What is IAM Reconciliation? Solving the Data Consistency Gap
Accounts created by hand, outside the central provisioning process, are a security risk. When the user data held in the HR system does not match the permissions that actually exist in target systems, the organisation loses visibility and control over who can access what. The usual result is "orphaned" accounts that remain active long after the employee has left.
Reconciliation is the process of comparing digital identities across multiple systems to identify and resolve inconsistencies between them. In Identity and Access Management (IAM) it checks that the target state (the German "Soll": the intended state defined by your business rules) matches the actual state (the "Ist": what really exists in target systems such as Entra ID, on-premises Active Directory or ERP platforms), and surfaces every difference so it can be corrected.
The Technical Impact of Configuration Drift
IT departments frequently face "Configuration Drift." This occurs when manual changes are made directly in a target system, bypassing central governance. This creates a gap between what your reports say and what is actually happening on the network. Key drivers for implementing automated reconciliation include:
Audit Accountability: You must prove to auditors that no unauthorised accounts exist outside of official automated processes.
Security Risk Mitigation: Identifying accounts from former employees that persist because a manual deletion process failed.
Licensing Optimisation: Reclaiming expensive SaaS licences (such as Microsoft 365 or Salesforce) assigned to users who no longer require them.
Comparison: Manual vs. Automated Governance
Feature | Manual Process | Automated Governance (HelloID)
--- | --- | ---
Detection | Manual exports and spreadsheet cross-referencing. | Automated scans that flag accounts with no matching identity in the source system.
Accuracy | Prone to human error and name mismatches. | Logic-based matching using unique UPNs or Employee IDs.
Compliance | Difficult to verify for ISO 27001 or GDPR audits. | Provides immutable audit trails and 360-degree logging.
Resolution | Manual account deletion or ticket creation. | One-click correction or automated de-provisioning.
Managing the Identity Lifecycle
The lifecycle of an identity is rarely a linear path. A user might change departments and receive new permissions, yet their previous access rights often remain active. Accumulated rights like this create "toxic combinations" of permissions, such as one person being able to both raise and approve a payment, which defeat separation of duties and increase the internal attack surface.
Reconciliation identifies these legacy rights by comparing the current user profile against the defined Role-Based Access Control (RBAC) model. If a discrepancy is found, such as an account existing in Entra ID that is not present in the HR source, the system alerts the IT manager. This allows for immediate remediation before an inconsistency becomes a formal security finding.
ISO 27001 and GDPR
Compliance frameworks commonly applied in the UK prioritise the identification of accumulated access rights. Under ISO 27001, organisations must demonstrate that access is granted on a "need-to-know" basis and is subject to regular review. Without automated reconciliation it is very hard to prove that accounts created locally by departmental administrators have been identified and deactivated.
GDPR mandates data minimisation and accuracy. If an employee leaves but their account remains active in a secondary system because it was missed during a manual offboarding sequence, the organisation risks breaching the principle of integrity and confidentiality (Article 5(1)(f)). Reconciliation acts as the final safety net to ensure every leaver is fully processed across the entire stack.
HelloID Reconciliation Capabilities
HelloID Provisioning uses dedicated connectors to bridge the gap between source systems (such as HiBob or Workday) and targets (such as Entra ID, PaperCut, or Adobe Creative Cloud). The reconciliation module provides several critical functions:
Unmanaged Account Discovery: Automatically identify accounts created manually in target systems that bypass IAM logic.
Attribute Synchronisation: Detect if a user’s surname or department has changed in the HR source but remains outdated in downstream applications.
Legacy Data Cleanup: Identify service accounts or obsolete test accounts that are no longer required for operations.
Delta Processing: Scan only for what has changed since the last run rather than re-reading entire directories, so reconciliation can run frequently without a heavy load on the target systems.
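The comparison described above (the HR "Soll" against the directory "Ist", producing unmanaged accounts, missing accounts, still-enabled leavers and attribute drift) reduces to a few set operations over a shared join key. The following is an added illustration and is not HelloID's own code or connector logic: the record fields, the `employee_id` join key, the `reconcile()` function and every sample record are constructed assumptions.

```python
"""Reconcile an HR source of truth against the accounts found in a target system.

This is an added illustration, not HelloID's code. The record fields, the
employee_id join key and all sample records are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed HR source ("Soll"): who should exist and whether they are still employed.
HR_SOURCE = [
    {"employee_id": "E1001", "surname": "Smith-Jones", "department": "Finance", "active": True},
    {"employee_id": "E1002", "surname": "Patel", "department": "IT", "active": True},
    {"employee_id": "E1003", "surname": "Okafor", "department": "Sales", "active": False},  # leaver
    {"employee_id": "E1004", "surname": "Brown", "department": "HR", "active": True},
]

# Constructed target directory export ("Ist"): what actually exists, e.g. in Entra ID.
TARGET_ACCOUNTS = [
    {"upn": "psmith@example.com", "employee_id": "E1001", "surname": "Smith", "department": "Finance", "enabled": True},
    {"upn": "rpatel@example.com", "employee_id": "E1002", "surname": "Patel", "department": "IT", "enabled": True},
    {"upn": "aokafor@example.com", "employee_id": "E1003", "surname": "Okafor", "department": "Sales", "enabled": True},
    {"upn": "svc-backup@example.com", "employee_id": None, "surname": None, "department": None, "enabled": True},
]

# Attributes the HR system is authoritative for and that should be kept in sync downstream.
SYNCED_ATTRIBUTES = ("surname", "department")


@dataclass
class ReconciliationReport:
    unmanaged: list       # target accounts with no matching HR record (created outside IAM)
    duplicates: list      # target accounts claiming an employee_id already taken by another account
    missing: list         # active HR records with no target account (provisioning failed)
    leavers_active: list  # HR says inactive, but the target account is still enabled
    drift: dict           # employee_id -> {attribute: (hr_value, target_value)}


def reconcile(hr_records, target_accounts, attributes=SYNCED_ATTRIBUTES):
    """Compare intended state (HR) with actual state (target) and classify every gap."""
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    target_by_id = {}
    unmanaged, duplicates = [], []

    for acct in target_accounts:
        eid = acct.get("employee_id")
        if not eid or eid not in hr_by_id:
            unmanaged.append(acct["upn"])
        elif eid in target_by_id:
            duplicates.append(acct["upn"])
        else:
            target_by_id[eid] = acct

    missing = [eid for eid, r in hr_by_id.items() if r["active"] and eid not in target_by_id]
    leavers_active = [eid for eid, acct in target_by_id.items()
                      if not hr_by_id[eid]["active"] and acct["enabled"]]

    drift = {}
    for eid, acct in target_by_id.items():
        if not hr_by_id[eid]["active"]:
            continue  # a leaver's stale attributes are noise; the account should go, not be updated
        diffs = {a: (hr_by_id[eid][a], acct[a]) for a in attributes if hr_by_id[eid][a] != acct[a]}
        if diffs:
            drift[eid] = diffs

    return ReconciliationReport(unmanaged, duplicates, missing, leavers_active, drift)


if __name__ == "__main__":
    report = reconcile(HR_SOURCE, TARGET_ACCOUNTS)
    print("Unmanaged accounts   :", report.unmanaged)
    print("Duplicate accounts   :", report.duplicates)
    print("Missing accounts     :", report.missing)
    print("Leavers still enabled:", report.leavers_active)
    print("Attribute drift      :", report.drift)
```

On the constructed data this reports the service account as unmanaged, E1004 as never provisioned, E1003 as a leaver whose account is still enabled, and a surname mismatch for E1001. Each category maps to a different remediation (investigate, provision, disable, update), which is why the report keeps them apart rather than emitting one undifferentiated list of "differences".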
The Future of IAM: AI and Fuzzy Matching
A significant challenge in reconciliation is identifying that "P. Smith" in a legacy database is the same individual as "Philippa Smith-Jones" in the HR system. Modern IAM platforms now use fuzzy matching and machine learning to link accounts even when unique identifiers such as employee numbers are missing. Because a wrong link hands one person's access to another, fuzzy matches should be treated as candidates for review, with only unambiguous high-confidence matches applied automatically.
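A minimal version of this candidate matching, including the review safeguard, follows as an added example. It is not HelloID's matching logic and uses only `difflib` from the Python standard library; the tokenisation rules, the 0.85 score threshold, the 0.10 margin between the top two candidates, the `propose_link()` helper and all sample records are constructed assumptions. The sample deliberately contains both a Philippa Smith-Jones and a Peter Smith so that "P. Smith" cannot be resolved automatically.

```python
"""Fuzzy candidate matching for legacy accounts that carry no employee ID.

Added illustration, not HelloID's matching logic. It uses only difflib from the
standard library; the tokenisation rules, the 0.85 threshold, the 0.10 margin
and every sample record below are constructed assumptions.
"""
import re
from difflib import SequenceMatcher

# Constructed HR records (authoritative identities).
HR_PEOPLE = [
    {"employee_id": "E1001", "given_name": "Philippa", "surname": "Smith-Jones"},
    {"employee_id": "E1005", "given_name": "Peter", "surname": "Smith"},
    {"employee_id": "E1002", "given_name": "Ravi", "surname": "Patel"},
]

# Constructed legacy database accounts: display names only, no shared identifier.
LEGACY_ACCOUNTS = [
    {"login": "psmith", "display_name": "P. Smith"},
    {"login": "smithjonesp", "display_name": "Smith-Jones, Philippa"},
    {"login": "rpatel", "display_name": "Patel, R"},
]


def _tokens(name):
    """Lower-case and split on anything that is not a letter: 'Smith-Jones, P.' -> ['smith', 'jones', 'p']."""
    return [t for t in re.split(r"[^a-z]+", name.lower()) if t]


def _token_score(acct_token, hr_tokens):
    """Score one account-name token against all HR name tokens (0.0 .. 1.0)."""
    if len(acct_token) == 1:
        # A bare initial only counts if some HR token starts with it; it never counts as a near-miss.
        return 1.0 if any(t.startswith(acct_token) for t in hr_tokens) else 0.0
    return max(SequenceMatcher(None, acct_token, t).ratio() for t in hr_tokens)


def name_similarity(display_name, hr_person):
    """Average best-token similarity between a display name and an HR record."""
    acct_tokens = _tokens(display_name)
    hr_tokens = _tokens(f"{hr_person['given_name']} {hr_person['surname']}")
    if not acct_tokens or not hr_tokens:
        return 0.0
    return sum(_token_score(t, hr_tokens) for t in acct_tokens) / len(acct_tokens)


def propose_link(display_name, hr_people, threshold=0.85, margin=0.10):
    """Return (status, employee_id, score).

    'match' only when the best candidate clears the threshold AND beats the runner-up
    by a clear margin. A near-tie is 'ambiguous' and must go to a human, because
    linking the wrong person would hand one employee's access to another.
    """
    ranked = sorted(((name_similarity(display_name, p), p["employee_id"]) for p in hr_people),
                    reverse=True)
    if not ranked:
        return ("no_match", None, 0.0)
    best_score, best_id = ranked[0]
    runner_up = ranked[1][0] if len(ranked) > 1 else 0.0
    if best_score < threshold:
        return ("no_match", None, best_score)
    if best_score - runner_up < margin:
        return ("ambiguous", None, best_score)
    return ("match", best_id, best_score)


def match_legacy_accounts(accounts, hr_people):
    """Map each legacy login to its proposed link decision."""
    return {a["login"]: propose_link(a["display_name"], hr_people) for a in accounts}


if __name__ == "__main__":
    for login, (status, eid, score) in match_legacy_accounts(LEGACY_ACCOUNTS, HR_PEOPLE).items():
        print(f"{login:<12} {status:<10} {eid or '-':<6} {score:.2f}")
```

On the constructed data "Smith-Jones, Philippa" and "Patel, R" are linked with a clear margin, while "P. Smith" scores identically against Philippa Smith-Jones and Peter Smith and is therefore queued as ambiguous rather than auto-linked. The margin check is what turns a similarity score into a safe decision; a threshold alone would have linked "P. Smith" to whichever candidate happened to sort first.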
By automating this matching logic, the service desk significantly reduces the time spent on manual data cleanup. This allows IT staff to focus on high-level architecture and security hardening rather than chasing administrative inconsistencies.