How We Built Identity Governance from Scratch for a National Circular Economy Organization
Orphaned accounts and manual onboarding replaced by automated identity governance: a greenfield SailPoint IdentityIQ implementation for a multi-subsidiary national organization, all 18 applications live by month nine of a 12-month engagement, and access that now starts and stops with the HR record.
Agency and system names anonymized for security. Full briefing available under mutual NDA.
8 min read
- Client
- National waste management and circular economy organization (anonymized)
- Domain
- Identity governance and access management
- Engagement
- Greenfield SailPoint IdentityIQ implementation with HR-driven provisioning and role-based access control spanning subsidiaries and domains
The situation
The client is standing up a new national sector: building waste management capability across the Kingdom in support of national circular economy goals. Organizations assembled from multiple subsidiaries and domains accumulate identity problems at every seam.
User identities lived across multiple domains and applications with no central control, producing overprovisioned access, orphaned accounts, and no reliable record of who had access to what. Onboarding and offboarding were mostly manual: new joiners waited for access while human error crept into every step, and departing employees left active accounts behind, credentials that outlived their owners, a standing risk the IT and cybersecurity teams could see but not close. And the data any automation would depend on, the user records and the Active Directory structure itself, needed cleanup before it could meet the accuracy and regulatory standards required of a source of truth.
Automation built on dirty data just makes the wrong thing happen faster.
The challenge
Fixing this meant engineering through four constraints at once:
- Eighteen business applications to integrate, each with different connector types and integration requirements, and some application owners who had never used their systems' integration capabilities.
- A hard dependency at the front of the schedule: no workflow could go live until user data was verified across every field provisioning would rely on, departments were remapped, and Active Directory was restructured, because automating against inaccurate source data would only propagate it.
- Complex manual workflows that generic lifecycle templates could not represent, requiring custom rules to automate.
- An RBAC model that had to govern different user types across subsidiaries and domains.
The approach
Identity governance programs have a well-earned reputation for stalling after the first wave of connectors. ExeQut phased this one against that failure mode: SailPoint IdentityIQ implemented from scratch, with planning, integration waves, and stabilization each given dedicated room in the schedule.
Workshops before architecture
The first 3 months went to full workshops with application owners across the organization: understanding business needs, gathering integration requirements, and building a strategy and roadmap for onboarding every application. For the owners integrating their systems for the first time, these sessions doubled as enablement.
Clean the data, then trust it
Before any workflow went live, cleanup processes verified the existing user data, departments were remapped, and Active Directory was restructured so the directory could be trusted as a provisioning target. Only then did HR data become the source of truth: automated target mapping now keeps employee data synchronized from HR systems to Active Directory.
Two implementation waves
Integration ran in two 3-month waves: the first 8 key applications, then the remaining 10, each wave shipping its integrations and the automation of the processes around them. Custom rules automated the joiner and leaver workflows around the client's actual operational processes rather than a generic template, and RBAC was implemented to manage user types across subsidiaries and domains. Lifecycle scope was set deliberately: mover workflows and access certification campaigns sat outside these waves, which concentrated on the two events where manual process was doing the most damage, arrival and departure.
Support, training, and managed administration
The final 3 months delivered training for the client's teams and complete design documentation and user manuals for current and future administrators. ExeQut now operates and administers the platform under an ongoing support arrangement, continuing additional integrations and requirements as the organization grows, while the documentation and trained client teams keep the option open to bring administration in-house at any time.
The outcome
The organization moved from fragmented, manual identity operations to a centralized, automated governance model:
- A fully operational IdentityIQ platform: one current record of identities and access in place of per-domain fragmentation.
- Joiner provisioning fully automated: access that once waited on manual steps is created when the HR record says an employee starts, removing the delays and the human error that came with hand-built accounts.
- Leaver deprovisioning fully automated: the active accounts that manual offboarding used to leave behind are now closed by the same record that opens them.
- Employee data synchronized from HR systems to Active Directory automatically, ending manual re-entry.
- RBAC governing access across user types, subsidiaries, and domains: a structural control against the overprovisioned access the engagement began with, enforceable and demonstrable from one platform.
- Complete design documentation, user manuals, and trained internal teams, prepared so administration can move in-house whenever the client chooses.
Deprovisioning no longer depends on someone remembering. It happens because the HR record says so.
From the client's team:
Thanks to their strategic input, we were able to optimize onboarding processes and automate account management with confidence.
The return shows up in the mechanics: provisioning that runs on the HR record instead of tickets, deprovisioning that runs on the same record instead of memory, and a single current answer to who has access to what. For an organization building a new national sector, the identity layer now scales with headcount instead of against it.
What we took from it
- Data cleanup is the first deliverable. Provisioning automation is only as good as its source data, so cleanup and directory restructuring belong at the front of the plan, not on the punch list.
- Invest in application owners early. Requirements workshops doubled as enablement, and owners who understand their own integration are the difference between a wave and a stall.
- Custom workflows beat template workflows. The client's operational complexity needed rules built around how they actually work; a generic model would not have met the business requirements.
- Phase integrations in waves. Bounded 3-month waves kept each integration testable and shipped working automation inside every wave rather than promising it at the end.
- Plan the handover from day one. Documentation, manuals, and training written for future administrators are what let support become managed administration without a cliff, and what keep insourcing an open option for the client.
Want the unredacted briefing?
Agency, systems, architecture, vendors, and outcomes. We walk you through the full engagement under mutual NDA.
Request a private briefing →