Who owns identity in your organization?
When asked where IT access and provisioning sits, most organizations say with IT. If you're looking at provisioning strictly from a technical perspective, this makes sense. But to truly protect an organization from wayward data leakage, human resources should ultimately control the process.
Here's why. Disgruntled employees are the most dangerous, and likely, source of data leakage. When employees are let go, HR is usually among the first to know, and is almost certainly alerted before IT. So if the HR team is controlling provisioning, they can quickly, even preemptively, employ safeguards to ensure dismissed employees' access is immediately blocked.
Ideally, HR could do this without tinkering with complicated secure access or IT systems. This is crucial because the HR team's expertise typically doesn't include access control or identity management, so pushing them too far into the technical weeds could be inefficient and lead to additional support load. To make provisioning easy for HR, we suggest creating an enable/disable feature on IT identities that HR could simply switch on or off.
For organizations not yet equipped to do this, another solution is to name a liaison between HR and IT. This person would sit in HR but be tech-savvy enough to work with IT to ensure that proper provisioning and access control take place. Organizations that insist on having IT enable the provisioning process should, at the very least, give HR the authority to direct IT on provisioning instructions.
There are some truly visionary organizations that have integrated HR into the provisioning process. But unfortunately, most organizations are stretched so thin that provisioning falls to the back burner. This shouldn't be so. After all, proper provisioning can protect an organization's security and thwart costly, and often embarrassing, data leakage and breach scenarios.