
Knowledge Center

Plain-English writing about identity governance.

Three things live here: framework guides covering what auditors actually ask for, field notes from the desk on the work I do with clients, and docs for Narrative IGA, the identity governance product we are building.

01  /  Audit Framework Guides

Every framework I get hired to solve for

Framework 01  /  11 min read

SOC 2

CC6.1 – CC6.8

A plain-English walkthrough of the SOC 2 access control criteria, explained for executives. What CC6 tests, which adjacent criteria matter, where most companies fail, and the playbook to get audit-ready.

Logical & physical access controls
Read the guide
Framework 02  /  9 min read

HIPAA

164.312 Technical Safeguards

The HIPAA Technical Safeguards explained for executives. What OCR actually looks for, where healthcare teams fail, and the playbook that keeps unique ID, break-glass, and audit logging defensible.

Access control for ePHI systems
Read the guide
Framework 03  /  9 min read

ISO 27001

Annex A.9, Access Control (2013 numbering; the 2022 revision moves these controls into A.5 and A.8)

ISO 27001 certification in plain language. What Annex A asks for on access, how Stage 1 and Stage 2 audits test your controls, and the playbook for getting through certification without surprises.

Information security management system (ISMS)
Read the guide
Framework 04  /  9 min read

NIST 800-53

AC family, 25 controls

The AC family of NIST 800-53 in plain language. What system-enforced really means, which enhancements apply at moderate baseline, and how to keep the System Security Plan matching reality.

Federal information system access controls
Read the guide
Framework 05  /  9 min read

CMMC

AC domain, 22 practices

CMMC Level 2 certification in plain language. How to scope the enclave correctly, what the 22 Access Control practices ask for, and how to build the maturity evidence a C3PAO assessor expects.

Controlled Unclassified Information (CUI) protection
Read the guide
Framework 06  /  8 min read

PCI DSS

Req 7, 8 & 10

PCI DSS Requirements 7, 8, and 10 under v4.0 in plain language. Unique IDs, multi-factor everywhere, service account governance, and the Cardholder Data Environment architecture that keeps assessments boring.

Payment card data access controls
Read the guide
Framework 07  /  9 min read

FedRAMP

AC, IA & AU families

FedRAMP authorization in plain language for cloud service providers. Boundary design, the dual identity plane, the Customer Responsibility Matrix, and the continuous monitoring that pre-populates every annual assessment.

Federal cloud service authorization
Read the guide

02  /  Narrative IGA

The identity governance product we are building

Launching Alpha, June 2026

Narrative IGA goes live for alpha users this June.

A context-aware identity engine built around ABAC and exception access. Where every access request, approval, and policy change lands in a searchable timeline your auditors will actually enjoy reading. Alpha seats are limited.

SOC 2, HIPAA, ISO 27001 ready
Okta, Entra ID, Google Workspace
Multi-tenant, built on Supabase

Join the waitlist

Get a seat in the June alpha cohort. We send one email when your access is ready. Nothing else.

03  /  Blog

Field notes from the desk

Posts in progress. Check back soon, or subscribe below to get them in your inbox.

New guide, roughly every other week

When I publish a new framework guide or a field note from a client engagement, you get it in your inbox. That's the whole list. No drip sequence.