Automation, IaC & Zero-Trust Engineering
Scripting, infrastructure-as-code and the engineer's-mindset bar
Scripting & automation that ships
After this you can write the kind of automation a Cursor technical screen will ask for.
The first technical screen is a hands-on scripting round and the bar is not "can you write Python." It's whether you reach for code by default to make a manual IT process disappear and whether the script you write would survive contact with a real Okta tenant.
Cursor frames this role as software engineering applied to IT. The interviewer is reading for an engineer's mindset: you hit a SaaS REST API, you handle the pagination and the 429s and you make the thing safe to run twice. A candidate who writes a one-shot script that double-creates users on a re-run has told the interviewer they've never run automation in anger.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Read current state, diff against desired, gate on a dry-run, then apply only the delta - idempotent by construction.
The four properties graders look forwhat separates a script from a toy
- Idempotent
- Running it twice produces the same end state - you check-then-act, never blind-create
- Resilient
- Pagination, retries with backoff on 429/5xx, timeouts and a clear failure path
- Observable
- Structured logs, a summary of what changed and an alert when a run fails
- Safe
- A
--dry-runthat prints the diff without mutating and secrets pulled from a vault not the source
If you can name these four and show them in code, you've cleared most of the scripting screen before writing a single helper.
Talk to a SaaS API the way the API expectsOkta, Google, Slack all bite the same way
Every IT-facing API has the same three traps: it pages its results, it rate-limits you and it occasionally 500s mid-batch. A senior answer wires all three into a small reusable client rather than copy-pasting requests.get everywhere.
import os, time, logging, requests
OKTA = os.environ["OKTA_ORG_URL"] # injected, never hard-coded
TOKEN = os.environ["OKTA_API_TOKEN"] # from the secrets manager
S = requests.Session()
S.headers.update({"Authorization": f"SSWS {TOKEN}"})
log = logging.getLogger("jml")
def get_all(path):
"""Follow Okta's Link: rel=next paging, retry on 429/5xx."""
url, out = f"{OKTA}{path}", []
while url:
for attempt in range(5):
r = S.get(url, timeout=30)
if r.status_code == 429 or r.status_code >= 500:
wait = int(r.headers.get("Retry-After", 2 ** attempt))
log.warning("throttled, sleeping %ss", wait); time.sleep(wait); continue
r.raise_for_status(); break
else:
raise RuntimeError(f"gave up on {url}")
out += r.json()
url = r.links.get("next", {}).get("url")
return out
def converge_membership(group_id, desired_ids, dry_run=True):
current = {u["id"] for u in get_all(f"/api/v1/groups/{group_id}/users")}
add, remove = desired_ids - current, current - desired_ids
log.info("group %s: +%d -%d", group_id, len(add), len(remove))
if dry_run:
return {"add": sorted(add), "remove": sorted(remove)} # show the diff, change nothing
for uid in add:
S.put(f"{OKTA}/api/v1/groups/{group_id}/users/{uid}", timeout=30).raise_for_status()
for uid in remove:
S.delete(f"{OKTA}/api/v1/groups/{group_id}/users/{uid}", timeout=30).raise_for_status()
return {"added": len(add), "removed": len(remove)}Notice the shape: read the current state, compute a diff against desired and apply only the delta. That's a reconcile-and-converge loop and it's idempotent for free because a second run finds nothing to change.
Pick the right trigger for the jobreconcile loop vs. webhook vs. cron
Compares desired vs. actual state and converges the difference.
Self-healing: fixes drift even when an event was missed.
Your default for membership, access and provisioning sync.
Fires the instant the HRIS marks someone a leaver.
Lowest latency for offboarding - seconds, not the next cron tick.
Pair with a reconcile loop as a backstop for dropped events.
Cron / scheduled function for periodic sweeps.
Good for access reviews, drift reports, certificate checks.
Simple and predictable, but adds latency equal to its interval.
The strong pattern for joiner/mover/leaver is a webhook for immediacy plus a reconcile loop on a schedule as the safety net. Webhooks get dropped; a converge loop catches whatever the event missed.
The single fastest way to fail a security-adjacent IT screen is to paste an API token into the script. Even in a 60-minute exercise, read it from an environment variable and say out loud where it'd live in production - a secrets manager (1Password/Doppler/Vault/AWS Secrets Manager), injected at runtime, rotated and scoped to least privilege. The interviewer is watching for whether security is reflexive for you or an afterthought.
When handed the problem, narrate before you type: "I'll make this idempotent with a read-diff-apply loop, add a dry-run flag so we can review the change before it's live and handle paging and 429s in one client helper." Then build the dry-run path first and run it. Showing the diff before mutating anything is exactly the change-safety instinct that separates an IT engineer from someone clicking through an admin console.
Takeaway. Production IT automation is idempotent (read-diff-apply, safe to re-run), resilient (paging + retry/backoff), observable (logs + failure alerts) and safe (--dry-run plus secrets from a vault) - and a JML pipeline pairs a webhook for speed with a reconcile loop as the backstop.
Self-check
QIn a Python screen you're asked to write a script that adds new hires to an Okta group from an HRIS export. What design choices signal a production engineer rather than someone who's only clicked through admin consoles?
Infrastructure as Code for IT
After this you can treat IT systems as version-controlled, reviewable code.
This is the literal nice-to-have in the job description and the heart of the "transform traditional IT" pitch. The interviewer wants to hear that your Okta config, your Google Workspace settings and your fleet baselines live in Git and ship through a pull request - not in someone's memory of which checkbox they clicked.
Click-ops is the failure mode this role exists to kill. When an SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. app is configured by hand, there's no review, no history of who changed the assertion attribute and no way to recreate it after a bad edit. Config-as-code gives you the same disciplines engineers already have for application code.
Five things Git gives IT configthe benefits to articulate by name
- Peer review
- A risky MFA-policy change gets a second set of eyes in a PR before it's live
- Change history
git blameanswers "who loosened this conditional-access rule and when"- Rollback
- Revert the commit and re-apply to restore the prior known-good state
- Reproducibility
- Stand up an identical tenant for a test org or an acquisition from the same code
- Drift detection
terraform planshows anyone who clicked a change out-of-band, so config can't quietly rot
These five are also the SOC 2 change-management story - a reviewed, logged, reversible change trail is audit evidence you get for free.
Pick the tool to the layerTerraform/Pulumi vs. Ansible
- Tool
- Terraform / Pulumi
- Model
- Declarative, state-tracked, desired-state
- Best fit in IT
- SaaS + cloud config where a provider exists: Okta-as-code, Google Workspace, GitHub orgs, AWS/GCP
- Watch-out
- State file is sensitive and must be locked + secured; provider coverage varies by app
- Tool
- Ansible
- Model
- Imperative-ish, agentless, push over SSH
- Best fit in IT
- Server and Linux-fleet state, package/config management, runbook-style orchestration
- Watch-out
- Not truly stateful - converges on run, but won't flag out-of-band drift the way a plan does
| Tool | Model | Best fit in IT | Watch-out |
|---|---|---|---|
| Terraform / Pulumi | Declarative, state-tracked, desired-state | SaaS + cloud config where a provider exists: Okta-as-code, Google Workspace, GitHub orgs, AWS/GCP | State file is sensitive and must be locked + secured; provider coverage varies by app |
| Ansible | Imperative-ish, agentless, push over SSH | Server and Linux-fleet state, package/config management, runbook-style orchestration | Not truly stateful - converges on run, but won't flag out-of-band drift the way a plan does |
Rule of thumb: Terraform/Pulumi for things with an API and a provider; Ansible for getting boxes into a known configuration.
You don't have to choose only one. A common setup is Terraform managing the Okta tenant and Google Workspace, with Ansible handling Linux server baselines, all in the same repo behind the same review gate.
Okta-as-code, concretelywhat a reviewer can read in a PR
resource "okta_app_saml" "datadog" {
label = "Datadog"
sso_url = "https://app.datadoghq.com/account/saml/assertion"
recipient = "https://app.datadoghq.com/account/saml/assertion"
destination = "https://app.datadoghq.com/account/saml/assertion"
audience = "https://app.datadoghq.com/account/saml/metadata"
subject_name_id_template = "$${user.email}"
subject_name_id_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
honor_force_authn = true
}
# Access is granted by group, not by user - least privilege, reviewable
resource "okta_app_group_assignments" "datadog" {
app_id = okta_app_saml.datadog.id
group {
id = okta_group.eng_observability.id
}
}A reviewer can see exactly which group gets the app and that the NameID is the email. If someone later loosens honor_force_authn in the console, the next terraform plan flags the drift and the PR history shows the intended state.
Once config lives in Git, you can assert on it. A CI check can fail any PR that grants an app to "Everyone" instead of a scoped group or that creates an admin role without an approval label. That progression - manual clicks, to declared config, to policy enforced in CI - is the "engineering-driven IT" story the role is built around. Say it as a trajectory, not a single tool.
If asked how you'd manage Okta or Workspace, don't describe the admin UI. Say: "I'd keep the tenant in Terraform, granted by group, reviewed in PRs, with plan running in CI to catch drift - so every access change is logged, reversible and audit-ready." Then name the honest limit: provider coverage isn't 100%, so a few corners stay manual and you document those gaps rather than pretending they don't exist.
Takeaway. Put IT config in Git: Terraform/Pulumi for API-backed SaaS and cloud (Okta-as-code, Workspace), Ansible for server/fleet state - buying peer review, history, rollback, reproducibility and plan-based drift detection, which doubles as your SOC 2 change-management evidence.
Self-check
QYour team currently configures Okta and Google Workspace by hand in their admin consoles. Make the case for moving to infrastructure-as-code and name one honest limitation.
Zero-trust architecture
After this you can design a defense-in-depth, perimeter-less access model.
The systems-design screen will likely ask you to design an access model end-to-end and the expected frame is zero-trust. The mental shift is from a castle-and-moat - trusted once you're on the VPN - to verifying identity, device and context on every single request.
The old model trusts the network. Get onto the corporate LAN or VPN and you're inside the walls, free to move laterally. Zero-trust deletes the inside: there is no trusted network, every resource sits behind a check and trust is recomputed per request from live signals.
The four principles, said plainlyname them, then show them in a design
- Never trust, always verify
- No implicit trust from network location; authenticate and authorize every request
- Least privilege
- Grant the minimum access for the task, time-boxed where you can, revoked when the need ends
- Assume breach
- Design as if an attacker is already inside; segment so one compromise doesn't reach everything
- Verify per request
- Re-evaluate identity + device posture + context continuously, not once at login
Combine signals - no single one is enoughidentity AND device AND context
A stolen password alone shouldn't open anything. The access decision is a function of several independent signals and the strong design fuses them rather than leaning on one.
Phishing-resistant MFA - passkeys/WebAuthn or hardware keys, not SMS.
SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. through the IdP so every app inherits the same auth.
Risk-based step-up when the signal looks off.
Is this a managed, compliant device? MDM attests it.
Disk encryption on, OS patched, EDR running, not jailbroken.
An unmanaged laptop gets limited or no access, even with valid creds.
Location, time, impossible-travel, anomalous volume.
Sensitivity of the resource being requested.
Feeds a risk score that can demand step-up or deny.
ZTNA replaces flat VPN trustidentity-aware proxy + micro-segmentation
A VPN grants broad network access once connected, which is exactly the lateral-movement problem assume-breach warns about. ZTNA puts an identity-aware proxy in front of each application, so a user reaches only the specific apps their identity and device posture allow and reaches nothing else on the network.
- Dimension
- Trust granted
- Flat VPN (perimeter)
- Broad network access after connect
- ZTNA (zero-trust)
- Per-app access, re-checked each request
- Dimension
- Lateral movement
- Flat VPN (perimeter)
- Easy once inside the tunnel
- ZTNA (zero-trust)
- Contained - no implicit network reachability
- Dimension
- Device check
- Flat VPN (perimeter)
- Often none beyond a cert
- ZTNA (zero-trust)
- Continuous posture from MDM/EDR
- Dimension
- Blast radius of stolen creds
- Flat VPN (perimeter)
- Whole internal network
- ZTNA (zero-trust)
- Only what that identity + device is scoped to
| Dimension | Flat VPN (perimeter) | ZTNA (zero-trust) |
|---|---|---|
| Trust granted | Broad network access after connect | Per-app access, re-checked each request |
| Lateral movement | Easy once inside the tunnel | Contained - no implicit network reachability |
| Device check | Often none beyond a cert | Continuous posture from MDM/EDR |
| Blast radius of stolen creds | Whole internal network | Only what that identity + device is scoped to |
Micro-segmentation over a hard shell: many small checks beat one big wall you're trusted behind.
Roll it out without breaking everyone's dayphased enforcement, not a flag-day cutover
- 1Inventory and baseline. Map apps, who needs them and current device posture. You can't enforce policy on access you haven't mapped.
- 2Deploy in monitor mode. Run the proxy and posture checks logging-only first, so you see who would be blocked before anyone is.
- 3Enforce in rings. Start with IT and a friendly pilot team, expand by group, keeping a clear exception path for the legitimately-blocked.
- 4Communicate ahead of each ring. Tell users what's changing, why and how to get unblocked - surprise enforcement generates tickets and resentment.
- 5Tighten over time. Once steady, ratchet down: shorter sessions, stricter posture, fewer exceptions and retire the old VPN path.
The role partners with Security and Engineering - the JD is explicit. In the design round, claiming you'd unilaterally set the org's security policy is a flag. The right framing: Security defines the risk posture and the controls, you build and operate the identity, device and access plumbing that enforces them and Engineering integrates the apps. Show collaboration and a clear ownership line, not a hero who owns everything.
"I'd kill flat VPN trust and put each app behind an identity-aware proxy, so access is a live decision over three signals - phishing-resistant identity, device posture from MDM and request context. I'd roll it out in monitor mode first, enforce ring by ring with a clear exception path and do it alongside Security, who owns the risk posture while I own the plumbing that enforces it."
Takeaway. Zero-trust deletes the trusted network: never trust/always verify, least privilege, assume breach, verify per request - fusing identity + device posture + context, replacing flat VPN with an identity-aware proxy (ZTNA) and rolling out in monitor-then-ring phases with Security, not over them.
Self-check
Observability, reliability & runbooks
After this you can operate IT systems like production services.
The reframe that lands in this loop: IT systems are services with uptime, not a queue of one-off tasks. An offboarding pipeline that silently fails is a security incident, not a missed chore - and you find out from a dashboard, not from the ex-employee still in Slack a week later.
Once you've automated JML and access, those automations are infrastructure. They need the same operational treatment a production engineer gives a service: monitoring, alerting, SLOs, on-call thinking and postmortems that turn into permanent fixes.
Monitor the automations, not just the appsthe pipeline is the thing that breaks
- Failed provisioning
- A SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. push or API call errored - a new hire has no access or a leaver still does
- Drift
- Downstream app membership diverged from the IdP source of truth
- Access anomalies
- Privilege granted outside the normal flow or an admin role created without approval
- Pipeline liveness
- The reconcile job didn't run or ran and processed zero events when it shouldn't
Alert on the symptom an internal customer would feel ("the leaver still has access"), not only the machinery cause ("the cron didn't fire").
SLOs for internal serviceswrite the promise down
Internal IT deserves measurable targets the same way an API does. The sharpest example for this role is offboarding latency, because it's a security control with a clock on it.
- Internal service
- Offboarding
- Example SLO
- Access fully revoked within 15 min of the HRIS termination event, 99% of the time
- Why it matters
- Every minute a leaver keeps access is open risk; auditors will ask for this number
- Internal service
- Onboarding
- Example SLO
- New hire has core access by their start time, 95% of the time
- Why it matters
- A day-one employee who can't log in is a visible, expensive failure
- Internal service
- Access requests
- Example SLO
- Standard requests fulfilled within 1 business hour
- Why it matters
- Self-service speed is the internal-customer experience the JD asks for
| Internal service | Example SLO | Why it matters |
|---|---|---|
| Offboarding | Access fully revoked within 15 min of the HRIS termination event, 99% of the time | Every minute a leaver keeps access is open risk; auditors will ask for this number |
| Onboarding | New hire has core access by their start time, 95% of the time | A day-one employee who can't log in is a visible, expensive failure |
| Access requests | Standard requests fulfilled within 1 business hour | Self-service speed is the internal-customer experience the JD asks for |
Tier the promises - offboarding gets the tightest SLO and paging because it's the one with the security clock.
Runbooks and on-call for ITwhen SSO or offboarding breaks at 5pm Friday
- 1Detect. An alert fires on the symptom (provisioning failed, SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. error rate up) with context: which system, which user, what changed.
- 2Triage and contain. If SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. is down org-wide, that's a sev-1; if offboarding stalled, manually revoke the highest-risk access first while you fix the pipeline.
- 3Follow the runbook. Each critical system has a written runbook: how to detect, the manual fallback, who to escalate to and the rollback step.
- 4Restore and verify. Confirm the fix with the same check that should have caught it - re-run the reconcile loop and confirm convergence.
- 5Postmortem, blamelessly. Find the systemic cause, then convert the fix into automation or a new alert so this exact failure can't recur silently.
The engineer's-mindset tell in a postmortem: you don't close it by saying "I'll remember to check that next time." You close it by adding the alert that would have caught it earlier or the reconcile step that would have self-healed it. Every incident becomes a permanent improvement to the system, which is how a tiny IT team keeps scaling with a hypergrowth company without drowning in toil.
When asked about reliability or an incident, answer in production-engineering vocabulary: SLO, alert on symptoms, runbook, blameless postmortem, turn-the-fix-into-automation. Anchor it on offboarding latency as an SLO - "access revoked within 15 minutes of the HRIS event, paged if missed" - because it shows you think of IT as a measured service and you grasp that offboarding is a security control, not a courtesy.
Takeaway. Run IT systems like production: monitor the automations (failed provisioning, drift, access anomalies) and alert on the symptom a user feels; set SLOs for internal services with offboarding latency the tightest; keep runbooks with manual fallbacks; and end every incident by turning the fix into permanent automation.
Self-check
QWhy is it a strong move to define an SLO like "access is fully revoked within 15 minutes of the HRIS termination event, 99% of the time," and what should happen when it's missed?
AI-assisted internal tooling
After this you can show you build the AI-native IT the JD's sample projects describe.
The job description's sample projects literally name AI-assisted employee support and self-service IT. At a company that builds an AI code editor, there's an implicit authenticity bar: they want someone who already uses Cursor and AI daily and who has built - not just imagined - AI-assisted internal tooling.
Two things make this section land. First, concrete patterns you can describe at the design level. Second, real examples you've actually shipped, because the AI-native check is hard to fake and the interviewer will probe for specifics.
Patterns worth bringingwhat AI-native IT actually looks like
Retrieval over your IT docs/runbooks (RAG) answering employee questions in Slack.
Deflects the repetitive "how do I get access to X" tickets to self-service.
Cites the source doc so answers are checkable, not hallucinated.
An agent that handles "add me to the analytics Slack channel" end-to-end.
Reads the request, checks policy and executes the safe, pre-approved action.
Privileged or unusual requests route to a human instead of auto-running.
Generate first-draft runbooks and onboarding docs from existing scripts and configs.
A human reviews and owns the final - the AI removes the blank-page tax.
Write and review automation faster in Cursor; let the agent scaffold the API client.
Be ready to show it - a repo, a PR, a script you built AI-assisted.
Guardrails are the senior signalAI that touches access needs a leash
Anyone can wire an LLM to an API. The judgment the role wants is knowing where to put the human and the audit trail, because an agent with unsupervised access to your IdP is a liability, not a feature.
- Human-in-the-loop for privileged actions. Auto-execute the safe, reversible, pre-approved requests; route anything that grants elevated access, touches admin roles or deviates from policy to a human approval.
- Log and review AI-driven changes. Every action an agent takes lands in the same audit trail as a human change, tagged as AI-initiated, so it's reviewable after the fact.
- Bound the blast radiusHow much breaks if a change goes wrong; the scope of potential damage.. Give the agent a narrow, least-privilege scope of actions it's allowed to take - not your full admin token.
- Keep a kill switch and a clear fallback. If the agent misbehaves, you can disable it and the manual path still works.
The exciting version - "an agent that just provisions access on request" - is also the dangerous one. Pitching auto-provisioning of privileged access with no human gate signals you'd trade security for novelty, which is the opposite of what this role wants. The strong pitch pairs the AI capability with the guardrail in the same breath: agent-assisted for safe requests, human approval for privileged ones, full audit either way.
This section is also your AI-authenticity evidence, so bring an artifact, not a position. "I built a Slack bot that does RAG over our IT runbooks and deflects the top three ticket types; the access requests it can fulfill are limited to pre-approved, reversible ones and anything privileged routes to me with the request pre-filled." A specific thing you shipped, with the guardrail named, beats any amount of enthusiasm about AI.
Takeaway. Build AI-native IT the JD names - a RAG help-desk over your runbooks and agent-assisted handling of safe routine requests - but pair every capability with a guardrail: human-in-the-loop for privileged actions, full audit of AI-driven changes, least-privilege scope and a kill switch; then bring a real artifact as your AI-authenticity evidence.
Self-check
QYou're pitching an AI agent that handles routine IT access requests. What design earns trust from a security-conscious interviewer rather than alarming them?
Compliance & M&A integration as code
After this you can connect automation to audit readiness and integration work.
Two responsibilities collapse into one skill here: passing a SOC 2 / ISO 27001 audit and integrating an acquired company's IT. Both reward the same instinct - turn a manual, error-prone, point-in-time effort into version-controlled, automated, continuously-true systems.
Auditors and acquisitions both punish click-ops. If access reviews live in a spreadsheet and integrations live in someone's head, you get a fire drill every audit cycle and a risky scramble every deal. Automation makes both routine.
Map controls to your systemsspeak the auditor's language
- Control area
- Access management
- What it requires
- Least privilege, periodic access reviews, approvals on grants
- How you automate it
- Access granted by group as code; a job generates review reports; PR approvals are the access-grant evidence
- Control area
- Change management
- What it requires
- Changes reviewed, logged and reversible
- How you automate it
- Config-as-code in Git - the PR history is the change log auditors want
- Control area
- Offboarding
- What it requires
- Access removed promptly on termination
- How you automate it
- Automated JML with an offboarding-latency SLO and logs proving the timing
- Control area
- Device compliance
- What it requires
- Endpoints managed, encrypted, patched
- How you automate it
- MDM compliance baselines reporting posture per device on a schedule
| Control area | What it requires | How you automate it |
|---|---|---|
| Access management | Least privilege, periodic access reviews, approvals on grants | Access granted by group as code; a job generates review reports; PR approvals are the access-grant evidence |
| Change management | Changes reviewed, logged and reversible | Config-as-code in Git - the PR history is the change log auditors want |
| Offboarding | Access removed promptly on termination | Automated JML with an offboarding-latency SLO and logs proving the timing |
| Device compliance | Endpoints managed, encrypted, patched | MDM compliance baselines reporting posture per device on a schedule |
When evidence collection is a query against systems you already run, audit prep stops being a quarter-killing scramble.
If you have to build something to prove a control during audit season, the control isn't really running. The strong posture is that your day-to-day systems emit evidence as a byproduct: the PR history is your change log, the reconcile-loop output is your drift report, the JML logs are your offboarding proof. Continuous compliance, not a point-in-time snapshot you scramble to assemble.
The M&A integration playbookmerge identity, devices and SaaS
- 1Inventory the acquired stack. Catalog their IdP, domains, SaaS apps, devices and admins. You can't migrate or de-dupe what you haven't enumerated.
- 2Consolidate identity and domains. Decide the target IdP and email domain, then plan the identity migration - usually fold their users into your Okta/Workspace as the source of truth.
- 3Migrate identities and access. Provision accounts in the target, map groups to your RBACRole-Based Access Control. Granting permissions by role rather than configuring each person individually. model and grant least-privilege rather than copying their (likely looser) access wholesale.
- 4Re-enroll devices. Bring their fleet under your MDM - zero-touch where the hardware supports it (ABM/Autopilot), staged so people aren't all locked out at once.
- 5De-dupe SaaS and cut over. Find overlapping tools, consolidate licenses, migrate data and decommission the redundant tenants - with a rollback plan and a sequenced, not big-bang, cutover.
Sequence to minimize disruption and gapsthe part that shows you've done it
The risk in any cutover is twofold: locking people out of tools they need and leaving a security gap during the transition (two IdPs both live, stale admin accounts, devices half-enrolled). Sequence so each step is reversible and the window where both old and new systems are active is as short as you can make it.
- Phase, don't flag-day
- Migrate by team or app, validate each wave before the next
- Rollback per step
- Every cutover step has a defined undo, so a bad wave doesn't strand people
- Close the seams
- Disable the old IdP path and stale admin accounts the moment a wave completes - don't leave both live
- Communicate relentlessly
- Acquired employees are anxious; clear comms on what changes and when reduces tickets and friction
Expect a scenario like "how would you integrate a 40-person acquisition in 30 days." Don't dive into one tool - walk the playbook: inventory, consolidate identity/domains, migrate to least-privilege (not a copy of their access), re-enroll devices via MDM, de-dupe SaaS. Then volunteer the two risks you're managing - lockout and the security gap of running two IdPs - and your phased, reversible sequencing with relentless comms. Naming the failure modes unprompted is what shows you've actually done an integration.
Takeaway. Treat compliance and M&A as automation problems: map SOC 2 controls (access, change, offboarding, device) to systems that emit evidence as a side effect and run acquisitions through a sequenced playbook - inventory, consolidate identity/domains, migrate to least-privilege, re-enroll devices, de-dupe SaaS - with per-step rollback and closed security seams.