Adcyma vs Doing Nothing
You've been handling identity management manually - portal clicks, ad-hoc processes, maybe a spreadsheet. And honestly, it's been fine. But at some point, "fine" starts costing more than you think. This page is about figuring out if you've hit that point.
This isn't a scare piece
If you have 30 users, low turnover, and no compliance requirements - you probably don't need an IGA tool. Manual management works fine at that scale. We'd rather you spend money where it matters.
But if you're growing, hiring more frequently, or staring down a compliance audit, the manual approach starts breaking in ways that aren't obvious until something goes wrong.
This page walks through what the status quo actually looks like, where it stops working, and what changes when you add a governance layer.
What the status quo actually looks like
Most companies under 200 employees manage identity roughly like this:
New hire arrives.
Someone in IT creates the account in Entra ID. They assign groups, licenses, and app access based on what they remember, a wiki page (possibly outdated), or by copying another user's setup. The new hire gets their credentials and starts working.
Someone changes role.
A manager sends an email or Teams message to IT. IT adds the new groups and maybe removes some old ones. Usually the old access stays because nobody wants to break something.
Someone leaves.
HR tells IT (sometimes on time, sometimes not). IT disables the account. Maybe they revoke group memberships. Maybe they don't - the account is disabled anyway, so it feels safe enough.
An auditor asks questions.
IT pulls logs from multiple portal blades, cross-references spreadsheets, and hopes the data tells a coherent story. It takes days. Nobody enjoys it.
Where it starts to break
These problems don't arrive all at once. They build up gradually, usually between 50 and 200 users:
Inconsistent onboarding.
Different admins set up users differently. One assigns all the right groups, another misses two, a third follows documentation from last year. New hires end up with different access levels for the same role. Nobody notices until someone can't do their job or has access they shouldn't.
Orphaned accounts and lingering access.
Disabled accounts still appear in group memberships. Former employees have lingering access to shared mailboxes or Teams channels nobody thought to remove. This is consistently one of the most common findings in security audits.
Access accumulation.
People change roles but keep their old access. After two years and a couple of role changes, someone in marketing has access to the finance team's SharePoint site, the engineering team's Azure resources, and a shared mailbox from a project that ended six months ago. Nobody reviews this.
Audit panic.
When your SOC 2 or ISO 27001 auditor asks "show me all access changes in the last quarter" or "prove that every department's access was reviewed," you're assembling evidence manually from scattered sources. It takes days of work, and there are always gaps.
Knowledge silos.
One or two people know how things work. They know the group naming conventions, the licensing quirks, the workarounds for that one team that needs special access. When they're on holiday or leave, everyone else is guessing.
The hidden costs nobody budgets for
Manual identity management doesn't show up as a line item. But the costs are real:
Time: at 200 users with normal turnover, a growing company spends 8-15 hours per week on manual identity tasks - onboarding, offboarding, access requests, troubleshooting. That's a quarter of an FTE doing repetitive work that could be automated.
Security exposure: orphaned accounts, accumulated privileges, and inconsistent offboarding create attack surface. The average cost of a security incident involving compromised credentials is significant - and "we didn't revoke a former employee's access" is one of the most common root causes.
Compliance gaps: manual processes produce inconsistent evidence. Auditors notice. What should be a straightforward audit becomes a multi-week scramble to assemble documentation that proves you're doing what you say you're doing.
Key person dependency: when your identity management process lives in one person's head, you have a single point of failure. And unlike servers, people don't have automated failover.
What governance actually gives you
Identity governance isn't just a fancier way to create user accounts. It's a system that answers questions your current process can't:
Who has access to what, right now?
Not what they were assigned at onboarding - what they actually have today, including everything that was added manually along the way.
Is that access still appropriate?
Structured access reviews where managers confirm their team's access is correct. Not a spreadsheet exercise - a tracked process with deadlines, escalation, and an audit trail.
What changed, when, and why?
A complete, immutable record of every access change. Not reconstructed from scattered logs after the fact - recorded as it happens.
Can you prove it?
Pre-built compliance reports that map directly to what auditors ask for. SOC 2, ISO 27001, NIS2 - evidence that exists because the process creates it, not because someone assembled it manually.
What Adcyma adds on top of what you already have
Adcyma connects to your existing Entra ID tenant and Active Directory. It doesn't replace what's already working - it adds the governance layer that's missing.
Automated lifecycle management.
Define what each role needs once. Every onboarding and offboarding runs the same way, every time. No wiki pages, no guessing, no inconsistency.
Complete offboarding.
Adcyma revokes everything - including access that was added manually outside of your defined processes. Disabled accounts don't just sit there with lingering group memberships.
Structured access reviews.
Run review campaigns with clear ownership and deadlines. Every decision logged. Every completion tracked. Results your auditor can actually use.
Compliance reporting.
Pull reports for SOC 2, ISO 27001, and NIS2 from one place. No spreadsheet assembly. No portal-hopping.
Deploys in a day, not months.
Connect your Entra ID tenant. See your current state. Start governing. No implementation partner. No infrastructure. No disruption to what's already working.
Status quo vs Adcyma
| | Manual / Status Quo | Adcyma |
|---|---|---|
| Onboarding time per user | 30-60 min (varies by admin) | Minutes (automated, consistent) |
| Offboarding completeness | Account disabled, access lingers | Full revocation, including manual additions |
| Access review process | Doesn't exist or spreadsheet-based | Structured campaigns with audit trail |
| Compliance evidence | Assembled manually before each audit | Generated continuously, always ready |
| Bus factor | 1-2 people | Process-based, not person-based |
| Time to detect over-privileged users | Unknown (usually after an incident) | Visible at any time |
| Cost of a missed offboarding | Security incident, audit finding, or both | Prevented by automation |
| Weekly IT time on identity tasks | 8-15 hours (200 users) | 1-2 hours (oversight, not execution) |
| Annual cost | "Free" (but your time isn't) | Fraction of an FTE's salary |
Should you keep doing what you're doing, or add governance?
Stay with the status quo if:
- You have fewer than 50 users and low turnover
- No compliance audits on the horizon (SOC 2, ISO 27001, NIS2)
- Access needs are simple and don't change often
- You have reliable processes that scale with your current growth rate
- Manual work isn't consuming significant IT time
Consider Adcyma if:
- You have 50+ users and onboarding is getting inconsistent
- Offboarding has produced at least one "former employee still had access" moment
- A compliance audit is coming and evidence is scattered
- Access reviews happen in spreadsheets - or don't happen at all
- One or two people hold all the identity management knowledge
- Your IT team's time on manual identity work is growing with headcount
Common questions from teams considering governance
No. Adcyma connects to your existing Entra ID tenant and Active Directory. Your current setup stays exactly as it is. Adcyma adds a governance and automation layer on top - it doesn't replace the infrastructure underneath.
Then you probably don't need this yet. Adcyma is free for up to 25 users if you want to try it, but at 30 users with simple needs, manual management is usually fine. Revisit when you grow past 50 or when compliance requirements appear.
A day. Connect your Entra ID tenant, review your current state, define your first role-based access policies. No implementation partner. No infrastructure to deploy. No disruption to what's already working.
Adcyma provides pre-built reporting for SOC 2, ISO 27001, and NIS2. The access reviews, audit trails, and lifecycle management create the evidence these frameworks require - automatically, as part of normal operations.
Maybe you shouldn't. If your current process works and scales with your growth, changing for the sake of change doesn't make sense. The question is whether your process will still work at 2x your current size, or when an auditor asks for evidence you don't have. If the answer is yes, keep going. If you're not sure, that's worth exploring.
Free for up to 25 users. Beyond that, pricing scales with your actual headcount. No per-user P2 licensing. No implementation fees. No surprise costs. Check the pricing page for details.
See what governance looks like for your setup
Free for up to 25 users. Connect your existing Entra ID tenant or Active Directory - Adcyma shows you what's happening in your environment and what governance could look like. No disruption. No commitment.