About

Practitioner-Led IAM Consulting

Identity and access management delivered by people who've actually done the work — not just advised on it.

With over 17 years of experience across enterprise technology and cybersecurity, our practice is grounded in hands-on delivery within highly regulated environments including financial services, telecommunications, and insurance. We've operated inside large-scale transformation programs involving 150+ stakeholders, spanning internal teams, offshore delivery centres, and complex vendor ecosystems.

What we deliver

  • Large-scale IGA implementations and migrations (SailPoint, One Identity) supporting tens of thousands of users and millions of entitlements
  • Active Directory remediation and hybrid identity uplift, including post-incident security recovery
  • Privileged Access Management optimisation and scaled onboarding frameworks (CyberArk, Safeguard)
  • Access certification programs, SoD policy design, and reconciliation automation
  • Security Operations uplift, modernising logging and monitoring standards while partnering with CISOs to identify and protect organisational crown jewels

We've delivered alongside leading global cyber consultancies including Deloitte, KPMG, EY, PwC, and Mandiant (Google Cloud) — and understand how to operate effectively within complex, multi-vendor environments without slowing delivery or diluting accountability.

Delivering against regulatory outcomes

Our work is often undertaken in environments under heightened regulatory scrutiny — where success is measured not by tools deployed, but by whether organisations can demonstrably meet regulator-defined objectives.

We have supported remediation and uplift initiatives aligned to enforceable undertakings, post-incident reviews, and supervisory expectations set by regulators including the Office of the Australian Information Commissioner, APRA, ASIC, ASD, and ACMA.

This includes delivering identity-centric remediation initiatives for large Australian enterprises following material cyber events and regulatory interventions.

Our focus is not on the incident itself — but on ensuring identity, access, and control frameworks are uplifted in a way that satisfies regulatory intent, withstands independent assurance, and remains operationally sustainable.

We operate vendor-neutral. Our recommendations are based on what works for your environment — not what earns commission. Every engagement is led by senior practitioners who can move seamlessly between technical detail and executive-level conversations to get initiatives funded, delivered, and operationalised.

Based in Sydney. Trusted by Australian enterprises.

Delivered alongside

Deloitte KPMG EY PwC Mandiant / Google Cloud

Ready to talk?

Share your challenge and we'll respond with clear next steps and options.

Start a conversation