
Case study: Identity platform rebuild

30 to 300+ Okta integrations, under Terraform

A publicly-traded consumer hardware and SaaS company, roughly 900 employees, had inherited an Okta org with about 30 integrations, no infrastructure-as-code, and access reviews run from a quarterly spreadsheet that nobody trusted. Twelve weeks later, the company was running 300+ Okta integrations under Terraform with a continuous review loop, and the next SOX audit closed with zero exceptions.

Where we started.

The inherited org had about 30 integrations, most configured by hand in the admin console with no record of who changed what or when. Provisioning was ad hoc: accounts were created on request, sometimes from an IT ticket, sometimes from a Slack message to the admin. Deprovisioning was no better. There was no consistent process for revoking access when someone left, and a material share of terminated employees still had active accounts in downstream systems.

The quarterly access review was a spreadsheet export, emailed to managers, and returned with almost everything approved unchallenged. Nobody in the process had clear ownership of the SOX ITGC controls for identity. When a control question came up in an audit, the answer was manual and slow to produce.

What we built.

We designed a target Okta-as-code architecture in Terraform and onboarded the engineering team to a PR-based identity workflow. Every group, policy, app assignment, sign-on rule, and lifecycle hook is now a resource in version control, reviewed before it is applied. We built lifecycle policies and SCIM connectors for the 270 new integrations and connected them to the HRIS, so provisioning and deprovisioning trigger automatically on join, transfer, and termination.

We established a quarterly access review that runs against real entitlement data rather than a manual export. The review generates findings ranked by risk: active accounts for terminated employees, separation-of-duties conflicts, and stale entitlements. Each finding carries its remediation step. We also documented the SOX ITGC controls covering identity, mapped to the Trust Services Criteria, so the answers to audit questions existed before the questions were asked.
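The review logic described above, and the manager-facing view in the next section, as an added example (this is not tooling from the engagement; it is illustrative code written for this page). It goes one step beyond the text by also flagging active accounts that have no HRIS record at all. The HRIS roster, Okta export, SoD policy, review date and 90-day staleness threshold are all constructed inline; a real run would build the same two dicts from the HRIS export and from the Okta Users, Groups and System Log APIs.

```python
"""Risk-ranked access review findings from HRIS and Okta entitlement data.

Added example, not the engagement's own tooling. Every input below is
constructed; in production the two dicts come from the HRIS and Okta.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2024, 6, 30)  # constructed review cut-off
STALE_DAYS = 90                  # assumed threshold for an unused entitlement

# Constructed separation-of-duties policy: holding both sides is a conflict.
SOD_PAIRS = [
    frozenset({"erp-ap-invoice-entry", "erp-ap-payment-approve"}),
    frozenset({"gl-journal-post", "gl-period-close"}),
]

# Constructed HRIS roster: login -> employment record.
HRIS = {
    "alice": {"status": "active", "manager": "dana", "term_date": None},
    "bob": {"status": "terminated", "manager": "dana", "term_date": date(2024, 5, 15)},
    "carol": {"status": "active", "manager": "evan", "term_date": None},
    "frank": {"status": "active", "manager": "evan", "term_date": None},
}

# Constructed Okta export: login -> status and entitlement -> last-use date
# (None means the entitlement has never been exercised).
OKTA = {
    "alice": {"status": "ACTIVE", "entitlements": {
        "erp-ap-invoice-entry": date(2024, 6, 28),
        "erp-ap-payment-approve": date(2024, 6, 20)}},
    "bob": {"status": "ACTIVE", "entitlements": {"github-engineering": date(2024, 5, 10)}},
    "carol": {"status": "ACTIVE", "entitlements": {
        "salesforce-admin": date(2024, 1, 15),
        "gl-journal-post": date(2024, 6, 25)}},
    "frank": {"status": "DEPROVISIONED", "entitlements": {}},
    "grace": {"status": "ACTIVE", "entitlements": {"aws-prod-admin": None}},  # not in HRIS
}


@dataclass(frozen=True)
class Finding:
    score: int  # higher reviews first
    kind: str
    user: str
    detail: str
    remediation: str


def active_accounts(okta):
    return {login: acct for login, acct in okta.items() if acct["status"] == "ACTIVE"}


def terminated_still_active(hris, okta, review_date):
    """Active Okta accounts whose HRIS record is terminated, or missing entirely."""
    out = []
    for login in active_accounts(okta):
        rec = hris.get(login)
        if rec is None:
            out.append(Finding(90, "no_hris_record", login, "active account with no HRIS record",
                               "confirm a named owner or deactivate"))
        elif rec["status"] == "terminated":
            days = (review_date - rec["term_date"]).days
            out.append(Finding(100, "terminated_active", login, f"terminated {days} days ago, still ACTIVE",
                               "deactivate in Okta and verify SCIM deprovisioned every downstream app"))
    return out


def sod_conflicts(okta, pairs):
    """Users holding both sides of any separation-of-duties pair."""
    out = []
    for login, acct in active_accounts(okta).items():
        held = set(acct["entitlements"])
        for pair in pairs:
            if pair <= held:
                a, b = sorted(pair)
                out.append(Finding(80, "sod_conflict", login, f"holds both {a} and {b}",
                                   "remove one side or record a compensating control"))
    return out


def stale_entitlements(okta, review_date, stale_days):
    """Entitlements never used, or unused for longer than the threshold."""
    out = []
    for login, acct in active_accounts(okta).items():
        for ent, last in acct["entitlements"].items():
            age = None if last is None else (review_date - last).days
            if age is None or age > stale_days:
                why = "never used" if age is None else f"unused for {age} days"
                out.append(Finding(40, "stale_entitlement", login, f"{ent}: {why}",
                                   f"remove {ent}; re-request via PR if still needed"))
    return out


def generate_findings(hris=HRIS, okta=OKTA, review_date=REVIEW_DATE,
                      stale_days=STALE_DAYS, pairs=SOD_PAIRS):
    findings = (terminated_still_active(hris, okta, review_date)
                + sod_conflicts(okta, pairs)
                + stale_entitlements(okta, review_date, stale_days))
    return sorted(findings, key=lambda f: (-f.score, f.user, f.detail))


def by_reviewer(findings, hris=HRIS):
    """Route each finding to the user's manager; orphan accounts go to the identity owner."""
    queues = defaultdict(list)
    for f in findings:
        rec = hris.get(f.user)
        queues[rec["manager"] if rec else "identity-owner"].append(f)
    return dict(queues)
```

Each reviewer queue holds only items that need a decision, which is what lets the review collapse from a spreadsheet pass over every account to a short list per manager; the score ordering puts terminated-but-active accounts first because that is where audit findings come from.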

What changed in practice.

Every Okta change now ships as a pull request with a reviewer. There is no sanctioned path for direct changes in the admin console, and drift detection flags any that occur so they can be reverted or brought into code. Provisioning is driven by the HRIS: the right accounts and entitlements exist from day one without a ticket.

Access reviews moved from a three-week spreadsheet exercise to a single-day review of generated findings. Managers see only what requires a decision, not a raw export. The next two SOX audits closed with no exceptions on identity controls. The audit evidence is a byproduct of how the system runs, not a separate preparation exercise.

What this looked like as numbers.

  • 30 to 300+ Okta integrations, all under infrastructure-as-code.
  • Access review time: from 3 weeks to 1 day.
  • SOX identity exceptions: 0 across two consecutive audit cycles.
  • Engagement length: roughly 12 weeks.
  • 550 devices in scope for the connected MDM lifecycle work.

What we learned.

A clean IaC architecture is worth more than any single tool. The connectors and integrations matter, but the thing that actually changes audit outcomes is having a workflow where every identity change is reviewed, logged, and reproducible. Auditors care about evidence consistency more than tool choice. They want to see that the same process ran each quarter and that deviations were caught and corrected.

The lifecycle is the thing, not the connector. Getting provisioning and deprovisioning to run automatically and completely, covering every downstream system, is harder than adding integrations and matters more. That is where the audit findings live.

Want one of these on your stack?

Tell us what you run and we will scope it.