Jordan comes in earlier than usual on Monday. Not because they’re motivated. Because sleep didn’t come easily. There’s a sentence from Friday that keeps resurfacing, uninvited.

We need to understand what we’re actually protecting.

It sounded reasonable at the time. Almost obvious.Now it feels like the kind of statement that opens doors you can’t close again. Jordan sets their bag down, opens a fresh page in the notebook, and writes a single word at the top.

Business.

They stare at it longer than they mean to, then draw a line underneath.

The meetings start simply enough. Operations first. Then Product. Then Sales. Jordan keeps the question deliberately plain. “Who uses our systems?” The answers come quickly, with confidence that suggests the question has been asked before.

Employees. Contractors. Partners. Customers.

Each group is described cleanly, almost proudly. For a moment, Jordan feels a flicker of relief. Maybe the complexity has been exaggerated. Maybe this really is manageable. Then someone adds, almost as an afterthought, “Well, except for…”

Another voice jumps in. “Oh—and there’s also…”

By lunchtime, the notebook tells a different story.External vendors with standing access.

Regional partners sharing credentials across teams. Temporary workers who never quite exit the system.APIs built years ago by people no longer here. Automations that run overnight and touch systems no one checks anymore. No one is trying to hide any of this. That’s what unsettles Jordan most. It’s all treated as normal. Familiar. Too routine to question.

After lunch, Jordan sits down with IT to “walk through the environment.” It starts with diagrams projected onto the screen. Clean lines. Logical groupings. Colors that suggest order. Jordan follows along, nodding, asking questions that keep the pace moving. On paper, it all works. Then Jordan asks, “Where do partners fit into this?”

There’s a pause — brief, but noticeable.

Evan shifts in his chair, eyes flicking briefly to the diagram before back to Jordan. He reaches for the mouse and drags a box to the far edge of the screen.

“Well… sort of here,” they say. “But not exactly.”

Jordan nods, makes a note, and keeps going.

“And service accounts?” they ask.

Another pause. Longer this time.

Evan hesitates before answering. “They’re not really identities,” he says carefully. “They’re more… functional.”

Jordan writes the word down. Functional. They don’t respond. They don’t challenge it. But the word sticks.

Midweek brings a meeting with Finance. The tone is different here. Tighter. More deliberate. They want predictability. Exposure. A sense of whether the business is standing on solid ground or something softer. Jordan talks through what they’ve been learning. Slowly. Methodically.

Employees don’t behave like partners.

Partners don’t behave like customers.

Customers don’t behave like machines.

Each group enters the environment differently. Each one leaves differently. Each one fails differently. Finance listens without interrupting. One of the finance directors, Karen, leans back slightly, hands folded., “So,” she says, choosing her words, “do we actually know who has access to what, end to end?” Jordan hesitates. The honest answer settles in before they say it out loud.

“No,” they reply. “We know pieces. Just not the whole picture.”

No one looks surprised. A few people exchange glances that suggest they already suspected as much. Jordan notes that too.

By Thursday, the org chart has lost most of its usefulness. It explains reporting lines, but it says nothing about trust. It doesn’t show where access crosses teams, companies, or boundaries that no one officially owns. It doesn’t show the contractor who’s been around for years. Or the partner account tied to multiple integrations. Or the automation that bypasses controls because it was easier than fixing the process. Jordan starts sketching a new diagram. Not for presentation. Not for approval. Just for understanding. Lines crisscross the page. Boxes overlap. Arrows loop back on themselves. It’s messy, almost uncomfortable to look at. But it feels closer to the truth than anything they’ve seen so far.

Friday afternoon brings another cross-functional meeting. The energy is different this time. More guarded. People seem to sense that something is shifting, even if they can’t quite name it. Jordan walks them through what they’ve been seeing. No accusations. No drama. Just observations. They talk about how access actually flows. About how identities behave once they’re inside the system. About how the business operates when no one is watching closely. When Jordan finishes, the room goes quiet.

Not the awkward kind. The thoughtful kind.

Lena from Sales breaks the silence. “So,” she says, arms crossed but voice steady, “are you saying we’re exposed?”

Jordan looks around the room. Mark is leaning forward now, elbows on the table. Evan has gone still, jaw set. Lena doesn’t look defensive — just thoughtful. Jordan recognizes them for what they are. People aren’t pushing back. They’re seeing themselves in the picture for the first time.

“I’m saying we’ve designed identity around how we thought the business worked,” Jordan replies. “Not how it actually does.”

That’s when the tension arrives — not loudly, but unmistakably. Not because anyone disagrees. Because the picture Jordan just painted can’t be unseen. Mapping the business didn’t simplify identity. It made the scope impossible to ignore.

Later that evening, Jordan sits alone again, notebook open, city lights blurring faintly against the window. They flip back to the first page. The word Business still sits there, underlined. What they’re dealing with isn’t a lack of controls. Or even a lack of effort.

It’s a lack of shared visibility. And Jordan knows what comes next. Once you make something visible, people expect you to do something about it. Jordan closes the notebook.Next week, they’ll have to give the problem a name.

And once that happens, there won’t be any room left to pretend it’s small.

Once you start mapping the business honestly, identity stops feeling contained.If you’re at this stage, here’s how to keep moving without overwhelming yourself or everyone around you.

1. Treat the org chart as a reference, not reality

It’s useful for knowing who reports to whom. It’s almost useless for understanding access.Start asking where access crosses boundaries — teams, companies, regions, systems.That’s where identity risk tends to hide.

2. Pay attention to behavior, not labels

The name on the identity matters less than how it behaves.

Focus on:

Differences in behavior demand differences in governance.

3. Notice discomfort without rushing to resolve it

When conversations tighten or people get quiet, don’t fill the space too quickly.That discomfort usually means something important just became visible.Sit with it long enough to understand what it’s telling you.

4. Capture reality before you design fixes

Resist the urge to clean up the picture too soon. Messy understanding beats elegant assumptions every time. You can’t govern what you refuse to fully see.