
Automating Joiner, Mover & Leaver Workflows with Agentic Orchestration

Overview
Employee onboarding and offboarding should be seamless. However, most organizations still rely on tickets, manual handoffs, and slow approvals that introduce all sorts of risk.
IT and HR teams know these workflows should be automated, but the usual tools struggle to orchestrate access, software, and devices across systems. Teams are left with inconsistent onboarding, delayed new hire access, and lingering permissions for departing employees.
If that’s the reality you’re facing, we’ve got you covered. We’ll show how Resolve automates joiner, mover, and leaver workflows end to end. More specifically, we’ll cover provisioning access, applications, and devices for new hires, as well as promptly reclaiming assets and permissions for departures.
Join Resolve’s Global Director of Sales Engineering, Derek Pascarella, and Director of Product Marketing, Zack Austin, for a review of:
- How agentic orchestration replaces ticket-driven onboarding and offboarding
- What building end-to-end joiner, mover, and leaver orchestration looks like in practice
- How to prove the ROI of automating onboarding and offboarding for IT and HR teams
Watch the replay to see how IT teams are transforming employee experience with autonomous, policy-enforced workflows.
Key Takeaways
- Joiner/mover/leaver (JML) is a hidden risk when it runs on tickets, email, and human follow-through. Delayed onboarding leads to day-one “broad access so they can work,” mover changes leave old entitlements behind (hello, privilege creep), and offboarding delays can leave VPN/SaaS sessions active and out of sync. None of it is intentional; it’s just how manual workflows behave at scale.
- Lifecycle control works best when enforcement is tied directly to the HR event. Instead of “HR notifies IT → ticket → backlog → somebody eventually does it,” the HR event becomes the trigger that consistently kicks off the corresponding joiner, mover, or leaver process.
- Least privilege should be continuous, not a quarterly project. A strong JML approach evaluates entitlements when roles change, removes what’s no longer needed, and grants only what’s required for the new role.
- Orchestration turns JML from a “pile” into a coordinated, parallel workflow with audit evidence baked in. Multiple systems (IAM, SaaS, endpoints, security tools, reporting) execute in parallel under policy logic and with centralized logging. That means your workflow becomes deterministic and traceable from start to finish.
- JML isn’t just access; it’s also employee Q&A + policy execution. Employees ask policy questions and request actions. When knowledge is unified and governed, a virtual agent can answer from approved sources and trigger compliant workflows through the same orchestration engine.
FAQs
Q: Why do joiner/mover/leaver workflows become risky so fast, even when teams are trying their best?
A: Because manual processes depend on tickets, emails, and follow-ups. Those just don’t scale cleanly. Onboarding gets delayed so teams grant broad access “just for day one,” mover entitlements don’t always get removed, and offboarding steps (SaaS/VPN/device) can become out of sync. Over time, the exposure compounds and audit evidence often requires manual reconstruction.
Timestamp: 2:20–4:35
Q: What does “orchestrated enforcement” actually mean in joiner/mover/leaver (JML)?
A: It means that the HR event becomes the control point. Resolve ingests the HR event (API polling, file feed, etc.), normalizes it, applies conditional policy logic, and executes actions across multiple systems in parallel while centrally logging each step for auditability.
Timestamp: 19:00–20:11, 20:20–21:48
Q: We don’t have Workday/SuccessFactors. Can this still integrate with our legacy or homegrown HR setup?
A: Yes. The webinar calls out supporting modern HR platforms and legacy/homegrown sources using multiple integration options (APIs, webhooks, file feeds like CSV/SFTP batch exports). The key point is that the orchestration layer can ingest from many sources of truth, normalize events, and apply policy consistently regardless of system age.
Timestamp: 22:18–24:21, 42:55–43:55
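The normalize, policy, and audit steps described in the FAQs above, as an added sketch that is not Resolve's code or API. The feed field names, role names, and entitlement strings are constructed assumptions, and it only plans and logs changes rather than executing them against real systems.

```python
import csv, io, json

# Hypothetical role policy (constructed): role -> entitlements that role requires.
ROLE_POLICY = {
    "sales_rep": {"crm:user", "vpn:standard", "email"},
    "sales_manager": {"crm:user", "crm:reports", "vpn:standard", "email"},
}

def normalize(source, raw):
    """Map a source-specific HR record (assumed shapes) to one event shape."""
    if source == "webhook":   # assumed JSON payload from a modern HR platform
        d = json.loads(raw)
        return {"user": d["employeeId"], "type": d["eventType"].lower(),
                "role": d.get("newRole")}
    if source == "csv":       # assumed header + one row from a batch export
        row = next(csv.DictReader(io.StringIO(raw)))
        return {"user": row["emp_id"], "type": row["action"].lower(),
                "role": row["role"] or None}
    raise ValueError(f"unknown source: {source}")

def plan(event, current):
    """Return (grant, revoke) so the user ends with exactly the role's entitlements."""
    if event["type"] == "leaver":
        target = set()        # a leaver keeps nothing
    elif event["type"] in ("joiner", "mover") and event["role"] in ROLE_POLICY:
        target = ROLE_POLICY[event["role"]]
    else:
        # Fail closed: unknown event types or roles get no access changes.
        raise ValueError(f"no policy for event: {event}")
    return target - current, current - target

def handle(source, raw, current, audit):
    """Normalize one HR event, plan changes, and append one audit record per change."""
    event = normalize(source, raw)
    grant, revoke = plan(event, set(current))
    for action, items in (("revoke", revoke), ("grant", grant)):
        for ent in sorted(items):
            audit.append({"user": event["user"], "event": event["type"],
                          "action": action, "entitlement": ent})
    return grant, revoke
```

Because the plan is a set difference against the role's target entitlements, a mover loses anything left over from earlier roles, not only what the previous role's policy listed.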





