IT & Identity | Updated 2026-04-30

Joiner, mover, leaver across every system

One trigger from the HRIS fans out to every identity, productivity, engineering, and security system, including license recovery on exit.

The single highest-volume IT ticket category

Identity requests are the highest-volume category in every IT helpdesk we have looked at. New hires waiting on Workspace plus Slack plus GitHub plus the rest. Movers stuck on stale group memberships from their last role. Leavers leaving accounts active across fourteen systems because nobody chased the long tail. The toil is real, the SLA pressure is real, and the security exposure on the leaver case is the part that turns into a board conversation when something gets compromised.

Documented cases show onboarding time falling from twelve days to four once provisioning is orchestrated across systems instead of handled sequentially by humans walking each ticket through. The agent is the orchestrator that closes that gap.

What a hire fans out to

One accepted offer in the HRIS triggers the fan-out. Workspace mailbox plus Drive plus group membership. Slack account plus the channel set the role lives in. GitHub seat plus team membership. Okta SCIM provisioning plus app assignments. Microsoft 365 Entra ID account plus Exchange plus Teams plus SharePoint. AWS IAM scoped user. 1Password or Bitwarden vault access. Notion workspace member. Linear seat. Figma editor. Plus the equipment shipping ticket, the W-4 with state-form lookup, and the direct-deposit micro-deposit verification through Plaid. All of it on one trigger, all of it inside thirty minutes from offer accept to ready-for-day-one.

What a termination fans out to in sixty seconds

The terminate call on the HR record fires the revocation queue. Each adapter returns a risk summary describing what the user touched recently. Anything suspicious gates on approval. Anything clean ships through. Workspace mailbox suspends with ownership transfer to the manager. Slack deactivates on Enterprise Grid. GitHub PATs and SSH keys revoke. Okta global token revocation receiver fires. Microsoft 365 sign-in disables and the mailbox handoff begins. AWS IAM keys deactivate and MFA detaches. 1Password drops the user from every shared vault. Bitwarden removes the user, whether cloud or self-hosted. Notion transfers page ownership. Linear reassigns open issues. Figma reclaims the editor seat. Fourteen systems in under a minute, with one audit log row per action.

Where the moats are

Two specific things make the JML implementation hard for the build-your-own-Slack-bot category to copy. The first is the per-adapter risk summary, which lets the platform gate on suspicious activity rather than blindly revoking and trusting the customer to handle the consequences. The second is the symmetric reactivation pipeline, which fires when a rehire happens and walks the same fourteen systems back. The orchestrator that does not hold the employment record cannot reactivate on rehire because it does not know who got rehired. The system of record plus orchestrator combined is the only architecture that closes both ends of the loop.

Frequently asked

How long does the full provision take?

Inside thirty minutes from offer accept to ready-for-day-one for the standard hire. The fan-out runs in parallel across systems rather than sequentially, which is the entire reason the timing fits inside one cup of coffee instead of twelve days.

How long does the full revoke take?

Under sixty seconds for the standard termination across fourteen connected systems. Each adapter returns its result to the SSE progress stream the manager watches in the dashboard.

What happens if a downstream system rejects the call?

The adapter retries on standard backoff, escalates to a human on the second failure, and writes the failure to the audit log either way. The other adapters in the fan-out are not blocked by one downstream failure.
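The leaver fan-out and the failure handling described above can be sketched as follows. This is an added example, not the product's own code: the adapter shape (a `risk` and a `revoke` callable), the function names, the outcome strings, and the sample adapters are all assumptions made for illustration.

```python
import time
from concurrent.futures import ThreadPoolExecutor

def flaky(failures):
    """Constructed stand-in for a downstream API that rejects its first N calls."""
    left = [failures]
    def revoke(user):
        if left[0] > 0:
            left[0] -= 1
            raise RuntimeError("downstream rejected call")
    return revoke

def revoke_one(system, adapter, user, approved, audit, backoff=0.01):
    """Risk gate, then revoke with one retry. Never raises, so peers are not blocked."""
    def log(outcome, **extra):
        audit.append({"system": system, "user": user, "outcome": outcome, **extra})
    risk = adapter["risk"](user)
    if risk["suspicious"] and system not in approved:
        log("held_for_approval", reason=risk["reason"])
        return "held_for_approval"
    for attempt in (1, 2):
        try:
            adapter["revoke"](user)
            log("revoked", attempt=attempt)
            return "revoked"
        except Exception as exc:
            log("failed", attempt=attempt, error=str(exc))  # failure is audited either way
            if attempt == 1:
                time.sleep(backoff)  # back off before the single retry
    log("escalated_to_human")  # second failure: hand off to a person
    return "escalated_to_human"

def terminate(user, adapters, approved=frozenset()):
    """Fan the leaver event out to all adapters in parallel; return results and audit rows."""
    audit = []
    with ThreadPoolExecutor(max_workers=len(adapters)) as pool:
        futures = {s: pool.submit(revoke_one, s, a, user, approved, audit)
                   for s, a in adapters.items()}
    return {s: f.result() for s, f in futures.items()}, audit

def sample_adapters():
    # Constructed sample adapters; real ones would call each vendor's API.
    clean = lambda user: {"suspicious": False, "reason": None}
    recent = lambda user: {"suspicious": True, "reason": "access key created recently"}
    return {
        "github": {"risk": clean, "revoke": flaky(0)},   # succeeds first time
        "okta":   {"risk": clean, "revoke": flaky(1)},   # fails once, retry succeeds
        "slack":  {"risk": clean, "revoke": flaky(2)},   # fails twice, escalates
        "aws":    {"risk": recent, "revoke": flaky(0)},  # suspicious, held for approval
    }
```

Calling `terminate("jdoe", sample_adapters())` returns the per-system outcome and the audit rows; passing `approved={"aws"}` releases the held revocation.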

Can we restrict the revoke list per role?

Yes. The revocation policy is tied to the role and the workflow template. Admins, contractors, and standard employees each get their own fan-out shape.
