At 50,000 employees, a user lifecycle management stack built on PowerShell scripts, ARS, AD Manager, and SCORCH isn't a temporary solution that got out of hand — it's a real operational architecture that worked long enough to become load-bearing. The problem isn't that it doesn't work. The problem is that it's expensive to maintain, breaks when any upstream system changes, and has no path to integration with ServiceNow as the new IT request hub.
The category you're looking for is an IGA (Identity Governance and Administration) platform, and at 50,000 employees the evaluation criteria are different from mid-market. The question isn't whether the platform has the features — most enterprise IGA platforms do. The question is implementation overhead, ongoing maintenance ownership, ServiceNow integration depth, and how the platform handles the on-prem AD footprint that AD Manager currently serves.
Why the Script Stack Persists at Enterprise Scale
Every product option on the market still pushes development debt to the customer. AD Manager breaks when a schema changes. PowerShell scripts break when Microsoft updates a module. Any commercial IGA platform requires configuration maintenance when it updates, when connected applications change their APIs, or when a new role or department needs to be added to the provisioning logic. The question isn't whether you'll have maintenance burden — it's where that burden sits and who's responsible for it when things break.
At 50,000 employees, this isn't theoretical. The customizations and edge-case handling that get built into a homegrown script stack over years are exactly what require the most ongoing attention when you migrate to a commercial platform. The most realistic expectation is that a commercial IGA platform reduces the maintenance surface significantly, not that it eliminates it.
The practical advantage of a modern IGA platform over the current stack isn't zero maintenance — it's maintained connectors (the vendor updates them when Microsoft or Salesforce or Workday changes their API, not you), no-code playbook configuration instead of PowerShell scripting, and an audit trail that exists natively rather than requiring you to build logging infrastructure.
ServiceNow as the User-Facing Layer
The requirement that all IT requests flow through ServiceNow creates a specific integration architecture question: does the IGA platform sit behind ServiceNow, or in front of it?
The right answer for most enterprise environments is behind it. ServiceNow remains the user-facing request portal — employees submit new hire requests, access requests, and role change requests through SNOW as they do today. The IGA platform receives those requests via API integration, executes the provisioning logic (create the AD account, assign the licenses, add to the correct groups), and updates the ServiceNow ticket with completion status. The sysadmin team sees the same SNOW workflow. The execution is no longer manual.
Zluri integrates with ServiceNow specifically for this pattern: a ticket created in SNOW triggers a Zluri Onboarding Playbook with the relevant data passed as variables, the playbook executes the backend provisioning, and the SNOW ticket is updated when the work is complete. The audit trail spans both systems — the ticket exists in SNOW for the user-facing record, and the provisioning actions are logged in Zluri for the identity governance record.
For a 50,000-person organization that has standardized on SNOW for IT requests, this integration depth is a non-negotiable evaluation criterion. Any IGA platform being evaluated should be demoed against your actual ServiceNow instance and your actual provisioning workflows, not a generic demo environment.
Replacing AD Manager for On-Premises Active Directory
At enterprise scale, the on-premises AD footprint is typically too large and too embedded to migrate away from quickly. AD Manager is doing something specific — managing on-prem AD structure, users, and groups — and whatever replaces it needs to do the same thing without requiring firewall changes or architectural disruption.
Zluri's Directory Agent is a lightweight Docker container deployed within your network that connects to on-prem AD via LDAP/LDAPS using an outbound-only connection. No inbound firewall ports required. The agent handles user discovery, group membership, and write operations against AD as part of the same playbooks that provision cloud applications. The provisioning workflow creates the on-prem AD account and assigns cloud licenses in the same automated run rather than requiring separate tools for each.
For a hybrid environment at 50,000+ employees, the specific capability to verify is: how does the platform handle group writeback between cloud and on-prem? What's the sync latency? How does it handle the organizational unit structure in your AD? These are the questions that determine whether the agent-based approach actually replaces AD Manager's current role or just adds another layer alongside it.
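The writeback and latency questions above are easiest to answer with a reconciliation check run during the evaluation: take the membership the cloud IGA side says it wrote, take an export of the same groups from on-prem AD, and compare. The script below is an added example, not Zluri's or any vendor's code. It works on two constructed snapshots (the group DNs, member names and timestamps are made up), reports per-group drift, measures the write-to-observed latency for groups that are in sync, and flags groups whose change has been pending longer than a threshold or whose DN is absent from AD entirely (the OU-structure mismatch case). In a real run the AD side would be populated from an LDAP export, with `changed_at` taken from the group's `whenChanged` attribute.

```python
"""Group writeback reconciliation between a cloud IGA platform and on-prem AD.

Added example with constructed data; not any vendor's code.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class GroupState:
    members: Set[str]
    changed_at: datetime   # cloud side: when IGA last wrote the membership
                           # AD side: the group's whenChanged attribute


@dataclass
class DriftReport:
    group_dn: str
    missing_in_ad: Set[str]        # cloud says member, AD does not
    extra_in_ad: Set[str]          # AD has a member the cloud side does not
    latency_s: Optional[float]     # write -> observed in AD, only when in sync
    pending_s: Optional[float]     # how long an unapplied change has waited
    absent_in_ad: bool = False     # DN not found at all (OU mismatch, etc.)

    @property
    def in_sync(self) -> bool:
        return not (self.missing_in_ad or self.extra_in_ad or self.absent_in_ad)


def reconcile(cloud: Dict[str, GroupState], ad: Dict[str, GroupState],
              now: datetime) -> Dict[str, DriftReport]:
    """Compare desired (cloud) membership against observed (AD) membership."""
    reports: Dict[str, DriftReport] = {}
    for dn, want in cloud.items():
        have = ad.get(dn)
        waited = (now - want.changed_at).total_seconds()
        if have is None:
            reports[dn] = DriftReport(dn, set(want.members), set(), None,
                                      waited, absent_in_ad=True)
            continue
        missing = want.members - have.members
        extra = have.members - want.members
        if missing or extra:
            reports[dn] = DriftReport(dn, missing, extra, None, waited)
        else:
            # AD applied the change; latency is the gap between the two stamps.
            latency = max(0.0, (have.changed_at - want.changed_at).total_seconds())
            reports[dn] = DriftReport(dn, set(), set(), latency, None)
    return reports


def breaches(reports: Dict[str, DriftReport], max_pending_s: float) -> List[str]:
    """Group DNs whose change is still unapplied after max_pending_s seconds."""
    return sorted(dn for dn, r in reports.items()
                  if r.pending_s is not None and r.pending_s > max_pending_s)


# Constructed snapshots. Finance applied in 45 s; Engineering is missing a
# member 15 minutes after the write; Sales exists in the cloud model only.
NOW = datetime(2024, 5, 1, 9, 20, 0)
CLOUD = {
    "CN=Finance-Users,OU=Groups,DC=corp,DC=example": GroupState(
        {"jdoe", "asmith", "bwong"}, datetime(2024, 5, 1, 9, 0, 0)),
    "CN=Eng-Users,OU=Groups,DC=corp,DC=example": GroupState(
        {"cchen", "dlee"}, datetime(2024, 5, 1, 9, 5, 0)),
    "CN=Sales-Users,OU=Sales,DC=corp,DC=example": GroupState(
        {"efox"}, datetime(2024, 5, 1, 9, 10, 0)),
}
AD = {
    "CN=Finance-Users,OU=Groups,DC=corp,DC=example": GroupState(
        {"jdoe", "asmith", "bwong"}, datetime(2024, 5, 1, 9, 0, 45)),
    "CN=Eng-Users,OU=Groups,DC=corp,DC=example": GroupState(
        {"dlee"}, datetime(2024, 5, 1, 8, 50, 0)),
}

if __name__ == "__main__":
    for dn, r in reconcile(CLOUD, AD, NOW).items():
        state = "in sync" if r.in_sync else "DRIFT"
        print(f"{dn}: {state} latency={r.latency_s} pending={r.pending_s} "
              f"missing={sorted(r.missing_in_ad)} absent={r.absent_in_ad}")
    print("breaching 5-minute threshold:", breaches(reconcile(CLOUD, AD, NOW), 300))
```

Run it against the evaluation tenant at intervals after a bulk membership change and the `pending_s` values show you the real sync latency rather than the figure on the datasheet.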
JML Automation at Enterprise Scale
The Joiner-Mover-Leaver lifecycle at 50,000 employees has more edge cases than the standard onboarding flow covers. The platform needs to handle the 80% case cleanly and have a clear path for the exceptions.
Joiners at this scale typically start with an HRMS event — a new record in Workday or SuccessFactors — rather than a manual SNOW request. The IGA platform should be capable of both: HRMS-triggered provisioning for standard hires, and SNOW-triggered provisioning for the exceptions (contractors, temporary workers, emergency access). Both paths should produce the same provisioning result with the same audit trail.
Movers are the hardest to get right because they require simultaneous deprovisioning of old role access and provisioning of new role access. The failure mode is deprovisioning without provisioning — the employee loses their old access before the new access is ready, creating a productivity gap on transition day. The platform's mover workflow handling and the speed of execution both matter here.
Leavers at 50,000 employees will include immediate terminations (security incidents, involuntary departures) where the window between termination and access revocation needs to be minutes, not hours. Verify the platform's revocation latency from the HR termination event to actual account disablement and session revocation, particularly for the applications beyond AD that are currently outside the script stack's scope.
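The ServiceNow pattern described earlier (ticket data passed into a playbook, ticket updated on completion) and the three JML rules above can be expressed as one small executor, shown below as an added example that is not Zluri's or any vendor's code. It normalizes a constructed HRMS event and a constructed ServiceNow request (the field names `worker_id`, `job_profile`, `request_type` and so on are assumed, not any product's schema) into one event type, so both triggers run the same playbook and produce the same audit record shape. The mover branch grants every new entitlement before revoking anything and never touches entitlements the two roles share, which is the ordering that avoids the transition-day gap; the leaver branch disables the account and kills sessions first and reports the latency from the HR event to that step. The `Directory` class stands in for AD and the cloud apps a real playbook would reach through connectors.

```python
"""Single JML playbook fed by either an HRMS event or a ServiceNow ticket.

Added example with constructed data and assumed field names; not a vendor's code.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed role model: role -> entitlements. Prefixes mark the target system.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-analyst": {"ad:Finance-Users", "app:erp-reader", "lic:m365-e3"},
    "finance-manager": {"ad:Finance-Users", "ad:Finance-Approvers",
                        "app:erp-approver", "lic:m365-e3"},
}


@dataclass
class LifecycleEvent:
    kind: str                 # "joiner", "mover" or "leaver"
    user: str
    new_role: Optional[str]
    source: str               # "hrms" or "snow"
    ticket: Optional[str]     # SNOW ticket number when one exists
    occurred_at: datetime     # when HR or the requester raised it


def from_hrms(rec: dict) -> LifecycleEvent:
    """Normalize a constructed HRMS worker event (field names are assumptions)."""
    kind = {"HIRE": "joiner", "JOB_CHANGE": "mover", "TERMINATE": "leaver"}[rec["action"]]
    return LifecycleEvent(kind, rec["worker_id"], rec.get("job_profile"),
                          "hrms", None, datetime.fromisoformat(rec["effective"]))


def from_snow(ticket: dict) -> LifecycleEvent:
    """Normalize a constructed ServiceNow request; variable names are assumptions."""
    v = ticket["variables"]
    return LifecycleEvent(v["request_type"], v["user_id"], v.get("role"), "snow",
                          ticket["number"], datetime.fromisoformat(ticket["opened_at"]))


class Directory:
    """In-memory stand-in for AD plus cloud apps; a real playbook calls connectors."""
    def __init__(self) -> None:
        self.access: Dict[str, Set[str]] = {}
        self.disabled: Set[str] = set()
        self.sessions: Dict[str, int] = {}   # user -> live session count


def run_playbook(ev: LifecycleEvent, d: Directory, now: datetime) -> dict:
    """Execute the event and return the audit trail plus the SNOW write-back."""
    audit: List[dict] = []

    def log(action: str, target: str = "") -> None:
        # Same record shape regardless of which system triggered the event.
        audit.append({"ts": now.isoformat(), "source": ev.source, "ticket": ev.ticket,
                      "user": ev.user, "action": action, "target": target})

    if ev.kind == "leaver":
        # Kill switch first: the revocation window is bounded by these two steps,
        # not by how many per-app entitlements follow.
        d.disabled.add(ev.user); log("disable_account")
        d.sessions[ev.user] = 0; log("revoke_sessions")
        for ent in sorted(d.access.get(ev.user, set())):
            log("revoke", ent)
        d.access[ev.user] = set()
    else:
        target = ROLE_ENTITLEMENTS[ev.new_role]
        current = d.access.setdefault(ev.user, set())
        if ev.kind == "joiner":
            log("create_account")
        # Mover rule: grant everything the new role adds, then revoke what it
        # lacks. Entitlements common to both roles are never touched.
        for ent in sorted(target - current):
            current.add(ent); log("grant", ent)
        for ent in sorted(current - target):
            current.discard(ent); log("revoke", ent)

    latency_s = (now - ev.occurred_at).total_seconds()
    ticket_update = None
    if ev.ticket:
        ticket_update = {"number": ev.ticket, "state": "closed_complete",
                         "work_notes": f"{len(audit)} provisioning actions logged"}
    return {"audit": audit, "latency_s": latency_s, "ticket_update": ticket_update}


if __name__ == "__main__":
    d, now = Directory(), datetime(2024, 5, 1, 9, 0, 0)
    run_playbook(from_hrms({"action": "HIRE", "worker_id": "jdoe",
                            "job_profile": "finance-analyst",
                            "effective": "2024-05-01T08:00:00"}), d, now)
    result = run_playbook(from_snow({"number": "RITM0001", "opened_at": "2024-05-01T08:30:00",
                                     "variables": {"request_type": "mover", "user_id": "jdoe",
                                                   "role": "finance-manager"}}), d, now)
    for entry in result["audit"]:
        print(entry["action"], entry["target"])
    print(result["ticket_update"])
```

The point to take into a vendor demo is the audit list for the mover: grants appear before revokes, and the shared `ad:Finance-Users` group never shows up at all. A platform whose mover flow is "remove old role, add new role" will show the opposite ordering and a needless revoke-then-grant on every shared entitlement.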
The Maintenance Ownership Question
The core point — that every platform still pushes development debt to you — is worth evaluating honestly against whatever platform you select.
The questions to ask in vendor evaluations: when a downstream application changes its API and breaks the connector, who fixes it and how fast? When a Microsoft AD schema change requires an update to the provisioning logic, is that your team's work or the vendor's? When the platform updates and a custom playbook breaks, what does the support model look like?
For the enterprise segment, the answer varies significantly between platforms. SailPoint at enterprise scale has a large professional services and MSP ecosystem, which means help is available but at a cost. Managed service models transfer the maintenance responsibility entirely but may not cover the breadth of systems a 50,000-person enterprise needs. Cloud-native platforms like Zluri maintain connectors on the vendor side and release updates without breaking customer configurations — the right question to ask is how they handle the edge cases that your environment's specific complexity will expose.
What to Look for in an Enterprise Evaluation
Don't evaluate IGA platforms against your requirements on paper. Evaluate them against your actual data.
Bring your AD structure, your ServiceNow integration requirements, your HRMS source data, and your current provisioning edge cases to vendor demonstrations. Ask vendors to set up an import and run a provisioning test on your actual environment during the evaluation, not a sanitized demo. Watch how much effort they expend to handle the edge cases — that's the proxy for what implementation will actually look like.
At 50,000 employees, the platforms worth serious evaluation in the enterprise IGA space are SailPoint (IdentityNow for cloud, IIQ if you're heavily on-prem), Saviynt, Microsoft Entra ID Governance for Microsoft-centric environments, and next-generation platforms like Zluri for organizations that want faster deployment and lower ongoing maintenance overhead at the cost of some depth in very complex on-prem scenarios.
Frequently Asked Questions
What is user lifecycle management software and how does it differ from IGA?
User lifecycle management software automates the provisioning and deprovisioning of user accounts across applications when employees join, change roles, or leave. IGA (Identity Governance and Administration) is the broader category that includes user lifecycle management plus governance capabilities — access reviews, certification campaigns, Segregation of Duties enforcement, and compliance reporting. Most modern IGA platforms include full lifecycle management as a core capability, so the two terms are often used interchangeably for evaluation purposes.
How do you integrate a user lifecycle management platform with ServiceNow?
The standard integration pattern is bidirectional: ServiceNow receives and manages the user-facing request workflow, the IGA platform receives ticket data via API when a request is submitted, executes the provisioning backend, and updates the SNOW ticket with completion status. This keeps ServiceNow as the user-facing portal and audit record while automating the backend execution that currently requires manual IT work. Evaluate any platform against your actual SNOW instance, not a demo environment.
How do you replace AD Manager in an enterprise IGA implementation?
IGA platforms that include an on-premises AD connector — typically a lightweight agent deployed within your network using an outbound-only LDAP connection — can perform the same user, group, and OU management that AD Manager handles. The agent-based approach avoids inbound firewall changes and can be deployed without restructuring your AD architecture. Key evaluation criteria are sync latency, group writeback capabilities, and how the platform handles your existing OU structure.
Is SailPoint the right choice for a 50,000-employee enterprise?
SailPoint is the established enterprise IGA platform for large regulated organizations with dedicated IAM teams. It has the depth and feature set for complex enterprise requirements, and the professional services ecosystem to support large implementations. The tradeoffs are implementation complexity, high ongoing maintenance overhead, and a clunky reviewer UX for access certifications. Saviynt is the most comparable enterprise alternative. Next-generation platforms offer faster deployment and lower maintenance at the potential cost of depth for the most complex on-prem scenarios.