifecycle event that triggers: 

1. Account disablement. 
2. Session and token revocation. 
3. Deprovisioning everywhere the identity exists. 
4. Logging for compliance. 

This is where an effective JML process pays for itself fastest. 

Why mid-sized organizations struggle with JML 

Implementing the JML process sounds simple until you try to do it across fast-changing teams and dozens of apps. Mid-sized companies don’t fail at JML because their IT teams are weak. They struggle because old, manual lifecycle management can’t keep pace with modern environments. 

Common blockers include: 

• HR and IT operate in silos. Lifecycle events don’t flow automatically, causing delays. 

• SaaS sprawl. Each app has its own access model and admin console. 

• Informal processes dominate. Access relies on tribal knowledge or Slack messages. 

• Roles aren’t well defined. Without clear roles, automation is difficult. 

• Deprovisioning is inconsistent. Critical systems get missed. 

• Lean teams. Manual JML isn’t sustainable with small IT orgs. 

These are symptoms of growth — not poor IT performance. 

Manual JML vs. automated JML: A realistic comparison 

Manual lifecycle management across many apps creates gaps you can’t “process your way out of.” Automated JML workflows reduce variance by tying provisioning and revoke actions directly to lifecycle events. 

Joiner (onboarding) 

Manual: Access is provisioned slowly, inconsistently, and often incorrectly. New hires begin already frustrated. 

Automated: HR triggers identity creation, birthright access assigns baseline permissions instantly, and accounts are provisioned everywhere automatically. 

Mover (role changes) 

Manual: Employees accumulate excessive access, creating risk and audit failures. 

Automated: When attributes change, the system recalculates entitlements — adding what’s required and removing what’s outdated. 

Leaver (offboarding) 

Manual: IT disables a few systems but misses many others, leaving orphan accounts. 

Automated: A termination event triggers complete deprovisioning across all systems with a full audit trail. 

This shift doesn’t require “big enterprise” complexity. It requires advanced IAM solutions built to automate lifecycle events without overloading small teams. 

How OpenIAM enables a mature identity lifecycle 

A mature identity lifecycle is achievable for mid-sized companies when identity is treated as a connected system, not a collection of tickets. OpenIAM’s approach focuses on automating the JML process end-to-end so lifecycle management stays consistent even as organizations scale. 

Key building blocks include: 

• A unified identity source of truth: Keeps identity data consistent, accurate, and auditable. 

• Role- and rule-based access for Joiners: Delivers predictable baseline access through birthright policies. 

• Attribute-based automation for Movers: Updates access automatically when job attributes change. 

• Immediate, complete deprovisioning for Leavers: Revokes access across all systems with a dependable audit trail. 

• Workflow automation: Mirrors real approval paths, reduces manual work, and supports governance. 

• Designed for mid-sized organizations: Delivers maturity without requiring enterprise-scale staffing. 

The result is a strong JML process that keeps access aligned from onboarding to offboarding. 

Mature lifecycle management is achievable — even for lean teams 

Mid-sized companies don’t struggle with identity lifecycle management due to lack of skill. They struggle because manual processes can’t keep pace with modern access environments. 

With a structured JML model supported by automation — especially birthright access, attribute-driven updates, and complete offboarding — companies can reduce risk, eliminate repetitive provisioning work, and offer a dramatically better employee experience. 

Identity lifecycle maturity isn’t just an IT improvement. It’s the foundation for how mid-sized organizations operate, secure themselves, and scale. 

Frequently Asked Questions

The JML process is a model for managing identity lifecycle events: Joiner (onboarding), Mover (role changes), and Leaver (offboarding). It helps organizations provision, update, and revoke access consistently as users move through the company. 

Because role changes are frequent and often informal. If old access isn’t removed, users keep permissions they no longer need, creating access creep and audit risk. 

Automated JML workflows tie access changes to authoritative lifecycle events (like HR updates). That creates consistent enforcement and a clear audit trail for who had access and why. 

Everything an identity touched: directory accounts, SaaS apps, VPN, privileged tools, internal databases, shared accounts, and tokens/sessions. A single termination event should revoke access everywhere. 

Start with a reliable identity source of truth, define birthright access for key roles, connect core apps for automated provisioning, then expand to attribute-based updates and full deprovisioning.