A 90-Day Identity Architecture Consult For CIOs & CISOs on Microsoft Identity Q2 / Q3 2026 Availability
VeriDM

Microsoft Entra ID and Zero Trust Identity Architecture

VeriDM helps Microsoft 365 and Azure enterprises modernize identity security through evidence-driven Microsoft Entra ID assessments, Zero Trust identity roadmaps, Conditional Access strategy, and CAB-ready remediation plans.

Live Gap Detection · Sample (1 gap)
Policy: All admin accounts require MFA at sign-in. [Documented]
Telemetry: Three privileged accounts signed in without MFA challenge in the last 30 days. [Gap]
Source: auditLogs/signIns · CA Policy CA-003 [Cited]
§ 01 / PROBLEM
The underlying problem

Assumption-based identity governance does not survive audit.

Most enterprises can describe their identity posture in policy. Almost none can prove it on demand. The gap between what is written and what is enforced is where breach findings, audit failures, and regulatory exposure live.
01 · The Audit Gap

Your documents describe a posture your telemetry can't prove.

Policy libraries, Conditional Access exports, and DSC templates describe intent. They do not prove enforcement. When the auditor asks for evidence, the interval between question and answer is measured in weeks — or in consultant retainers.

02 · The Drift Gap

Controls drift from policy faster than humans can reconcile.

Conditional Access shifts. Privileged role assignments change. Named Locations expire. Every hand on the keyboard is a potential divergence — and no dashboard reconciles intent to enforcement unless someone explicitly builds it.

03 · The Silicon Gap

AI agents now make decisions your framework was never designed to govern.

Copilot Studio agents and non-human identities consume the same controls as employees, at machine speed. Without a corpus that governs both humans and silicon colleagues, your identity perimeter has already been redefined — just not by you.

§ 02 / METHOD
Three non-negotiable principles

The VeriDM method is deterministic by design.

We do not infer posture. We cite it. Every claim the practice produces must trace back to a documented artifact or to live tenant telemetry. When neither exists, the silence itself becomes the finding.

These three principles are not branding. They are the operating constraints that make the practice defensible in front of auditors, boards, and regulators. Every deliverable — every session, every dashboard, every handover — is built on them.

I.

Silence = Absence

Axiom · No inference

If the corpus cannot produce an artifact that supports a claim, the control does not exist. Not "assumed." Not "likely." Absent. This is the rule that converts governance from a narrative exercise into a falsifiable one.

claim → artifact.cite() → verified
claim → paraphrase() → rejected
claim → inference() → finding
II.

The Truth Hierarchy

Evidence ordering

Not all sources are equal. Direct artifacts outrank summaries; summaries outrank external references; external references outrank inference — and inference is not permitted. The order is the whole point.

1. Artifacts   DSC · CA policy exports · role assignments · Graph logs
2. References   NIST · CAF · ISO · SOC 2 · internal standards
3. Inference   "based on general best practice…"
III.

Intent vs. Enforcement

The primary work product

Documented intent lives in SharePoint, policy libraries, and architecture diagrams. Actual enforcement lives in Microsoft Graph, sign-in logs, and device telemetry. The delta between them is the real finding — and that delta is what VeriDM systematically surfaces and measures.

INTENT: "Admin MFA required" · ENFORCEMENT: "3 admins · 0 MFA"
GAP REGISTER · Priority 1 · CA-003 · 2026-04-23
§ 03 / ENGAGEMENT
The 90-day arc

Three phases. Three artifacts you take to the board.

Each phase produces a specific, durable asset. The engagement is complete when your team can operate the loop without us — and your board has evidence that survives external scrutiny.

01 · Days 1 – 30 · Corpus Formation
Ingest · Tag · Structure
You Walk Away With: A queryable identity architecture, tagged against NIST 800-207, CAF, ISO 27001, and SOC 2.
  • Ingest existing identity artifacts into a governed corpus
  • Map every artifact to the Zachman framework and canonical tags
  • Overlay NIST 800-207, CAF, ISO 27001, SOC 2 control mappings
  • Establish the Truth Hierarchy for this tenant
  • Stand up the corpus in your SharePoint — not ours
02 · Days 31 – 60 · Gap Detection
Intent ↔ Enforcement
You Walk Away With: A prioritized Gap Register — every divergence between policy and telemetry, scored by risk.
  • Run intent-vs-enforcement analysis on priority control domains
  • Reconcile CA policy against Graph sign-in and audit logs
  • Surface drift in privileged role assignments and device trust
  • Score every gap by control weight, audit exposure, and effort
  • Deliver the register in formats your CAB and auditor both accept
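The intent-vs-enforcement reconciliation described under principle III and in the Phase 02 steps above, as an added illustration that is not VeriDM's own tooling: a Python sketch that checks a documented admin-MFA policy against constructed sign-in telemetry and applies the Silence = Absence rule to accounts with no usable evidence. The record shape loosely follows a few Microsoft Graph signIn field names; that shape, the contoso.example accounts and all sign-in records are assumptions, while CA-003 and the 2026-04-23 date are taken from the page's sample.

```python
from datetime import datetime, timedelta, timezone
# Documented intent. CA-003 and 2026-04-23 come from the page's sample;
# the accounts and telemetry below are constructed (contoso.example).
POLICY_ID = "CA-003"
NOW = datetime(2026, 4, 23, tzinfo=timezone.utc)
PRIVILEGED = {"alice.admin@contoso.example", "bob.admin@contoso.example",
              "carol.admin@contoso.example", "dave.admin@contoso.example"}

def _rec(upn, when, req, code=0):
    # Constructed sign-in record; field names loosely follow the Graph signIn resource (assumed)
    return {"userPrincipalName": upn, "createdDateTime": when,
            "authenticationRequirement": req, "status": {"errorCode": code}}

SIGN_INS = [
    _rec("alice.admin@contoso.example", "2026-04-20T08:01:00Z", "multiFactorAuthentication"),
    _rec("bob.admin@contoso.example", "2026-04-21T09:15:00Z", "singleFactorAuthentication"),
    _rec("bob.admin@contoso.example", "2026-04-22T09:15:00Z", "singleFactorAuthentication"),
    _rec("carol.admin@contoso.example", "2026-01-05T10:00:00Z", "singleFactorAuthentication"),  # outside window
    _rec("carol.admin@contoso.example", "2026-04-19T10:00:00Z", "singleFactorAuthentication", 50076),  # failed
]

def reconcile(privileged, sign_ins, now=NOW, window_days=30):
    """Return {account: 'verified' | 'gap' | 'no-evidence'} over the look-back window."""
    cutoff = now - timedelta(days=window_days)
    seen = {}  # account -> authenticationRequirement values observed on successful sign-ins
    for rec in sign_ins:
        upn = rec["userPrincipalName"]
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if upn not in privileged or ts < cutoff or rec["status"]["errorCode"] != 0:
            continue  # not privileged, outside the window, or not a successful sign-in
        seen.setdefault(upn, set()).add(rec["authenticationRequirement"])
    verdicts = {}
    for upn in privileged:
        if upn not in seen:
            verdicts[upn] = "no-evidence"  # Silence = Absence: no telemetry, no "verified"
        elif seen[upn] == {"multiFactorAuthentication"}:
            verdicts[upn] = "verified"
        else:
            verdicts[upn] = "gap"  # at least one successful sign-in without an MFA challenge
    return verdicts

def gap_register(verdicts, now=NOW, policy_id=POLICY_ID):
    """Gap Register rows: every account whose enforcement is not verified, cited to the policy."""
    return [{"priority": 1, "policy": policy_id, "account": upn, "finding": verdicts[upn],
             "date": now.date().isoformat()}
            for upn in sorted(verdicts) if verdicts[upn] != "verified"]

if __name__ == "__main__":
    print(gap_register(reconcile(PRIVILEGED, SIGN_INS)))
```

Note that a failed sign-in and a sign-in outside the window both leave an account with no evidence rather than a pass, which is the difference between "verified" and "assumed" that the Truth Hierarchy insists on.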
03 · Days 61 – 90 · Operating Model Transfer
Handoff · Cadence · Audit readiness
You Walk Away With: An audit-ready team running the loop — without VeriDM in the room.
  • Train your team to query and extend the corpus independently
  • Install the ongoing gap-detection cadence in your operating rhythm
  • Establish the reconciliation ritual between engineering & GRC
  • Hand over the named Corpus Owner with admin capability
  • Document the escalation path and quarterly posture review
§ 04 / OUTCOMES
What changes on day 91

The same question. A different kind of answer.

These are the questions your team, your auditor, or your board asks today. The left column is how long it takes now. The right column is what changes.

Today

Days to weeks
Prove that every admin account enforces MFA.
Export CA policies → manually reconcile with PIM assignments → request sign-in log extract → spreadsheet → meeting → maybe.
Map our controls to NIST 800-207.
Nobody knows. An analyst will try. The mapping will be partial, undated, and nobody will trust it.
Where do we permit legacy authentication?
Open Entra admin center → inspect each CA policy → take notes → hope you didn't miss one.
Has anything drifted since the last review?
No way to answer without redoing the entire review.

On day 91

Minutes · with citation
Prove that every admin account enforces MFA.
→ 12 admin accounts · 12 enforced · 0 gaps · cited to CA-003 and signIns. Answer produced in under a minute, signed by the corpus.
Map our controls to NIST 800-207.
→ Control coverage table, timestamped, with silence explicitly flagged where no artifact backs the claim. This becomes the audit response.
Where do we permit legacy authentication?
→ Two policies identified · scoped groups enumerated · risk statement attached. Remediation lands in CAB, not a consultant engagement.
Has anything drifted since the last review?
→ Continuous drift reconciliation runs on cadence. The question stops being annual. It becomes a posture reading.
§ 05 / METRICS
Board-ready measurement

Metrics your audit committee will actually recognize.

The engagement succeeds or fails on these numbers. They are tracked from day one, baselined by day fifteen, and reported monthly for the life of the operating model.

METRIC 01 · Intent–Enforcement Gap Count (trending)
Total open gaps between documented policy and live telemetry. Trended monthly. The headline board number.
METRIC 02 · Corpus Coverage (% covered)
Share of in-scope controls backed by a cited artifact — by framework (NIST, CAF, ISO, SOC 2).
METRIC 03 · Time-to-Evidence (<5 min)
Median time to answer an audit-grade question with citation. Target: under five minutes by day 90.
METRIC 04 · Deterministic Answer Rate (% cited)
Share of corpus queries answered with direct artifact citation — not paraphrase, not inference.
§ 06 / FIT
Who this is for

We don't work with everyone.

The 90-day consult is designed for a specific operating context. If this sounds like your environment, we will almost certainly be able to help. If it doesn't, we'll tell you.

Microsoft identity estate

Entra ID tenant with Conditional Access, Intune, and Defender for Endpoint in production. On-prem AD integration is common and supported.

Mid-to-large enterprise scale

Typically 2,500+ identities, multiple business units, and an identity team that is competent but structurally under-tooled for evidence-based governance.

A concrete triggering event

Upcoming audit, regulatory deadline, M&A integration, post-incident remediation, or a board directive to improve posture. Curiosity alone is rarely enough.

Executive sponsorship

A named CIO, CISO, or Chief Architect with calendar time and authority to make decisions. Handoff only works if someone on your side owns it.

§ 07 / ENGAGE
The scoping conversation

If you can't answer these three questions in under a minute, we should talk.

The scoping call is forty-five minutes. It is not a sales call. It is a qualification for both sides — and it ends with a clear recommendation whether the 90-day consult is the right instrument for your situation.

Q.01
Can you prove — today, with evidence — that your MFA enforcement matches your MFA policy?
Q.02
If an auditor asked for your Zero Trust control coverage mapped to NIST 800-207, how long would it take?
Q.03
Where does your identity architecture actually live — and who on your team can read it?
Direct

Skip the form.

If you'd rather write a line yourself, reach Neal directly. Replies land same-day, Monday through Friday.

RESPONSE Within one business day
SCOPE 45-minute scoping call
REGION North America · EU · UK
AVAILABILITY Q2 / Q3 2026
§ 08 / FAQ
Executive FAQ

Microsoft identity architecture, answered plainly.

VeriDM converts Microsoft tenant evidence into a Zero Trust identity roadmap, governance-validated remediation plan, and operating model your CAB can review.

01 · Identity Architecture as a Service

What is Identity Architecture as a Service?

Identity Architecture as a Service gives organizations access to practitioner-led identity architecture, tenant evidence analysis, governance mapping, and remediation sequencing without hiring a full-time identity architect.

02 · Microsoft Entra ID roadmap

What is a Microsoft Entra ID roadmap?

A Microsoft Entra ID roadmap is a prioritized identity security plan covering Conditional Access, privileged access, legacy authentication, lifecycle governance, device trust, and audit readiness.

03 · MSSP distinction

How is VeriDM different from an MSSP?

VeriDM differs from an MSSP by producing deterministic architecture roadmaps and governance-ready remediation plans rather than simply operating security tools.

04 · CAB-ready remediation

What does CAB-ready remediation mean?

CAB-ready remediation means each change is sequenced, risk-mapped, evidence-supported, and prepared for change advisory board review.

05 · Engagement duration

How long does a VeriDM engagement take?

Foundational VeriDM engagements are designed for 22-30 days.

06 · Closed-domain AI

How does VeriDM use closed-domain AI?

VeriDM uses closed-domain AI to normalize evidence, classify artifacts, identify gaps, and accelerate executive-ready outputs while keeping findings grounded in tenant evidence.

07 · Existing tools

Does VeriDM replace identity tools?

VeriDM does not replace identity tools; it turns existing Microsoft tenant evidence into a governed architecture and remediation plan.