What Is Identity Lifecycle Management? (A Plain-English Guide)

A plain-English guide to identity lifecycle management, the joiner-mover-leaver framework, SCIM, browser automation, and why it matters.

Kingsley INT · May 13, 2026 · 6 min read

What is identity lifecycle management?

Identity lifecycle management is the process of controlling what access a person has from the moment they join a company until the moment they leave. It covers account creation, app provisioning, role updates, group membership, access reviews, offboarding, license reclaim, and evidence. In plain English, it answers one question: should this person still have this access right now?

Good identity lifecycle management connects HR facts to app access. HR knows when a worker is hired, transferred, promoted, moved, or terminated. IT systems know where accounts and permissions live. A lifecycle platform sits between those worlds and turns employee changes into access changes across identity providers and SaaS tools.

What does JML mean?

JML stands for joiner, mover, and leaver. These are the three core lifecycle events.

Joiner means a person is starting. They need the right accounts, groups, licenses, and app roles before they can work. Mover means a person changes role, team, manager, location, or department. They may need new access, but they also need old access removed. Leaver means a person exits. Their access should be revoked quickly, licenses should be reclaimed, and evidence should be stored.

The mover part is where many companies struggle. Offboarding gets attention because it is urgent, but transfers quietly create access drift. A person moves from engineering to product, from support to operations, or from one region to another, and old permissions remain. Identity lifecycle management treats those changes as real access events.

Why does identity lifecycle management matter for SMB and mid-market companies?

Small and mid-market companies often adopt SaaS faster than they adopt governance. At 50 employees, a spreadsheet may work. At 200 employees, the company may have dozens of apps, multiple departments, contractors, external identities, and sensitive customer data spread across tools. At that point, manual access operations become a security and cost problem.

Identity lifecycle management helps because it creates repeatable rules. A new sales employee gets the sales baseline. A support employee who transfers to finance loses support tools and gains finance tools. A terminated contractor loses access everywhere. A dormant design license becomes a reclaim candidate. The company does not need a large IAM team to get the basics right; it needs the lifecycle events to drive the app actions.

What is the difference between HRIS, IdP, and lifecycle automation?

An HRIS, such as ADP Workforce Now, stores employee facts. It knows the worker record, department, manager, employment status, and lifecycle changes. An identity provider, such as Okta or Microsoft Entra, controls login and central identity policies. A lifecycle automation platform coordinates downstream work across many applications.

These systems overlap, but they do not replace one another. ADP can trigger a hire or termination event, but it should not be responsible for every SaaS admin action. Okta or Entra can manage SSO and some provisioning, but they often do not cover every non-SCIM or browser-only app. Lifecycle automation fills the operational gap between the HR event and the full app stack.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an IETF standard (RFC 7643 and RFC 7644) for user provisioning and deprovisioning over HTTP with JSON. When an app supports SCIM well, an identity platform can create users, update attributes, deactivate accounts, and manage some group membership through the app's /Users and /Groups endpoints instead of its admin console. SCIM is useful because it standardizes common identity operations, so one connector pattern works across many apps.

SCIM is not complete coverage. Some apps do not support it. Some support only part of the standard: user create and deactivate but not PATCH, or users but not groups. Some require higher-tier plans. Some important actions still happen in an admin console: admin role assignment, transferring ownership of documents or repositories, and revoking personal API tokens. Setting a user's active flag to false does not always invalidate existing sessions or tokens either, so the app's own behaviour has to be checked. That means a lifecycle program based only on SCIM will usually leave part of the app stack unmanaged, and a deprovisioning step should read the account back rather than trust a 200 response.

What is browser automation in identity lifecycle management?

Browser automation is a governed way to manage apps that do not expose the right API. A browser worker signs into an admin console, performs the same action a human admin would perform, captures evidence such as a screenshot or the resulting page state, and records the result in the workflow. It should use its own named admin credential held in a secrets manager rather than a shared login, so each action in the evidence is attributable; it should run in an isolated environment; and it should never become an invisible script outside the audit trail.

Browser automation matters because real companies use tools that do not fit perfectly into SCIM. Design suites, travel tools, niche finance systems, and department-specific platforms may still require browser-based admin actions. If those apps are excluded, manual work returns exactly where the company needs coverage.

What tools are usually involved?

The lifecycle stack usually includes an HRIS, an identity provider, SaaS app connectors, a workflow engine, a database-backed identity graph, audit evidence storage, and notification channels. Some companies also use access review tools, SaaS spend platforms, or ticketing systems. The strongest operating model connects these surfaces without making ticket state or frontend state the source of truth.

For example, ADP can provide the HR event. Kingsley INT can queue and execute the lifecycle workflow. Okta, Microsoft Entra, Google Workspace, Slack, GitHub, Jira, Zoom, and browser-managed apps can receive the access changes. Slack can receive the completion digest. The database can preserve the workflow run, attempts, provider responses, and evidence.

What should a good identity lifecycle system prove?

A good system should prove who the person is, which identities belong to them, what event triggered the change, which policy applied, which apps were touched, which access changed, which licenses were reclaimed, and which exceptions remain. It should also show retries and failures instead of hiding them behind a green checklist.

This is why lifecycle automation is more than convenience. It is operational evidence. When a customer, auditor, or security leader asks whether a former employee still has access, the answer should come from workflow truth, not a manual search through tickets.
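The "retries and failures instead of a green checklist" requirement is mostly a matter of how the executor records its work. The following is an added example, not Kingsley INT's workflow engine: the adapters are constructed fakes standing in for provider or browser connectors (one flaky, one permanently failing, one missing), and the action list is sample data. The run record it returns holds every attempt and is only marked complete when nothing is left for an operator.

```python
"""Lifecycle run executor that keeps every attempt as evidence.

Added example, not Kingsley INT's code. The adapters are constructed fakes standing in
for provider or browser connectors; the action list is sample data.
"""
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable

# An adapter takes (op, target) and returns (ok, detail); raising counts as a failed attempt.
Adapter = Callable[[str, str], tuple[bool, str]]


@dataclass
class Attempt:
    number: int
    ok: bool
    detail: str        # provider response, error text, or evidence reference


@dataclass
class ActionRecord:
    app: str
    op: str
    target: str
    attempts: list[Attempt] = field(default_factory=list)
    status: str = "pending"      # done | failed | exception


def execute_run(event: str, subject: str, actions: list[tuple[str, str, str]],
                adapters: dict[str, Adapter], max_attempts: int = 3,
                backoff_s: float = 0.0) -> dict:
    """Execute (app, op, target) actions, retrying transient failures, and return a run
    record. The run is 'complete' only if every action is done; anything else is listed
    under 'exceptions' for an operator instead of being hidden."""
    records: list[ActionRecord] = []
    for app, op, target in actions:
        rec = ActionRecord(app, op, target)
        adapter = adapters.get(app)
        if adapter is None:
            # No API or browser connector for this app: surface it, do not silently skip it.
            rec.attempts.append(Attempt(0, False, "no connector; manual task required"))
            rec.status = "exception"
        else:
            for n in range(1, max_attempts + 1):
                try:
                    ok, detail = adapter(op, target)
                except Exception as exc:   # connector bug or network error
                    ok, detail = False, f"{type(exc).__name__}: {exc}"
                rec.attempts.append(Attempt(n, ok, detail))
                if ok:
                    rec.status = "done"
                    break
                time.sleep(backoff_s * n)
            else:
                rec.status = "failed"    # all attempts used
        records.append(rec)

    exceptions = [r for r in records if r.status != "done"]
    return {"run_id": str(uuid.uuid4()), "event": event, "subject": subject,
            "actions": records, "complete": not exceptions, "exceptions": exceptions}


def make_flaky_adapter(fail_times: int) -> Adapter:
    """Constructed connector that fails `fail_times` calls (e.g. 429/5xx) and then succeeds."""
    calls = {"n": 0}

    def adapter(op: str, target: str) -> tuple[bool, str]:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            return False, "HTTP 503 from provider"
        return True, f"{op} {target}: HTTP 200, evidence=resp-{calls['n']}"
    return adapter


if __name__ == "__main__":
    adapters = {"okta": make_flaky_adapter(1), "github": lambda op, t: (True, f"{op} {t}: ok")}
    run = execute_run("leaver", "u123", [("okta", "deactivate", "u123"),
                                         ("github", "remove-member", "jdoe"),
                                         ("figma", "remove-seat", "jdoe")], adapters)
    print(run["complete"], [(r.app, r.status, len(r.attempts)) for r in run["actions"]])
```

In this model the answer to "does this former employee still have access anywhere?" is the run's `exceptions` list plus the attempt details, which is what should be persisted to the database rather than a single success flag.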

How should a company start?

Start with the lifecycle event that creates the most risk: offboarding. Connect the HR source, identity provider, email suite, collaboration app, code repository, and one or two high-value SaaS tools. Run test workflows and verify the evidence: confirm the deactivated account can no longer sign in, that sessions and tokens were revoked where the app supports it, and that the run record shows every app touched and every exception left open. Then add mover workflows, license reclaim, browser automation, and department-specific onboarding.

The goal is not to automate everything on day one. The goal is to create a durable pattern: HR event, workflow policy, backend execution, provider or browser action, evidence, and operator review. Once that pattern works, the coverage can expand without changing the fundamental model.
