Provisioning access is an IAM function, and deprovisioning that access is a security objective. How might these combined objectives be met with common process, and what sorts of access should be managed by it? Data, applications, networked services, and physical facilities all have particular provisioning and deprovisioning needs. Campus cards, for instance, mitigate risk only when the access information associated with them is current. When a card's rights get out of sync with its bearer's status, the card itself becomes a risk. Addressing this issue, given all the authorization and access points, can be a challenge unless they are tied into the enterprise identity management system.