Process - How we work

Every engagement has a defined scope, a defined end date, and a clear handoff. Here is how the work actually runs.

Engagement model

| Model | When | Pricing |
|---|---|---|
| Fixed scope | Scope is clear up front | Fixed price, defined before work starts |
| Time and materials (capped) | Discovery-heavy, scope unclear | Hourly with a not-to-exceed cap |
| Retained advisory | Ongoing support after implementation | Monthly retainer, minimum 3 months |

Fixed-scope engagements are the default. Deliverables and price are defined up front, and the price does not change unless the scope does.

When scope genuinely cannot be nailed down before work starts, persona.how uses time-and-materials with a not-to-exceed cap. You still get a ceiling on cost.

Retainers cover ongoing advisory and post-implementation support. Minimum three-month commitment with defined hours per month. Scope is reviewed quarterly so the retainer stays useful.

Every engagement has a defined end date. The goal is to hand off a system your team can run.

Where we advise vs. implement

Both. Assessment and roadmap engagements are advisory. persona.how reviews your environment and delivers a prioritized plan with specific gaps called out. You decide what to do with it.

Automation, migration, and governance engagements include hands-on implementation. Configuration, code, testing, and deployment.

Most engagements chain naturally: assessment first, then implementation based on the findings. You can start at either point.

How we work day-to-day

  • Weekly status meetings: Thirty-minute weekly check-in with your working team. What got done, what is in progress, what is blocked, and what we need from you.
  • Incremental delivery: Work ships in pieces. You see working output every week — not a big reveal at the end where half of it needs rework and the timeline is already spent.
  • Communication: Slack, Teams, or whatever your team already uses. Async by default, synchronous when it matters.
  • Written status updates: A written update every week: what shipped, what is in progress, what is blocked, and what decisions we need from you.
  • Milestone reviews: At each phase gate, we demo what was built and walk through the details. You sign off before we move to the next phase.
  • Scope management: If something changes (new complexity, a dependency we did not anticipate), you hear about it immediately. Changes are handled through scope trades or change orders.

What access we typically need

For assessments: read-only access to your identity provider, connected applications, and directory services. Enough to see the configuration and pull data, not enough to change anything.

For implementations: admin access scoped to the systems the engagement covers. We do not ask for access we do not need.

All credentials are handled per the Security & Privacy page. Stored in 1Password, never in plaintext, deleted after use. Access is time-bound to the engagement duration and revoked at engagement close.

What we do not take on

Endpoint security — device management, EDR, mobile device policies. We know good people and can make introductions.

Network security — firewalls, VPNs, network segmentation. Not our scope.

SOC and MDR — security operations, managed detection and response. Different tooling and staffing model.

General IT — help desk, hardware, office infrastructure. Happy to point you in the right direction.

Reselling — we build systems, not sell licenses. Vendor evaluation is part of our assessment work.

Anything outside identity. Identity means provisioning, access, governance, authentication, and compliance; that is the boundary.

Handoff and documentation

The handoff is not a formality at the end. It is built into the engagement timeline from the start — we have inherited enough systems with no documentation to know how that goes.

Documentation lives in your systems (not ours): runbooks, configuration guides, admin training on anything we built. The test is simple — can your team operate this on a Tuesday morning without calling anyone?

After handoff, persona.how checks in at two weeks and six weeks to answer questions that come up once your team is running things day-to-day. Quarterly touchpoints after that, but only when we have something relevant to share.

The engagement is done when we are not needed.

AI agents in our work

persona.how uses AI agents for drafting, code generation, research, and analysis. This is disclosed to every client and stated in every SOW and MSA.

Agents are good at drafting and analysis. They will also invent plausible-looking details that are wrong and cheerfully agree to scope they cannot deliver. Only the practitioner commits to timelines, cost, and scope.

All agent-generated deliverables are reviewed by a human before delivery. We have seen what goes wrong without these rules:

  • Communication: Everything a client reads has been reviewed by a human first. Agents draft — they do not send.
  • Commitments: Agents will cheerfully agree to deliver something in two days that takes two weeks. Only the practitioner commits to scope, timeline, or cost.
  • Production access: Agents do not have autonomous access to client environments. Every action against a live system gets explicit, per-task sign-off.
  • Credentials: Agents do not store or persist client credentials. Used in the moment, then gone.

Ready to start? Most engagements begin with a one-week assessment.