Origin
Pranay, one of our founders, wrote this after spending an afternoon with an IT lead at a 600-person company - four days into figuring out what a single departed engineer still had access to. The list kept growing.
There's a version of identity governance that satisfies every auditor, passes every compliance checklist, and leaves your ex-employees with active Salesforce accounts three months after their last day. Most companies are running this version right now.
It looks exactly right from the outside. You have Okta. You run access reviews. You have an offboarding process. The SOC2 report says access management: compliant. The board gets a slide that says identity governance: in place.
The slide and the reality are different documents.
Here's what the reality looks like at a typical 500-person company. Across the companies we've onboarded, the average 500-person company has 107 applications in their environment. Their SSO (Okta, Entra, whatever they're running) governs 23 of them.
The other 80% exist outside that system entirely.
Notion. Figma. Linear. Miro. Loom. Airtable. GitHub on a standard plan. The project management tool one team adopted last quarter. The analytics platform someone signed up for with a company card. Every tool that doesn't support SCIM, every app provisioned before the SSO existed, every piece of software an employee signed up for without going through IT (which, at a growing company, happens constantly).
These apps get provisioned manually when someone joins. A Slack message to IT. Someone logs in, creates the account, sets the permissions, moves on. When someone leaves? The same process in reverse, except now you're trying to recall every tool that person touched across three years and multiple role changes. Under time pressure. While the rest of the queue is still moving.
This is not a criticism of IT teams. It's a description of a structural problem that no checklist can fix.
In our first discovery scan on a new customer environment, we find an average of 18 former employees with at least one active account still open. The average orphaned account has been sitting there for 52 days since the person's last day. Not because anyone decided to leave it open. Because nobody had visibility into it in the first place.
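As an added illustration of the reconciliation such a discovery scan performs (example code written for this article, not the product's own): match each application's user export against the HR roster, flag every enabled account whose owner has left, and report how long each has been open. ROSTER, APP_EXPORTS and AS_OF are constructed sample data; accounts that match no roster entry at all are skipped here, though a real scan would list them for review as well.

```python
from datetime import date
# Constructed sample data for this example, not from any real environment.
# HR roster: employment status and last working day for departed people.
ROSTER = {
    "ana@example.com":   {"status": "terminated", "last_day": date(2024, 3, 1)},
    "ben@example.com":   {"status": "active",     "last_day": None},
    "chloe@example.com": {"status": "terminated", "last_day": date(2024, 4, 10)},
}
AS_OF = date(2024, 5, 1)  # constructed scan date

# Per-application user exports: one SSO-governed app and three provisioned
# by hand outside SCIM. Each user entry is (email, account_enabled).
APP_EXPORTS = {
    "Okta":   {"sso_governed": True, "users": [
        ("ana@example.com", False), ("ben@example.com", True),
        ("chloe@example.com", False)]},
    "Notion": {"sso_governed": False, "users": [
        ("ana@example.com", True), ("ben@example.com", True)]},
    "Figma":  {"sso_governed": False, "users": [("chloe@example.com", True)]},
    "GitHub": {"sso_governed": False, "users": [
        ("ana@example.com", True), ("chloe@example.com", False)]},
}

def find_orphaned_accounts(roster, app_exports, as_of):
    """Every still-enabled account held by a departed person, oldest first."""
    orphans = []
    for app, export in app_exports.items():
        for email, enabled in export["users"]:
            person = roster.get(email)
            if not enabled or person is None or person["status"] != "terminated":
                continue
            orphans.append({"email": email, "app": app,
                            "sso_governed": export["sso_governed"],
                            "days_open": (as_of - person["last_day"]).days})
    return sorted(orphans, key=lambda o: -o["days_open"])

def summarize(orphans):
    """Roll the findings up into the figures a discovery scan reports."""
    people = {o["email"] for o in orphans}
    outside_sso = sum(1 for o in orphans if not o["sso_governed"])
    avg = sum(o["days_open"] for o in orphans) / len(orphans) if orphans else 0
    return {"former_employees": len(people), "accounts": len(orphans),
            "outside_sso": outside_sso, "avg_days_open": round(avg, 1)}

if __name__ == "__main__":
    found = find_orphaned_accounts(ROSTER, APP_EXPORTS, AS_OF)
    for o in found:
        print(f"{o['app']:<7} {o['email']:<20} open {o['days_open']:>3} days"
              + ("" if o["sso_governed"] else "  (outside SSO)"))
    print(summarize(found))
```

Note that the SSO export shows both departed people correctly disabled; every orphan in this sample lives in an app the SSO never governed, which is the gap the article describes.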
The access review tells the same story. Once a quarter - or once a year, if you're honest about it - someone exports a spreadsheet from Okta, formats it into a review document, and sends it to thirty managers asking them to confirm which permissions their people still need. Most managers approve without reading. Not because they don't care. Because the spreadsheet doesn't tell them what the access actually does, why it was granted, or whether it's still needed. So they clear their inbox, and the review gets filed as complete.
The auditor sees: access review conducted. The reality: the same permissions that existed last quarter still exist, with a timestamp that says someone looked at them.
That is governance theater. The performance of governance without the substance. Every box checked. Every risk still present.
The tell is a single question.
Ask your IT team: if someone left today, how long would it take to revoke their access to every application in your environment (including the ones not in your SSO)?
If the answer is measured in hours rather than seconds, you don't have a governance program. You have a governance approximation. One that works well enough until it doesn't: until the access review finds something that shouldn't be there, until the auditor asks for the evidence behind the checkbox, until the former employee who left on difficult terms quietly logs back in.
The answer should be seconds, not hours. Not because someone ran through the checklist faster. Because the checklist doesn't exist anymore.
That's what complete coverage looks like in practice: person leaves, access closes across every application in your environment, not just the ones your SSO was built for. The 20 apps in Okta and the 100 that aren't. Closed together. Automatically. Without requiring those apps to support SCIM.
Governance theater feels safe. That's what makes it dangerous.
It creates the confidence of a solved problem without solving the problem. Which means the next incident, the next audit, the next departure lands on a team that believes it's protected and isn't. The companies that fix this don't fix it by improving their Okta configuration. They fix it by acknowledging the gap that SSO was never meant to close, and closing it.
Nothing left open. Not as an aspiration. As the baseline.
If this is where your identity program is, we'd like to show you what finally complete looks like. No deck. Just the product.