What is joiner, mover, leaver (JML)?
Joiner, mover, leaver is shorthand for the identity lifecycle: provisioning on hire (joiner), role and access sync during tenure (mover), and revocation on exit (leaver). The category is the single highest-volume IT ticket type in every organization we have looked at, and the one most amenable to agent-based automation.
Joiner
Account creation across every system the new hire needs. Group memberships per role. License assignments. MFA enrollment. Hardware provisioning. The work is sequential by tradition and parallel by architecture. Run it in parallel and it fits in thirty minutes.
Mover
Role change. Promotion. Transfer to a different team or business unit. Access requirements change. The mover case is where access creep happens, because the new groups get added but the old ones rarely get removed. The agent reconciles against the new role and removes the stale grants.
Leaver
Termination. Revocation across every system the user touched. Per-adapter risk summary on each call. Hash-chained audit log on every action. Sixty seconds end to end on the standard case.
Frequently asked
What is the difference between JML and SCIM?
SCIM is a protocol. JML is a process. SCIM is one of the implementation paths the JML process uses to talk to a downstream identity provider. The process is bigger than the protocol; the protocol is the wire format.