The IT + HR Alignment Playbook

HR and IT own more of the same surface area than either team usually acknowledges. Devices, onboarding, offboarding, access, compliance: all of it sits at the intersection. When these teams operate from the same language and ask each other the right questions, everything runs better. When they don't, both sides pay for it.

This guide gives both teams a shared foundation: the terms worth knowing and the questions worth asking before any major initiative.

Part 1: The Shared Vocabulary

These are the terms that come up most at the IT-HR intersection. HR often encounters them without context. IT often uses them without explanation. Here's what they actually mean, and why they matter to both sides.

MDM: Mobile Device Management

How IT remotely controls and secures the devices employees use for work. MDM lets IT configure, lock, or wipe a device if it goes missing or when an employee leaves.

For HR: If you're onboarding or offboarding someone with a company device, MDM is involved. Device readiness on day one depends on HR providing accurate start dates and shipping information in time.

For IT: MDM only works as well as the HR data feeding it. Late or incorrect employee records mean late or broken device setup.

See how Rippling MDM works.

SSO: Single Sign-On

One login that gets an employee into every app they need. SSO reduces password sprawl and is more secure than requiring separate credentials for each tool.

For HR: When you evaluate new software, ask whether it supports SSO. Tools that don't integrate with SSO create credential management overhead for IT and security gaps for the company.

For IT: SSO configuration depends on knowing which apps a role requires. The clearer HR's role definitions are, the faster IT can get new hires into the right systems.

MFA / 2FA: Multi-Factor Authentication

A second verification step after a password: a push notification, passkey, or code. It exists because passwords alone are no longer a reliable security control.

For HR: MFA requirements aren't IT being difficult. They're closing one of the most commonly exploited gaps in any company's security posture. HR's onboarding walkthrough is often where employees form habits around security tools, for better or worse.

For IT: Low adoption of MFA often traces back to onboarding. Partnering with HR to build MFA setup into day-one flow improves coverage without requiring IT to chase employees individually.

Provisioning

The process of setting up a new employee with everything they need: device, accounts, and app access. Provisioning is triggered by data in the HR system: job title, department, start date, manager.

For HR: When provisioning fails, it's usually because HR data was incomplete or late. A wrong start date, a missing manager field, or an incorrect department assignment can cascade into a broken day-one experience.

For IT: Provisioning automation is only as reliable as the inputs. Building a feedback loop with HR to catch data quality issues before they hit the new hire improves outcomes for both teams.

RBAC: Role-Based Access Control

A security model where employees get access based on their role, not because someone manually granted it. HR data (title, department, manager) feeds the rules that determine who gets access to what.

For HR: When job titles or departments change and aren't updated in the system, people end up with the wrong access. A promotion that isn't reflected in HR data is a compliance gap.

For IT: Role definitions maintained by HR are the foundation of access policy. The more precisely HR defines roles, the more accurately IT can automate access. Rippling automates RBAC so permissions update the moment employee data changes.

IAM: Identity and Access Management

The broader discipline governing who can access what, across devices and applications. SSO and RBAC are both components of IAM.

For HR: When IT talks about "access," IAM is usually the system behind it. Understanding that access is systematic (not arbitrary) helps HR anticipate what information IT needs to do its job.

For IT: IAM quality is a direct function of directory completeness. Contractors, international employees, and temp workers who aren't in the HR system create IAM blind spots.

Offboarding / Deprovisioning

The process of removing an employee's access to all systems when they leave. Higher-risk than onboarding because there's no employee present to flag problems; the window between someone's last day and full access removal is one of the largest security vulnerabilities in most companies.

For HR: The earlier IT knows about a departure, the cleaner the offboarding. Last-minute notification puts the company at risk, especially for sensitive terminations.

For IT: Offboarding completeness requires HR's app list. IT can revoke access to known systems; missed apps stay open. Running the access list together closes the gap.

How Rippling ensures smooth IT offboarding.

SOC 2

A compliance framework certifying that a company's security controls are in place and operating effectively. HR data accuracy is directly tied to SOC 2 readiness: access reviews, provisioning logs, and offboarding records are all part of the audit trail.

For HR: If your company is pursuing SOC 2, the accuracy of your employee data in Rippling matters for IT's compliance posture. Gaps in HR records become gaps in the audit.

For IT: SOC 2 evidence collection is much easier when HR and IT workflows are automated and connected. Rippling can make SOC 2 a byproduct of how you operate.

Shadow IT / Shadow AI

When employees adopt tools or services outside IT's visibility or approval process. Shadow IT has always existed, but AI tools have accelerated the problem significantly. Employees can now spin up capable AI assistants, writing tools, coding helpers, and data analysis platforms in minutes—often on personal accounts, often with company data flowing through them, and often with no one in IT aware it's happening.

For HR: The habits employees form during onboarding shape how they engage with IT for the rest of their tenure. Onboarding that includes IT policy on AI tool usage—not just general software—gives employees a clear framework before they default to whatever is fastest. Without that, shadow AI becomes the norm before IT has a chance to build an approved alternative.

For IT: Shadow AI is now one of the fastest-growing risk surfaces in most companies. Unlike traditional shadow IT (a rogue SaaS subscription), AI tools often process sensitive data in ways that are harder to audit and harder to reverse. The same intake process that catches unauthorized software requests needs to explicitly cover AI tools. HR is often first to encounter new AI requests from employees and managers; a standing conversation between HR and IT about what's coming is one of the most effective early-warning systems available.

Part 2: Questions to Ask Each Other Before Any Major Initiative

These questions work in both directions. HR should ask them before bringing IT a decision. IT should raise them when they're not being asked.

Before a New Tool Rollout

• Who needs access, and how should that be defined by role? Upfront role mapping lets IT automate access rather than grant it manually.

• Does this tool support SSO? Tools that don't integrate with SSO create credential overhead and security gaps.

• What data will this tool access or store? IT needs to assess the security profile before anything touches employee records or company data.

• How much lead time does IT need? Build IT's timeline into the rollout plan from the start, not as an afterthought.

Before a Surge Hire or Headcount Change

• Is employee data in Rippling current and complete? Start dates, departments, managers, and titles all drive automated provisioning. Gaps in HR data become gaps in access.

• Are any of these roles new to the company? New functions may not have provisioning templates yet. IT needs advance notice to build them.

• Are there device lead times to plan around? Shipping and configuring hardware takes time. Remote hires especially require early coordination.

• What happens if device delivery and system access aren't in sync? Plan the edge case before it becomes a day-one incident.

Before a Sensitive Termination or Offboarding

• How much notice can HR give IT, and when? The more lead time, the lower the risk window. Establish a standing protocol rather than deciding case by case.

• What is the full list of apps this person had access to? HR and IT should build this list together. Missed apps mean retained access after departure.

• What's the device retrieval plan, and who owns it? Define ownership before the situation arises.

• Are there shared credentials or service accounts tied to this person? These are the most commonly missed items and the highest risk if left active.

Before Opening a New Office or Location

• Is IT in the planning conversation from the start? Network infrastructure, device setup, and local compliance requirements all require IT input before commitments are made.

• What are the security and data handling requirements for this region? Different jurisdictions have different requirements that affect how IT configures access and manages devices.

• Managing remote employee devices across locations.

• Who handles IT support for employees at this location? Define the escalation path before anyone is on-site.

Three Questions That Work Every Time

• "What do you need from us to make this go smoothly?" Opens the door instead of handing IT a fait accompli.

• "What could break?" Gives IT permission to surface risks before they become incidents.

• "How do we avoid creating compliance gaps or double work for each other?" Frames the relationship around shared accountability, not competing priorities.

Rippling connects HR and IT in a single platform so the employee data that drives provisioning, access control, and device management stays in sync automatically. See how Rippling IT works.