About - The practice behind the work

persona.how builds identity systems for companies where access management is held together by spreadsheets and tribal knowledge, and the next audit or growth milestone is about to expose that.

What persona.how does

Identity infrastructure rarely gets attention until something breaks or someone important asks about it. The trigger is different every time — a failed audit, a security incident, a board question nobody could answer, a new compliance requirement with a deadline. That is when we get the call. Architecture, provisioning automation, IDP migrations, governance systems, compliance controls wired in so audit evidence generates on its own. We stay until the system works. Then we leave.

Background

The work behind persona.how comes from building and running identity systems in production. Provisioning pipelines, entitlement governance platforms, FedRAMP IDP migrations, SSH certificate infrastructure, compliance automation. The kind of work where you find out what breaks at 2am and then design the system so it does not.

What we have built

Provisioning pipelines for thousands of users across 40+ SaaS applications. New hire starts Monday, HR enters them Friday, and by Monday morning every account exists, every entitlement is assigned, and their manager got a Slack notification. Nobody filed a ticket.

An entitlement management platform, built from scratch. Self-service access requests, approval workflows through Slack, audit logging that fed directly into SOC 2 evidence collection. Before that platform existed, access reviews took six weeks per cycle and still had gaps.

A FedRAMP High IDP migration — nobody got locked out. Re-federating every connected application, cutting over certificate-based SSH infrastructure, keeping production up the entire time. The things that broke were the ones that existed in no documentation.

Compliance automation wired into the identity layer so evidence generates as a side effect of the system working correctly. Auditors pull reports instead of chasing screenshots.

Approach

Compliance gets designed in from the start. If an identity change cannot produce clean evidence for an auditor, the design is not done yet.

Every workflow ships with validation, approval gates, and rollback — because automating a broken process just breaks things faster. The first question is always: what happens when this runs at 2am with bad input and nobody is watching?

We build in stages. The first version of a provisioning pipeline might cover the top ten applications. The production version covers all of them, handles the edge cases that only surface at scale, and has monitoring that tells you something broke before a user files a ticket about it.

Every engagement includes runbooks, training, and documentation — not as an afterthought, but because the whole point is that you don't need us after we're done.

Good fit

  • Scaling past 100 employees: The manual processes that worked at 50 people are starting to break. Onboarding takes too long, offboarding misses accounts, and your IDP is configured just enough to mostly work.
  • Preparing for your first audit: SOC 2, SOX, or ISO 27001 is coming, and assembling identity evidence currently means someone spending two weeks in spreadsheets.
  • Integrating an acquisition: You just inherited another company's identity environment. Two directories, overlapping groups, and no one on either side can tell you how it all fits together.
  • Entering a regulated market: FedRAMP, IL4/IL5, or a compliance framework where identity controls need to be right from day one — not retrofitted after someone flags a gap.
  • Pre-IPO: Your identity infrastructure needs to survive auditor scrutiny, and right now it would not.
  • Migrating identity providers: Moving from one IDP to another without breaking the 40 applications connected to it. We have done this in FedRAMP environments where the margin for error is zero.

Not a fit

Looking for a reseller — persona.how does not resell vendor products. We build systems.

Endpoint, network, or SOC work — we can refer you to people who specialize in those disciplines.

General IT staffing — help desk, hardware provisioning, office IT. We can help you scope the need, but it is not the work we do.

Need a full-time hire — persona.how runs defined engagements with clear end dates. If you need a permanent team member, we can help you scope the role, but we are not a recruiting firm.

If this sounds like the right fit, the next step is a Quick Scan.