Enterprise IAM Governance¶
The Challenge¶
Large enterprises accumulate tens of thousands of access grants across Azure AD, on-premises directories, SaaS applications, and data platforms. Traditional periodic access reviews suffer from well-known problems:
Pain Points
- Volume overload — Reviewers face 10,000+ grants in a single campaign and rubber-stamp approvals to finish on time.
- Stale access — Employees change roles but keep old permissions; service accounts outlive the projects that created them.
- No risk context — Every grant looks the same in a spreadsheet. High-risk DBA access sits next to harmless read-only dashboards.
- Slow cadence — Quarterly or annual reviews leave a 3–12 month window where decayed access goes undetected.
How Verity Helps¶
Verity replaces the "review everything on a schedule" model with continuous, risk-prioritised access governance.
```mermaid
flowchart LR
    subgraph Sources
        AD["Azure AD<br/>(Entra ID)"]
        HR["HR System<br/>(SCIM / CSV)"]
    end
    subgraph Verity
        I["Ingest Plane"]
        N["Normalise Plane"]
        S["Score Plane"]
        R["Review Plane"]
        X["Remediation Plane"]
    end
    AD -->|Graph API| I
    HR -->|SCIM / CSV| I
    I --> N --> S --> R --> X
    X -->|Revoke / Downgrade| AD
    style I fill:#7c4dff,color:#fff,stroke:none
    style N fill:#651fff,color:#fff,stroke:none
    style S fill:#536dfe,color:#fff,stroke:none
    style R fill:#448aff,color:#fff,stroke:none
    style X fill:#40c4ff,color:#000,stroke:none
```
Key Capabilities¶
| Capability | Description |
|---|---|
| Continuous Scoring | Every grant is re-scored every 6 hours using 6 weighted factors. |
| Identity Resolution | Multiple identifiers (UPN, email, employee ID) collapse to a single canonical principal. |
| Peer Comparison | A grant that a principal's peers do not hold (a marketing analyst with DBA privileges, for example) scores higher than the same grant held across the whole team, surfacing outliers. |
| HR Signal Integration | Departures, transfers, and leave events instantly boost decay scores. |
| Smart Review Routing | Only grants above the risk threshold generate review packets, typically well under 10 % of total grants (7 % in the Contoso scenario below). |
| SLA Enforcement | Temporal workflows track response times and escalate automatically. |
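Identity Resolution as a worked example: the union-find below merges Azure AD and HR-feed records that share any normalised identifier into one canonical principal, and flags clusters that ended up holding two different employee IDs, which usually means a shared mailbox or a recycled UPN has over-merged two people. This is an added illustration, not Verity's Normalise Plane code; the record fields (`upn`, `mail`, `employeeId`), the canonical-name preference order and the sample records are assumptions constructed for the example.

```python
"""Identity resolution: collapse records keyed by UPN, email or employee ID
into one canonical principal per person.  Added example, not Verity's own
Normalise Plane code; field names and sample records are constructed."""
from collections import defaultdict

# Constructed sample input, shaped like an Azure AD export and an HR CSV feed.
AAD_RECORDS = [
    {"id": "aad-1", "upn": "jdoe@contoso.com", "mail": "john.doe@contoso.com", "employeeId": "E1001"},
    {"id": "aad-2", "upn": "svc-backup@contoso.com", "mail": None, "employeeId": None},  # service account
    {"id": "aad-3", "upn": "JDOE@CONTOSO.COM", "mail": None, "employeeId": None},        # case variant of aad-1
]
HR_RECORDS = [
    {"id": "hr-1", "upn": None, "mail": "john.doe@contoso.com", "employeeId": "E1001"},
    {"id": "hr-2", "upn": None, "mail": "amy.lee@contoso.com", "employeeId": "E1002"},
    {"id": "hr-3", "upn": None, "mail": "ops@contoso.com", "employeeId": "E1003"},  # shared mailbox ...
    {"id": "hr-4", "upn": None, "mail": "ops@contoso.com", "employeeId": "E1004"},  # ... listed for two people
]


def identifier_keys(record):
    """Normalised (type, value) pairs a record can be matched on."""
    keys = []
    if record.get("upn"):
        keys.append(("upn", record["upn"].strip().lower()))
    if record.get("mail"):
        keys.append(("mail", record["mail"].strip().lower()))
    if record.get("employeeId"):
        keys.append(("employeeId", record["employeeId"].strip().upper()))
    return keys


class UnionFind:
    """Disjoint-set forest with path halving; nodes are record ids."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve_principals(records):
    """Union records that share any identifier.  Returns
    {canonical: {"records": [...], "identifiers": set, "conflict": bool}}.
    conflict is True when one cluster carries two different employee IDs."""
    uf = UnionFind()
    first_owner = {}  # identifier -> first record id seen with it
    for rec in records:
        for key in identifier_keys(rec):
            if key in first_owner:
                uf.union(first_owner[key], rec["id"])
            else:
                first_owner[key] = rec["id"]
    clusters = defaultdict(lambda: {"records": [], "identifiers": set()})
    for rec in records:
        c = clusters[uf.find(rec["id"])]
        c["records"].append(rec["id"])
        c["identifiers"].update(identifier_keys(rec))
    result = {}
    for root, c in clusters.items():
        by_type = defaultdict(list)
        for t, v in sorted(c["identifiers"]):
            by_type[t].append(v)
        # Assumed preference order for the canonical name: employee ID, UPN, mail.
        for t in ("employeeId", "upn", "mail"):
            if by_type[t]:
                canonical = f"{t}:{by_type[t][0]}"
                break
        else:
            canonical = f"record:{root}"
        result[canonical] = {"records": sorted(c["records"]),
                             "identifiers": c["identifiers"],
                             "conflict": len(by_type["employeeId"]) > 1}
    return result
```

Matching on email alone is the usual source of over-merges: a shared or recycled mailbox links two real employees, and a review decision on one would then silently cover the other's grants. Treating a cluster with more than one employee ID as a conflict to be resolved by a human, rather than as a principal, keeps that mistake out of the scoring and remediation planes.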
Example Scenario¶
Contoso Financial Services — 42,000 Employees¶
Contoso connects Azure AD and its SAP SuccessFactors HR feed to Verity.
Day 0 – Ingest¶
Verity discovers 87,400 access grants across 1,200 Azure AD applications.
Day 1 – Score¶
The Decay Engine computes initial scores. Distribution:
| Risk Level | Grants | % of Total |
|---|---|---|
| Low (0–29) | 68,200 | 78 % |
| Medium (30–59) | 12,800 | 15 % |
| High (60–79) | 4,900 | 5.6 % |
| Critical (80–100) | 1,500 | 1.7 % |
Day 2 – Review¶
Verity generates 6,400 review packets (High + Critical) — a 93 % reduction from the 87,400 grants that a traditional campaign would require.
Review packets are routed to 340 data owners via the dashboard and email notifications.
Day 7 – Remediate¶
- 1,200 of the 1,500 Critical grants auto-remediated under the remediation policy validated in dry-run mode before go-live (week 0).
- 4,100 of the 4,900 High grants reviewed and decided by data owners.
- 1,100 remaining grants (300 Critical and 800 High) escalated per SLA policy.
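The Day 1 scoring, the Day 2 routing and the dry-run gate on Day 7 remediation, as an added worked example that is not Verity's Decay Engine code. The six factors and their weights, the 180- and 365-day caps, the privilege and HR-event scales, the leaver floor, and the sample grants and peer roster are all assumptions chosen to illustrate the Continuous Scoring, Peer Comparison, HR Signal Integration and Smart Review Routing capabilities on the page's 0–100 scale and risk bands.

```python
"""Continuous scoring and review routing over a set of access grants.
Added example, not Verity's Decay Engine: factors, weights, thresholds,
the leaver floor and the sample data are assumptions."""
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical factor weights on the page's 0-100 scale (they sum to 100).
WEIGHTS = {
    "privilege": 30,       # read-only .. admin
    "dormancy": 20,        # days since the grant was last exercised (capped at 180)
    "review_age": 10,      # days since a human last attested it (capped at 365)
    "peer_deviation": 20,  # share of the principal's peer group that lacks this grant
    "hr_signal": 15,       # leave / transfer / departure event from the HR feed
    "account_type": 5,     # service accounts outlive their projects
}
PRIVILEGE = {"read": 0.0, "write": 0.4, "owner": 0.8, "admin": 1.0}
HR_SIGNAL = {None: 0.0, "leave": 0.5, "transfer": 0.7, "departure": 1.0}
BANDS = [(80, "Critical"), (60, "High"), (30, "Medium"), (0, "Low")]
REVIEW_THRESHOLD = 60          # High and Critical produce review packets
AUTO_REMEDIATE_THRESHOLD = 80  # Critical may be revoked without a human once live

def days_ratio(when, today, cap):
    """1.0 when the date is unknown or older than the cap, else days / cap."""
    return 1.0 if when is None else min((today - when).days, cap) / cap

def peer_share(grants, roster):
    """Fraction of each peer group (roster from the HR feed) holding each resource."""
    holders = defaultdict(set)
    for g in grants:
        holders[(g["peer_group"], g["resource"])].add(g["principal"])
    return {k: len(v) / len(roster[k[0]]) for k, v in holders.items()}

def score_grant(g, share, today):
    factors = {
        "privilege": PRIVILEGE[g["privilege"]],
        "dormancy": days_ratio(g["last_used"], today, 180),
        "review_age": days_ratio(g["last_reviewed"], today, 365),
        "peer_deviation": 1.0 - share,
        "hr_signal": HR_SIGNAL[g["hr_event"]],
        "account_type": 1.0 if g["principal_type"] == "service" else 0.0,
    }
    score = round(sum(WEIGHTS[k] * v for k, v in factors.items()))
    # Design choice (assumption): a weighted sum can dilute a decisive signal,
    # so any grant still held by a departed employee is floored into Critical.
    if g["hr_event"] == "departure":
        score = max(score, AUTO_REMEDIATE_THRESHOLD)
    return score

def band(score):
    return next(name for floor, name in BANDS if score >= floor)

def route(grants, roster, today, dry_run=True):
    """Score every grant and decide 'auto-remediate', 'review' or 'none'.
    In dry-run mode auto-remediation candidates are flagged but sent to review."""
    shares = peer_share(grants, roster)
    decisions = []
    for g in grants:
        s = score_grant(g, shares[(g["peer_group"], g["resource"])], today)
        auto = s >= AUTO_REMEDIATE_THRESHOLD
        action = ("auto-remediate" if auto and not dry_run
                  else "review" if s >= REVIEW_THRESHOLD else "none")
        decisions.append({"grant": g["id"], "score": s, "band": band(s),
                          "action": action, "would_auto_remediate": auto})
    return decisions

def summarize(decisions):
    """Band distribution, like the Day 1 table in the scenario."""
    counts = {name: 0 for _, name in BANDS}
    for d in decisions:
        counts[d["band"]] += 1
    return counts

# Constructed sample data; peer groups are job titles from the HR feed.
TODAY = date(2025, 3, 1)
ROSTER = {"marketing-analyst": {"amy", "bob", "cat", "dan"},
          "service": {"svc-backup", "svc-etl"}}

def grant(gid, principal, group, resource, priv, used, reviewed, hr=None, ptype="user"):
    return {"id": gid, "principal": principal, "peer_group": group, "resource": resource,
            "privilege": priv, "last_used": used, "last_reviewed": reviewed,
            "hr_event": hr, "principal_type": ptype}

def ago(days):
    return TODAY - timedelta(days=days)

GRANTS = [
    grant("g1", "amy", "marketing-analyst", "sql-prod", "admin", ago(180), None),  # DBA outlier
    grant("g2", "amy", "marketing-analyst", "dashboard", "read", ago(0), ago(73)),
    grant("g3", "bob", "marketing-analyst", "dashboard", "read", ago(0), ago(73), hr="departure"),
    grant("g4", "cat", "marketing-analyst", "dashboard", "read", ago(0), ago(73)),
    grant("g5", "dan", "marketing-analyst", "dashboard", "read", ago(0), ago(73)),
    grant("g6", "bob", "marketing-analyst", "finance-share", "write", ago(0), ago(73), hr="departure"),
    grant("g7", "cat", "marketing-analyst", "finance-share", "write", ago(90), ago(73)),
    grant("g8", "svc-backup", "service", "storage-prod", "owner", None, None, ptype="service"),
]
```

Running `route(GRANTS, ROSTER, TODAY)` scores the analyst's DBA grant at 75 (High) while her dashboard grant, held by the whole team, scores 2; the departed employee's grants are floored to 80 and, in dry-run mode, land in review packets flagged `would_auto_remediate` so the proposals can be compared with the owners' decisions before live mode is switched on.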
Before & After¶
| Metric | Before Verity | After Verity |
|---|---|---|
| Grants reviewed per cycle | 87,400 (all) | 6,400 (7 %) |
| Review cycle duration | 6–8 weeks | Continuous (7-day SLA) |
| Reviewer fatigue | High — rubber-stamping | Low — contextual packets |
| Stale access detection lag | 3–12 months | ≤ 6 hours |
| Compliance evidence | Manual screenshots | Automated audit trail in ClickHouse |
| Mean time to revoke (MTTR) | 45 days | 2.3 days |
Enterprise Deployment Architecture¶
A typical enterprise deployment runs Verity on Kubernetes alongside existing identity infrastructure.
```mermaid
graph TB
    subgraph "Corporate Network"
        AD["Azure AD<br/>(Entra ID)"]
        HR["HR System"]
        ITSM["ServiceNow"]
    end
    subgraph "Kubernetes Cluster"
        subgraph "Verity Namespace"
            API["API Gateway"]
            ING["Ingest Workers (3)"]
            NRM["Normalise Engine (2)"]
            SCR["Decay Engine (2)"]
            REV["Review Generator"]
            WFE["Workflow Engine"]
            REM["Remediation Executor"]
            AUD["Audit Writer"]
            CMP["Compliance Reporter"]
            UI["Dashboard UI"]
        end
        subgraph "Data Namespace"
            PG["PostgreSQL +<br/>TimescaleDB"]
            CH["ClickHouse"]
            KFK["Kafka (KRaft)"]
            RDS["Redis"]
            TMP["Temporal"]
        end
    end
    AD <-->|Graph API| ING
    HR -->|SCIM / CSV| ING
    ING --> KFK
    KFK --> NRM --> PG
    KFK --> SCR --> PG
    KFK --> REV --> TMP
    TMP --> WFE
    WFE --> REM
    REM -->|Revoke| AD
    REM -->|Ticket| ITSM
    AUD --> CH
    API --> PG
    API --> RDS
    UI --> API
```
Getting Started¶
Recommended First Steps
- Deploy Verity using the Quick Start guide.
- Connect Azure AD — follow First Connector.
- Add the HR feed — configure the HR connector in Configuration.
- Run in Dry-Run mode for 2 weeks to validate scoring before enabling auto-remediation: compare the revocations Verity would have made against the decisions data owners reach in review, and look closely at service accounts, which carry no HR signal to confirm that they are stale.
- Enable live remediation and set SLA policies per risk level.
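One way to turn the dry-run step into a measurable go-live gate, as an added example that is not part of Verity: the auto-remediation proposals logged during the dry-run period are compared with the decisions data owners actually made on the same grants, agreement is computed per principal type, and only types that clear a threshold are allowed out of dry-run. The record formats, the `evaluate_dry_run` / `go_live_plan` names, the 95 % threshold and the sample data are assumptions.

```python
"""Dry-run gate: compare what auto-remediation would have revoked with what
data owners decided in review, then allow live mode only where they agree.
Added example, not Verity's code; formats, threshold and data are assumed."""

# Constructed dry-run log: grants the Remediation Executor would have revoked.
DRY_RUN_PROPOSALS = [
    {"grant": "g101", "principal_type": "user", "reason": "departure"},
    {"grant": "g102", "principal_type": "user", "reason": "departure"},
    {"grant": "g103", "principal_type": "service", "reason": "dormant"},
    {"grant": "g104", "principal_type": "user", "reason": "peer-outlier"},
    {"grant": "g105", "principal_type": "service", "reason": "dormant"},
    {"grant": "g106", "principal_type": "user", "reason": "departure"},
]
# Constructed data-owner decisions from the Review Plane for the same grants.
OWNER_DECISIONS = {
    "g101": "revoke", "g102": "revoke",
    "g103": "keep",    # owner kept the "dormant" backup service account
    "g104": "revoke",
    "g105": "keep",    # owner kept the "dormant" ETL service account
    "g106": "revoke",
}
MIN_AGREEMENT = 0.95  # assumed bar for leaving dry-run


def evaluate_dry_run(proposals, decisions):
    """Agreement between dry-run revoke proposals and human decisions.
    A proposal nobody decided on counts as proposed but not agreed: it is
    no evidence that the automation was right, so it lowers the rate."""
    stats = {}
    overruled, undecided = [], []
    for p in proposals:
        bucket = stats.setdefault(p["principal_type"], {"proposed": 0, "agreed": 0})
        bucket["proposed"] += 1
        decision = decisions.get(p["grant"])
        if decision is None:
            undecided.append(p["grant"])
        elif decision == "revoke":
            bucket["agreed"] += 1
        else:
            overruled.append(p)  # a false positive if it had been live
    total = sum(b["proposed"] for b in stats.values())
    agreed = sum(b["agreed"] for b in stats.values())
    return {
        "agreement": agreed / total if total else 0.0,
        "by_type": {t: b["agreed"] / b["proposed"] for t, b in stats.items()},
        "overruled": overruled,
        "undecided": undecided,
    }


def go_live_plan(report, min_agreement=MIN_AGREEMENT):
    """Which principal types may have auto-remediation switched on."""
    return {t: rate >= min_agreement for t, rate in report["by_type"].items()}
```

On the sample data the user-account proposals agree 100 % with the owners, while both service-account proposals were overruled, so the plan enables live remediation for users only and keeps service accounts in dry-run; the overruled list is the input for tuning the dormancy factor before trying again.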