Joiner Mover Leaver Controls: The IT Governance Gap That Creates Hidden Risk

Published on January 15, 2026

Most small businesses believe their biggest IT risk comes from outside attackers.

In reality, many of the most damaging incidents start internally, without bad intent, because access was never properly removed or adjusted.

A former employee still has access to email.
A manager changed roles but kept admin permissions.
A contractor account was never disabled.

These situations exist because Joiner Mover Leaver controls were never defined.

Joiner Mover Leaver governance is not about red tape.
It is about closing gaps that quietly accumulate as a business grows.

What Joiner Mover Leaver Actually Means

Joiner Mover Leaver, often shortened to JML, refers to how access is handled when someone:

  • Joins the organization
  • Moves to a new role
  • Leaves the organization

Each of these moments introduces risk if access is not reviewed deliberately.

In small Ontario businesses, JML is usually handled informally through emails, hallway conversations, or assumptions that someone else took care of it.

That approach works until it does not.

Why JML Breaks Down in Growing Businesses

JML failures are rarely caused by negligence. They happen because:

  • Roles evolve faster than documentation
  • Managers approve access verbally
  • IT providers are not informed of changes
  • HR and IT responsibilities overlap without clarity

At Fidalia Networks, JML gaps are one of the most common issues we find in organizations with messy IT environments.

The business assumes access is managed.
The systems quietly disagree.

What Goes Wrong Without JML Controls

When Joiner Mover Leaver governance is missing, four predictable problems appear.

1. Orphaned Accounts

Users who no longer work at the company still have access to systems, email, or cloud platforms.

2. Privilege Accumulation

Employees who move roles keep old permissions while gaining new ones, creating unnecessary admin access.

3. Incident Confusion

During security events, teams do not know which accounts are valid and which should be disabled immediately.

4. Compliance and Insurance Exposure

Cyber insurers increasingly ask how access is removed when employees leave. Weak answers increase risk ratings.

JML failures rarely cause instant outages.
They quietly increase blast radius.

The Joiner Mover Leaver Register That Fixes This

The Joiner Mover Leaver sheet in the IT Governance Workbook exists to make access changes intentional and visible.

It focuses on decisions, not tools.

Event Type | Required Action                | Owner
Joiner     | Grant minimum required access  | Manager
Mover      | Review and remove old access   | Manager and IT
Leaver     | Disable and remove all access  | IT and Operations

This table clarifies responsibility at the moment risk changes.

The purpose is not to slow onboarding.
The purpose is to prevent access from silently persisting forever.

Why Onboarding Alone Is Not Enough

Most businesses focus heavily on onboarding new staff.

They create accounts, assign licenses, and move on.

The real risk appears later:

  • When roles change
  • When responsibilities expand
  • When someone exits unexpectedly

Without a mover and leaver process, access only ever grows.

This is how organizations end up with:

  • Shared passwords
  • Lingering admin rights
  • Vendor access that never expires

JML Governance During Security Incidents

During a cyber incident, Joiner Mover Leaver clarity becomes critical.

Someone must decide:

  • Which accounts are still valid
  • Which accounts should be locked immediately
  • Whether departed users still have active sessions
  • Whether credentials must be rotated

If this information is not already documented, response slows dramatically.

This is why JML governance directly supports incident response, disaster recovery, and operational resilience.

You can see how this governance layer supports Fidalia’s service delivery here:
https://fidalia.com/it-services

And how it fits into the broader IT governance framework here:
https://www.fidalia.com/it-governance

Who Owns Joiner Mover Leaver Decisions

In small businesses, JML ownership usually involves:

  • Direct managers
  • Operations leadership
  • HR or finance leadership
  • IT or external IT partners

The critical requirement is that ownership is explicit.

When everyone assumes someone else handled access changes, no one actually does.

This Is Practical Governance, Not Bureaucracy

Joiner Mover Leaver governance does not require:

  • Complex identity platforms
  • Lengthy approval chains
  • Dedicated security teams

It requires:

  • Clear triggers
  • Defined responsibility
  • Consistent follow-through

If you cannot confidently say that access is removed when people leave, you are carrying unnecessary risk.

Call to Action

If your business has grown and roles have changed over time, Joiner Mover Leaver gaps almost certainly exist.

Download Fidalia’s IT Governance Workbook and document access changes before they turn into a security or insurance problem.

Access the workbook here:
https://www.fidalia.com/it-governance

Frequently Asked Questions

What are Joiner Mover Leaver controls?
They define how access is granted, changed, and removed when people join, change roles, or leave a business.

Why are leaver controls so important?
Former employees and contractors pose a high risk if their access is not fully removed after departure.

Can Fidalia help implement JML governance?
Yes. Fidalia helps Ontario businesses document and operationalize Joiner Mover Leaver controls as part of a broader IT governance program.