articleIcon-icon

Article

2 min read

The Hidden IT Cost of Every Cross-Border Role Change

IT & device management

Image

Author

Dr Kristine Lennie

Last Update

July 16, 2026

Deux personnes parlent sur un canapé
Table of Contents

Why are role changes harder than onboarding or offboarding?

What goes wrong when role changes don't trigger IT workflows

Why cross-border transfers are even more complex

So, what should happen when an employee changes roles?

How Deel IT supports role changes across the employee lifecycle

Key takeaways

  1. Promotions, cross-border transfers, and restructures are some of the most overlooked IT events in distributed organizations, often leaving stale access and unused software licenses behind.
  2. Role changes that don't trigger IT workflows create unnecessary software costs, security risks, and compliance gaps long before they're discovered in an audit.
  3. Deel IT integrates directly with your HRIS so that hire, transfer, and role-change events automatically push updated access policies across devices, applications, and SaaS tools

Disclaimer: This article is provided for general informational purposes and should not be treated as legal or IT compliance advice. Consult a qualified professional for guidance specific to your organization's regulatory obligations.

Onboarding and offboarding get all the attention. IT teams build checklists, automate provisioning workflows, and track device returns at exit. What rarely gets the same treatment is the event in between: the moment an employee changes roles.

A promotion, cross-border transfer, or team restructure should trigger updates to an employee's access, software licenses, and, in some cases, device policies. Too often, those changes are handled through a Slack message, a support ticket, or not at all. The employee's HR record changes, but their IT access doesn't, leaving behind stale permissions, unnecessary software licenses, and, for global organizations, compliance risks that often go unnoticed until an audit or security review.

Why are role changes harder than onboarding or offboarding?

Onboarding and offboarding are predictable IT events. Role changes aren't. Instead of following a single checklist, IT has to interpret what has changed and decide what needs to happen next.

The difference comes down to three things:

  1. There isn't one clear trigger. A hire has a start date. An exit has a termination date. Promotions, department changes, restructures, and cross-border transfers often happen over time, with effective dates that don't always align with HRIS updates.
  2. IT has to decide what changes and what doesn't. During onboarding, everything necessary is added. During offboarding, everything provisioned is removed. Role changes are more nuanced. Some access should stay, some needs to change, and some should be removed entirely.
  3. More teams are involved. HR records the organizational change, managers understand the employee's new responsibilities, and IT is responsible for translating those changes into the right access, software, devices, and security policies. Without a connected workflow, those handoffs are usually manual.

These differences make role changes one of the easiest lifecycle events to get wrong. When IT doesn't receive a structured signal that something has changed, access, software, and security policies quickly fall out of sync with the employee's actual role.

What goes wrong when role changes don't trigger IT workflows

When a role change doesn't trigger the right IT actions, the consequences are rarely immediate. Employees continue working, systems continue functioning, and the problems accumulate quietly until they're uncovered during an audit, security review, or software spend analysis.

Here are some of the most common issues that tend to surface in distributed organizations:

Access accumulation (privilege creep)

When an employee moves between teams or countries, new permissions are typically added while previous access remains in place. Over time, employees accumulate permissions that no longer reflect their responsibilities, increasing the organization's attack surface and making access reviews progressively more difficult.

Hidden software costs

Role changes often mean different software needs. A team lead promoted to a manager may need workforce planning software but no longer requires a developer-tier license. Without a structured role-change workflow, new software is assigned while previous licenses remain active.

This is an often-overlooked source of SaaS waste. According to Zylo's 2025 SaaS Management Index, organizations waste an average of $21 million annually on unused SaaS licenses, while research from Ramp estimates that as much as 50% of software spend goes toward unused licenses. Unlike offboarding, where licenses are expected to be removed, role changes are much harder to detect because the employee remains active.

Mobile Device Management
Secure and manage IT devices across any operating system
Keep every device secure and up to date—no matter where your teams are. Deel IT lets you manage your entire fleet across operating systems, automate updates, enforce policies, and deploy globally with zero-touch setup.
Banner asset_Deel IT Mobile Device Management

Without a structured role-change workflow, it's common to see:

  • New software assigned without licenses from the previous role being removed.
  • Employees retaining access to applications they no longer use.
  • Premium licenses remaining active after responsibilities change.
  • Unused software accumulating until it's uncovered during a manual audit.

The impact adds up quickly. Zylo's 2026 SaaS Management Index found that license utilization improved from 47% in 2024 to 54% in 2025, yet nearly half of all SaaS licenses still go unused. With average SaaS spend reaching $4,830 per employee, according to the 2025 Zylo report, a company with 500 employees spends roughly $2.4 million on SaaS each year. If role changes leave even 30–50% of outdated software assignments in place, that's $720,000–$1.2 million in avoidable annual spend—before accounting for the associated security and compliance risks.

Cross-border compliance gaps

Role changes that involve moving countries or legal entities introduce additional compliance and security considerations. Those challenges deserve a closer look (see below).

Why cross-border transfers are even more complex

The same operational challenges exist in any role change, but moving an employee across countries adds another layer of challenges. Beyond updating access and software, IT may need to review device configurations, account for different legal entities, and ensure security policies still align with local regulations. Each of these requires its own review as part of the transfer process.

For IT teams, the additional complexity usually falls into the following areas:

Device management across jurisdictions

A device configured for an employee in Germany may need to be reconfigured (or, in some cases, replaced) when that employee transfers to Singapore. Security baselines, MDM policies, encryption requirements, data residency rules, and local compliance obligations can all vary by country. If IT isn't automatically notified of the transfer, there's no prompt to verify that the device still meets the requirements of its new location.

Data access across legal entities

Cross-border transfers often involve moving between legal entities, not just countries. That means an employee may no longer need access to systems, files, or customer data owned by their previous entity. In regulated industries (or wherever data protection laws impose strict access controls) those lingering permissions can quickly become a compliance risk if they aren't reviewed as part of the transfer.

Regional software licensing

Software licensing isn't always global. Many SaaS vendors price licenses by region, apply different contractual terms, or limit features based on where employees are located. A role change that also moves an employee to another country may require licenses to be reassigned, downgraded, upgraded, or moved to a different regional agreement. Without reviewing software entitlements as part of the transfer, organizations can end up paying for licenses that no longer match the employee's location or role.

So, what should happen when an employee changes roles?

Every role change should trigger more than an update in the HRIS. Whether an employee is promoted, changes departments, moves to a new manager, or transfers to another country, IT should automatically update the employee's access, software, devices, and security policies to reflect their new responsibilities.

Use the checklist below to evaluate your current process. If a role change doesn't consistently trigger each of these actions, your organization is likely relying on manual handoffs between HR, managers, and IT, creating unnecessary security, compliance, and software management risks.

When HR records... IT should automatically... In place?
A promotion Update access permissions for the new role and remove permissions that are no longer needed.
A department change Review and reassign SaaS licenses and application access.
A country transfer Review device configuration, regional security policies, and location-specific requirements.
A legal entity change Remove access to the previous entity's data and systems.
A manager or team change Apply the appropriate role-based security policies and access groups.

How did you do?

  • 5 boxes checked: Your role-change workflow is likely well automated and consistently applied. HR events are triggering the right IT actions, helping keep access, software, and devices aligned with each employee's current role.
  • 3–4 boxes checked: You've automated some of the most important lifecycle events, but manual handoffs are still likely creating gaps. Review the unchecked areas—they're often where stale access, unnecessary SaaS spend, and compliance issues begin to accumulate.
  • 0–2 boxes checked: Your organization is likely relying heavily on manual processes to manage role changes. That increases the risk of outdated permissions, unused software licenses, inconsistent cross-border workflows, and compliance gaps that may only surface during an audit or security review.

How Deel IT supports role changes across the employee lifecycle

Deel IT helps organizations automate role changes by connecting HR events directly to IT workflows. Instead of relying on manual handoffs, promotions, department changes, and cross-border transfers can trigger the right actions across devices, access, and software—keeping IT aligned with every stage of the employee lifecycle.

With Deel IT, you can:

  • Connect to 15+ HRIS platforms so promotions, department changes, country transfers, and departures automatically trigger IT workflows.
  • Update role-based access across connected identity, MDM, and endpoint management tools as employees move between roles.
  • Keep software entitlements aligned by automatically updating license assignments to match an employee's current responsibilities.
  • Support cross-border transfers with workflows that review device configuration, access, and regional security requirements when employees move countries or legal entities.
  • Maintain a complete audit trail by logging every access change against the originating HR event for compliance and security purposes.
  • Manage the full employee lifecycle from onboarding and role changes to offboarding, giving IT a single view of every employee throughout their time with the company.
  • Equip employees in 130+ countries with global procurement, configuration, shipping, recovery, and replacement services, backed by 99.5% on-time device delivery.
  • Extend beyond IT with Deel's connected platform for global payroll, immigration, relocation, and compliance, helping HR, payroll, and IT work from the same workforce record.
Deel IT
Procure, deliver, manage, and secure devices anywhere
Book a demo to learn how Deel IT helps manage devices, access, and support from one platform.

FAQs

Privilege creep occurs when employees accumulate access permissions over time, typically because new permissions are added with each role change but old ones are never explicitly revoked. In distributed organizations with high internal mobility, privilege creep is a predictable outcome of any provisioning system that isn't integrated with real-time HR data.

Many SaaS vendors price licenses by region and apply different terms, feature sets, or data processing agreements by geography. A cross-border transfer may move an employee between licensing tiers or between data processing agreements. Neither updates automatically unless the IT team receives a structured signal about the transfer.

Onboarding provisions access from a clean state: the new employee has no existing permissions, and the workflow creates a new access profile aligned to the role. Role changes require both addition and subtraction — new permissions must be added and old permissions removed, with no guarantee that the old permission set was clean to begin with.

Cross-reference SaaS license assignment records against HRIS role-change history for a defined period, typically 12 months. For each employee who changed roles and whose license assignments weren't updated, calculate the per-seat cost multiplied by the number of months the stale license remained active.

Deel IT integrates natively with Workday, BambooHR, Personio, and HiBob, and supports additional platforms including Gusto, Dayforce, Microsoft Entra, Sage HR, and Zoho People through an iPaaS integration layer. Organizations using Deel HR as their primary HRIS don't require a separate integration.

Image

Dr Kristine Lennie holds a PhD in Mathematical Biology and loves learning, research and content creation. She had written academic, creative and industry-related content and enjoys exploring new topics and ideas. She is passionate about helping create a truly global workforce, where employers and employees are not limited by borders to achieve success.