The three-stage model for managing user access across the employee lifecycle. JML ensures access is correctly granted at joining, updated through role changes, and fully removed at departure.
What JML Means
Joiner Mover Leaver is the operational model that describes what IT and HR need to do at every significant change in an employee's relationship with the organization.
- Joiner: a new employee needs accounts, devices, and access provisioned before their start date.
- Mover: an employee changes role, team, or location, and their access set needs to update accordingly.
- Leaver: an employee departs, and every access point gets closed.
Simple in concept, complex in practice: every organization runs dozens of systems, each transition affects all of them simultaneously, and the changes need to happen consistently without manual intervention at each step.
The Joiner Process
A joiner event fires when HR creates a new employee record, typically one to two weeks before the start date. The process creates identity accounts, assigns role-based access, configures device enrollment, and sends the employee a welcome communication with login instructions. The IT team's job at this stage is designing and maintaining the automation, not executing it individually for each hire.
The Mover Process
Movers are the hardest part of JML. When someone moves from support to engineering, they need new access and should lose access that no longer applies. The challenge is that role transitions are often gradual: someone might move teams but temporarily retain access to a shared project, or take on additional responsibilities without a formal title change.
Mover workflows need to handle both clean transitions (a role change in the HRIS triggers a clean permission swap) and exception cases (request-based temporary access with a defined expiry). Privilege creep, permissions accumulating through movers who retain old access alongside new, is one of the most common compliance gaps auditors find.
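The mover handling described above, sketched as an added example (not part of the original page): a permission swap that keeps only time-bound exceptions, plus a check that flags privilege creep once an exception lapses. Role names, entitlement names and dates are constructed, and the function names are hypothetical.

```python
from datetime import date

# Constructed role baselines; role and entitlement names are hypothetical.
ROLE_ENTITLEMENTS = {
    "support": {"helpdesk:agent", "crm:read", "chat:member"},
    "engineering": {"git:write", "ci:deploy-staging", "chat:member"},
}

def active_exceptions(exceptions, today):
    """Entitlements covered by a temporary exception that has not expired.

    exceptions -- {entitlement: expiry date}; access is valid through the expiry day.
    """
    return {ent for ent, expiry in exceptions.items() if expiry >= today}

def plan_mover(current, new_role, exceptions, today):
    """Return (grant, revoke, retained) for a role change recorded in the HRIS."""
    target = ROLE_ENTITLEMENTS[new_role]
    active = active_exceptions(exceptions, today)
    grant = target - current                # new role needs it, user lacks it
    retained = (current & active) - target  # old access kept only via an exception
    revoke = current - target - active      # everything else no longer justified
    return grant, revoke, retained

def find_privilege_creep(current, role, exceptions, today):
    """Entitlements held that neither the role nor an unexpired exception justifies."""
    return current - ROLE_ENTITLEMENTS[role] - active_exceptions(exceptions, today)

def demo():
    # Constructed case: support agent with one ad hoc grant moves to engineering
    # and keeps CRM read access for a shared project until the end of July.
    current = ROLE_ENTITLEMENTS["support"] | {"wiki:edit"}
    exceptions = {"crm:read": date(2024, 7, 31)}
    grant, revoke, retained = plan_mover(
        current, "engineering", exceptions, date(2024, 7, 1))
    after_move = (current - revoke) | grant
    # Re-running the check after expiry surfaces the access that should now go.
    creep = find_privilege_creep(
        after_move, "engineering", exceptions, date(2024, 8, 1))
    return grant, revoke, retained, creep

if __name__ == "__main__":
    for label, ents in zip(("grant", "revoke", "retained", "creep"), demo()):
        print(f"{label}: {sorted(ents)}")
```

Running the creep check on a schedule, not only at the moment of the move, is what catches exceptions that expire later.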
The Leaver Process
Leaver workflows are the most time-sensitive. The process covers access revocation across all systems, device retrieval, data transfer (files, email, calendars), license reclamation, and documentation for audit purposes. The timing and extent of revocation depend on whether the departure is planned or immediate, and the JML framework needs to handle both clearly.
JML and Compliance
Auditors care deeply about JML. SOC 2, ISO 27001, and HIPAA all require that organizations demonstrate controlled access throughout the employee lifecycle. Access not revoked when it should have been is a finding. Access granted beyond what the role requires is a finding. A JML framework with documented automation and regular access reviews provides the audit-ready evidence for both.