Note: I've been in discussion with the IBM product owners about this, but I'm submitting this idea so that there will be a better/easier way to track the status of the feature.
In general, we need a way to replace existing on-premise provisioning systems that provision/de-provision a variety of on-premise targets. The discussion so far has centered around using technology very similar to the on-premise AD provisioning setup, but instead of having that on-premise component connect to AD, it would just emit raw provisioning messages (presumably in SCIM/JSON format) to a configurable endpoint address on-premise. This address would point to a customer-owned component (maybe SDI, maybe something else) that can perform the "last mile" provisioning.
Do not place IBM confidential, company confidential, or personal information into any field.