The Mover Phase IGA Gap: The Identity Governance Gap That CISOs Need to Solve

Organizations today invest heavily in identity governance at the two ends of the workforce lifecycle, i.e. employee onboarding and offboarding. The middle, the mover phase, is where this model becomes weak. When an employee’s department, role, or title is updated, their identity often accumulates privileges and entitlements from previous roles that nobody revoked. This is the mover phase IGA gap, which is the most under-addressed source of privilege creep in today’s enterprise identity programs.

According to a 2025 survey of 1000 enterprises by CloudEagle.ai, 50% of employees who changed roles internally carry excessive rights and permissions they no longer need. The same study reports that 1 in 2 organizations acknowledge that privilege creep after role transfers is common in their environment, but only 5% have actively enforced least privilege policies.

The JML (Joiner, Mover, Leaver) framework is the center of most identity governance programs. In most organizations, the joiner and leaver phases are highly governed. When new hires join, their accounts are provisioned according to an existing checklist. At termination, offboarding checklists and automated revocations are scheduled to run. But when the same employee changes roles or departments, the model becomes weak. A mover often carries the combined access footprint of every role they have ever held, leading to entitlement accumulation.

Why Role Transitions Break Least Privilege

Most IGA implementations drive events in one direction. When something new happens, they provision access. For an employee’s last day, offboarding checklists and automated revocations are scheduled to run. But when the same employee changes roles or departments, the model becomes weak.

When a worker changes roles internally, the typical sequence looks like this:

Beyond the access risk, the impact on employee experience is equally important. A 2024 RoboMQ webinar survey found that over 63% of HR leaders report their current systems cannot handle real-time role changes effectively. The result is delayed system access, stale group memberships, and employees who either lack the right permissions on the first day of their new job or continue accessing systems they no longer have a business reason to use.

Role transitions are not just a security event. When email addresses, org chart updates, SharePoint and Teams access, IT asset assignments, and third-party application provisioning are handled through manual tickets and email chains, the window for error expands. What makes this even more dangerous is the compounding effect over time. Horizontal access sprawl from changing systems and departments, combined with vertical access sprawl from changing seniority levels, leads to two-dimensional access accumulation.

Microsoft’s 2024 State of Multicloud Security Report measured dormant permissions across more than 51,000 cloud entitlements. Only 2% were actively used. The other 98% represented latent risk with zero operational justification.

The Automation Gap and Its Cost

According to the 2025 State of IGA Survey, only 6% of organizations have achieved full IGA automation, with 82% citing integration complexity as the primary barrier. When provisioning is manual, deprovisioning on a role transition is the first thing to break. It generates no SLA breach and no failed workflow alert, and leaves no visible gap until an auditor or a breach points it out.

Manual access reviews compound this problem rather than solve it. When managers certify 30 to 50 entitlements per quarter under operational pressure, blanket approvals become common. Organizations pass SOX or SOC 2 inspections while employees retain admin access from roles held two transitions ago.

Missing HR to IT synchronization adds another layer to this gap. A role change recorded in the HR system can sit unactioned in an IT queue for days. During that window, the employee holds the combined entitlements of both the prior and incoming roles simultaneously.

What Effective Mover Governance Requires

Process improvements layered over broken manual workflows will not close the mover phase IGA gap. Organizations should treat the HR system as the authoritative source of identity data and automate lifecycle management so that role change events are handled as structurally as hire and termination events. When a role transition occurs, three things must happen simultaneously and automatically:

The absence of any one of these three leaves the mover phase ungoverned.

How Hire2Retire Addresses the Mover Gap

Hire2Retire is built on the principle that every identity action must be driven by an HR event, not by a manually raised ticket, a scheduled batch job, or a periodic review cycle. As soon as an employee profile is updated in the HR system, such as ADP, Workday, or any of the 25+ other HR platforms Hire2Retire integrates with, that change is consumed in near real time. Based on the profile update (a change in role, department, or title), Hire2Retire then provisions new access and revokes the prior role’s entitlements in near real time.

Hire2Retire connects the HR system, identity providers such as Entra ID, Active Directory, Okta, or Google Workspace, and any connected ITSM platform (ServiceNow, JIRA Service Management, or Freshservice) into a single automated workflow. It maps HR profile attributes to the identity providers through advanced data transformation and lookup capabilities, ensuring the AD profile always reflects the current HR record rather than a snapshot from the last provisioning run.

Hire2Retire supports both RBAC and ABAC frameworks. Access profiles are policy-driven definitions built on organizational attributes: department, location, seniority, employment type, and manager hierarchy. Role-based group membership rules, including security group and distribution list assignments, are defined once and applied automatically across every subsequent lifecycle event. Organizational unit placement uses AND/OR condition logic to support complex hybrid AD environments.

One capability that specifically addresses the operational reality of role transitions is the configurable transition period. Rather than a hard cutover, Hire2Retire supports an overlap window of 30 or 90 days during which the employee retains access to both the prior and incoming role. An engineer stepping into a team lead role still needs to close active projects and hand off responsibilities; cutting all prior access on day one is operationally disruptive. The transition period handles this by design, with automatic revocation once the defined window closes and no manual follow-up required.

Every lifecycle event generates a timestamped audit trail traceable back to the originating HR record. For organizations subject to NIST, ISO-27001, or SOC-2 requirements, Hire2Retire provides a complete log of what changed, when, and what triggered it. Audit logs are retained on-platform for one year with export options to Azure, AWS S3, or MySQL for long-term storage.
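To make the mechanics of attribute-driven access profiles, the transition window, and the HR-event-linked audit trail described above concrete, here is an added example in Python. It is not Hire2Retire code and does not use its API; the attribute names, access profiles, entitlement identifiers, event ids and dates are constructed for illustration. It goes slightly beyond the text: the same policy evaluation is reused to flag entitlements that no current attribute justifies and that sit outside an open transition window, which is the mover phase gap expressed as a computable set that a reviewer or alerting job can act on.

```python
"""Mover-phase reconciliation model (added example, not Hire2Retire's code).

Assumed, constructed model: an identity carries HR attributes; access profiles
map attribute conditions to entitlements (AND across attributes, OR within a
value list); a role change grants new-role access immediately and schedules
revocation of prior-role-only access after a configurable transition window.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed access profiles: (rule, entitlements granted when the rule matches).
ACCESS_PROFILES = [
    ({"department": ["Engineering"]}, {"grp-eng-all", "gitlab-dev"}),
    ({"department": ["Engineering"], "title": ["Team Lead", "Manager"]},
     {"grp-eng-leads", "jira-admin"}),
    ({"department": ["Finance"]}, {"grp-finance", "erp-reader"}),
    ({"location": ["Delhi", "Bangalore"]}, {"vpn-apac"}),
]


def rule_matches(rule, attributes):
    """AND across attributes, OR within each attribute's value list."""
    return all(attributes.get(attr) in values for attr, values in rule.items())


def desired_entitlements(attributes):
    """Union of everything the current HR attributes justify."""
    wanted = set()
    for rule, grants in ACCESS_PROFILES:
        if rule_matches(rule, attributes):
            wanted |= grants
    return wanted


@dataclass
class Identity:
    user: str
    attributes: dict
    entitlements: set = field(default_factory=set)
    # entitlement -> date on which its transition window closes
    pending_revocations: dict = field(default_factory=dict)
    # (date, originating HR event id, action, entitlement[, due date])
    audit: list = field(default_factory=list)


def apply_mover_event(identity, new_attributes, event_id, today, transition_days=30):
    """Consume an HR role-change event: grant what the new role needs now,
    schedule revocation of what only the old role justified, log both."""
    identity.attributes = dict(new_attributes)
    target = desired_entitlements(identity.attributes)
    to_grant = target - identity.entitlements
    # Entitlements already inside a window keep their original due date.
    to_revoke = identity.entitlements - target - set(identity.pending_revocations)
    for ent in sorted(to_grant):
        identity.entitlements.add(ent)
        identity.audit.append((today, event_id, "grant", ent))
    due = today + timedelta(days=transition_days)
    for ent in sorted(to_revoke):
        identity.pending_revocations[ent] = due
        identity.audit.append((today, event_id, "schedule_revoke", ent, due))
    # A later move can re-justify something already scheduled for removal.
    for ent in sorted(set(identity.pending_revocations) & target):
        del identity.pending_revocations[ent]
        identity.audit.append((today, event_id, "cancel_revoke", ent))
    return to_grant, to_revoke


def enforce_revocations(identity, today, event_id="scheduler"):
    """Daily job: revoke entitlements whose transition window has closed."""
    revoked = set()
    for ent, due in sorted(identity.pending_revocations.items()):
        if today >= due:
            identity.entitlements.discard(ent)
            del identity.pending_revocations[ent]
            identity.audit.append((today, event_id, "revoke", ent))
            revoked.add(ent)
    return revoked


def privilege_creep(identity):
    """Entitlements no current attribute justifies and no open transition
    window excuses: the mover-phase gap as a set, for reviews or alerting."""
    return (identity.entitlements
            - desired_entitlements(identity.attributes)
            - set(identity.pending_revocations))


if __name__ == "__main__":
    alice = Identity("alice", {"department": "Engineering", "title": "Engineer",
                               "location": "Delhi"})
    alice.entitlements = desired_entitlements(alice.attributes)
    apply_mover_event(alice, {"department": "Finance", "title": "Analyst",
                              "location": "Delhi"}, "HR-EVT-001", date(2025, 1, 1))
    print("day 1:", sorted(alice.entitlements), "creep:", privilege_creep(alice))
    enforce_revocations(alice, date(2025, 1, 31))
    print("day 31:", sorted(alice.entitlements))
    for entry in alice.audit:
        print(entry)
```

Each audit entry carries the HR event id that caused it, so a revocation on day 31 is traceable back to the role change on day 1 rather than to an anonymous scheduler run. Two design choices worth noting: an entitlement already inside a window is not given a fresh window by a second move, and a move back into a role that still justifies a pending entitlement cancels the scheduled revocation instead of letting the window silently remove access the new role needs.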

Hire2Retire’s communication hub handles the notification layer. Every role transition or leave event triggers configurable, templated notifications to the employee, manager, IT, and any defined stakeholder. Employee attribute placeholders populate automatically. This replaces informal email chains with a documented communication record sitting alongside the access change log. For privileged access changes that need human sign-off, approval workflows integrate directly into the transition flow through connected ITSM systems, without breaking automation for everything else.

With Hire2Retire, users have reported:

Hire2Retire is deployed across 150+ organizations in healthcare, manufacturing, financial services, and other industries with go-live typically taking 6 to 8 weeks through a white-glove QuickStart Pro implementation.

Conclusion

The challenge with the mover phase IGA gap has always been conceptual rather than operational. The organizations that close the mover gap are not running more access reviews. They have connected their HR system directly into the identity governance layer, treating every HR event as an identity event and letting policies govern who has access to what and for how long.

Book a quick discovery call with one of our IGA specialists and see Hire2Retire Governance in action!

Somya Shrimal

Somya Shrimal is a Marketing Specialist at RoboMQ. She is a tech enthusiast and a prolific blogger who helps businesses stay up-to-date with the latest trends and best practices in the industry. Her expertise in SaaS, cloud, on-premises apps, and IoT has made her a go-to source for businesses looking to navigate the ever-changing tech landscape.
