Every vendor now touts "lifecycle automation." But dig deeper and most mean "automation for the 20% of apps that offer SCIM," leaving the other 80% of your stack stuck on tickets and spreadsheets.

Meanwhile, your real world looks like this:

  • New hires start on Monday but wait days for access to GitHub, Notion, and half the SaaS your teams actually use.
  • Internal moves quietly pile on permissions; nothing gets removed.
  • Offboarding means scrambling across 30+ apps, hoping you didn't miss Salesforce, an HR portal, or an AI bot with production access.

Joiner-Mover-Leaver (JML) automation should end this mess. Done right, it shifts identity governance from quarterly fire drills to continuous, reliable control.

The JML lifecycle tracks how identities are created, changed, and removed as people join, move within, or leave an organization (openiam.com), and by 2026 that lifecycle covers contractors, bots, and AI agents, not just employees.

Security cares for good reason. Industry data shows identity and access management (IAM) misconfigurations cause a third of breaches, at an average cost of $4.9M. Over 80% of organizations report at least one breach linked to IAM errors (gitnux.org). A 2026 identity survey found that two-thirds of IT leaders see moderate to high workflow friction around JML processes, driven by inconsistent identity controls (delinea.com).

This guide is for:

  • IT and security leaders in SaaS-heavy companies (50-2,000 employees)
  • Lean IT teams (1-10 people) that have outgrown manual provisioning
  • Organizations facing real audits (SOC 2, ISO 27001, HIPAA, DORA) with no IAM department

We'll cover:

  • What matters most in JML automation
  • How legacy IGA, SCIM-only tools, and complete platforms compare
  • Unvarnished reviews of SailPoint, Entra ID Governance, Okta, and Iden
  • A direct comparison table and a practical decision framework for 2026

Quick recommendations (TL;DR)

If you want the bottom-line advice, start here:

  • Best for fast-growing, SaaS-heavy orgs with lean IT (50-2,000 employees): Iden
    Complete, universal identity governance (SCIM, API, or neither), fine-grained control, agentic workflows. Built for small teams.

  • Best for Microsoft-centric orgs: Microsoft Entra ID Governance
    Solid JML automation where Entra/M365 dominate, especially if your core is all Microsoft.

  • Best for Okta-first companies: Okta Lifecycle Management + Okta Identity Governance
    Good JML automation for SCIM/Okta-provisioned apps when Okta is your main identity layer.

  • Best for giant, highly regulated enterprises: SailPoint Identity Security Cloud / IdentityIQ
    Deep, extensible IGA with mature JML. Heavyweight to implement; needs real IAM staff.

  • Best interim solution for small teams: DIY (HRIS + SSO + scripts/workflows)
    A practical stopgap if your stack is small and audit needs are light. Quick to build, but will not scale.

Details on each below.

What to look for in a Joiner-Mover-Leaver automation solution

Don't get distracted by surface features. The real JML failures happen because people evaluate tools on one metric ("does it have SCIM?") instead of the requirements that matter.

1. Coverage: does it reach your actual stack?

The important question isn't "does it support SCIM?" It's:

How much of our real app estate can this solution automate?

Check:

  • SCIM vs non-SCIM: Can it automate apps without SCIM or robust APIs? (Notion, Figma, custom tools, legacy systems, OT/ICS, provider portals)
  • On-prem and legacy: AD-joined servers, old business systems
  • New species of identities: Bots, AI agents, service accounts

Most SSO-focused tools only automate about 20% of your apps, leaving 80% manual. Without closing that gap, you're buying partial relief, not real automation.

2. Depth: how fine-grained is the control?

JML isn't just about creating and deleting accounts. The real pain is in movers, where access has to be right-sized:

  • Channel-level in Slack/Teams
  • Repo-level in GitHub/GitLab
  • Project-level in Jira, Asana, or internal systems
  • Environment-level in cloud and OT/ICS systems

Ask:

  • Can it manage access down to channel/repo/project?
  • Does it enforce least-privilege and SoD during moves?
  • Is it easy to codify policy for birthright, time-bound, and exception access?

3. Automation and agentic workflows

Static rules and quarterly reviews can't compete with continuous attacks.

Look for:

  • Policy-driven JML tied to HRIS/directory events
  • Event-driven movers that recalculate access on department, manager, or project changes
  • Automated reviews that flag anomalies, not just send spreadsheets
  • Agentic workflows (AI-driven, autonomous):
    • Auto-approve low-risk requests via policy
    • Escalate outlier or risky patterns
    • Package audit evidence continuously
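As an added illustration of the fine-grained mover re-evaluation (section 2) and the policy-driven, event-triggered recalculation with SoD enforcement (section 3), here is a small policy engine; it is example code, not Iden's or any vendor's product, and the departments, apps, entitlement names, and record shapes are constructed. On every HRIS event it converges an identity to its birthright set plus unexpired exceptions, refuses to grant when the target state violates an SoD pair, and writes a hash-chained audit line.

```python
import hashlib
import json

# Birthright policy: department -> set of (app, scope) entitlements. Constructed sample.
BIRTHRIGHT = {
    "engineering": {("github", "repo:platform"), ("slack", "#eng"), ("jira", "PLAT")},
    "finance": {("netsuite", "role:ap-clerk"), ("slack", "#finance")},
}
# Separation-of-duties rule: no identity may hold both entitlements in a pair.
SOD_PAIRS = [frozenset({("netsuite", "role:ap-clerk"), ("netsuite", "role:approver")})]


def recalculate(identity, event):
    """Return (grant, revoke, sod_hits) for a joiner/mover/leaver HRIS event.

    identity: {"entitlements": set of (app, scope), "exceptions": [...]} (hypothetical shape)
    event:    {"type": "joiner"|"mover"|"leaver", "department": str, "ts": int}
    """
    current = set(identity["entitlements"])
    desired = set()  # leavers converge to zero access
    if event["type"] != "leaver":
        desired = set(BIRTHRIGHT.get(event["department"], ()))
        # Time-bound exceptions survive a move only until they expire.
        for exc in identity.get("exceptions", []):
            if exc["expires_at"] > event["ts"]:
                desired.add(tuple(exc["entitlement"]))
    # SoD is evaluated on the target state, before anything is granted.
    sod_hits = [tuple(sorted(p)) for p in SOD_PAIRS if p <= desired]
    if sod_hits:
        # Fail closed: revocations still apply (they only reduce risk); grants are held.
        return set(), current - desired, sod_hits
    return desired - current, current - desired, sod_hits


def audit_record(prev_hash, identity_id, event, grant, revoke):
    """Append-only audit line; each record hashes its predecessor (tamper-evident chain)."""
    body = {"identity": identity_id, "event": event["type"], "ts": event["ts"],
            "grant": sorted(grant), "revoke": sorted(revoke), "prev": prev_hash}
    payload = json.dumps(body, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest(), payload


if __name__ == "__main__":
    # Constructed mover: an engineer moving to finance whose repo exception has expired.
    alice = {"entitlements": {("github", "repo:platform"), ("slack", "#eng")},
             "exceptions": [{"entitlement": ["github", "repo:platform"], "expires_at": 100}]}
    event = {"type": "mover", "department": "finance", "ts": 200}
    grant, revoke, hits = recalculate(alice, event)
    print("grant:", sorted(grant), "revoke:", sorted(revoke), "sod:", hits)
    print(audit_record("0" * 64, "alice", event, grant, revoke))
```

The mover case is the one the page calls out: the old department's entitlements are revoked rather than left to accumulate, and a leaver event yields an empty grant set and a full revocation list regardless of exceptions.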

4. Governance, audit, and compliance

Auditors will ask:

  • Who had access, when, and why?
  • Who approved it?
  • What changed as people changed roles or left?

Critical features:

  • Immutable audit logs for every identity event
  • Policy-backed approvals, not just "VP said so"
  • Continuous reviews that actually remove unused access
  • SoD modeling for risk combos

5. Time-to-value and upkeep

A JML project that takes 12-18 months is a relic by go-live. Your org will already have reorged twice.

Assess:

  • Time to go live for your first set of apps
  • How much admin time it takes
  • How tough it is to add new apps and identities later

Iden's benchmarks: 24-hour deployments, 47 minutes to first automation, 175+ apps. Use those as sanity checks.

6. Cost, SCIM tax, and total cost of ownership

Don't just compare license prices. Also include:

  • Forced enterprise upgrades just for SCIM ("SCIM tax")
  • Professional services/integration work
  • Internal FTEs to maintain the platform
  • Zombie licenses and overprovisioned access never cleaned up

Iden data: customers can cut up to 30% SaaS spend through automated license reclamation and avoiding SCIM-only upgrades. Legacy solutions may seem cheap on paper but balloon with services and internal staffing.

Option 1: SailPoint (legacy enterprise IGA: robust, but heavy)

SailPoint (IdentityIQ on-prem and Identity Security Cloud SaaS) is the classic enterprise IGA.

What it offers

  • Pre-built lifecycle events for JML, powered by workflow engines to drive provisioning/deprovisioning across connected systems (documentation.sailpoint.com)
  • Wide connector catalog (SaaS, on-prem, and enterprise)
  • Strong SoD controls and certifications for regulated industries

It's powerful, if you have the resources to wrangle it.

Pros

  • Deep, extensible governance for complex, global estates
  • Solid for highly regulated industries
  • Mature certification and policy frameworks

Cons

  • Heavy, months-long implementations (often need consultants)
  • Requires steady IAM expertise/admin time
  • High licensing and support costs for midmarket
  • Long-tail SaaS/non-API apps often still require custom work

Best for

  • 10,000+ employee orgs
  • Places with entrenched SailPoint/IAM teams
  • JML as a piece of a broader IGA program

Pricing snapshot

  • Model: Quote-based, enterprise subscription
  • Extras: Professional services/integrators are standard
  • TCO: Great for massive orgs, overkill for 50-2,000 employees

Option 2: Microsoft Entra ID Governance (For the Microsoft-first world)

If you're deep in Microsoft 365 and Entra ID, start here.

What it offers

  • Lifecycle Workflows directly model JML: creating accounts, managing group memberships, and cleaning up access when someone leaves (learn.microsoft.com)
  • Tight links to Entra ID, M365, and HRIS sources
  • Policy-driven flows triggered by HR or directory changes

Pros

  • Logical fit if Entra ID is your main directory/SSO
  • Strong on Microsoft workloads (Teams, SharePoint, Azure)
  • Native audit, reporting, conditional access integration

Cons

  • Non-Microsoft apps depend on SCIM/custom integrations
  • Long-tail SaaS, OT/ICS, custom tools often manual or script-only
  • Licensing is convoluted (varies by plan/region)

Best for

  • Microsoft-centric orgs with modest SaaS outside M365
  • Teams already invested in Entra features

Pricing snapshot

  • Lifecycle Workflows need Entra ID Governance/Suite licenses for covered users (learn.microsoft.com)
  • Bought as Entra add-ons; per-user rates vary

Option 3: Okta Lifecycle Management + Okta Identity Governance

For Okta-centered orgs, this is the logical extension.

What it offers

  • Lifecycle automation for JML, triggered by HR/directory events, drives provisioning/deprovisioning via Okta Workflows (okta.com)
  • Workflow builder for complex logic/custom API calls
  • Governance adds access requests, certifications, policy-driven assignments

Pros

  • Strong automation for apps in Okta Integration Network (with SCIM/provisioning)
  • Tight fit if already on Okta SSO/MFA
  • Flexible low-code workflows

Cons

  • Still focused on SCIM-enabled apps; others need custom work or remain manual (reddit.com)
  • Separate SKUs for LCM, Identity Governance, and Workflows, all at different prices
  • Small teams may find Workflows a maintenance burden

Best for

  • Orgs already on Okta
  • Teams with dev/admins comfortable building flows/connectors

Pricing snapshot

Option 4: DIY JML (HRIS + SSO + scripts/workflow tools)

Many lean teams roll their own:

  • HRIS (Workday, BambooHR, Personio, etc.) as the source of truth
  • SSO (Okta, Entra) for SCIM/provisioned apps
  • Power Automate, Zapier, scripts for "the rest"

This works for:

  • Small orgs (<20 apps)
  • Minimal compliance
  • Enthusiastic engineers ready to maintain it

But beyond 50-60 apps and real audits, DIY hits these walls:

  • Fragile one-off automations reliant on tribal knowledge
  • No single view across identities, roles, entitlements
  • Manual review/evidence hunts every quarter

Pros

  • Lowest upfront cost
  • Max flexibility for edge cases
  • Good experimentation lab before buying real IGA

Cons

  • High operational risk: scripts break, owners leave
  • No clear way to govern bots/AI agents
  • Painful compliance and evidence collection

Best for

  • Early-stage teams (<50 people, light audit pressure)
  • Technical teams happy building/owning everything

Pricing snapshot

  • Mainly internal time
  • Real TCO: outages, offboarding gaps, audit scrambles

Option 5: Iden (complete JML automation for the whole stack)

What about the 80% of your stack outside the SCIM bubble?

Iden delivers complete identity governance for 50-2,000-employee, SaaS-native orgs with lean IT.

What it offers

  1. Coverage
    Iden connects to any app (SCIM, API, or neither) using universal connectors. 175+ apps out of the box; 48-hour custom connector delivery for new ones.
  2. Fine-grained movers
    Goes beyond group shuffling:
    • Adjusts access at channel, repo, project levels
    • Re-evaluates on team, role, or location changes
    • Applies SoD rules before access is granted
  3. Agentic workflows & zero upkeep
    • Policy-driven, AI-native orchestration
    • Automated provision/deprovision everywhere
    • Continuous compliance, license cleanup, audit evidence

Reference numbers: customers typically see 80% fewer manual access tickets, save 120 hours/quarter on reviews, and cut up to 30% SaaS spend by reclaiming licenses and skipping SCIM-only upgrades.

Pros

  • Universal coverage: reaches the 80% of apps left manual elsewhere
  • Fine-grained control: channel, repo, project, module permissions, not just groups
  • Fast deployment: live usually within 24 hours, often running automations in under an hour
  • No SCIM tax: standard app plans, no forced enterprise upgrades
  • Built for lean IT: 1-10 person teams; no IAM admin needed
  • Unified view: all identities, human and non-human; bank-grade security, immutable logs

Cons

  • Newer than legacy giants; rare connectors may need a short build cycle (typically within 48 hours)
  • Overkill for <50 employees, <10 apps, no audit pressure

Best for

  • 50-2,000-employee, SaaS-centric orgs, globally distributed
  • Lean IT swamped by access tickets and offboarding risk
  • Companies facing (or scaling) real audits, without an IAM team

Pricing snapshot

  • "Modern IGA, live in days, ~$5/user/month, no pro services needed" for the target segment
  • No SCIM-only upgrades required; TCO benefit is ticket reduction and SaaS waste elimination

Comparison table: JML automation options in 2026

High-level only; validate in your own environment.

  • Iden
    • Stack coverage: Universal (SCIM/API/none; 175+ apps)
    • Granularity: Fine-grained (channel/repo/project/module)
    • Deployment effort: ~24 hours; self-serve
    • Ideal org size: 50-2,000, SaaS-heavy
    • JML strength: Strong on joiner/mover/leaver, incl. non-human
    • Pricing / TCO: ~$5/user/mo; no SCIM tax; low services

  • Microsoft Entra ID Governance
    • Stack coverage: Strong M365; ok for covered SaaS; weak for others
    • Granularity: Group/role, finer if app supports
    • Deployment effort: Project rollout; complex for big tenants
    • Ideal org size: 500+, Microsoft-first
    • JML strength: Strong JML for MS workloads
    • Pricing / TCO: Add-on Entra licenses; TCO shines if all-Microsoft

  • Okta LCM + OIG
    • Stack coverage: SCIM/OIN strong; limited otherwise
    • Granularity: Group/role, finer if API
    • Deployment effort: Base rollout + ongoing workflows
    • Ideal org size: 500-10,000, Okta-first
    • JML strength: Strong JML where covered
    • Pricing / TCO: ~$9-11/user/mo + SKUs; TCO rises with complexity

  • SailPoint (ISC/IQ)
    • Stack coverage: Broad (SaaS/on-prem); custom for old/legacy
    • Granularity: Very granular, rich SoD
    • Deployment effort: 6+ months; consultant/IAM staff
    • Ideal org size: 10,000+, regulated
    • JML strength: Very strong if fully built
    • Pricing / TCO: High license + pro services + FTE

  • DIY (HRIS+SSO+scripts)
    • Stack coverage: What you build; often patchy
    • Granularity: Depends on code/flows
    • Deployment effort: Ongoing eng/support
    • Ideal org size: Early stage / few apps
    • JML strength: Patchy; onboarding ok, movers/leavers weak
    • Pricing / TCO: Low license, high hidden cost

How to choose: a practical decision framework

1. Company size and IT capacity

  • <200 people, <20 apps, light compliance:
    DIY (HRIS+SSO+workflows) is workable, briefly. Document everything. Don't expect to scale.
  • 200-2,000 people, 40-150 apps, lean IT:
    This is where SCIM-only tools fall apart. Complete platforms like Iden save you from endless point-tool glue.
  • >5,000 people, heavy legacy/on-prem, IAM team:
    SailPoint or similar may fit, often plus a connector tool for better coverage.

2. App landscape

  • Microsoft-first, few SaaS:
    Entra ID Governance is a good native option.
  • Okta-first, SCIM-friendly SaaS:
    Okta LCM + OIG fits naturally.
  • SaaS-heavy, lots of "rogue" apps, OT/ICS, portals:
    You need universal coverage. That's Iden's lane.

3. Compliance needs

  • SOC 2 / ISO 27001 / HIPAA / DORA coming:
    Prioritize:

    • Immutable logs
    • Continuous reviews
    • SoD modeling
    • Clean evidence exports
  • No audits yet:
    Don't over-optimize for certifications, but avoid architectures doomed at first audit.

4. JML pain points

Ask your team:

  • Where are delays worst: joiners, movers, or leavers?
  • Where did real-world failures happen?

Patterns:

  • Joiners: Optimize for tight HRIS sync, birthright access, fast onboarding.
  • Movers: You need event-driven, fine-grained re-evaluation, beyond groups.
  • Leavers: Universal deprovision, license clean-up, catch zombie accounts.

Iden is optimized for all three but stands out where movers/leavers are the real pain.

Our 2026 recommendation

If you're a growing, SaaS-heavy company (50-2,000 employees) running lean IT, your challenge isn't "no SCIM." It's:

  • 60-80% of your stack is manual
  • Movers accumulate permissions; nobody reviews
  • Offboarding means hope-and-pray

A truly complete, AI-native platform with universal coverage and fine-grained control is now the pragmatic answer. That's Iden: closing the 80% gap, managing every joiner, mover, and leaver, including forgotten and long-tail apps, without extra hires or SCIM ransom.

If your entire world is Entra or Okta and your SaaS stack is modern and SCIM-friendly, their JML tools may be enough for now. Just audit what's left manual, and know how you'll answer the next "who had access, when, and why?" question.

Either way, by 2026 the bar is raised: JML must be continuous, stack-wide, and provable. Spreadsheets are over.

FAQ

What exactly is Joiner-Mover-Leaver (JML) automation?

JML automation controls everything for an identity that joins, moves, or leaves:

  • Creating accounts and "birthright" access on day one
  • Adjusting access as roles or departments change
  • Revoking entitlements, reclaiming licenses, deprovisioning on exit

Executed properly, it covers every identity, human and non-human, across all your apps (not just SCIM ones).

Isn't this just SSO provisioning?

No. SSO provisioning typically:

  • Only works for SCIM-enabled apps
  • Is group-/role-focused
  • Misses bots, long-tail, and internal tools

JML automation ties in HR, triggers on moves, covers all apps, and delivers end-to-end governance.

How long to implement proper JML automation?

It depends:

  • Legacy IGA (SailPoint): Months plus consulting
  • Entra/Okta: Weeks to months to go live broadly
  • Iden: About 24 hours to deploy and under one hour to first automation for typical customers

The more universal your connectors, the faster to value.

What about contractors, bots, and AI agents?

These "new species of identities" are now first-class:

  • Contractors/vendors often outside HRIS
  • Bots and AI run critical processes

Look for solutions that treat non-humans as equals, apply policy-driven JML flows, and offer real-time oversight (delinea.com).

Isn't automating 20-30% of apps "good enough"?

Automating the easy 20-30% reduces some work, but most friction (and audit risk) is in the other 70-80%: long-tail SaaS, legacy, OT/ICS, internal tools. That's where offboarding failures and audit disasters happen.

If your JML tool can't reach those, you're flying blind. That's not governance; it's theater.