What a sprint implements
- Disable or remove confirmed stale users, guests, contractors, and external collaborators.
- Reduce admin roles to what jobs actually require, and document who holds privileged access and why.
- Transfer ownership of files, shared drives, shared inboxes, automations, and client handoff points before accounts are touched.
- Restructure groups and permission tiers so access follows roles instead of history.
- Revoke risky OAuth grants and connected apps, and rotate exposed API keys and tokens.
- Move automations off personal accounts onto named service accounts with documented owners.
- Set AI tool access controls: inventory, allowed scopes, approval steps, and offboarding tasks.
- Write the offboarding workflow so the next departure is a checklist, not a scramble.
Change control, in practice
Every sprint runs from an approved change list. Each change is classified before work starts: safe to execute, approval-needed, dependency-check-needed, or out of scope. Changes that could affect data, billing, production systems, client access, or integrations wait for explicit sign-off. Every change is logged with what changed, when, why, and how to reverse it where reversal is practical.
Where the change list comes from
Most sprints follow a VXSec Access and Offboarding Audit, which produces the findings table that the sprint then works through. Sprints can also run from a partner's findings or a clear internal backlog, as long as the change list can be verified before work starts.
What is excluded
Helpdesk tickets, device support, managed IT retainers, custom app development, broad procurement, emergency incident response, and destructive changes without written approval. If new findings surface mid-sprint, they are documented and quoted separately rather than absorbed silently.
Advanced implementation work
Where an audit shows the fix is structural rather than janitorial, VXSec scopes identity projects as their own engagements: SSO and MFA rollouts, Microsoft Entra ID and Google Cloud Identity configuration, conditional access, CIS-mapped secure baselines, and offboarding automation. These are quoted case by case after an audit.
Have a fix list that needs executing?
Bring an audit report, a partner's findings, or a backlog. The scope check confirms the change count, approval owners, and a fixed fee.
Book a 15-minute scope check