Every identity, human or machine, affects an organization’s security posture. As people join, change roles, or leave — and as systems introduce new service accounts or AI agents — access must evolve in step. When it doesn’t, permissions accumulate, rules drift, and accounts linger long after they’re needed, expanding the attack surface in ways that traditional IAM tools can neither detect nor contain. And while such tools can support onboarding and offboarding, they weren’t built to govern the full lifecycle continuously or across identity types.

Managing that lifecycle requires governance that adapts to context, not static roles or periodic reviews. Opal was designed around that principle. Our Access Rules apply dynamic, attribute-enriched policies that automatically grant, update, and revoke entitlements as context changes while keeping the source(s) of each grant transparent. Built-in failsafes prevent bulk “SCIM-cidents” by pausing unexpected, high-impact changes. Our Risk Center, meanwhile, continuously analyzes IDP configurations, flags risky policies and other anomalies before they propagate, and guides remediation to help teams prevent access drift at scale.

Our recent releases extend this foundation from entitlement management to the account layer itself: provisioning users only when needed, updating access automatically as roles evolve, and deprovisioning accounts securely at offboarding. Joiners, movers, and leavers (JML) are arguably the clearest example of these workflows for human identities — and where most organizations begin when modernizing lifecycle governance.

Let’s take a closer look at how this works in Opal.

Joiner: Account Creation and Entitlement Governance

Provisioning new accounts is one of the biggest slowdowns in onboarding. Many organizations still rely on manual (or otherwise overly complex) steps to create accounts in downstream systems, which delays productivity and increases the risk of misconfigurations. 

In Opal, our User Account Provisioning automates this process by creating accounts only when access is needed. Admins or end users can trigger account creation in connected applications — either when a user is assigned access or when they request and are approved to receive it. No account exists until it’s required, and the right access is provisioned only after approval.

With User Account Provisioning, Opal ensures accounts are created only when access is approved and deprovisioned cleanly at offboarding — eliminating manual steps and reducing risk.

Once an account is created, Access Rules take over to assign entitlements dynamically and keep them current. This pairing eliminates both the manual provisioning burden and the risk of over-entitlement. The focus then shifts to keeping access accurate as responsibilities change.

Mover: Dynamic Access Adjustments with Guardrails

When employees change roles or departments, access must update immediately to reflect their new responsibilities — but most identity systems struggle to keep up. A single change in an IDP or HRIS can ripple unpredictably downstream, leaving old access behind and adding new permissions where they don’t belong. Over time, brittle IDP logic compounds the issue by creating redundant entitlements and orphaned accounts that increase lateral movement risk and complicate least-privilege enforcement.

Opal’s approach, however, keeps access current as people move. Our Access Rules recalculate entitlements in real-time as attributes change, always keeping the source of each grant – whether direct, through a group, and/or via a codified policy – transparent. That visibility enables teams to easily spot and resolve overlapping policies (such as when a legacy IDP group and an app-level admin role both grant permissions to the same system for the same user) and retire messy rules as governance is normalized.

The Inventory view shows all users with access to a resource, along with their access paths — helping teams trace overlapping grants and understand how access was inherited or assigned.

To prevent unintended bulk updates (or “SCIM-cidents”) from cascading downstream, Opal layers in guardrails that pause high-impact changes for review. These checkpoints ensure entitlement changes happen safely and intentionally, avoiding the chain reactions legacy group logic tends to cause.

Access Rules offers a failsafe functionality that, if enabled, automatically pauses any rule that would trigger a large or unexpected entitlement change, preventing high-impact updates until reviewed.

Our Risk Center reinforces this control loop by continuously monitoring identity configurations, surfacing policies or attributes that have drifted from intent. By tying those insights directly to Access Rules, the Risk Center helps teams correct misconfigurations before they spread — keeping governance precise without slowing day-to-day work. And when access does need to continue, employees can renew or re-request it directly in Opal or via Slack, enabling them to stay productive while least-privilege boundaries hold.

Leaver: Entitlement Revocation and Secure Deprovisioning

Offboarding is one of the highest-risk moments in the identity lifecycle. Accounts that aren’t fully deactivated can linger in connected systems, leaving orphaned access behind. These dormant identities are a common entry point for attackers — a risk underscored by incidents like the 2023 Snowflake breach.

Opal closes this gap by automating offboarding end to end. Our Access Rules revoke entitlements when someone leaves, and — through our User Account Deprovisioning — Opal now also disables the underlying accounts across systems like Okta, Google Workspace, Salesforce, Duo, PagerDuty, Snowflake, and others.

Deprovisioning can run automatically from an IDP/HRIS change or be started by an admin from Inventory or during an access review. Our Risk Center keeps the full process honest by flagging inactive or misaligned accounts that drift out of sync with upstream systems, so teams can close gaps before they become exposed.

Opal’s Risk Center automatically flags misconfigured or overprovisioned IDP rules — such as unused access from outdated groups — so teams can correct them and prevent privilege sprawl throughout the entire identity lifecycle.

Together, entitlement revocation, account deprovisioning, and continuous visibility eliminate orphaned access and shorten the window of risk during offboarding.

Closing

Most enterprises still operate with overgrown IDP rules and fragmented manual processes, leading to sprawling entitlements, orphaned accounts, and limited visibility into where risk accumulates.

Opal brings structure and intelligence to that sprawl. Our Access Rules enforce dynamic, context-aware governance; our Risk Center adds continuous analysis and anomaly detection; and lifecycle automation ensures that accounts are provisioned and deprovisioned securely.

Joiners, movers, and leavers are the most visible expression of these workflows because every organization manages them, but the same governance foundation extends to contractors, service accounts, and even AI agents — each with its own lifecycle requirements and controls. Together, they form a unified model for secure, least-privilege automation at scale.

Whether you’re migrating away from brittle IDP logic or modernizing lifecycle governance end-to-end, Opal provides the foundation to do it intelligently, continuously, and with confidence. If you’re not yet using Opal, get in touch with our team to see how we can help streamline lifecycle management for your environment.