Cloud Sentry

Joiner, Mover, Leaver: The Access Workflow That Survives an Audit

Access management is the most-failed control in SOC 2 and HIPAA audits, not because it is technically hard but because the workflow is usually tribal. Here is what a joiner, mover, leaver process actually looks like.

Every time we talk to a mid-market company about their SOC 2 audit results, the same control line has failed: access management. Not because the company is careless. Because the workflow is tribal knowledge and the evidence is thin.

A clean joiner, mover, leaver process is not technically hard. It is operationally disciplined. Here is what good looks like.

The Joiner Workflow

The goal: a new hire gets exactly the access their role requires, automatically, with a documented approval, on their first day.

  • Role templates: every job family maps to a pre-approved set of groups and app entitlements
  • HR as source of truth: the HRIS record drives account creation in the identity provider through the HRIS-to-IdP provisioning connector; IT does not create accounts by hand
  • Approval for any access outside the role template, logged
  • Temporary credentials delivered securely (not pasted in Slack): a one-time, expiring credential with a forced password change and MFA enrolment at first sign-in
  • Manager confirms access on day 1; IT reviews within 24 hours

The critical word is automatically. If a human has to remember to add groups, humans will forget. An auditor can tell the difference between "we have a template" and "the template is actually applied," and they will ask.

The Mover Workflow (The One Everyone Skips)

An employee changes roles. New access gets added. Old access never gets removed. Over two or three internal moves, the employee accumulates entitlements that violate least privilege.

The mover workflow:

  • HR marks the role change with an effective date
  • Identity system recalculates entitlements from the new role template
  • Old entitlements that do not apply to the new role are revoked on the effective date
  • Manager of record approves any retained exceptions, with justification
  • Quarterly review verifies no orphaned entitlements

Auditors love this control because most companies do not run it. If you do, it is a differentiator. If you do not, it is a finding.
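The joiner and mover workflows above are the same computation: recalculate the entitlement set from the role template, grant the difference, revoke what no longer applies, and keep only the exceptions a manager has re-approved with a ticket. The following is an added example, not Cloud Sentry's tooling or any identity provider's API; the role names, group and app entitlement names, the employee records and the ticket numbers are constructed for illustration. It goes slightly beyond the text by also implementing the quarterly orphaned-entitlement check.

```python
"""Role-template recalculation for joiners and movers.

Added example, not Cloud Sentry tooling: the role names, group and app
entitlement names and the employee records are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed role templates: job family -> pre-approved entitlements.
ROLE_TEMPLATES: dict[str, set[str]] = {
    "support-engineer": {"grp-all-staff", "grp-support", "app-helpdesk", "app-crm-readonly"},
    "sales-rep": {"grp-all-staff", "grp-sales", "app-crm-full"},
    "finance-analyst": {"grp-all-staff", "grp-finance", "app-erp", "app-crm-readonly"},
}


@dataclass
class Employee:
    user_id: str
    role: str
    current: set[str] = field(default_factory=set)            # entitlements held in the IdP now
    exceptions: dict[str, str] = field(default_factory=dict)  # entitlement -> approval ticket


@dataclass(frozen=True)
class Plan:
    effective: date
    grant: frozenset[str]
    revoke: frozenset[str]
    exceptions: dict[str, str]   # exceptions that survive this change, with their tickets


def plan_access(emp: Employee, new_role: str, effective: date,
                reapproved: dict[str, str] | None = None) -> Plan:
    """Compute the grant/revoke diff for emp taking new_role on the effective date.

    A joiner is the same computation with an empty current set. Exceptions do
    not carry across a move: only those the new manager re-approves (with a
    ticket) survive; everything else outside the template is revoked.
    """
    if new_role not in ROLE_TEMPLATES:
        # No template means no pre-approval: refuse rather than provision ad hoc.
        raise ValueError(f"no role template for {new_role!r}")
    template = ROLE_TEMPLATES[new_role]
    # A "re-approval" of something already in the template is not an exception.
    kept = {e: t for e, t in (reapproved or {}).items() if e not in template}
    allowed = template | set(kept)
    return Plan(effective=effective,
                grant=frozenset(allowed - emp.current),
                revoke=frozenset(emp.current - allowed),
                exceptions=kept)


def apply_plan(emp: Employee, new_role: str, plan: Plan) -> dict:
    """Apply the plan to the employee record and return the audit evidence row."""
    emp.role = new_role
    emp.current = (emp.current | plan.grant) - plan.revoke
    emp.exceptions = dict(plan.exceptions)
    return {"user": emp.user_id, "role": new_role, "effective": plan.effective.isoformat(),
            "granted": sorted(plan.grant), "revoked": sorted(plan.revoke),
            "exceptions": dict(plan.exceptions)}


def orphaned(emp: Employee) -> set[str]:
    """Quarterly review check: anything held that neither the template nor an
    approved exception explains."""
    return emp.current - ROLE_TEMPLATES[emp.role] - set(emp.exceptions)


if __name__ == "__main__":
    # Mover: a support engineer moving to sales, still carrying a stale VPN entitlement.
    dana = Employee("dana", "support-engineer",
                    current={"grp-all-staff", "grp-support", "app-helpdesk",
                             "app-crm-readonly", "app-vpn-legacy"})
    plan = plan_access(dana, "sales-rep", date(2024, 4, 1),
                       reapproved={"app-helpdesk": "TKT-1042"})   # constructed ticket id
    print(apply_plan(dana, "sales-rep", plan))
    dana.current.add("app-erp")           # someone adds a group by hand, outside the workflow
    print("orphaned:", orphaned(dana))    # the quarterly review catches it
```

The evidence row returned by apply_plan is the artifact an auditor samples: who moved, when, what was granted, what was revoked, and which exceptions were retained under which ticket. Note that the stale VPN entitlement is revoked on the move even though nobody asked about it, which is exactly the accumulation the mover workflow exists to stop.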

The Leaver Workflow (The One That Fails at 2am)

The most dangerous gap in access management is the employee who left yesterday but whose accounts still work today.

  • HR marks termination with effective date and time
  • Identity provider disables sign-in at that exact time
  • All sessions and refresh tokens revoked explicitly, not left to expire: disabling sign-in stops new authentications, but tokens already issued keep working until they expire or are revoked
  • Email forwarded per policy, mailbox preserved for the retention window
  • Device returned, wiped, and inventoried
  • SaaS apps not behind SSO deprovisioned manually; ticket tracks each
  • Evidence of the above logged to the audit trail

An hour is the outer bound for a normal departure. For a high-risk departure (disgruntled, terminated for cause, access to regulated data), it is minutes. Running this manually at 2am on a Sunday is how gaps happen.
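The check that turns the leaver workflow into evidence is a reconciliation of the HRIS termination report against the identity provider's user export: every terminated employee must be disabled within the SLA, have sessions revoked, and show no sign-in after the effective time. The following is an added example, not Cloud Sentry's tooling; the record shapes, the sample rows and the 15-minute high-risk threshold (the text says only "minutes") are constructed for illustration, and a real run would load the two exports in place of sample_data(). It also produces the "zero active accounts for terminated employees" artifact from the evidence list further down.

```python
"""Leaver reconciliation: HRIS terminations against the identity provider export.

Added example, not Cloud Sentry tooling. Record shapes, SLA thresholds and the
sample data are constructed for illustration; a real run would load the HRIS
termination report and the IdP user export instead of sample_data().
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed thresholds: one hour is the outer bound given for a normal departure;
# 15 minutes is this example's choice for a high-risk one.
SLA_NORMAL = timedelta(hours=1)
SLA_HIGH_RISK = timedelta(minutes=15)


@dataclass(frozen=True)
class Termination:              # one row of the HRIS termination report
    user_id: str
    effective: datetime         # timezone-aware effective date and time
    high_risk: bool = False


@dataclass(frozen=True)
class IdpUser:                  # one row of the identity provider user export
    user_id: str
    enabled: bool
    disabled_at: Optional[datetime] = None
    sessions_revoked_at: Optional[datetime] = None
    last_sign_in: Optional[datetime] = None


@dataclass(frozen=True)
class Finding:
    user_id: str
    severity: str               # critical | high | medium
    detail: str


def reconcile(terms: list[Termination], idp: list[IdpUser], now: datetime) -> list[Finding]:
    """Return every way a leaver's deprovisioning fell short of the workflow."""
    by_id = {u.user_id: u for u in idp}
    findings: list[Finding] = []
    for t in terms:
        if t.effective > now:               # future-dated departure: nothing to verify yet
            continue
        u = by_id.get(t.user_id)
        if u is None:
            findings.append(Finding(t.user_id, "medium",
                                    "not in IdP export; confirm the deletion itself was recorded"))
            continue
        sla = SLA_HIGH_RISK if t.high_risk else SLA_NORMAL
        deadline = t.effective + sla
        if u.enabled:
            findings.append(Finding(t.user_id, "critical",
                                    f"still enabled {now - t.effective} after termination"))
        elif u.disabled_at is None:
            findings.append(Finding(t.user_id, "high", "disabled, but no timestamp: evidence gap"))
        elif u.disabled_at > deadline:
            findings.append(Finding(t.user_id, "high",
                                    f"disabled {u.disabled_at - t.effective} after effective time (SLA {sla})"))
        # Disabling sign-in does not invalidate tokens already issued; revocation is a separate step.
        if u.sessions_revoked_at is None or u.sessions_revoked_at > deadline:
            findings.append(Finding(t.user_id, "high",
                                    "sessions not revoked within SLA; issued tokens stay valid until expiry"))
        if u.last_sign_in is not None and u.last_sign_in > t.effective:
            findings.append(Finding(t.user_id, "critical",
                                    f"sign-in at {u.last_sign_in.isoformat()} after termination; treat as an incident"))
    return findings


def active_terminated(terms: list[Termination], idp: list[IdpUser], now: datetime) -> list[str]:
    """The audit artifact: terminated employees whose accounts are still enabled (should be empty)."""
    enabled = {u.user_id for u in idp if u.enabled}
    return sorted(t.user_id for t in terms if t.effective <= now and t.user_id in enabled)


def sample_data() -> tuple[list[Termination], list[IdpUser], datetime]:
    """Constructed HRIS and IdP rows covering one clean run and several failure modes."""
    def ts(day: int, hour: int, minute: int = 0) -> datetime:
        return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)
    terms = [
        Termination("alice", ts(1, 17)),                                      # clean normal departure
        Termination("bob", ts(1, 9), high_risk=True),                         # for cause; slow and incomplete
        Termination("carol", datetime(2024, 2, 28, 12, tzinfo=timezone.utc)), # never disabled
        Termination("dave", ts(1, 12)),                                       # missing from the export
        Termination("erin", ts(9, 12)),                                       # future-dated; skipped
    ]
    idp = [
        IdpUser("alice", False, disabled_at=ts(1, 17, 20), sessions_revoked_at=ts(1, 17, 20),
                last_sign_in=ts(1, 16, 30)),
        IdpUser("bob", False, disabled_at=ts(1, 9, 45), last_sign_in=ts(1, 9, 30)),
        IdpUser("carol", True, last_sign_in=datetime(2024, 2, 27, 8, tzinfo=timezone.utc)),
        IdpUser("erin", True),
    ]
    return terms, idp, ts(2, 9)


def sample_run() -> list[Finding]:
    return reconcile(*sample_data())


if __name__ == "__main__":
    for f in sample_run():
        print(f"{f.severity:8} {f.user_id:6} {f.detail}")
    print("active terminated:", active_terminated(*sample_data()))
```

The bob row is the 2am case: the account was disabled 45 minutes after a for-cause termination, sessions were never revoked, and there is a sign-in in the window between the effective time and the disable. That sign-in is the line an auditor will circle, so the check reports it as an incident rather than an SLA miss.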

The Evidence Trail That Satisfies Every Auditor

The evidence artifacts that make the control demonstrably real:

  • Written JML policy, approved by leadership, dated
  • Role template document mapping job families to entitlements
  • Sample tickets showing joiner, mover, and leaver runs in the last 90 days
  • Quarterly access review report with signed approvals
  • Identity provider export showing zero active accounts for terminated employees
  • SaaS inventory with ownership and SSO status per tool

Auditors sample. A clean run of these artifacts closes the access management control line in a SOC 2, HIPAA, or HITRUST audit.

Tooling

You do not need a dedicated identity governance platform to do this well at the mid-market. The core stack is your identity provider (Entra ID, Google Workspace, Okta), your HRIS, your MDM, and a ticketing system to track the non-SSO SaaS apps. Most companies already have all four.

What they do not have is the written workflow that glues them together and the operational discipline to run it every time.

Where Cloud Sentry Fits

JML is a Managed Operations core deliverable. We own the workflow, run it for every employee lifecycle event, produce the evidence artifacts, and close the most common SOC 2 audit finding at the mid-market.

