
Designing a Joiner-Mover-Leaver Process That Survives an Audit

Most JML programs look tidy on a slide and fall apart at the leaver stage. Here is the operating model I use to make identity lifecycle defensible rather than decorative.

14 January 2026 · 3 min read · Aditi Shah

Every identity program I have inherited has a joiner-mover-leaver diagram. Almost none of them survive contact with an auditor, because the diagram describes intent, not behaviour. The question an assessor actually asks is narrow and unforgiving: show me the access this person held the day they left, and show me when each entitlement was removed. If you cannot answer that in minutes from a system of record, you do not have a JML process — you have a JML aspiration.

Start from the authoritative source, not the request queue

The single biggest failure mode is letting the service desk be the trigger for identity events. People raise tickets when they remember to. HR systems, by contrast, hold a contractual truth: a start date, a cost-centre move, a termination. Your lifecycle must be driven by an authoritative source feed, typically the HRIS for employees and a contingent-worker register for everyone else, with the IAM platform reconciling against it either as events land or on a schedule short enough that you can defend it to an assessor.

The non-employee population is where audits are won or lost. Contractors, service partners, and the people behind vendor and service accounts rarely sit in the HRIS, so they become the orphans nobody decommissions. If you take one thing from this piece: every identity needs a named sponsor and an expiry date, with no exceptions for "temporary" access, and when a sponsor leaves, the identities they sponsored need a new sponsor or they expire too.

Joiner: birthright should be boring

Birthright access — the baseline every new starter receives by role — should be small, role-derived, and fully automated. The temptation is to be generous so the help desk gets fewer "I can't access X" tickets in week one. Resist it. Generous birthright is the seed of every standing-privilege problem you will spend the next three years unwinding. Grant the minimum that lets someone be productive, and make everything above that an explicit, time-bound request.

Mover: the stage everyone skips

Movers are the most dangerous population in the directory. They accumulate. Someone who has moved through three teams in five years carries the union of all three roles' access unless something actively strips the old. A real mover process re-evaluates entitlements against the new role and revokes what no longer maps — not "flags for review," revokes, with the old manager's approval captured as evidence.

Field note

Access creep is not a tail risk — it is the default state of any directory without an enforced mover workflow. I treat a role change as a mini-leaver followed by a mini-joiner. It is the cleanest mental model I have found.

Leaver: speed is the control

Leaver risk is a function of time-to-revoke. For a standard exit, disablement should happen at the termination timestamp from the authoritative source, not the next overnight batch. For high-risk exits — privileged users, anyone leaving under duress — you need a same-hour kill path: disable authentication, revoke active sessions and tokens, rotate any shared or privileged credentials they could have known, and quarantine the mailbox.

  • Disable, don't delete — preserve the account for forensics and licence reclamation, but cut authentication immediately.
  • Revoke the session, not just the password — OAuth refresh tokens, long-lived web sessions, and any personal access tokens or API keys the person minted all outlive a password change. Kill them explicitly, in the identity provider and in every application that issues its own tokens.
  • Rotate what they knew — a leaver with PAM access means the secrets they could see are now compromised by definition.
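The auditor's question for a leaver is "when was each control applied, measured from the termination timestamp?". The following is an added Python example, not code from this post or from any IAM product, that answers it from a revocation event log: the log line format, the control names, the SLA thresholds and the sample users are assumptions constructed for illustration. It shows why events before the termination timestamp do not count (a morning password reset is not a revocation), why a missing session-revocation event is a breach even when everything else was done in minutes, and what an overnight batch looks like as evidence.

```python
"""Leaver evidence from a JML event log: time-to-revoke per control.

Added example, not code from the post or from any IAM product. The log line
format, control names and SLA thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The kill path in the post: a leaver is closed only when every one of these
# controls has a timestamped event at or after the HR termination time.
REQUIRED_CONTROLS = (
    "auth_disabled",        # authentication cut, account preserved (disable, don't delete)
    "sessions_revoked",     # refresh tokens and live sessions killed explicitly
    "secrets_rotated",      # shared or privileged credentials the leaver could have seen
    "mailbox_quarantined",
)

# Assumed SLAs: a standard exit at the termination timestamp, with a short
# grace window for feed latency; a high-risk exit within the hour.
SLA = {"standard": timedelta(minutes=15), "high_risk": timedelta(hours=1)}


@dataclass(frozen=True)
class Event:
    user: str
    control: str
    at: datetime


def parse_events(lines):
    """Parse constructed log lines of the form '<iso8601> <user> <control>'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, control = line.split()
        events.append(Event(user, control, datetime.fromisoformat(ts)))
    return events


def leaver_report(user, terminated_at, risk, events):
    """Time-to-revoke in seconds per required control, plus the breaches.

    terminated_at is the ISO-8601 termination timestamp from the authoritative
    HR feed. Events before that timestamp do not count: a password reset the
    morning of an exit is not a revocation. A control with no qualifying event
    is reported as None and is always a breach.
    """
    t0 = datetime.fromisoformat(terminated_at)
    budget = SLA[risk].total_seconds()
    report = {}
    for control in REQUIRED_CONTROLS:
        hits = [e.at for e in events
                if e.user == user and e.control == control and e.at >= t0]
        report[control] = int((min(hits) - t0).total_seconds()) if hits else None
    breaches = [c for c, secs in report.items() if secs is None or secs > budget]
    return report, breaches


# Constructed sample log. jdoe is a privileged high-risk exit handled by hand;
# asmith is a standard exit left to the overnight batch.
SAMPLE_LOG = """
2026-01-09T09:00:00+00:00 jdoe password_reset
2026-01-09T17:02:00+00:00 jdoe auth_disabled
2026-01-09T17:03:00+00:00 jdoe secrets_rotated
2026-01-09T17:05:00+00:00 jdoe mailbox_quarantined
2026-01-10T02:00:00+00:00 asmith auth_disabled
2026-01-10T02:00:00+00:00 asmith sessions_revoked
2026-01-10T02:00:00+00:00 asmith secrets_rotated
2026-01-10T02:00:00+00:00 asmith mailbox_quarantined
""".splitlines()

# Constructed leaver records: (user, termination timestamp from HRIS, risk tier).
LEAVERS = [
    ("jdoe", "2026-01-09T17:00:00+00:00", "high_risk"),
    ("asmith", "2026-01-09T17:30:00+00:00", "standard"),
]


def audit_leavers(lines=SAMPLE_LOG, leavers=LEAVERS):
    """Run the report for every leaver; returns {user: (report, breaches)}."""
    events = parse_events(lines)
    return {u: leaver_report(u, t, r, events) for u, t, r in leavers}


if __name__ == "__main__":
    for user, (report, breaches) in audit_leavers().items():
        print(user, report, "BREACH:" if breaches else "OK", breaches)
```

On the constructed data, jdoe's auth, secrets and mailbox controls all land within five minutes but the missing session revocation is still a breach, and every one of asmith's controls lands 8.5 hours late because nothing fired before the batch. Feeding the real HRIS termination timestamp rather than the ticket creation time is what makes the number defensible.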

Close the loop with reconciliation

The thing that turns a process into evidence is continuous reconciliation: the IAM platform compares the access it believes exists against what target systems actually report, and raises a finding on every drift. Unmanaged accounts, entitlements granted out-of-band, leavers still active in a downstream app — these surface as exceptions you can triage, not surprises an auditor finds first.
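To make the reconciliation loop concrete, here is an added Python example that diffs two authoritative feeds (an HRIS extract and a contingent-worker register with sponsor and expiry), a role-derived birthright model and a set of time-bound exceptions against what target systems report. It is not code from this post, from SailPoint or from any other IAM product; every identifier, role, date and feed shape is constructed for illustration. It covers the earlier points in one pass: the non-employee without a sponsor, the mover still carrying the old team's entitlement after its exception lapsed, the leaver still active in a downstream app, the account no source owns, and the joiner whose birthright never landed.

```python
"""Continuous reconciliation: authoritative sources vs. what targets report.

Added example, not code from the post or from SailPoint or any other IAM
product. The feed shapes, the role model, every identifier and every date
are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Birthright by role: small, role-derived, and the only standing access
# an active identity holds without a time-bound exception.
ROLE_BIRTHRIGHT = {
    "engineer": {"vpn", "git"},
    "finance": {"vpn", "erp"},
}

# Authoritative source 1: HRIS feed for employees.
HRIS = {
    "jdoe": {"status": "active", "role": "engineer"},
    "asmith": {"status": "terminated", "role": "finance"},
    "mchen": {"status": "active", "role": "finance"},   # moved from engineering
}

# Authoritative source 2: contingent-worker register. Every entry must carry
# a sponsor and an expiry; an expired entry is a leaver.
CONTINGENT = {
    "ctr-lee": {"sponsor": "jdoe", "expires": "2026-03-31", "role": "engineer"},
    "ctr-old": {"sponsor": None, "expires": "2025-12-31", "role": "engineer"},
}

# Approved, time-bound requests above birthright: {identity: {entitlement: expiry}}.
EXCEPTIONS = {
    "jdoe": {"prod_admin": "2026-02-28"},
    "mchen": {"git": "2025-11-30"},   # the old team's access; exception lapsed
}

# What each target system actually reports: {system: {account: {entitlements}}}.
TARGETS = {
    "vpn_gateway": {"jdoe": {"vpn"}, "asmith": {"vpn"}, "mchen": {"vpn"},
                    "ctr-lee": {"vpn"}, "ctr-old": {"vpn"}},
    "git_server": {"jdoe": {"git"}, "mchen": {"git"}, "svc-legacy": {"git"}},
    "erp": {"mchen": {"erp"}},
    "cloud": {"jdoe": {"prod_admin"}},
}


def _current(expires, as_of):
    """True when an ISO-8601 expiry date exists and has not passed."""
    return expires is not None and date.fromisoformat(expires) >= as_of


def expected_state(hris, contingent, as_of):
    """Merge both feeds into {identity: (is_active, role)} plus identity findings."""
    state, findings = {}, []
    for uid, rec in hris.items():
        state[uid] = (rec["status"] == "active", rec["role"])
    for uid, rec in contingent.items():
        if not rec.get("sponsor") or not rec.get("expires"):
            findings.append(("contingent_unsponsored_or_open_ended", uid, "-", "-"))
        state[uid] = (_current(rec.get("expires"), as_of), rec["role"])
    return state, findings


def reconcile(hris, contingent, exceptions, targets, as_of):
    """Diff believed access against reported access.

    Returns sorted findings as (kind, identity, system, entitlement) tuples.
    """
    as_of = date.fromisoformat(as_of)
    state, findings = expected_state(hris, contingent, as_of)

    # Flatten the target reports to {account: {(system, entitlement)}}.
    actual = defaultdict(set)
    for system, accounts in targets.items():
        for acct, ents in accounts.items():
            actual[acct].update((system, e) for e in ents)

    for acct, held in actual.items():
        if acct not in state:                      # no authoritative owner
            findings += [("orphan_account", acct, s, e) for s, e in sorted(held)]
            continue
        active, role = state[acct]
        if not active:                             # leaver or expired contractor
            findings += [("leaver_still_active", acct, s, e) for s, e in sorted(held)]
            continue
        allowed = set(ROLE_BIRTHRIGHT[role])
        allowed |= {e for e, exp in exceptions.get(acct, {}).items() if _current(exp, as_of)}
        # Anything held outside birthright plus live exceptions is mover creep
        # or an out-of-band grant; either way it is a finding, not a flag.
        findings += [("excess_entitlement", acct, s, e)
                     for s, e in sorted(held) if e not in allowed]

    # Joiner side of the diff: active identities missing their birthright.
    for uid, (active, role) in state.items():
        if active:
            held = {e for _, e in actual.get(uid, ())}
            findings += [("missing_birthright", uid, "-", e)
                         for e in sorted(ROLE_BIRTHRIGHT[role] - held)]
    return sorted(findings)


if __name__ == "__main__":
    for f in reconcile(HRIS, CONTINGENT, EXCEPTIONS, TARGETS, "2026-01-14"):
        print("%-36s %-10s %-12s %s" % f)
```

Run as of 2026-01-14, the constructed data yields six findings and none for jdoe, whose extra entitlement is covered by a live exception. The design point is that every finding is computed from the authoritative feeds and the target reports alone; nobody's memory of who approved what is consulted, which is exactly the property an assessor is testing for.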

A JML process that survives an audit is not the one with the prettiest diagram. It is the one where, on any given day, you can reconstruct exactly who had what, why, and when it changed — because the system, not a human's memory, is the source of truth.

Tags: IAM, Identity Lifecycle, SailPoint, Governance
Aditi Shah
Cybersecurity & IAM Specialist, Melbourne — 12+ years across regulated finance, government & telecom.
