The three stages of JML
The joiner stage covers everything a new hire needs on day one: an account in the directory, email, group memberships, and access to the applications their role requires. The trigger is typically a record created in the HR system, which flows into the identity platform and drives automated provisioning.
The mover stage handles role changes. When someone transfers from finance to sales, they need new access — but just as importantly, their old access must be removed. Movers are the hardest stage to get right, because adding access is visible and urgent while removing it is neither.
The leaver stage revokes everything: disabling accounts, terminating sessions, revoking tokens and certificates, and transferring ownership of resources such as mailboxes and files. Speed matters here; leaver deprovisioning should happen within hours, not weeks.
Why JML matters
A slow joiner process costs productivity — new hires waiting days for access. A weak mover process causes privilege creep, where long-tenured employees accumulate access from every role they have ever held. A broken leaver process is a direct security exposure: active accounts belonging to people who no longer work for the organization are a well-documented entry point for both attackers and disgruntled former employees.
Auditors focus on JML heavily. SOC 2 and ISO 27001 assessments routinely sample recent leavers and check how quickly their access was removed, and sample joiners to verify access was approved before it was granted.
Good JML also underpins everything else in identity governance: access reviews and SoD checks are only meaningful when the underlying account data reflects reality.
Automating JML in practice
Automation starts by making HR the authoritative source of truth. When hire, transfer, and termination events flow automatically from the HR system into the identity platform, provisioning and deprovisioning follow without tickets or manual steps for the standard cases.
Role- or attribute-based access models make the automation predictable: a person's department, title, and location determine a baseline set of birthright access, with anything beyond it going through a request-and-approval workflow. For movers, a common pattern grants new access immediately while old access expires after a short, defined grace period.
Monosign supports this with lifecycle workflows that automate joiner, mover, and leaver events across connected applications.