In partnership with
Attio is the AI CRM for high-growth teams.
Connect your email, calls, product data and more, and Attio instantly builds your CRM with enriched data and complete context. Whether you’re running product-led growth or enterprise sales, Attio adapts to your unique GTM motion.
Then Ask Attio to plan your next move.
Run deep web research on prospects. Update your pipeline as you work. Find customers and draft outreach emails. Powered by Universal Context, Attio's intelligence layer, Attio searches, updates, and creates across your data to accelerate your workflow.
Ask more from your CRM.
Jordan had stopped expecting the week to be quiet.
Six weeks in, the calendar moved differently now. Not the tentative introductions of early days, or the positioning sessions that carried everyone through the middle weeks. Now the invites came with names beside tasks, timelines attached to outcomes, and the steady cadence of a program that had started to run on its own rhythm.
The alert came on a Tuesday morning.
Not dramatic. No red banner or urgent page. Just a line in the partner access review queue that Evan flagged over Slack before Jordan's second coffee was cold.
Review cycle flagged: partner contact inactive. No login activity in 71 days.
Jordan opened the report. Priya had her own copy up within minutes, cross-referencing against the HR lifecycle records that now fed directly into the identity system. The partner's primary contact had left their organization three weeks prior. Their main account was already in the deprovisioning queue.
"Clean catch," Evan said over a quick video call. "The cycle worked."
Jordan almost said the same thing. Almost.
"Pull the full account list for that partner relationship," Jordan said instead. "Everything. Not just the primary contact."
There was a pause. Evan's cursor moved across the screen.
"There's a service account."
Jordan stared at the result.
The account wasn't in the partner inventory Jordan had built during the mapping phase. It had been created two years earlier, tied to a data integration that ran overnight. The account had permissions. It had been active as recently as last week. And no one had flagged it for the review, because no one had known to look.
"How did we miss it?" Priya asked when they joined Jordan ten minutes later.
Jordan didn't answer immediately. The honest answer was complicated.
The service account existed before the program did. It had been created the way most service accounts were created. Quickly, quietly, by someone solving a specific problem at a specific moment, with no process requiring documentation or review. The oversight wasn't a failure of the new program. It was a remnant of the old one.
But it was still their problem now.
By early afternoon, ownership had been established. Mark confirmed the integration's purpose and current usage. IT placed the account under immediate review, limiting its permissions while the business confirmed whether it could be safely deprovisioned. By end of day, the service account was in controlled suspension pending final sign-off.
Forty-eight hours after the initial flag, it was gone.
Jordan drafted a summary for Karen before logging off. Clear. Factual. No inflation of the outcome. A partner account had been flagged correctly through the review cycle. During investigation, a related service account had been identified that was not part of the original inventory. The account had been reviewed, assessed, and deprovisioned through the proper chain of ownership.
What worked: The review cycle surfaced the primary issue within the defined window. The ownership structure allowed rapid coordination across Security, IT, and HR. Resolution happened in 48 hours.
What didn't: Service account coverage was incomplete. The initial mapping effort captured most non-human identities, but not all. Remediation plan attached.
Karen's reply came the next morning. Two sentences.
Good response. How do we close the gap?
Jordan already had a draft for that too.
The real conversation happened Friday, in the same room where most of the program's real conversations had happened. Smaller group. Chairs pulled back from the table at an angle that suggested a post-mortem rather than a formal review.
Mark sat down without setting anything on the table. "External auditors would have loved this six months ago," he said. "The service account would have been their finding. We'd have spent three months explaining why it existed."
Evan leaned back. "Instead we found it ourselves."
"Found it, owned it, closed it," Priya added.
Jordan let the room hold that for a moment.
"The program didn't prevent this," Jordan said. "The account was already there. What the program did was shrink the time between the problem existing and us knowing about it."
Mark nodded slowly. "That's the argument for identity investment no one makes well enough."
Jordan thought about the first week. The Access Risk Score at 72 with no scale and no explanation. The meetings that circled the same territory without ever landing on an owner. The quiet accumulation of things that everyone assumed were handled.
"Before," Jordan said, "this would have sat until an audit found it. Maybe six months. Maybe longer. The integration would have kept running under credentials that belonged to a contact who hadn't worked there in a year."
No one pushed back on that.
"Now it's a 48-hour close."
That evening, Jordan stayed late again. Not because something was unresolved, but because something had settled.
The whiteboard still held the markers of the week's work: the partner account in red, the service account in blue, the resolution steps in black. Jordan studied it without adding anything.
A good program, Jordan had learned, didn't look like a wall. It looked like a system that could see clearly when something went wrong, respond coherently, and document what it had learned.
The service account gap was real. But it had been visible, assignable, and fixable. Not because everything had been done perfectly at the start, but because the foundation existed to hold the response together when reality arrived differently than expected.
Jordan capped the marker and left it on the tray.
There would always be service accounts that didn't make it into the first inventory. Legacy integrations. Inherited credentials. Things created before the program existed and still running quietly under the surface.
The answer wasn't to have caught them all.
The answer was to have built something that could surface them when the moment came.
This time, it had.
The Lesson
A well-built identity program won't prevent every incident. What it changes is the quality of your response when one occurs.
Before ownership is clear, a flagged account becomes a question: whose problem is this? Every hour spent answering that question is an hour the risk stays open. After ownership is established, the question becomes: how quickly can we resolve this? That's a different kind of problem. A solvable one.
Several things tend to shift in programs that have reached this stage. Review cycles surface issues within defined windows instead of at audit time. Cross-functional responses are faster because roles and escalation paths are already established. Post-incident documentation improves because there's a structure to fill in, not a blank page to face.
That shift, from discovery lag to response clarity, is often how you make the strongest case for continued investment in identity governance. Not by pointing to the incidents that never happened, but by demonstrating what happens when one does.
Two things are worth tracking after an event like this.
First: what gap in your coverage did it reveal, and how will you close it? Every incident is information about the edges of your inventory, your lifecycle processes, or your account discovery methods. The response isn't just remediation. It's refinement.
Second: how long did resolution take? Benchmark it. The next time the same category of issue surfaces, you want evidence that the program is improving, not just functioning.
Identity programs don't prove their worth in the absence of problems. They prove it in the quality of how problems get handled.
Next episode, Jordan is asked to present Phase 2. What leadership expects and what Jordan has realized are about to be very different things.