TMF Group unifies identity security at scale


Providing employee, financial and legal administration services since 1988, TMF Group is a single global team with over 13,000 colleagues in more than 125 offices across 87 jurisdictions.

Challenge

TMF Group's identity management challenges stemmed from three business imperatives: regulatory complexity governing critical financial and personal data, rapid growth creating heterogeneous systems, and massive scale. With 13,000 employees accessing 120+ key business applications, TMF Group was managing over 2,500 monthly access requests while disparate systems prevented centralized processing, governance and visibility.

Solution

TMF Group implemented SailPoint Identity Security Cloud to centralize and automate identity security across its heterogeneous landscape. The platform integrates with the HRMS as the single source of truth and connects to applications via APIs, automating joiner-mover-leaver processes, access requests and quarterly access reviews. Most critically, the implementation achieved 100% leaver deactivation, eliminating orphan accounts and compliance risk. The platform now provides centralized governance and a foundation for continuous automation.

Industry: Financial services
Company size: 13,000+ employees
Products: Identity Security Cloud
Partner: Hexadius Consulting

"Streamlining JML sounds simple. But achieving true automation with proper governance across this many applications, jurisdictions and user types requires a robust platform and careful integration work. That's exactly what SailPoint delivered."

Kumar Ravi, Global Chief Security and Resilience Officer, TMF Group

  • 100% deactivation SLA for leavers
  • 13,000 onboarded user IDs
  • <1-hour SLA for provisioning

Helping businesses invest and operate safely around the world, TMF Group is a leading global provider of employee, financial and legal administrative services. Its team of over 13,000 experts in more than 125 offices works with the majority of the Fortune Global 500, FTSE 100 and top 300 private equity firms across 87 jurisdictions. TMF Group is a critical part of its clients’ governance processes, leveraging its global service model and technology platform to maintain operational compliance and reputational standing for clients, everywhere they do business.

“We view identity security as sitting at the cusp of both insider threats and outsider threats,” Kumar Ravi, Global Chief Security and Resilience Officer, TMF Group, says. “Hackers nowadays don't break in; they log in. In the zero trust model, identity is the new perimeter. It’s fundamental to modern cybersecurity. And that was our starting point as we began our journey to transform identity security and administration at TMF Group in 2024.”

Operating at the intersection of regulation, growth and scale

According to Kumar, three business imperatives set the parameters for the Group’s identity transformation.

The first is regulatory complexity. The services TMF Group provides – from payroll to taxation and regulatory compliance – deal with very critical financial and personal data. The firm has to maintain the highest standards of security, adhering to the NIST Cybersecurity Framework and meeting ISAE 3402 requirements and other compliance standards across 87 jurisdictions. An ex-employee or contractor with lingering access to company data is unacceptable, presenting a massive risk and potential regulatory violation.

The second factor is hypergrowth through acquisition. TMF Group was founded in Amsterdam in 1988. It has expanded globally over the years, initially fueled by 47 acquisitions between 2006 and 2009. Since 2017, it has completed a further 20 acquisitions, averaging two per year. Each brings new identities, applications and identity and access management (IAM) systems – creating a heterogeneous security landscape.

The third business imperative relates to the scale of the firm. TMF Group has over 13,000 employees across 125 different locations. The challenge is less about the number of employees than the overall complexity, with these 13,000 users accessing any combination of 120+ key business applications under strict compliance across disparate systems. Kumar’s Information Security team must also manage access for around 1,500 vendors and sub-contractors.

Altogether, these user groups generate in excess of 2,500 access requests per month. Furthermore, the firm’s legacy quarterly access review cycle relied on manual processing and took more than 30 days to complete.

“Given this volume of access requests and the complexity of our heterogeneous systems landscape, plus the pressure of mission-critical compliance across a wide geographic spread, it was clear that our only option was to modernize our IAM system and digitalize the joiner-mover-leaver (JML) process,” Kumar explains.

That was easier said than done. Like most organizations of similar scale, TMF Group faced a fundamental IAM challenge that its business realities amplified: disparate systems that prevented centralized processing and governance while hampering visibility.

Centralizing identity management with SailPoint Identity Security Cloud (ISC)

TMF Group selected SailPoint Identity Security Cloud as a centralized platform on which it could automate identity lifecycle management, streamline access requests and ensure consistent governance across its heterogeneous application landscape.

“The architecture is straightforward in concept, but execution requires sophisticated integration,” explains Kumar.

TMF Group’s HRMS serves as the single source of truth for the IAM system. When someone joins TMF Group, their user ID is automatically created in Active Directory, and they automatically get birthright access. SailPoint Identity Security Cloud connects to TMF Group’s 120+ key business applications through APIs, enabling automated workflows that eliminate manual processes.

The real value, according to Kumar, comes at the leaver part of the JML process. “People generally take care of creating user IDs when someone joins,” he notes. “But where manual processes fail is when someone leaves. Perhaps their supervisor is on vacation. Or requests don’t reach IT or HR. That’s when you get delayed deactivations and even orphan accounts – exactly the sort of compliance risk we couldn’t afford.”

At the interface layer, the solution provides centralized dashboards for TMF Group teams (IAM owners, business owners, auditors and access reviewers) to access audit reports and certifications and to oversee the entire identity security program. End users have a self-service portal where they can submit access requests that flow through automated approval workflows, eliminating bottlenecks.

At the core, SailPoint Identity Security Cloud manages the complete identity lifecycle through several integrated modules: JML automation; access certifications for quarterly reviews; dashboards and audit reports; provisioning; and requests and approvals.

On the application side, SailPoint Identity Security Cloud connects to cloud and on-premises applications such as the ERP platform, digital client platform, global payroll and enterprise finance management. A phased implementation strategy prioritized applications under the strictest compliance requirements, with the goal of eventually integrating all 120+ key business applications into the platform.

"Streamlining JML sounds simple," Kumar reflects. "But achieving true automation with proper governance across this many applications, jurisdictions and user types requires a robust platform and careful integration work. That's exactly what SailPoint delivered."

Achieving scale, speed and compliance

In the first few months since implementing SailPoint Identity Security Cloud, TMF Group has achieved significant results across identity lifecycle management, demonstrating both the scale of the transformation and the precision of automated governance.

  • 13,000+ user IDs onboarded
  • 1,300+ application access requests fulfilled
  • 700+ domain user IDs created, with <1-hour SLA
  • 1,200+ domain user IDs disabled, with 100% SLA

Compliance as a competitive advantage: 100% leaver SLA

The 100% service level agreement (SLA) for disabling accounts is what Kumar calls “a big feat” and a critical compliance achievement. Every departing employee’s user ID is automatically disabled on their last working day, eliminating orphan accounts that plagued the manual process.

“The risk is minimized. The compliance level is increased,” Kumar explains. “And compliance, as we all know, is not optional. Operating in a heavily regulated industry across 87 jurisdictions – each with stringent requirements – this automation has really made life easy.”

Centralized visibility saves time and effort: Automated access review

Before SailPoint, TMF Group’s quarterly access review (QAR) process was manual and time-consuming. “Each quarter, an entire month would go into initiating access reviews, getting approvals by email, taking action and closing it out,” Kumar explains. “It had both a risk dimension and a compliance dimension.”

Applications are integrated for digitized QAR with automated workflows. Reviewers receive automated requests, can see exactly who has access to what, and can take immediate action – including initiating removal if someone has moved roles – all within the system. This improves both operational efficiency and audit readiness.

With more than 13,000 user IDs now governed from an HR and Active Directory perspective across a growing number of applications, TMF Group has achieved centralized visibility, transforming its governance capabilities.

“If you don’t have visibility, you can’t measure. And what you can’t measure, you can’t manage,” Kumar emphasizes. “Centralized visibility is the real value we’ve gained from this journey. We can now see the entire identity landscape across our key business applications—and that’s what enables true governance.”

Building the foundation for future automation

Beyond compliance and governance improvements, SailPoint Identity Security Cloud has transformed the day-to-day experience for TMF Group's workforce. The <1-hour provisioning SLA means new employees are productive from day one. The self-service portal eliminates bottlenecks, empowering more than 13,000 users across 85 countries to request access through streamlined workflows rather than waiting for manual IT processes.

But for Kumar, the real achievement is building a platform for future automation.

"This isn't just about solving today's problems," Kumar reflects. "It's about creating the infrastructure that lets us scale identity security as we add new jurisdictions, new acquisitions and new applications."

The journey required more than technology. Kumar emphasizes that implementing identity security at this scale demands vision, stakeholder alignment, and realistic planning.

"Implementing identity security is not something you can do in a silo," he explains. "You need stakeholders from business, IT, HR, vendor teams, and information security all working in tandem. Everyone must share the vision of where you are, where you want to be, and what it will take to get there."

His advice for organizations embarking on similar transformations is to start with feasibility testing. "Check compatibility with your business-critical applications first," he recommends. "Understand what can be directly integrated and what will require custom work. That gives you realistic timelines and helps you set proper expectations for the project."

The journey from heterogeneous, manual identity management to automated, enterprise-wide governance required significant integration effort, including API development, stakeholder coordination, and a long gestation period. But the results speak for themselves: 100% SLA for compliance-critical processes, centralized visibility across 13,000 identities and a scalable platform that positions TMF Group for continued growth.

"There's definitely a lot of effort and background work that goes in," Kumar acknowledges. "But the value we've gained – the visibility, the governance capability, the compliance confidence – makes it absolutely worthwhile. Partnering with SailPoint was a wise decision."