You appeared to say "it should never be up to IT to grant/deny/revoke access"?
Of course a department manager should inform IT of a new starter what their role will be and what applications etc they may need access to (for non-standard) roles. But it is up to IT to make decisions on what access should be granted to achieve this or whether it is overreaching. There will always be procedures in place with various levels of sign-off but this is usually decided by IT based upon how confidential or what security needs to be put in place to achieve that.
For instance IT may request that all VPN access requires a big checklist of safeguards put in place with a director sign-off before granting it. The department manager might fill in the form to request it but it was up to IT to decide how this will be granted, exactly what it will give access to and ultimately whether it is felt that the requested purpose for needing this access is not sufficient to warrant the security risk.
Similarly if previously the HR department had full access to xyz system. If IT feel that this system was not necessary, or that it breaks data protection laws, for instance, then it is well within their remit to close access to it. If there is likely to be any impact to the users by doing that then I would always expect it to be discussed with them first or explained the reasons behind it but in circumstances it may be necessary.
So I would disagree that "it should never be up to IT to grant/deny/revoke access". I would say it is the primary responsibility of IT to do this and any requests to do this are asked using the relevant company procedures, which if followed correctly and are relevant will be actioned without issue.
I would also say the opposite in that it shouldn't be up to HR to tell IT to revoke access, for instance. A policy should be in place that when someone is due to leave the company IT are told x amount of time before they leave. It is then up to IT to have their own procedures on how to handle this and limit and/or revoke access as necessary. HR should just need to inform the relevant departments of the leaver, the rest is up to IT/security/recoverables/finance etc.