
Employee onboarding automation and offboarding automation: an IT-first joiner mover leaver framework

The fastest way to deprovision a departing employee across every app is automated deprovisioning triggered from HRIS: disable the IdP user, revoke SCIM entitlements, run API workflows for non-SSO apps, and export an access revocation log in one pass. Employee onboarding automation and offboarding automation should treat joiner mover leaver (JML) as one employee lifecycle automation program, not a hire checklist in Confluence. The IT-first framework below combines HRIS integration, Okta provisioning, and SCIM provisioning while covering apps that never supported SCIM.

JML workflows explained

JML workflows cover three lifecycle states:

  • Joiner: new hire or contractor. Account provisioning, baseline groups, hardware, day-one setup.

  • Mover: role, department, or manager change. Add new access, remove stale permissions, update approver chains.

  • Leaver: employment ends. Automated deprovisioning, asset return tasks, preserved audit records.


Security risk concentrates on leavers when HRIS updates lag or managers forget to file tickets. A complete program logs every grant and access revocation with approver, system, and timestamp.

Why IT should own the automation layer

HR owns employment decisions; IT owns how those decisions become technical reality.


HRIS is the trigger, not the execution engine. Workday, BambooHR, SuccessFactors, and Rippling supply hire date, title, department, and manager for workflow triggers.


IdP is the highway, not the destination. Okta provisioning and Entra group design provision many apps via SCIM. They do not automatically reach bespoke internal tools or apps with partial APIs.


Non-SSO apps are where automation breaks. Classify apps into SCIM, API workflow, or approval-gated manual tasks with SLAs so leavers are not "mostly done."


Zero-touch provisioning on day one sets the tone. Perplexity highlights Day 1 employee onboarding as a top use case, with Google Group creation, tool access, and new employee setup automated from Slack in the first week of pilot.

The IT-first JML framework

Joiner: zero-touch day-one setup

Trigger: new employee record in HRIS or approved pre-start request.


Workflow steps (example):

  1. Create or verify IdP user from HRIS fields.

  2. Assign baseline groups (email, chat, VPN, security training).

  3. Run hardware workflow if procurement ships separately.

  4. Notify manager with onboarding checklist link.

  5. Log each action for audit.


Mercor onboarded approximately 4,000 expert contractors in minutes for a defined program. Dana Stocking, Head of IT, describes "zero touch tickets" where Serval uses guidance and workflows to complete complex tasks without growing the team.


Employee experience: the new hire messages the Help Desk Agent in Slack for status tied to live workflow state.

Mover: access that tracks the org chart

Trigger: title, department, or manager change in HRIS.


Pair every access add with removal for high-risk systems or a dated revocation window. Together AI automates 95% of just-in-time access requests with automatic deprovisioning when windows end.
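A mover diff along these lines, as an added example that is not code from this page or from Serval. It reads the pairing rule as an assumption: stale high-risk entitlements are revoked at once, other stale ones get a dated deadline, and anything held outside both role baselines is flagged for review. All names (`planMover`, the roles, the 7-day window) are hypothetical.

```typescript
// Added example. Role baselines, entitlement names and the 7-day window are constructed.
interface Entitlement { system: string; group: string; highRisk: boolean }
interface MoverPlan {
  grant: string[];                                        // new role needs, user lacks
  revokeNow: string[];                                    // stale and high-risk
  revokeBy: { entitlement: string; deadline: string }[];  // stale, dated window
  review: string[];                                       // held outside any role baseline
}
const entKey = (e: Entitlement): string => `${e.system}:${e.group}`;

function planMover(held: Entitlement[], oldRole: Entitlement[], newRole: Entitlement[],
                   effective: Date, windowDays: number): MoverPlan {
  const heldKeys = new Set(held.map(entKey));
  const oldKeys = new Set(oldRole.map(entKey));
  const newKeys = new Set(newRole.map(entKey));
  // Stale = held today but not part of the new role's baseline.
  const stale = held.filter((e) => !newKeys.has(entKey(e)));
  const deadline = new Date(effective.getTime() + windowDays * 86400000).toISOString();
  return {
    grant: newRole.filter((e) => !heldKeys.has(entKey(e))).map(entKey),
    revokeNow: stale.filter((e) => e.highRisk).map(entKey),
    revokeBy: stale.filter((e) => !e.highRisk)
                   .map((e) => ({ entitlement: entKey(e), deadline })),
    // Explained by neither baseline: a one-off grant made outside the workflow.
    review: stale.filter((e) => !oldKeys.has(entKey(e))).map(entKey),
  };
}

// Constructed sample: a support engineer moving to sales engineering.
const ent = (system: string, group: string, highRisk = false): Entitlement =>
  ({ system, group, highRisk });
const supportRole = [ent("email", "all"), ent("zendesk", "agents"),
                     ent("slack", "support"), ent("prod-db", "readonly", true)];
const salesRole = [ent("email", "all"), ent("slack", "sales"), ent("salesforce", "users")];
const heldToday = [...supportRole, ent("billing-admin", "operators", true)];
const moverPlan = planMover(heldToday, supportRole, salesRole,
                            new Date("2025-03-03T00:00:00Z"), 7);
```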

Leaver: automated deprovisioning

Trigger: termination date in HRIS or approved People team request.

  1. Disable IdP user at configured time.

  2. Revoke SCIM-managed entitlements.

  3. Run API workflows for non-SSO apps.

  4. Create IT tasks for hardware return if required.

  5. Export audit log for security review.


Kyle Polley at Perplexity notes Serval helps practice least privilege by granting only necessary access for the necessary duration.

Handling non-SSO apps and SCIM gaps

| Tier | Provisioning method | Example |
| --- | --- | --- |
| A | IdP group → SCIM | Common SaaS with Okta |
| B | Direct API workflow | Custom apps, databases |
| C | Manual task with SLA | No API; assigned owner |


Serval provisions via SCIM, direct API, or reviewed TypeScript workflows the Automation Agent executes consistently. Tier C still automates ticket creation, ownership, and "offboarding complete" gates.
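The leaver steps and the A/B/C tiers above, combined into one run with an "offboarding complete" gate. This is an added example, not Serval's workflow code; the `Connector` stub, the app inventory, the action names and the approver address are hypothetical.

```typescript
// Added example. App names, owner, approver and the connector stub are constructed.
type Tier = "A" | "B" | "C";
interface App { name: string; tier: Tier; owner?: string; slaHours?: number }
interface AuditEntry {
  user: string; system: string; action: string; approver: string;
  timestamp: string; status: "done" | "failed" | "pending";
}
// Hypothetical connector: true when the downstream system confirms the change.
type Connector = (system: string, action: string, user: string) => boolean;

function runLeaver(user: string, approver: string, apps: App[],
                   call: Connector, now: Date): AuditEntry[] {
  const log: AuditEntry[] = [];
  const record = (system: string, action: string, status: AuditEntry["status"]): void => {
    log.push({ user, system, action, approver, timestamp: now.toISOString(), status });
  };
  const attempt = (system: string, action: string): void =>
    record(system, action, call(system, action, user) ? "done" : "failed");
  attempt("idp", "disable_user");                    // 1. disable the IdP user first
  const tiers: Tier[] = ["A", "B", "C"];
  for (const tier of tiers) {
    for (const app of apps.filter((a) => a.tier === tier)) {
      if (tier === "A") attempt(app.name, "scim_deactivate");   // 2. SCIM entitlements
      else if (tier === "B") attempt(app.name, "api_revoke");   // 3. non-SSO API workflow
      else {                                                    // 4. owned task with SLA
        const due = new Date(now.getTime() + (app.slaHours ?? 24) * 3600000).toISOString();
        record(app.name, `manual_task owner=${app.owner ?? "unassigned"} due=${due}`, "pending");
      }
    }
  }
  return log;                                        // 5. exportable audit log
}

// "Offboarding complete" gate: any failed or still-pending entry blocks completion.
function offboardingGate(log: AuditEntry[]): { complete: boolean; blocking: string[] } {
  const blocking = log.filter((e) => e.status !== "done").map((e) => `${e.system}:${e.status}`);
  return { complete: blocking.length === 0, blocking };
}

// Constructed inventory; the stub connector fails for one Tier B app.
const leaverApps: App[] = [
  { name: "chat", tier: "A" }, { name: "legacy-wiki", tier: "B" }, { name: "warehouse-db", tier: "B" },
  { name: "badge-system", tier: "C", owner: "facilities", slaHours: 8 },
];
const stubCall: Connector = (system) => system !== "legacy-wiki";
const leaverLog = runLeaver("avery", "people-ops@example.com", leaverApps,
                            stubCall, new Date("2025-03-03T17:00:00Z"));
const leaverGate = offboardingGate(leaverLog);
```

With this sample the gate stays closed on the failed `legacy-wiki` call and the open `badge-system` task, which is the "mostly done" state the tiering is meant to expose.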

HRIS and Okta integration without losing control

HRIS supplies truth about people. Use it for triggers and attributes, not as a duplicate employee database.


Okta or Entra supplies truth about identity. Avoid one-off group edits outside workflow.


Serval sits between request and execution. The Help Desk Agent captures intent; the Automation Agent runs provisioning and automated deprovisioning. Approvals from managers or security are workflow steps, not reasons to count the ticket as unautomated when IT never touched it.

Implementation roadmap

Week 1–2: Document joiner baseline. Connect HRIS and IdP. Run one joiner workflow in parallel with manual process.


Week 3–4: Add leaver revocation for Tier A apps. Measure time-to-disable vs policy.


Month 2: Mover diff logic for top role changes driving access creep.


Month 3: API workflows for top non-SSO apps by risk. Track automation rate for onboarding and offboarding types separately.
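One way to measure time-to-disable against policy from the audit log, including leavers who were never disabled at all. This is an added example, not code from this page or from Serval; the record shapes, users, timestamps and the 60-minute policy are constructed assumptions.

```typescript
// Added example. Record shapes, users, timestamps and the 60-minute policy are constructed.
interface Termination { user: string; terminatedAt: string }   // HRIS event
interface AuditEvent { user: string; system: string; action: string; timestamp: string }
interface Finding {
  user: string; lagMinutes: number | null;
  verdict: "ok" | "late" | "never_disabled";
}

function timeToDisable(terms: Termination[], events: AuditEvent[],
                       policyMinutes: number, asOf: Date): Finding[] {
  // Earliest IdP disable per user; revocations in other systems do not count.
  const firstDisable = new Map<string, number>();
  for (const e of events) {
    if (e.system !== "idp" || e.action !== "disable_user") continue;
    const t = Date.parse(e.timestamp);
    const prev = firstDisable.get(e.user);
    if (prev === undefined || t < prev) firstDisable.set(e.user, t);
  }
  return terms.map((term): Finding => {
    const end = Date.parse(term.terminatedAt);
    const disabled = firstDisable.get(term.user);
    if (disabled === undefined) {
      // No disable on record: a finding once the policy window has elapsed.
      const overdue = asOf.getTime() - end > policyMinutes * 60000;
      return { user: term.user, lagMinutes: null, verdict: overdue ? "never_disabled" : "ok" };
    }
    const lagMinutes = Math.round((disabled - end) / 60000);
    return { user: term.user, lagMinutes, verdict: lagMinutes > policyMinutes ? "late" : "ok" };
  });
}

// Constructed sample data.
const hrisTerminations: Termination[] = [
  { user: "avery", terminatedAt: "2025-03-03T17:00:00Z" },
  { user: "blake", terminatedAt: "2025-03-03T17:00:00Z" },
  { user: "casey", terminatedAt: "2025-03-01T17:00:00Z" },
];
const auditEvents: AuditEvent[] = [
  { user: "avery", system: "idp", action: "disable_user", timestamp: "2025-03-03T17:05:00Z" },
  { user: "blake", system: "crm", action: "api_revoke", timestamp: "2025-03-03T17:10:00Z" },
  { user: "blake", system: "idp", action: "disable_user", timestamp: "2025-03-04T09:30:00Z" },
];
const disableFindings = timeToDisable(hrisTerminations, auditEvents, 60,
                                      new Date("2025-03-05T00:00:00Z"));
```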


Mercor's Derek Shimozawa implemented a first workflow in a couple of hours and used it for triage automation within 24 hours. Perplexity completes over 50% of incoming requests automatically after switching to Serval.

Governance and metrics

Measure automation rate for JML request types, not deflection.


Review workflows quarterly with security. Version-controlled workflow code supports the same review process as application changes.


Align with HR on timing. Accurate termination timestamps and start dates prevent early access or a locked-out day one.


License reclamation: tie offboarding to SaaS seat removal where apps bill per user.

Choosing the right onboarding automation approach

| Capability | Checklist in Confluence | IdP lifecycle only | IT-first automation platform |
| --- | --- | --- | --- |
| HRIS-triggered joiner | Manual | Partial | Yes |
| Non-SSO revocation | Manual | Often missing | API workflows |
| Audit trail | Fragmented | IdP logs only | End-to-end request log |
| Employee self-service | Email IT | Limited | Help Desk Agent in Slack/Teams |
| Time to first workflow | N/A | Weeks | Hours |


Serval's Automation Agent builds onboarding and offboarding flows from plain language, publishes deterministic TypeScript, and connects to HRIS and Okta-native stacks.



Frequently asked questions

What are joiner mover leaver workflows?


JML workflows standardize creating, changing, and removing employee access across HRIS, IdP, and business applications with exportable audit evidence.

How do you achieve zero-touch provisioning on day-one setup?


Trigger workflows from HRIS hire events, provision IdP and baseline apps automatically, and give employees the Help Desk Agent in Slack for status. Perplexity automated new employee setup from Slack during its first pilot week.

How does offboarding automation revoke access?


Workflows disable the IdP user, remove SCIM entitlements, call APIs for non-SSO apps, and log each step. Serval executes automated deprovisioning on schedule rather than relying on ticket queues.

What if an application does not support SCIM?


Use direct API workflows or approval-gated manual tasks with enforced SLAs. Serval supports SCIM, API, and custom workflows so leavers are not excluded.

How do HRIS integration and Okta provisioning work together?


HRIS provides employment events and attributes; Okta provides identity and group-based account provisioning to integrated apps. An automation platform connects both with approvals and audit logs.

How long does employee onboarding automation take to implement?


Teams can ship a first workflow in hours and expand over weeks. Mercor and Perplexity case studies describe same-day or first-week value on high-volume patterns.
