HRIS to entitlements, SCIM-bridged, audit-chained.
15 synthetic people across joiner / mover / leaver buckets · 6 pipeline anomalies (orphan keys, over-privileged movers, SCIM lag, Day-1 errors) · 8 connector health rows · ed25519-signed audit chain bridging Workforce events and Identity events.
JML pipeline — MomentumHR Inc.
15 synthetic people across joiner / mover / leaver buckets. Each row shows the HRIS event date, days-since-event, the provisioning narrative (Workday → Okta → entitled apps), and current status. 3 orphan accounts + 1 over-privileged mover currently flagged.
| Person | JML | Department | Role | HRIS event | Pipeline | Status |
|---|---|---|---|---|---|---|
| Aisha Tendero | Joiner | Marketing | Senior PMM | 2026-05-28 Day 1 | Workday → Okta → 4 apps | Current |
| Brendan Coatesworth | Joiner | Engineering | Staff Engineer | 2026-05-30 Day -1 (delayed) | Workday provisioned, Okta pending | IdP lag |
| Carla Reeves | Mover | Sales → Customer Success | VP CS | 2026-05-25 Day 3 | Okta groups updated, app entitlements 6/8 | In progress |
| Daniel Pham | Leaver | Engineering | Sr. SRE (terminated) | 2026-05-26 T+7d | Okta disabled, 2 apps orphaned | Orphan |
| Eva Hendricks | Joiner | Finance | Sr. FP&A | 2026-05-29 Day 2 | Workday → Okta → 6 apps | Current |
| Felipe Marchand | Mover | Engineering → Platform | Principal Eng | 2026-05-20 Day 8 | Old groups still attached (over-priv) | Over-privileged |
| Gianna Volkov | Leaver | Marketing | Lead PMM (resigned) | 2026-05-22 T+11d | Fully deprovisioned, all apps confirmed | Complete |
| Hiroshi Nakamura | Joiner | Sales | Enterprise AE | 2026-05-31 Day 0 | Workday created, Okta pending, no apps | IdP lag |
| Ines Marchetti | Mover | Operations → People Ops | Sr. People Partner | 2026-05-15 Day 13 | Approvals stalled (manager OOO) | Stalled |
| Jules Okafor | Joiner | Engineering | Sr. Security Eng | 2026-05-30 Day -1 | Workday provisioned, security review pending | In progress |
| Kim Pelletier | Leaver | Sales | AE (terminated) | 2026-05-24 T+9d | Slack still active (orphan #3) | Orphan |
| Luca Berkowitz | Joiner | Customer Success | Sr. CSM | 2026-05-28 Day 1 | Standard provision complete | Current |
| Maya Ferreira | Mover | Finance → Strategic Finance | Director | 2026-05-26 Day 7 | Entitlements aligned, MFA reconfirmed | Current |
| Nikhil Roy | Joiner | Engineering | Staff DevOps | 2026-06-02 Day 0 | Workday created today | Current |
| Olivia Strand | Leaver | Engineering | Sr. PM (offboarded) | 2026-05-18 T+15d | Personal AWS access keys still active | Orphan |
Pipeline anomalies — 6 patterns surfaced
SCIM 2.0 does most of the work, but the gaps that survive are exactly the gaps audit findings live in: orphan accounts (personal keys, Slack lag), over-privileged movers (old groups retained), stalled approvals (single-approver fragility), and Day-1 lag (SCIM UserAlreadyExists on rehires/contractor-conversions).
Daniel Pham still in 2 SaaS apps
Daniel Pham (terminated 2026-05-26) is disabled in Okta but retains active sessions in Slack and the AWS console (personal access key AKIA...XY42 last used 6h ago). Auto-deprovision didn't revoke them because the tokens were issued before the Okta SCIM webhook fired. Force-revoke now.
Olivia Strand AWS keys still active
Olivia Strand (offboarded 15 days ago) has personal IAM access keys still tagged active in AWS. SCIM doesn't deprovision personal keys — manual revocation required. CIS Control 6.4 violation.
Kim Pelletier Slack still active
Kim Pelletier (terminated 2026-05-24) — Slack workspace still shows active member (Slack SCIM bridge has known 72-hour lag). Manually deactivate. Validate the SCIM job ran.
Felipe Marchand retains old Engineering groups
Felipe Marchand moved Engineering → Platform 8 days ago but still has old Engineering Okta groups (eng-sre, eng-incident, eng-deploys). New Platform groups added without removing old. SOX SoD requires role-transition cleanup within 5 business days.
Brendan Coatesworth Day -1 (delayed)
Brendan Coatesworth Workday hire-date was yesterday but Okta provisioning is still pending. Day-1 productivity blocker. SCIM job logs show UserAlreadyExists error (orphan from prior contractor stint). Manual merge required.
Ines Marchetti waiting 13 days
Ines Marchetti moved Operations → People Ops 13 days ago. Manager-of-new-role is OOO; access-review approval stalled. ISO 27001 A.9.2.5 requires periodic re-validation — but blocking on a single OOO manager is process-fragile. Recommend backup approver in the workflow.
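The four anomaly patterns above are all reconciliation findings: compare what HRIS says about a person with what the IdP and the downstream apps actually hold, and flag the gap. The block below is an added example, not code from the page or the MomentumHR demo. It runs a constructed HRIS roster (modelled on the synthetic people above) against constructed IdP and app state and emits orphan, over-privileged-mover, IdP-lag and stalled-approval findings. The record shapes, field names, the `scimManaged` flag and the 5-day approval-stall threshold are assumptions; the 1-hour / 24-hour lag thresholds and the 5-day mover cleanup window are the figures the page states.

```javascript
// Added example (not the page's own code): reconcile a constructed HRIS roster
// against IdP and downstream-app state and surface the anomaly patterns the
// page names: orphan accounts, over-privileged movers, IdP (Day-1) lag and
// stalled approvals. Field names and the data model are assumptions.
const HOUR = 3600 * 1000;

// Thresholds. The 1-hour warn / 24-hour escalate lag values and the 5-day
// mover cleanup window come from the page (calendar days are used here for
// simplicity); the 5-day approval-stall threshold is an assumption.
const POLICY = { lagWarnHours: 1, lagEscalateHours: 24, moverCleanupDays: 5, approvalStallDays: 5 };

// Constructed sample data, modelled on the page's synthetic roster.
const NOW = Date.parse('2026-05-31T09:00:00Z');
const HRIS = [
  { email: 'daniel.pham@example.test', jml: 'leaver', eventDate: '2026-05-26', dept: 'eng' },
  { email: 'felipe.marchand@example.test', jml: 'mover', eventDate: '2026-05-20', fromDept: 'eng', dept: 'platform' },
  { email: 'brendan.coatesworth@example.test', jml: 'joiner', eventDate: '2026-05-30', dept: 'eng' },
  { email: 'ines.marchetti@example.test', jml: 'mover', eventDate: '2026-05-15', fromDept: 'ops', dept: 'people-ops', approvalPending: true },
  { email: 'luca.berkowitz@example.test', jml: 'joiner', eventDate: '2026-05-28', dept: 'cs' },
];
// IdP state (Okta-style). Group names are prefixed with the owning department.
// Brendan has no IdP record: the SCIM create failed (UserAlreadyExists on the page).
const IDP = [
  { email: 'daniel.pham@example.test', status: 'deprovisioned', groups: [] },
  { email: 'felipe.marchand@example.test', status: 'active', groups: ['eng-sre', 'eng-incident', 'eng-deploys', 'platform-core'] },
  { email: 'ines.marchetti@example.test', status: 'active', groups: ['people-ops-partners'] },
  { email: 'luca.berkowitz@example.test', status: 'active', groups: ['cs-all'] },
];
// Downstream app state. scimManaged=false marks credentials SCIM cannot revoke
// (personal access keys), which the page says need manual revocation.
const APPS = [
  { email: 'daniel.pham@example.test', app: 'slack', active: true, scimManaged: true },
  { email: 'daniel.pham@example.test', app: 'aws-access-key', active: true, scimManaged: false },
  { email: 'luca.berkowitz@example.test', app: 'slack', active: true, scimManaged: true },
];

function reconcile(hris, idp, apps, now) {
  const findings = [];
  const idpByEmail = new Map(idp.map(u => [u.email, u]));
  for (const p of hris) {
    const user = idpByEmail.get(p.email);
    const ageHours = (now - Date.parse(p.eventDate)) / HOUR;
    const ageDays = ageHours / 24;

    if (p.jml === 'joiner' && (!user || user.status !== 'active')) {
      // Day-1 lag: HRIS has the hire but the IdP has not provisioned the account.
      const severity = ageHours >= POLICY.lagEscalateHours ? 'escalate'
        : ageHours >= POLICY.lagWarnHours ? 'warn' : 'info';
      findings.push({ email: p.email, type: 'idp_lag', severity, ageHours });
    }

    if (p.jml === 'leaver') {
      // An IdP account still active after the HRIS termination is the worst case.
      if (user && user.status === 'active') {
        findings.push({ email: p.email, type: 'idp_active_after_leave', severity: 'critical' });
      }
      // Any app account still active after termination is an orphan; the
      // remediation differs depending on whether SCIM can reach it at all.
      for (const a of apps) {
        if (a.email !== p.email || !a.active) continue;
        findings.push({
          email: p.email, type: 'orphan_account', app: a.app, severity: 'critical',
          action: a.scimManaged ? 'confirm SCIM deprovision job ran, then deactivate' : 'manual revocation (outside SCIM)',
        });
      }
    }

    if (p.jml === 'mover') {
      // Groups still carrying the old department prefix after the cleanup
      // window are the over-privileged-mover pattern.
      const stale = user ? user.groups.filter(g => g.startsWith(p.fromDept + '-')) : [];
      if (stale.length > 0 && ageDays > POLICY.moverCleanupDays) {
        findings.push({ email: p.email, type: 'over_privileged_mover', groups: stale, severity: 'high' });
      }
      if (p.approvalPending && ageDays > POLICY.approvalStallDays) {
        findings.push({ email: p.email, type: 'stalled_approval', severity: 'medium', ageDays: Math.floor(ageDays) });
      }
    }
  }
  return findings;
}

// Stand-alone run: print the findings as a table.
console.table(reconcile(HRIS, IDP, APPS, NOW));
```

The point of splitting the orphan finding by `scimManaged` is the one the page makes under connector health: a SCIM-reachable orphan means a job that did not run and should be re-driven, while a personal key is outside the protocol entirely and only a manual revocation closes it.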
SCIM connector health
SCIM 2.0 (RFC 7644) is the standard provisioning protocol. Healthy connectors sync within minutes; lag warnings fire at 1 hour and escalate at 24 hours. Personal access keys (AWS, GitHub PATs, etc.) are NOT covered by SCIM — manual revocation is the only path, which is where orphans accumulate.
| Connector | Protocol | Pending changes | Last sync | Status |
|---|---|---|---|---|
| Workday → Okta | SCIM 2.0 | +2 added (Daniel removed too late) | 8h ago | Operational, 1 lag warning |
| Okta → Slack | SCIM 2.0 | 1 deprovision pending (Kim Pelletier) | 72h delay (known) | Lagging |
| Okta → Salesforce | SCIM 2.0 | All synced | 12m ago | Healthy |
| Okta → GitHub | SCIM 2.0 | All synced | 23m ago | Healthy |
| Okta → AWS SSO | SAML + SCIM | Personal keys NOT covered by SCIM | 1h ago | Partial — manual gap |
| Okta → Datadog | SCIM 2.0 | All synced | 8m ago | Healthy |
| Okta → Snowflake | SCIM 2.0 | All synced | 2h ago | Healthy |
| Okta → 1Password | SCIM 2.0 | All synced | 44m ago | Healthy |
Workforce ↔ Identity audit chain
Two co-mingled event streams: workforce.event.* (HRIS-side) and identity.* (IdP-side). When they synchronize cleanly, no human-readable report is needed. When they drift, the gap IS the audit finding.
Why this surface exists
The hardest part of identity governance is not the IdP itself — it's the seam between HRIS (Workday, UKG) and IdP (Okta, Entra ID), and the further seam to apps that bypass SCIM (personal access keys, legacy SAML, manual provisioning). This surface visualizes both seams in one view so the gaps that become audit findings stop hiding.
Buyer: HR Ops · IT Identity teams · Compliance (SOX / Sarbanes / ISO) running access-review cycles · Internal audit during quarter-close.
Regulatory anchors: SOX ITGC · ISO 27001 A.9.2 · NIST 800-53 AC-2/PS-4/PS-5 · GDPR Art 32 · CCPA · SCIM 2.0 (RFC 7644).
KG Suite tie-back: Every operator decision on this surface emits an audit-stream event (hash-chained, ed25519-signable). Vault-contract data classification follows the Decision Card v0.3 pattern (data_vault_targets + retention_envelope). Incident escalations match the AI Incident Card profile shape. Evidence bundles align with the AI Evidence Format spec.
Static-only doctrine: No backend. No login. No telemetry. All synthetic data is baked into this HTML page as JavaScript constants. Nothing leaves the tab. Frame as readiness / evidence / posture / controls / scaffolding — never "compliant" or "certified" without an externally-attested audit.