
Identity & access for enterprise.

Workforce and customer identity across hybrid estates. Consolidates legacy directories, retires standing privilege, and makes access reviewable.

Overview

Identity & access infrastructure for enterprise, built to the standard that regulators and auditors hold organisations in this sector to.

XVICA designs, builds, and operates this layer for enterprise clients in the UK, US, Canada, and Australia. The work is specified against the regulatory regime, the operational profile, and the examination expectations of this sector before any code is written.

01 Why it matters

What enterprise cannot get wrong here.

  • A typical enterprise inherits four identity providers and three directories that disagree with each other.
  • Privileged access is carried by shared accounts nobody wants to retire.
  • Joiners-movers-leavers runs on tickets, not automation.
  • Supplier and contractor access outlasts the engagements that created it.

02 Regulatory posture

Named regimes, mapped controls

Regulatory requirements are translated into explicit control requirements, then mapped to tests and evidence collection. Nothing is implied.

Information security standards

ISO/IEC 27001 Annex A and ISO/IEC 27002 control guidance, the NIST SP 800-53 Access Control (AC) family, and the SOC 2 CC6 logical and physical access criteria.

Privacy & data protection

GDPR Article 32 (security of processing), the UK Data Protection Act 2018, CCPA reasonable-security requirements, and sectoral overlays such as NIS2 for essential and important entities.

Third-party risk

Supplier access treated as a first-class identity population with its own lifecycle, attestation, and auditable retention.

03 Reference architecture

Design decisions distinctive to this intersection

Components and design choices that recur across our work for this sector. Each deployment is specified individually.

Federated identity over hybrid directories

Entra ID, Okta, Ping, and on-premises Active Directory coexist under a single policy plane. Federation, not replacement.

SCIM-driven lifecycle

The HR system is the source of truth; provisioning and de-provisioning follow the employment event, not a ticket.

Privileged access brokering

Short-lived credentials, recorded sessions, break-glass runbooks that are tested, not theoretical.

Contractor and supplier populations

Separate lifecycle from employees. Sponsor attestation on renewal; automatic expiry without it.
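What the two lifecycle rules above (SCIM-driven joiner/mover/leaver, and sponsor-attested contractor renewal) look like once written down, as an added example that is not XVICA's code. The HR feed is modelled as events, and each handler returns the RFC 7644 operations a caller would replay against the IdP rather than sending them, so the logic runs offline. The endpoint host, the 30-day attestation window, the `Identity` fields and the sample records are assumptions; the URNs, PATCH body shape and filtered member-removal path are the standard SCIM 2.0 forms.

```python
"""SCIM 2.0 lifecycle driver: HR events in, SCIM operations out.
Added example (not XVICA's code). Returns (method, url, body) tuples
instead of calling the IdP, so every rule below is testable offline."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

SCIM_BASE = "https://idp.example.com/scim/v2"   # hypothetical endpoint
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
RENEWAL_WINDOW = timedelta(days=30)   # assumed policy: sponsor re-attests in the 30 days before term end


@dataclass
class Identity:
    external_id: str              # HR employee number or contract reference (HR is the source of truth)
    scim_id: str                  # id the SCIM server assigned on creation; assumed already known here
    user_name: str
    population: str               # "employee" or "contractor": separate lifecycles
    department: str
    groups: set[str] = field(default_factory=set)   # SCIM Group ids carrying entitlements
    sponsor: str | None = None    # contractors only: employee accountable for the access
    expires: date | None = None   # contractors only: end of the current term
    attested: date | None = None  # contractors only: date of the sponsor's last re-attestation


def _patch(path: str, ops: list[dict]) -> tuple[str, str, dict]:
    return "PATCH", f"{SCIM_BASE}{path}", {"schemas": [PATCH_OP], "Operations": ops}


def _member_add(group: str, scim_id: str) -> tuple[str, str, dict]:
    return _patch(f"/Groups/{group}", [{"op": "add", "path": "members", "value": [{"value": scim_id}]}])


def _member_remove(group: str, scim_id: str) -> tuple[str, str, dict]:
    # RFC 7644 removes one member via a filtered path rather than re-sending the whole list.
    return _patch(f"/Groups/{group}", [{"op": "remove", "path": f'members[value eq "{scim_id}"]'}])


def on_joiner(ident: Identity) -> list[tuple[str, str, dict]]:
    """Create the account from the HR record; a contractor cannot be created open-ended."""
    if ident.population == "contractor" and not (ident.sponsor and ident.expires):
        raise ValueError("contractor accounts need a sponsor and an end date before creation")
    body = {
        "schemas": [USER_SCHEMA, ENTERPRISE_EXT],
        "externalId": ident.external_id,
        "userName": ident.user_name,
        "active": True,
        ENTERPRISE_EXT: {"department": ident.department},
    }
    return [("POST", f"{SCIM_BASE}/Users", body)] + [_member_add(g, ident.scim_id) for g in sorted(ident.groups)]


def on_mover(before: Identity, after: Identity) -> list[tuple[str, str, dict]]:
    """Role change: fix attributes, then revoke old entitlements before granting new ones."""
    ops = []
    if before.department != after.department:
        ops.append(_patch(f"/Users/{after.scim_id}",
                          [{"op": "replace", "path": f"{ENTERPRISE_EXT}:department", "value": after.department}]))
    ops += [_member_remove(g, after.scim_id) for g in sorted(before.groups - after.groups)]
    ops += [_member_add(g, after.scim_id) for g in sorted(after.groups - before.groups)]
    return ops


def on_leaver(ident: Identity) -> list[tuple[str, str, dict]]:
    """Deactivate and strip memberships. Deactivate rather than DELETE so the audit trail survives."""
    ops = [_patch(f"/Users/{ident.scim_id}", [{"op": "replace", "path": "active", "value": False}])]
    ops += [_member_remove(g, ident.scim_id) for g in sorted(ident.groups)]
    return ops


def contractor_expiry_check(ident: Identity, today: date) -> list[tuple[str, str, dict]]:
    """Run daily. A contractor past term end is deactivated unless the sponsor attested inside
    RENEWAL_WINDOW before that date (a renewal then writes a new `expires` into the contract
    record, outside this function). Employees are never touched by this rule."""
    if ident.population != "contractor" or ident.expires is None or today < ident.expires:
        return []
    window_start = ident.expires - RENEWAL_WINDOW
    renewed = ident.attested is not None and window_start <= ident.attested <= ident.expires
    return [] if renewed else on_leaver(ident)


def demo() -> dict[str, list[tuple[str, str, dict]]]:
    """Constructed sample records and events (not real data)."""
    alice = Identity("E1001", "u-alice", "alice@corp.example", "employee", "Finance", {"g-fin"})
    alice_moved = Identity("E1001", "u-alice", "alice@corp.example", "employee", "Treasury", {"g-treasury"})
    bob = Identity("C2002", "u-bob", "bob@vendor.example", "contractor", "IT", {"g-helpdesk"},
                   sponsor="E1001", expires=date(2024, 6, 30))                     # never re-attested
    carol = Identity("C2003", "u-carol", "carol@vendor.example", "contractor", "IT", {"g-helpdesk"},
                     sponsor="E1001", expires=date(2024, 6, 30), attested=date(2024, 6, 15))
    today = date(2024, 7, 1)
    return {
        "joiner": on_joiner(alice),
        "mover": on_mover(alice, alice_moved),
        "leaver": on_leaver(alice),
        "bob_expiry": contractor_expiry_check(bob, today),      # deactivated: term ended, no attestation
        "carol_expiry": contractor_expiry_check(carol, today),  # kept: sponsor attested inside the window
        "employee_expiry": contractor_expiry_check(alice, today),
    }
```

The ordering in `on_mover` is deliberate: old group memberships are removed before new ones are added so a mover never briefly holds both sets of entitlements. `contractor_expiry_check` is the automatic-expiry rule; the attestation it looks for is what the sponsor supplies at renewal, and an attestation outside the window, including a late one, does not count.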

Evidence for the auditor, not the engineer

Access review exports produce what an auditor can sample. The same export is what the engineer uses to investigate.

04 XVICA's approach

How we work in enterprise.

Enterprise identity engagements rarely deliver a new IdP. They deliver a defensible access position. The estate we inherit usually has the right tools already; what it lacks is a single policy plane, a defensible review cycle, and a credible story for privileged access. Our work typically consolidates the policy layer without ripping out the tools underneath, retires standing privilege by moving to just-in-time elevation, and puts supplier and contractor populations on their own lifecycle so they stop surviving the engagements that created them. The measurable outcome is shorter access reviews, fewer exceptions at the control attestation, and — in practice — a material reduction in the time the security function spends on access administration rather than security.

Identity & access infrastructure for enterprise.

Request a confidential briefing. We assess alignment and outline how XVICA can support your objectives in this sector.

