
Identity hygiene in mid-market organizations

By Richard Craig Lissaman

Most breaches still pivot through accounts that should have been deprovisioned, restricted, or monitored. Mid-market organizations feel the pain acutely: too many SaaS tenants, not enough automation, and policies that say the right things without operational proof. Identity hygiene is how you close that gap without boiling the ocean.

Joiner/mover/leaver that people actually run

Paper processes fail at scale. Pair HR triggers with technical workflows, but stay pragmatic: start with the systems that gate customer data and remote access. Measure cycle time for access changes after role updates. If you cannot produce samples during an audit, you do not yet have a program, only an intention.
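As an added illustration of what "operational proof" for joiner/mover/leaver looks like (this is example code written for this page, not a tool from the post's author), the script below pairs constructed HR events with constructed access-change records from two hypothetical systems ("crm" for customer data, "vpn" for remote access), computes the cycle time per trigger against an assumed 24-hour SLA, and produces the worst-case sample an auditor would ask for. The data, the SLA and the system names are all assumptions.

```python
"""Joiner/mover/leaver evidence: cycle time per HR trigger plus an audit sample.

Added example, not code from the post. Inputs are constructed: HR events
(hire / move / leave) and access-change entries from two hypothetical
systems that gate customer data and remote access ("crm", "vpn").
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample data; in practice these come from the HRIS and the IdP/SaaS audit logs.
HR_EVENTS = [
    {"employee": "u1001", "event": "hire",  "at": "2024-03-01T09:00:00"},
    {"employee": "u1002", "event": "move",  "at": "2024-03-04T10:00:00"},
    {"employee": "u1003", "event": "leave", "at": "2024-03-05T17:00:00"},
    {"employee": "u1004", "event": "leave", "at": "2024-03-06T17:00:00"},
]
ACCESS_CHANGES = [
    {"employee": "u1001", "action": "grant",  "system": "crm", "at": "2024-03-01T11:30:00"},
    {"employee": "u1002", "action": "grant",  "system": "vpn", "at": "2024-03-04T12:00:00"},
    {"employee": "u1002", "action": "revoke", "system": "crm", "at": "2024-03-06T10:00:00"},
    {"employee": "u1003", "action": "revoke", "system": "vpn", "at": "2024-03-05T18:00:00"},
    # u1004 left but no revocation was ever recorded: that is the finding, not a data gap.
]

# Assumed SLA: the required change lands within 24 hours of the HR trigger.
SLA = timedelta(hours=24)
# The change that must complete for each trigger (movers: old entitlements revoked).
REQUIRED_ACTION = {"hire": "grant", "move": "revoke", "leave": "revoke"}


@dataclass
class Outcome:
    employee: str
    event: str
    cycle_time: Optional[timedelta]  # None when no matching access change exists
    within_sla: bool


def evaluate(hr_events, access_changes, sla=SLA) -> List[Outcome]:
    """Pair each HR trigger with the required access change and time it."""
    outcomes = []
    for ev in hr_events:
        t0 = datetime.fromisoformat(ev["at"])
        wanted = REQUIRED_ACTION[ev["event"]]
        done_at = [
            datetime.fromisoformat(c["at"]) for c in access_changes
            if c["employee"] == ev["employee"] and c["action"] == wanted
            and datetime.fromisoformat(c["at"]) >= t0
        ]
        if not done_at:
            outcomes.append(Outcome(ev["employee"], ev["event"], None, False))
            continue
        cycle = max(done_at) - t0  # complete only when the last required change lands
        outcomes.append(Outcome(ev["employee"], ev["event"], cycle, cycle <= sla))
    return outcomes


def open_leavers(outcomes) -> List[str]:
    """Leavers with no revocation at all: the highest-risk gap."""
    return [o.employee for o in outcomes if o.event == "leave" and o.cycle_time is None]


def sla_compliance(outcomes) -> float:
    """Share of HR triggers whose access change completed inside the SLA."""
    return sum(o.within_sla for o in outcomes) / len(outcomes)


def audit_sample(outcomes, n=2) -> List[Tuple[str, str, Optional[float]]]:
    """Evidence pack for an auditor: the n worst cases, missing changes first, hours as float."""
    def worst_first(o):
        return (o.cycle_time is not None,
                -o.cycle_time.total_seconds() if o.cycle_time is not None else 0.0)
    ranked = sorted(outcomes, key=worst_first)[:n]
    return [(o.employee, o.event,
             None if o.cycle_time is None else o.cycle_time.total_seconds() / 3600)
            for o in ranked]


if __name__ == "__main__":
    results = evaluate(HR_EVENTS, ACCESS_CHANGES)
    print("SLA compliance:", sla_compliance(results))
    print("Open leavers:", open_leavers(results))
    print("Audit sample:", audit_sample(results))
```

The point of ranking the sample worst-first is that the auditor's evidence and the program's metric come from the same records: a leaver with no revocation shows up as both a compliance miss and the top item in the evidence pack, so there is nothing to reconcile by hand.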

Privileged access that is boring on purpose

Privileged roles should be rare, time-bound, and observed. Just-in-time access is not magic; it is discipline. Pair technical controls with culture: admins should expect friction as a feature, not an insult. Document exemptions and revisit them; permanent exceptions are how privilege debt accumulates.
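To make "rare, time-bound, observed" and "document exemptions and revisit them" concrete, here is an added example of a minimal just-in-time ledger (illustrative code written for this page, not a product or the author's tooling). It refuses elevation beyond an assumed four-hour cap, lets time-bound grants lapse without a separate revoke step, requires a written reason and a review date for any standing exception, journals every change, and reports exceptions whose review date has passed. The cap, the 90-day review window and the principal names are assumptions.

```python
"""Just-in-time privileged access ledger: time-bound grants, observed changes,
and documented standing exceptions with a review date.

Added example, not code from the post. The four-hour cap, the 90-day review
window and the principal/role names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Grant:
    principal: str
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None marks a documented standing exception
    reason: str
    review_by: Optional[datetime]    # mandatory for standing exceptions


class JitLedger:
    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        self.max_duration = max_duration
        self.grants: List[Grant] = []
        self.journal: List[str] = []  # every change is observed, not only the grant

    def _log(self, line: str) -> None:
        self.journal.append(line)

    def request(self, principal, role, now, duration, reason) -> Grant:
        """Time-bound elevation; anything beyond the cap is refused, not trimmed."""
        if not reason.strip():
            raise ValueError("a justification is required")
        if duration > self.max_duration:
            raise ValueError(f"{duration} exceeds the cap of {self.max_duration}")
        g = Grant(principal, role, now, now + duration, reason, None)
        self.grants.append(g)
        self._log(f"{now.isoformat()} grant {principal} {role} "
                  f"until {g.expires_at.isoformat()}: {reason}")
        return g

    def add_exception(self, principal, role, now, reason, review_by) -> Grant:
        """Standing access is allowed only with a written reason and a review date."""
        if not reason.strip() or review_by is None:
            raise ValueError("standing exceptions need a reason and a review date")
        g = Grant(principal, role, now, None, reason, review_by)
        self.grants.append(g)
        self._log(f"{now.isoformat()} exception {principal} {role} "
                  f"review by {review_by.isoformat()}: {reason}")
        return g

    def active(self, now) -> List[Grant]:
        """Grants in force at `now`; expired JIT grants drop out without a revoke step."""
        return [g for g in self.grants if g.expires_at is None or g.expires_at > now]

    def overdue_reviews(self, now) -> List[Grant]:
        """Standing exceptions whose review date has passed: accumulated privilege debt."""
        return [g for g in self.grants if g.expires_at is None and g.review_by < now]

    def privileged_principals(self, now) -> List[str]:
        """Who holds privilege right now; the number should stay small."""
        return sorted({g.principal for g in self.active(now)})


def demo():
    """Constructed scenario: one JIT elevation and one documented standing exception."""
    t0 = datetime(2024, 3, 1, 9, 0)
    ledger = JitLedger()
    ledger.request("alice", "GlobalAdmin", t0, timedelta(hours=2),
                   "tenant migration change window (constructed reason)")
    ledger.add_exception("svc-backup", "BackupOperator", t0,
                         "nightly backup job (constructed reason)",
                         t0 + timedelta(days=90))
    return ledger, t0


if __name__ == "__main__":
    ledger, t0 = demo()
    print("privileged now:", ledger.privileged_principals(t0 + timedelta(hours=1)))
    print("privileged later:", ledger.privileged_principals(t0 + timedelta(hours=3)))
    print("overdue at day 100:",
          [g.principal for g in ledger.overdue_reviews(t0 + timedelta(days=100))])
    print("\n".join(ledger.journal))
```

The design choice worth noting is that expiry is evaluated at read time rather than by a scheduled revoke job: a grant that is not renewed simply stops being active, which is the friction the post describes as a feature. The overdue-review query is the report you run before the exception list quietly becomes permanent.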

Signals over slogans

Identity hygiene is a subset of security culture. Training helps when tied to concrete behaviors: reporting anomalous MFA prompts, using approved SSO, refusing credential sharing. As a Calgary-based Senior Cyber Security Analyst writing publicly under Richard Craig Lissaman, I emphasize narratives employers can verify; see Certifications for how I surface credentials transparently.

For leadership context on how I frame outcomes more broadly, read Measurable security outcomes for Calgary teams, then return to the blog index for new posts as they publish.
