Identity governance and administration (IGA), meaning who gets access to what and when, is one of the most expensive and complex areas of IT. Commercial suites such as SailPoint, Saviynt, and One Identity typically cost six figures, and implementation takes months.

I built a working IGA platform in two weeks. Alone.

EuroID is not a production-ready product. It's a proof of concept — a working demonstration that with modern architecture and the right principles, the core of such a platform can be built in a fraction of the traditional time and budget.

In this article, I'll walk through the architecture and explain in plain language what the platform does and why it matters.

Figure: EuroID Governance Overview dashboard

The problem: nobody knows who has access to what

Every company has the same fundamental problem: people arrive, leave, and change roles. Each time, accounts need to be created, access granted, updated, and eventually revoked.

In practice, this happens manually. HR notifies IT about a new hire by email. IT support creates accounts one system at a time. When someone changes departments, their permissions stay unchanged. When someone leaves, old accounts linger.

The result: nobody knows who has access to what. Orphaned accounts and permissions accumulated across role changes are a security problem, a compliance problem, and an operational risk.

The solution: automated lifecycle

EuroID automates the entire user lifecycle:

Employee starts: the HR system sends the data, and accounts are created automatically in every required target system (cloud environment, directory service, communication tools, cloud infrastructure).

Role changes: access rights update automatically according to policies. No tickets, no manual work.

Employment ends: all accounts are deprovisioned in a controlled manner, leaving nothing behind.

And throughout, the system monitors itself: if someone makes a manual change in a target system, the platform detects it and corrects the drift.

Architecture: six organs

The architecture is built around a body metaphor. Each part does one thing well:

Heart: Identity. Every user is a single "Golden Record" where all HR sources converge. One truth, not dozens of copies across different systems.

Brain: Policy. A rules engine that automatically determines what access a user gets based on their role, department, and location. No manual work, no guesswork.

Hands: Connectors. "Dumb pipes" that write to target systems. A connector doesn't decide what to do. It just executes. All intelligence lives in the policy layer. Currently five connectors: cloud environment, directory service, messaging, cloud infrastructure, and cloud entitlement management.

Eyes: Reconciliation. Continuously compares the desired state with the actual state. If someone manually changes permissions in a target system, the eyes detect it and trigger a correction.

Safety: Simulation. Every change runs through a dry-run analysis first. The system computes the set of accounts and entitlements the change would touch, its blast radius, before anything is written to production.

Nerves: Orchestration. Temporal workflows control the entire chain: onboarding, offboarding, role changes, cloud analysis. Every step is traceable and re-runnable.

Main flow: what happens when a new employee starts

Concretely, the chain works like this:

  1. The HR system sends data about a new employee
  2. Data is validated and merged into a Golden Record (Heart)
  3. The policy engine determines access rights based on role (Brain)
  4. Simulation calculates impacts and ensures nothing unexpected happens (Safety)
  5. The orchestrator launches the onboarding workflow (Nerves)
  6. Connectors create accounts in target systems (Hands)
  7. Reconciliation verifies everything went correctly (Eyes)
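The chain above, and the six organs from the previous section, reduced to one runnable script. This is an added example written for this article, not EuroID's code: the HR feeds, the policy table, the three target systems and the revocation budget are all constructed here for illustration, and in-memory dicts stand in for the real connectors and for the Temporal workflows. It walks the seven steps in order: merge a Golden Record from two feeds, derive desired state from policy, dry-run the diff and check it against a blast-radius budget, execute through a connector that makes no decisions, and reconcile drift afterwards.

```python
"""Onboarding chain in miniature: Heart -> Brain -> Safety -> Hands -> Eyes.
Added example for this article, not EuroID's code. The HR feeds, policy table,
target systems and revocation budget below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GoldenRecord:
    uid: str
    role: str
    department: str
    location: str
    active: bool


def merge_golden_record(uid, *sources):
    """Heart: fold HR feeds into one record. Feeds are given in priority order;
    the first feed that supplies a field wins, and None means 'no value'."""
    merged = {}
    for src in sources:
        for key, value in src.items():
            if value is not None:
                merged.setdefault(key, value)
    required = ("role", "department", "location", "active")
    missing = [k for k in required if k not in merged]
    if missing:
        raise ValueError(f"golden record {uid} incomplete, missing {missing}")
    return GoldenRecord(uid, *(merged[k] for k in required))


# Brain: rules as data, (conditions, entitlements). An entitlement is a
# (target system, group) pair; an empty condition matches every active user.
POLICIES = [
    ({}, {("directory", "all-staff"), ("messaging", "general")}),
    ({"department": "engineering"}, {("cloud", "dev-readonly")}),
    ({"department": "engineering", "role": "sre"}, {("cloud", "prod-admin")}),
    ({"location": "FI"}, {("directory", "helsinki-office")}),
]


def desired_state(rec):
    """Brain: union of all matching rules. An inactive identity gets nothing,
    so offboarding is the same computation with an empty answer."""
    if not rec.active:
        return frozenset()
    wanted = set()
    for conditions, grants in POLICIES:
        if all(getattr(rec, k) == v for k, v in conditions.items()):
            wanted |= grants
    return frozenset(wanted)


def actual_state(systems, uid):
    """What the target systems currently hold for this user."""
    return frozenset((name, group) for name, groups in systems.items()
                     for group, members in groups.items() if uid in members)


def plan(rec, systems):
    """Safety: the dry run. Only a diff is produced; nothing is written."""
    desired, actual = desired_state(rec), actual_state(systems, rec.uid)
    return {"grant": desired - actual, "revoke": actual - desired}


def check_blast_radius(plans, max_revocations):
    """Safety: reject a batch whose revocations exceed a budget, the guard
    against an HR feed glitch that would deactivate half the company."""
    total = sum(len(p["revoke"]) for p in plans)
    if total > max_revocations:
        raise RuntimeError(f"blast radius {total} exceeds budget {max_revocations}")
    return total


def apply_plan(systems, uid, p):
    """Hands: a dumb connector. It never sees the Golden Record or the rules;
    it executes exactly the plan it is handed."""
    for name, group in p["grant"]:
        systems[name].setdefault(group, set()).add(uid)
    for name, group in p["revoke"]:
        systems[name].get(group, set()).discard(uid)


def reconcile(records, systems):
    """Eyes: recompute every plan later. A non-empty plan means drift (a manual
    change in a target system); it is corrected and reported."""
    drift = {}
    for rec in records:
        p = plan(rec, systems)
        if p["grant"] or p["revoke"]:
            drift[rec.uid] = p
            apply_plan(systems, rec.uid, p)
    return drift


def onboard(records, systems, max_revocations=10):
    """Nerves: run the chain for a batch and return the plans that executed."""
    plans = {rec.uid: plan(rec, systems) for rec in records}
    check_blast_radius(plans.values(), max_revocations)
    for uid, p in plans.items():
        apply_plan(systems, uid, p)
    return plans


if __name__ == "__main__":
    # Constructed HR feeds: payroll is authoritative, the org chart fills gaps.
    payroll = {"role": "sre", "department": "engineering", "location": None, "active": True}
    org_chart = {"role": "engineer", "location": "FI"}
    alice = merge_golden_record("alice", payroll, org_chart)
    systems = {"directory": {}, "messaging": {}, "cloud": {}}
    print("onboarded:", onboard([alice], systems)["alice"]["grant"])
    systems["cloud"].setdefault("billing-admin", set()).add("alice")  # hand edit
    print("drift corrected:", reconcile([alice], systems))
```

Two things are worth noticing. The connector never looks at the Golden Record or the policy table; it receives a plan and executes it, which is what keeps all the intelligence in the policy layer. And reconciliation is the same plan computation run again later, so a manual change in a target system shows up as a non-empty diff and is reverted by the same code path that applied the onboarding. The blast-radius budget is deliberately crude, a real guard would also weight privileged entitlements, but it shows the point of simulating first: a bad HR feed fails the dry run instead of mass-revoking access.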

The entire chain is automatic. No tickets, no emails, no "Pekka will handle it when he has time."

Scope

This is not a hello-world demo. The platform's scope in numbers:

Backend: approximately 20 modules (identity, policy, connectors, reconciliation, cloud entitlements, privileged access, risk scoring, and more).

Connectors: five, one per target system.

Workflows: four Temporal workflows.

Frontend: React dashboard with analytics.

Security rules: 19, expressed in code.

Compliance mappings: GDPR, SOC 2 Type II, NIST 800-53.

Why this matters

Not because I'm building a competitor to SailPoint. But because this says something essential about where technology is right now.

One person, two weeks, a working system. Modern tools and AI make things possible that just a couple of years ago required a team and months of work. But only if you know what you're building.

Architecture wins, not budget. With the right fundamentals (Golden Record, policy-based provisioning, dumb connectors, simulation before execution) you can build a working core at a fraction of what a commercial solution costs. AI speeds up implementation, but it doesn't replace experience with use cases and system architecture.

IAM is not mysterious. It's process management: who gets what, when, and why. When the principles are sound, technology is just a tool.

In closing

The best part of this project isn't any single feature. It's that the entire chain works: an HR change flows through validation, policy, simulation, and provisioning automatically — and the system corrects itself if someone makes a manual change in a target system.

This is the "self-healing IT environment" in practice.

If identity governance or access automation interests you, or you want to find out where your environment's IAM situation stands, let's start with a conversation.

Want to know where your environment's identity management stands? An IT Health Check covers IAM too. Independently.