The Ungoverned Fix
Every identity surface has a history. Some of it was designed. The rest accumulated — through acquisitions that closed before the access map did, through build cycles that didn’t price governance in, through budget conversations that treated identity infrastructure as overhead, and through the slow entropy of access that outlived its purpose without anyone deciding to close it.
The practitioner who inherits that surface didn’t create the condition. The debt was made the moment the organization decided, explicitly or by omission, that something else deserved the budget.
What they arrive into isn’t a gap. It’s a negotiation.
Not with the technology. The inventory is achievable with standard tooling. What isn’t achievable without a different kind of work is organizational legibility: making the debt visible to the people who own the decision about what to do with it.
That’s the first act. Not remediation. Not heroism.
Before that first act is possible, the practitioner has to read the entry point correctly. The three most common ones produce different starting conditions and different paths.
Governance omission at design time means the perimeter was never defined to include the full identity surface. No one decided to leave the gap open. The gap is what provisioning looked like when governance wasn’t in the room. The path runs through design — rebuilding the provisioning logic, not reconciling what it missed.
Inherited acquisition surface means the access map arrived with the acquisition and was never rationalized. Identities exist. Access exists. The governance record does not. The path is inventory first, then a joiner-mover-leaver process that treats the acquired surface as new scope rather than legacy exception.
Carried-forward drift means governance existed and eroded: through role creep, through access that outlived its purpose, through review cycles that attested to what was there without asking whether it should be. The structure exists. The enforcement didn't hold. The path is re-enforcement: keep the existing structure, but make each review compare what an identity holds against what was approved and close the difference, rather than certifying the current state.
The practitioner who inherits acquisition surface and responds as if it’s drift builds toward the wrong starting point. Misread entry point, misread path.
The inventory is the beginning, not the delivery.
Mapping the ungoverned surface is the achievable part. What happens after the map exists — whether it stays inside the team or reaches the people who own the decision — is the work that determines whether anything changes.
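As an added illustration of what the inventory step actually produces before it reaches anyone with authority (example code written for this page, not the author's tooling; the exports, tenants, people, entitlement names and the HOME_TENANT constant are all constructed), the reconciliation below joins an IdP account export against the HR roster and the governance record and labels each account by the entry point it belongs to. The summary is the one-screen view for surfacing; the per-account report is the evidentiary record.

```python
"""Identity-debt inventory: reconcile an IdP export against HR and the governance record.

Hypothetical data and field names, constructed for this example.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

HOME_TENANT = "corp"  # assumed: the tenant whose provisioning flow governance was designed around

# Constructed sample exports (hypothetical people, tenants and entitlements).
IDP_ACCOUNTS = """\
account,owner_email,tenant,entitlements
svc-backup,,corp,Backup.Admin
a.lee,a.lee@corp.example,corp,Finance.Read;Finance.Approve
m.ortiz,m.ortiz@corp.example,corp,Finance.Read
j.chen,j.chen@acq.example,acquired,Eng.Admin
r.patel,r.patel@corp.example,corp,Finance.Read
"""
HR_ROSTER = """\
email,status
a.lee@corp.example,active
m.ortiz@corp.example,terminated
j.chen@acq.example,active
r.patel@corp.example,active
"""
GOVERNANCE_RECORD = """\
account,approved_entitlements
a.lee,Finance.Read
m.ortiz,Finance.Read
r.patel,Finance.Read
"""


@dataclass(frozen=True)
class Finding:
    account: str
    category: str  # label from classify(); the thing the summary counts
    detail: str    # what a reviewer needs in order to act on it


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _entitlements(field: str) -> set[str]:
    return {e for e in field.split(";") if e}


def classify(idp_csv: str, hr_csv: str, gov_csv: str) -> list[Finding]:
    """Label every IdP account by the kind of debt it represents.

    The labels map onto the three entry points: an account with no record in the
    home tenant (governance omission at design time), an account from another
    tenant with no record (inherited acquisition surface), and an account whose
    record exists but no longer matches what it holds (carried-forward drift).
    A leaver whose access outlived them is the commonest drift case and gets its
    own label because the fix is different.
    """
    hr_status = {r["email"]: r["status"] for r in _rows(hr_csv)}
    approved = {r["account"]: _entitlements(r["approved_entitlements"]) for r in _rows(gov_csv)}
    findings: list[Finding] = []
    for r in _rows(idp_csv):
        acct, owner, tenant = r["account"], r["owner_email"], r["tenant"]
        held = sorted(_entitlements(r["entitlements"]))
        if owner not in hr_status:  # blank owner, or an owner HR has never heard of
            findings.append(Finding(acct, "no_accountable_owner",
                                    f"{tenant}: no HR-recognised owner; holds {held}"))
        elif hr_status[owner] == "terminated":
            findings.append(Finding(acct, "leaver_not_closed",
                                    f"owner {owner} terminated; still holds {held}"))
        elif acct not in approved:
            category = "never_governed" if tenant == HOME_TENANT else "inherited_ungoverned"
            findings.append(Finding(acct, category,
                                    f"{tenant}: no governance record; holds {held}"))
        else:
            excess = sorted(set(held) - approved[acct])
            if excess:
                findings.append(Finding(acct, "drift",
                                        f"holds {excess} beyond approved {sorted(approved[acct])}"))
            else:
                findings.append(Finding(acct, "governed", "matches record"))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Counts per category: the one-screen view to put in front of the budget owner."""
    return Counter(f.category for f in findings)


def report(findings: list[Finding]) -> str:
    """The evidentiary record: what exists, per account. Date and archive it with the summary."""
    ordered = sorted(findings, key=lambda f: (f.category, f.account))
    return "\n".join(f"{f.category:22} {f.account:12} {f.detail}" for f in ordered)


if __name__ == "__main__":
    found = classify(IDP_ACCOUNTS, HR_ROSTER, GOVERNANCE_RECORD)
    print(report(found))
    print(dict(summarize(found)))
```

On the sample data every label fires once: the unowned service account, the acquired-tenant engineer with no record, the terminated user whose account is still open, the finance user holding an approval right nobody recorded, and one account that matches. Real exports will need the owner, status and entitlement fields mapped to whatever the IdP and HR system actually emit; the classification order (owner, then leaver status, then record existence, then record match) is the part worth keeping.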
Legibility is the delivery mechanism. And legibility requires holding two acts apart that are easy to collapse.
Surfacing the gap is political. It is the act of making the debt visible to the people who hold the budget, translating an ungoverned identity surface into a cost the organization can recognize and own.
Documenting the gap is evidentiary. It is the act of creating the record: what exists, what it costs, what the organization was told and when. That record matters regardless of what the organization decides to do next.
Both are required. They are sequential. Surfacing without documentation creates visibility with no record. Documentation without surfacing creates a record no one with authority has seen. The liability condition shifts when both have happened. Not before.
Surfacing. Documentation. That’s the full path before remediation begins.
The practitioner who absorbs the waiting through heroism, quietly remediating without a mandate, takes on cost that belongs to the organization. The one who waits for a mandate that arrives as an incident transfers nothing forward. The middle position, surfacing and documenting the gap and then leaving the decision with the people who own it, is the only one that moves the condition regardless of what the organization decides.
The debt was always there. The organization made it by deciding, at some point, that something else deserved the budget more. That’s not negligence in every case. It’s a resource decision made with incomplete visibility into what the deferral would cost.
The practitioner’s job isn’t to reverse that decision. It’s to make the cost visible — clearly enough that the next decision is made with the full picture in the room.