Executive summary
Joiner–Mover–Leaver (JML) failures are rarely caused by missing tooling. They happen because ownership, data, and decision-making are misaligned across the identity lifecycle.
In regulated enterprises, JML breakdown is a common root cause behind persistent access drift, over-privileged users, repeat audit findings, and incidents involving abused (but valid) accounts.
What typically goes wrong
Joiners: access is granted faster than it is governed
What happens: New starters receive broad baseline access. Entitlements are granted "temporarily" to unblock delivery. Exceptions are not tracked as exceptions.
Why it fails: Speed is prioritised over precision. Role definitions lag organisational reality. There is no forced revisit point for early access grants.
Result: Temporary access becomes permanent by default.
Movers: role change does not equal access change
What happens: Title changes are captured, but entitlements are not reviewed holistically. Old access is retained "just in case".
Why it fails: Role ownership is unclear. Approval workflows focus on new access only. Removal decisions feel risky and irreversible.
Result: Access accumulates silently over time.
Leavers: deprovisioning is incomplete or delayed
What happens: Core accounts are disabled, but secondary systems lag behind. Service, shared, or delegated access persists.
Why it fails: Identity data is fragmented. Offboarding stops at HR or directory level. Non-human access tied to individuals is overlooked.
Result: Former users retain access paths long after exit.
The real root causes
JML failures usually trace back to one or more of the following:
Identity data quality
Unreliable manager, role, or employment attributes turn automation into error at scale.
Ownership gaps
No clear owner for roles, entitlements, exceptions, or deprovisioning completeness.
Approval theatre
Approvals exist, but approvers lack context and outcomes are not measured.
No lifecycle checkpoints
No mandatory moment where accumulated access must be challenged and reduced.
Authorisation drift
Access grows by exception and "just in case" grants, without routine role discipline.
Evidence gaps
Controls exist, but cannot be evidenced reliably under audit.
Why audits keep finding the same issue
Auditors don't fail JML because it doesn't exist. They fail it because it cannot be evidenced end-to-end.
Common audit observations: incomplete access reviews, inconsistent removal evidence, manual exceptions without expiry, and lack of reconciliation between systems. This converts lifecycle weakness into repeat compliance failure.
What effective JML looks like in production
High-performing IAM programs treat JML as a control system, not a workflow. Effective JML has:
Explicit lifecycle ownership
Accountability for role definitions, exception expiry, and removal completeness.
Forced reduction moments
Access is intentionally reduced at role change and via periodic certification.
Exception governance
Exceptions are time-bound, reviewed, and reportable — not hidden in tickets.
Evidence by design
Every join, move, and leave produces an auditable decision and traceable outcome.
Operational reality
Controls are tuned for production delivery, not theoretical process maps.
Continuous improvement
Lifecycle controls are measured and refined based on exceptions and drift signals.
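The reconciliation the audit section calls for, combined with exception expiry and evidence-by-design, as an added illustration (not Solluna Caelum's code): an HR feed is treated as the system of record, a downstream application's entitlement snapshot is compared against the role baseline and the exception register, and every decision becomes a dated, auditable record. All user ids, roles, entitlements and dates are constructed.

```python
from datetime import date
# Constructed sample data (not from any real system): HR feed as the system of
# record, role baseline, exception register, and one application's snapshot.
HR_FEED = {
    "u001": {"status": "active", "role": "analyst"},
    "u002": {"status": "active", "role": "engineer"},     # mover: was an analyst
    "u003": {"status": "terminated", "role": "analyst"},  # leaver
    "u004": {"status": "active", "role": "engineer"},
}
ROLE_BASELINE = {"analyst": {"reporting-read"}, "engineer": {"repo-write", "ci-deploy"}}
# Access granted outside the role baseline; an exception with no expiry is the
# "manual exception without expiry" that auditors flag.
EXCEPTIONS = [
    {"user": "u001", "entitlement": "prod-db-read", "expires": date(2024, 1, 31)},
    {"user": "u004", "entitlement": "prod-db-read", "expires": None},
]
APP_SNAPSHOT = {
    "u001": {"reporting-read", "prod-db-read"},
    "u002": {"repo-write", "ci-deploy", "reporting-read"},  # old role's access kept
    "u003": {"reporting-read"},                              # still live after exit
    "u004": {"repo-write", "ci-deploy", "prod-db-read"},
}

def reconcile(hr, baseline, exceptions, snapshot, today):
    """Return dated, auditable revoke decisions for every entitlement in the
    snapshot that the HR record, role baseline and exception register do not justify."""
    valid, stale = set(), {}
    for e in exceptions:
        key = (e["user"], e["entitlement"])
        if e["expires"] is None:
            stale[key] = "exception_without_expiry"
        elif e["expires"] < today:
            stale[key] = "expired_exception"
        else:
            valid.add(key)
    findings = []
    def decide(user, kind, ents):  # one record per decision = evidence by design
        findings.append({"as_of": today.isoformat(), "user": user, "type": kind, "revoke": sorted(ents)})
    for user, ents in sorted(snapshot.items()):
        record = hr.get(user)
        if record is None or record["status"] != "active":
            decide(user, "leaver_access", ents)  # leaver or unknown identity: revoke all
            continue
        for ent in sorted(ents - baseline.get(record["role"], set())):
            if (user, ent) not in valid:  # an in-date recorded exception is kept
                decide(user, stale.get((user, ent), "drift"), [ent])  # drift: nothing on record
    return findings

def run(today="2024-03-01"):
    return reconcile(HR_FEED, ROLE_BASELINE, EXCEPTIONS, APP_SNAPSHOT, date.fromisoformat(today))
```

Running the same check against each downstream system, on a schedule, is what turns "removal evidence" from a ticket search into a reproducible artefact.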
How Solluna Caelum approaches this
We don't start with workflows. We start by mapping ownership, defining lifecycle decision points, designing access reduction as a first-class outcome, and ensuring every step produces audit-ready evidence. Only then do we apply tooling.
Want to explore this in your environment?
If JML findings keep resurfacing — or if access drift feels inevitable — tell us what you're trying to achieve and we'll come back with a practical plan.
Related taxonomy: Identity Lifecycle Failure (JML) · Identity Data Quality Failure · Approval & Workflow Governance Failure · Authorisation & Entitlement Failure