Here's a scenario more common than most CISOs admit: your company runs 40-60 SaaS tools, your SSO is configured, MFA is in place-and then someone asks who has access to your GitHub repos, your Notion workspace, or your Figma files. The answer takes three days and four spreadsheets.
That's not a process problem. That's an identity security problem.
Credential abuse was the most common initial attack vector in 2025, accounting for 22% of all data breaches according to Verizon's 2025 Data Breach Investigations Report. And 91% of organizations reported experiencing an identity-related security incident in the past year-nearly double the prior year's reported rate. The perimeter is long gone. Identity is the new control plane.
The good news: you don't need an enterprise IAM team to build identity-first security. A 3-5 person IT or security team can do it-if they follow the right sequence and pick tools that match their actual constraints.
This is that playbook.
What "Identity-First" Actually Means (And What It Doesn't)
Identity-first security means every access decision starts with a verified identity-not a network location, not a VPN session, not an IP address. Cloud adoption, remote work, and API-driven architectures have dissolved traditional network boundaries. Identity is now the one consistent control point spanning all environments and access paths.
In practice, this means:
- Every access request is evaluated continuously, not just at login.
- Permissions are tied to roles and policies, not static group memberships that never get reviewed.
- Offboarding revokes access everywhere-not just in your directory or SSO, but in every app the user touched.
- Non-human identities-service accounts, API keys, bots, AI agents-are governed with the same discipline as human users.
What it doesn't mean: rolling out MFA and calling it done. MFA is a prerequisite, not an architecture.
The real challenge for lean teams isn't understanding the concept. It's closing the gap between authentication (what SSO handles) and governance (what most teams still do manually). That gap-typically covering 60-80% of your app stack-is where your real risk lives.
The coverage gap in plain numbers: Most SSO + SCIM-only setups automate governance for 20-40% of your app stack. The other 60-80% - legacy tools, niche SaaS apps, apps without APIs - are still managed via tickets and spreadsheets. That's where most of your risk lives.
Before You Start: Two Things You Need to Know About Your Stack
1. Map every app your team uses-including the "unofficial" ones.
A solid identity-first architecture starts with an honest inventory. Pull a list from your SSO, your browser management tool, your IT ticketing system, and your expense reports. You'll find apps IT didn't provision and can't currently deprovision. That's your shadow IT surface.
2. Categorize each app by integration capability.
Once you have the list, sort apps into three buckets:
| Bucket | What it means | Risk level |
|---|---|---|
| SSO-connected + SCIM-enabled | Fully automatable | Managed |
| SSO-connected, no SCIM | Login controlled, access not governed | Medium |
| Not in SSO | Fully unmanaged-direct logins, local accounts | High |
Most SaaS-heavy teams find Bucket 3 contains 40-60% of their apps. That's where the playbook starts.
The 7-Step Playbook
Inventory every app your team accesses. Separate them into three buckets: (1) SSO-connected, (2) SCIM-automated, (3) manual/ticketed. Bucket 3 is your immediate risk surface.
Enable MFA universally, configure conditional access policies, and disable local logins wherever possible. Then document every app that your SSO can't reach - that list is your governance gap.
Add an IGA platform (identity governance and administration) that connects to all apps - including those without SCIM or APIs. This is the layer that enforces who has access to what, automates lifecycle events, and runs access reviews.
Tie your HRIS to your IGA platform. Define role-based provisioning profiles for each job function. Every new hire, role change, and departure should trigger automatic access changes across every connected app - not just the SCIM-friendly ones.
Replace periodic spreadsheet reviews with always-on, automated access certifications. Flag orphaned accounts, overprovisioned users, and stale entitlements in real time - before an attacker or an auditor finds them first.
Inventory service accounts, API keys, bots, and AI agents. Assign owners, set expiry policies, and bring them into the same governance layer as your human users. Non-human identities are now the fastest-growing attack surface.
Run a quarterly review of coverage: what percentage of apps are fully governed? Track mean time to deprovision, orphaned account count, and access review completion rates. These are your identity security KPIs.
Step 1 in Depth: Finding Your Real Attack Surface
The protect-surface concept is more useful than "the perimeter" for lean teams because it's actionable. You're not trying to secure everything at once-you're identifying where a breach would actually hurt.
For most teams, the critical surface includes:
- Source code repositories (GitHub, GitLab)-especially repos with production access or secrets
- Communication tools (Slack, Teams)-where sensitive data lives informally
- Project management (Linear, Jira, Notion)-containing product roadmaps and financial data
- Cloud environments (AWS, GCP, Azure)-where the blast radius of a compromised identity is largest
- Finance and HR systems-where the data is most regulated
List your top 10-15. Then ask: if someone's account were compromised, what could they access, and what would the damage be? That ranking drives your governance priority order.
Step 2 in Depth: SSO Is the Foundation-Not the Finish Line
SSO (Single Sign-On) is the correct starting point for identity-first security. It centralizes authentication, enables conditional access policies, and gives you a single place to disable a user fast. If you haven't consolidated on an SSO platform yet, do that first.
But SSO has hard limits lean teams routinely discover too late:
- It only governs apps it's connected to. Many SaaS tools-especially on standard pricing tiers-don't support SCIM or even proper SSO. You can log someone out of Okta and they still have an active session in three other apps.
- It doesn't govern what users can do once they're in. SSO controls the front door. Fine-grained permissions-which Slack channels, which GitHub repos, which Notion pages-are invisible to most SSO setups.
- Partial offboarding is a real, common security gap. Attackers don't hack in anymore-they log in. Credential theft, privilege escalation, and account takeover are the path of least resistance. A user removed from your directory but not from a specific SaaS app is an open door.
The fix isn't replacing SSO-it's adding a governance layer on top. That's what IGA (Identity Governance and Administration) is for.
Step 3 in Depth: The Governance Layer-What IGA Actually Does
IGA is the layer that answers the questions SSO can't:
- Who has access to what, across every app?
- When did they get it, and why?
- Are they still supposed to have it?
- When they leave, does access get revoked everywhere?
The problem: most "modern IGA" tools share the same blind spot as SSO-they only automate apps with SCIM support. That means you're still handling 60-80% of your stack manually with tickets, emails, and deprovisioning checklists.
What you actually need is a platform with universal connector technology-one that connects to apps via SCIM, via API, or via neither. That's the difference between partial governance and complete governance.
For a lean team, the practical criteria for an IGA platform are:
- Live in hours, not months. A 6-18 month implementation is a non-starter for a 3-person IT team.
- No forced enterprise plan upgrades to automate key apps (the "SCIM tax"-paying 3x the price to unlock an API that should be standard).
- Fine-grained control down to the channel, repo, and project level-not just "user is a member of Group X."
- Automated lifecycle management so onboarding, role changes, and offboarding trigger access changes without manual tickets.
- Minimal ongoing maintenance. Zero upkeep is the goal.
Iden is built for exactly this reality-universal connectors for 175+ apps (and growing), zero SCIM tax, and live in ~24 hours. It completes your SSO rather than replacing it.
Step 4 in Depth: Zero-Touch Onboarding and Clean Offboarding
Once your IGA layer is in place, the JML process-Joiner, Mover, Leaver-pays off immediately.
Joiners: Connect your HRIS (Workday, BambooHR, Personio, ADP) to your IGA platform as the source of truth. When a new hire is created in HR, access provisioning fires automatically-the right apps, the right permission levels, the right team channels-without a single ticket. For a team adding 5-20 hires per month, each needing access to 10-30 apps, this alone eliminates hundreds of manual tasks monthly.
Movers: Role changes, team transfers, and promotions should trigger automatic access adjustments. Old permissions get revoked; new role permissions get granted. Without automation, these changes either don't happen or happen weeks late-creating overprovisioned accounts that are a compliance finding waiting to happen.
Leavers: This is the highest-risk moment. When someone leaves-planned or unplanned-every minute of active access is a security exposure. Automated offboarding that revokes access from every connected app (not just the SCIM-enabled ones) cuts mean time to deprovision from days to under an hour. For contractors and seasonal workers who aren't always in the central directory, this is even more critical-see our guide on contractor identity governance for how to handle that edge case.
Step 5 in Depth: Continuous Access Reviews-Not Audit Season Theater
The typical access review at a 200-person company: someone exports a spreadsheet of users and roles, sends it to managers who click "approve" on everything because they have five minutes before their next meeting, and files the results in a compliance folder. Rubber stamps, not governance.
Continuous access reviews work differently:
- Always running, not quarterly. Entitlements are evaluated in real time as roles change, apps are added, and users become inactive.
- Automated flagging of orphaned accounts (users no longer in HR but still with active app access), overprovisioned accounts, and policy violations.
- Targeted review requests sent only when there's a genuine reason to review-not a mass certification exercise no one takes seriously.
- Structured evidence generated automatically for auditors, not assembled manually from screenshots and log exports.
Credential-linked breaches using stolen or compromised credentials took an average of 292 days to resolve-the longest of any breach vector. Continuous access reviews are how you detect and close the access gaps attackers rely on long dwell times to exploit.
Step 6 in Depth: Governing the Non-Human Identities You've Been Ignoring
Here's the part most lean teams skip-and the part attackers increasingly target: non-human identities (NHIs).
Human users, service accounts, API keys, machine identities, and AI agents all require governance. Non-human identities often outnumber humans and are frequently under-governed.
In a typical 500-person SaaS company, you might find 500 human identities alongside 2,000+ non-human ones: CI/CD bots, Slack workflow automations, API keys for integrations, service accounts in cloud environments, and-increasingly-AI agents with autonomous access to tools and data.
The same governance principles apply:
- Inventory first. You can't govern what you haven't found. Map every service account, every API key, every bot.
- Assign owners. Every NHI needs a human owner responsible for it. "Orphaned" service accounts with no owner are a known attack vector.
- Set expiry policies. API keys and tokens should rotate. Service accounts should expire. Permanent standing access is a risk.
- Apply least privilege. A CI/CD bot needs access to your deployment pipeline-not your HR system.
- Bring NHIs into your governance platform. The same access reviews, audit trails, and lifecycle policies that govern human users should apply to non-human identities.
For a detailed step-by-step guide on AI agents and NHI governance specifically, see our guide to securing AI agent access and non-human identities.
Step 7 in Depth: Measuring What Matters
You can't manage what you don't measure. For a lean team, four metrics tell you most of what you need to know about your identity security posture:
| Metric | What it measures | Target |
|---|---|---|
| App coverage rate | % of apps fully governed (automated provisioning, deprovisioning, access reviews) | 100% |
| Mean time to deprovision | Time from offboard event to full access revocation | Under 1 hour |
| Orphaned account count | Active accounts belonging to departed users | Zero |
| Access review completion rate | % of triggered reviews completed within SLA | 100% |
Track these monthly. When coverage dips below 80% or orphaned accounts start creeping up, you know exactly where to focus.
Check Your Current Coverage
Before or after implementing this playbook, assess your actual current posture. This interactive tool walks through eight key indicators of identity-first security readiness:
The Tools You'll Need (and the One Gap Most Teams Miss)
A complete identity-first architecture for a lean team typically looks like this:
- HRIS (Workday, BambooHR, Personio, ADP)-source of truth for identity lifecycle events
- SSO (Okta, Microsoft Entra ID)-authentication, MFA, conditional access
- IGA platform (Iden)-governance layer covering all apps, lifecycle automation, access reviews, audit trails
- SIEM or log aggregation (optional at early stage)-behavioral monitoring and anomaly detection
Notice what's not on the list: a dedicated IAM engineer, a 6-month implementation project, or an enterprise contract with a legacy behemoth. The goal is complete coverage with lean tooling.
The one gap most teams discover late: their IGA platform only covers SCIM apps. They believe they have complete governance, then find out during an audit-or an incident-that 60% of their stack was never automated. Universal connector coverage is the single most important selection criterion for any IGA tool you evaluate.
For a head-to-head comparison of IGA platforms for lean teams, see our 2026 IGA vendor comparison guide.
What "Done" Looks Like for a Lean Team
A lean team that has completed this playbook should be able to:
- Onboard a new hire to their full app stack-with role-appropriate permissions-automatically, within hours of their HRIS record being created. Zero tickets.
- Offboard a departing employee and revoke access from every connected app in under an hour. No manual checklist.
- Answer "who has access to what, and since when?" in under 30 minutes, without spreadsheets, for any app in the stack.
- Produce audit evidence for SOC 2, ISO 27001, HIPAA, or DORA on demand-immutable logs, access review records, lifecycle history-without a manual evidence-gathering sprint.
- Detect and remediate orphaned accounts, overprovisioned users, and policy violations continuously-not once a quarter during audit prep.
None of this requires a dedicated IAM team. It requires the right architecture and the right platform.
FAQ
Does our team need a dedicated IAM engineer to implement this?
No. The playbook is designed specifically for lean IT teams of 3-5 people (or fewer) without a dedicated IAM function. The key is choosing an IGA platform built for this reality - one that deploys in hours, not months, requires no system integrators, and runs with minimal ongoing maintenance. Iden is built exactly for this model.
We already have Okta. Why isn't that enough?
Okta (and any SSO) handles authentication - it's the front door. But it governs access only for apps connected via SCIM, which is typically 20-40% of a real-world SaaS stack. Everything else - Notion, Figma, Linear, your custom tools, legacy systems - falls through the gap. Identity-first security requires a governance layer that covers all of those apps, not just the SCIM-friendly ones.
What's the difference between IGA and IAM?
IAM (Identity and Access Management) is the broad category covering authentication, directory services, and access control. IGA (Identity Governance and Administration) is a specific discipline within IAM focused on governing who has access to what, enforcing lifecycle policies (joiner-mover-leaver), running access reviews, and producing audit evidence. SSO is IAM. What sits on top of it - lifecycle automation, access reviews, fine-grained entitlement management - is IGA.
How do we handle contractors and temporary workers in this model?
Contractors are one of the biggest JML (joiner-mover-leaver) blind spots. Most HR systems don't track them cleanly, so they fall outside standard lifecycle automation and leave orphaned accounts behind. The fix: bring contractors into your IGA platform as a separate identity type with defined access profiles, explicit expiry dates, and automated deprovisioning on contract end. See our guide on contractor identity governance for a detailed walkthrough.
How long does it take to get full coverage across a 30-app SaaS stack?
With a platform like Iden that uses universal connectors (SCIM, API, or neither), you can be live across your core stack in approximately 24 hours. Full coverage - including long-tail and non-SCIM apps - typically takes 1-2 weeks depending on the complexity of your stack. This is dramatically faster than legacy IGA tools, which typically require 6-18 month implementation projects.
What are the most important metrics to track for identity security?
For a lean team, focus on four: (1) App coverage rate - what % of apps are fully governed (target: 100%). (2) Mean time to deprovision - how long after an offboard event until all access is revoked (target: under 1 hour). (3) Orphaned account count - active accounts belonging to departed users (target: zero). (4) Access review completion rate - what % of access reviews are completed on time (target: 100%). These four tell you whether your identity-first posture is holding.
Ready to Close the Gap?
Building identity-first security on a lean team is entirely achievable-but only if you close the gap between what SSO covers and what your full stack actually needs. Most teams are one step away: they have authentication handled and need governance to complete the picture.
Iden delivers complete identity governance across your entire stack-every app, every identity type, every lifecycle event-live in ~24 hours, with no SCIM tax, no enterprise-plan upgrades, and no IAM headcount required.
