What an Identity Architecture Review actually delivers.

Our flagship cybersecurity engagement. Five weeks. Seven domains. A board-grade memo your CIO and CISO can act on without translation.

Most identity programmes in mid-market and large enterprises are built up over years, in response to specific incidents and specific procurement decisions. They are not designed. They accrete.

The Identity Architecture Review is a five-week engagement that treats your identity estate as a coherent system and tells you, in writing, where it is sound, where it is exposed, and what to do next.

We work across seven domains: workforce identity, customer identity, machine identity, privileged access, SaaS-to-SaaS integration trust, AI agent access, and incident response readiness. Each domain is assessed against a maturity rubric that we share at the start, so the findings are explainable to a board, not just to a security team.

Week one is discovery. We read your IAM provider configuration, your SaaS integration map, your privileged access platform, your detection content, your incident playbooks. We do not run scanners. We read configuration the way an architect reads a plan.

Weeks two and three are interviews and threat modelling. Identity, infrastructure, application security, IT operations, internal audit, and the operators of the three or four systems that, if compromised, would constitute the worst day of your year.

Week four is synthesis. The architecture diagram, the gap register, the prioritised remediation roadmap, the policy and standard updates, and the board-grade memo.

Week five is socialisation. We present the findings to the security team, the IT leadership, and — if invited — the board or audit committee. Findings are written to be useful in those rooms, not impressive in them.

The deliverable is the memo, the architecture, the gap register, and a roadmap. The roadmap is sequenced, costed at order of magnitude, and aligned to the actual capacity of your team. It is not a vendor pitch in disguise.