Real-World Use Cases
See how Activitee solves identity governance, AI-powered security assessment, and continuous compliance challenges across industries.
Government & Defence
IRAP assessments, ISM control compliance, PROTECTED-level evidence management, Essential Eight maturity
IRAP Assessment for a Federal Agency Cloud Migration
A federal agency migrating from on-premise Active Directory to Microsoft Entra ID needs to complete an IRAP assessment at PROTECTED level. The project involves 4,500 identities across 3 AD domains, 12 business applications, and a hybrid cloud environment with both Azure and AWS workloads.
Identity & Access Governance
Activitee connects to all 3 AD domains and the new Entra ID tenant. The analysis engine identifies 340 access inconsistencies across the legacy domains — accounts belonging to former contractors and employees whose departures were never processed. The access review dashboard categorises each by risk level, last login date, and group memberships. The agency resolves all 340 anomalies in 2 weeks instead of the estimated 3 months of manual spreadsheet work.
AI-Powered Security Assessment
The IRAP assessor configures Activitee's AI intelligence to analyse the agency's identity fabric. The AI risk scoring engine flags 23 accounts with excessive privileges — users who accumulated permissions across role changes but never had old access revoked. Risk analysis reveals that 4 of these accounts could be used to escalate from standard user to Domain Admin in 3 hops.
- AI gap analysis auto-identifies 47 ISM controls requiring remediation based on current Entra ID configuration
- Access analytics flags 12 users with access patterns inconsistent with their role — all confirmed as privilege accumulation
- Impact simulation models the impact of implementing Conditional Access policies before deployment
- Automated evidence collection captures MFA enrollment status, Conditional Access configs, and privileged role assignments every 24 hours
Workflow & Cross-Framework Mapping
The 8-stage workflow guides the IRAP assessor team of 3 through scoping, control assessment, internal review, remediation, and reporting. Each stage has pre-populated tasks with due dates. Because the agency also needs Essential Eight maturity level 2 compliance, Activitee maps ISM controls to Essential Eight strategies — evidence collected for ISM-1503 (MFA) automatically satisfies Essential Eight's "Multi-factor Authentication" strategy at ML2.
ISM-1503 → E8 MFA ML2 · ISM-1507 → E8 Restrict Admin · ISM-1404 → E8 User App Hardening · ISM-0421 → E8 Patching
Evidence Vault
Over the 12-week assessment, the vault accumulates 280 evidence artifacts. Auto-collected cloud monitoring evidence (MFA status, Conditional Access policies, privileged role snapshots) runs daily. Manual uploads include policy documents, interview notes, and architecture diagrams. When the IRAP assessor requests evidence for ISM-1503, the team delivers it in 30 seconds — it's already versioned, timestamped, and mapped to the control. The audit trail shows exactly who collected it, when, and whether it was MFA-verified.
Financial Services
SOC 2 Type II, ISO 27001, access reviews, SoD controls, continuous compliance posture
SOC 2 + ISO 27001 Dual Assessment for a Mid-Tier Lender
A mid-tier lender with 2,200 employees uses Okta for SSO, AWS for infrastructure, and Entra ID for Microsoft 365. They need both SOC 2 Type II and ISO 27001 certification, and their auditor has flagged that the previous year's evidence package was incomplete, manually assembled, and lacked version tracking.
Cross-Framework Assessment Mapping
Activitee runs both assessments simultaneously. When the team assesses SOC 2 CC6.1 (Logical Access Controls) and documents MFA enforcement, that same evidence auto-maps to ISO 27001 A.9.4.2 (Secure Authentication). Of 64 SOC 2 criteria and 93 ISO 27001 controls, Activitee identifies 41 overlapping requirements. The team assesses these once, producing evidence that satisfies both frameworks — cutting assessment effort by 35%.
CC6.1 ↔ A.9.4.2 · CC6.2 ↔ A.9.2.1 · CC6.3 ↔ A.9.2.3 · CC7.2 ↔ A.12.4.1 + 37 more
AI-Driven Continuous Monitoring
With connectors to Okta, AWS IAM, and Entra ID, Activitee runs 20 agentless checks daily. The AI intelligence layer correlates check results across platforms:
- Entra ID MFA check + Okta MFA enrollment check = combined MFA posture score across both identity providers
- AWS root MFA + Okta Super Admin count + Entra privileged roles = unified privileged access risk score
- SoD engine detects 8 toxic combinations between Okta app assignments and AWS IAM roles — flagged before auditor review
- AI predicts which controls will drift based on historical check patterns and upcoming personnel changes
Quarterly Access Reviews
The compliance team runs quarterly access certification campaigns. 12 department managers review their team's access across Okta apps, AWS roles, and AD groups. Decisions (approve/revoke/reassign) are captured with mandatory justification. Campaign results auto-export to the Evidence Vault as SOC 2 CC6.1 evidence with 180-day retention. The SoD engine validates that no approval creates a new toxic combination.
Healthcare
High-turnover identity management, clinical system access governance, NIST CSF compliance, evidence for accreditation
NIST CSF Assessment for a Regional Health Network
A regional health network with 6 hospitals, 8,000 clinical staff, and 45% annual contractor turnover struggles with access inconsistencies in their EMR, AD, and Google Workspace environments. Clinical staff rotate between facilities, accumulating access that's never revoked. Their NIST CSF assessment is due in 8 weeks.
Access Anomaly Crisis
Activitee connects to AD and Google Workspace across all 6 hospitals. The analysis engine processes 8,000 authoritative identities against 11,400 target accounts and identifies 2,100 anomalies — accounts for departed contractors, rotated staff, and shared service accounts with no owner. The access review dashboard categorises by hospital, department, last access date, and clinical system access level. The IT security team resolves the top 500 high-risk anomalies (those with EMR access) in week 1.
AI Assessment for Clinical Access
- Access analytics groups staff by clinical role (nurses, doctors, pharmacists, admin) and flags 180 users with access beyond their role's access baseline
- AI gap analysis identifies that NIST PR.AC-1 (Identities and credentials are issued, managed, verified, revoked, and audited) has 12 sub-requirements — 4 are non-compliant due to the access anomaly problem
- Risk analysis reveals that 3 accounts flagged as access inconsistencies retain VPN access + EMR admin roles — a direct patient data breach vector
- Auto-evidence collection captures Google Workspace 2SV enrollment status nightly across all 6 hospital domains
Evidence for Accreditation
The Evidence Vault stores access remediation records, access review certifications, MFA enrollment reports, and policy acknowledgments. Each artifact is versioned and mapped to NIST CSF subcategories. When the accreditation body requests evidence for PR.AC-1 through PR.AC-7, the compliance officer exports a filtered evidence package in under 5 minutes — 67 artifacts, all with audit trails showing collection date, collector, and MFA verification status.
Higher Education
Massive identity management churn, research data protection, ISO 27001 compliance, multi-campus governance
ISO 27001 Certification for a Multi-Campus University
A university with 3 campuses, 60,000 students, 5,000 staff, and 2,000 researchers runs Active Directory, Google Workspace (students), Entra ID (staff), and a custom research portal. Each semester produces 15,000 identity management events (enrolments, graduations, visiting researchers). They're pursuing ISO 27001 certification for the first time.
8-Stage Assessment Workflow
The CISO assigns a team of 5 across the 8-stage workflow. The task board generates 30+ default tasks per stage. Each campus IT lead owns specific control domains — Network Security for Campus A, Access Control for Campus B, Physical Security for Campus C. The workflow enforces dependencies: Internal Review cannot start until Assessment is 80% complete. Notification rules alert stage owners 7 days before due dates and escalate to the CISO if overdue by 3 days.
AI for Semester Lifecycle Management
- AI analyses 15,000 identity management events per semester and auto-flags access anomalies — 200 students who graduated but retained research portal access
- Impact simulation models the access impact of a new faculty-wide Google Workspace policy before rollout to 60,000 accounts
- Cross-framework mapping reuses ISO A.9.2.1 evidence (User Registration) for NIST PR.AC-1, saving 40% assessment effort on the planned NIST assessment next year
Energy & Utilities
Critical infrastructure protection, AESCSF compliance, OT/IT identity convergence, Essential Eight
Essential Eight + IRAP for a State Energy Utility
A state-owned energy utility with 3,500 employees operates critical infrastructure under AESCSF requirements. Their OT environment has 400 SCADA-accessible accounts. The board mandates Essential Eight maturity level 2 and an IRAP assessment for their cloud-hosted corporate environment before year-end.
Continuous Compliance Monitoring
Activitee monitors the corporate Entra ID environment with 8 agentless checks running hourly. MFA enforcement is checked every hour (Essential Eight ML2 requirement). When a new Global Admin is assigned without following the privileged access procedure, the system detects the change within 60 minutes, auto-creates a CRITICAL finding mapped to ISM-1507, sends an alert to the CISO, and stores the evidence snapshot in the vault.
AI for OT/IT Convergence Risk
The AI risk analysis engine analyses the relationship between corporate AD accounts and SCADA-accessible service accounts. It discovers that 6 IT administrators have group memberships that chain through 3 nested AD groups to OT system access — a lateral movement path from corporate email compromise to SCADA control. These risk analysis results are flagged as CRITICAL findings in the IRAP assessment and mapped to ISM-1507 and ISM-1055.
MSSPs & Security Consultancies
Multi-tenant client management, concurrent assessments, branded PDF reports, evidence lifecycle per client
MSSP Managing 15 Client Assessments Concurrently
A Sydney-based cybersecurity consultancy with 12 assessors manages 15 concurrent compliance assessments across government (IRAP), financial (SOC 2 + ISO 27001), and healthcare (NIST CSF) clients. Before Activitee, each assessor maintained their own spreadsheets, evidence folders, and report templates.
Multi-Tenant Client Isolation
Each client operates as an isolated Organisation within Activitee. Client A's identities, assessments, evidence, and monitoring data are completely invisible to Client B. Assessors are assigned to specific client orgs with role-based access. The MSSP's principal consultant has Super Admin access across all orgs for oversight without mixing data.
Standardised Assessment Workflow
Every client assessment follows the same 8-stage workflow with consistent quality gates. The task board shows each assessor's workload across their assigned clients. When an assessor completes the Assessment stage for Client A, the notification rule auto-alerts the senior assessor to begin Internal Review. PDF reports are generated in a consistent professional format across all clients — branded, structured, and auditor-ready.
AI-Powered Efficiency Across Clients
- Cross-framework mapping means assessors working on a client's SOC 2 can reuse 41 control assessments when the same client needs ISO 27001 next quarter
- AI gap analysis identifies common patterns across clients — if 10 of 15 clients fail the same MFA control, the MSSP creates a standardised remediation playbook
- Evidence Vault per client maintains independent retention, versioning, and audit trails — each client's evidence package is self-contained for auditor handoff
- Cloud monitoring provides ongoing value between assessments — clients retain Activitee to continuously monitor their posture, creating recurring MSSP revenue
Technology & SaaS
SOC 2 for customer trust, developer access governance, API key lifecycle, cloud-native IAM
SOC 2 Type II for a B2B SaaS Platform
A 200-person B2B SaaS company uses Okta for workforce IAM, AWS for production infrastructure, and Google Workspace for collaboration. Enterprise customers require SOC 2 Type II before signing contracts. The SOC 2 observation period is 6 months — they need continuous evidence collection, not point-in-time assessments.
6-Month Continuous Evidence Collection
Activitee's compliance monitoring runs 20 checks daily across Okta, AWS IAM, and Google Workspace for the full 6-month observation period. Every check stores evidence in the vault with automatic 365-day retention. When the SOC 2 auditor asks for evidence of MFA enforcement over the observation period, the team delivers 180 daily snapshots — each timestamped, versioned, and showing actual vs expected values. No manual evidence gathering required.
AI for Developer Access Risk
- AI risk scoring identifies 8 developers with production AWS access who haven't completed their quarterly access review — auto-escalated to engineering managers
- AWS IAM overly-permissive policy check flags 3 service accounts with AdministratorAccess — auto-finding created, mapped to CC6.3
- Access analysis compares backend engineers' AWS IAM policies and finds 2 engineers with S3 bucket policies 4x broader than peers
Retail & Hospitality
High-volume identity management, seasonal workforce, PCI-adjacent controls, store-level access governance
ISO 27001 + SOC 2 for a National Retail Chain
A national retail chain with 450 stores, 18,000 employees, and 6,000 seasonal workers manages identities across Entra ID (corporate), a POS system, and a workforce management platform. Seasonal hiring creates 6,000 accounts in October that should be deprovisioned by January — but historically 30% remain active months later.
Seasonal Workforce Governance
Activitee's access anomaly detection runs weekly. In February, it flags 1,800 seasonal accounts that should have been deprovisioned. The system auto-categorises by store, POS access level, and days since last login. The retail IT team uses the bulk disable workflow to deactivate all 1,800 accounts in a single operation, with evidence auto-captured in the vault for ISO 27001 A.9.2.6 (Removal of Access Rights) and SOC 2 CC6.2.
Evidence Vault for Dual Certification
The vault stores access removal evidence, access review certifications, MFA enrollment reports, and seasonal workforce lifecycle records. Cross-framework mapping means the seasonal access removal evidence satisfies both ISO A.9.2.6 and SOC 2 CC6.2 simultaneously. The auditor receives a unified evidence package — 340 artifacts, all version-controlled with immutable audit trails.