Dual-Strike XISEM now ships a full Managed Identity Provider — including NHI governance
Humans get lifecycle and reviews. Service accounts, API keys, and OAuth grants get the same discipline.
Identity programs usually stop at people.
Meanwhile, the breach story moved to non-human identities (NHIs) — service principals, API keys, OAuth consents, workload identities, automation accounts, and “temporary” integration users that never left.
Dual-Strike XISEM Managed Identity Provider (MIP) is our answer: one console for joiner-mover-leaver, privileged access, access reviews, ITDR, and NHI governance — without replacing Microsoft Entra, Okta, or Google Workspace. We correlate and govern across them.
What MIP is (one sentence)
MIP is identity governance and ITDR posture for scoped clients — lifecycle rollups, risk signals, certifications, and evidence bound to frameworks — in /identity/mip.
The pillars operators care about
Identity lifecycle (JML)
Joiner → Mover → Leaver state machine with visibility into who’s active, suspended, or still licensed after offboarding. Stale leavers are where auditors and attackers overlap.
SCIM 2.0 provisioning
Bidirectional connectors for Entra ID, Okta, and Google Workspace. One MIP fabric; multiple directories.
Privileged Identity Management (JIT)
Just-in-time elevation with ticket-bound approval, time limits, and automatic revocation — standing privilege trending toward zero.
Access reviews & certification
Quarterly (or custom) campaigns: approve, deny, delegate. Decisions land in a tamper-evident audit warehouse — not a spreadsheet.
ITDR — identity threat detection
Detect-first, recommend-first signals: token theft patterns, OAuth consent abuse, MFA fatigue, dormant accounts, weak-MFA exposure — with analyst-ready actions (session revoke, MFA reset, role drop).
OAuth & SaaS app risk
Continuous discovery of consented apps and third-party connectors — publisher trust, scope risk, and footprint in one tier.
Role mining & Segregation of Duties
Jaccard clustering suggests roles from entitlement patterns; SoD rule packs flag toxic combinations (finance vs IT admin vs audit).
NHI governance — the part most “IG” products hand-wave
Non-Human Identity governance in MIP covers:
NHI type: what MIP tracks
Service principals & app registrations: ownership, last use, excessive scopes
API keys & secrets: rotation age, stale credentials
OAuth grants & workload identities: orphan detection, consent drift
Automation / integration accounts: dormant flags, privilege weight
Why it matters: NHIs don’t show up in HR offboarding. They accumulate in Azure, SaaS marketplaces, and PSA webhooks — until something exfiltrates data with a key that “was always there.”
MIP gives NHIs inventory, risk context, and audit lineage next to human identities — so your access review program isn’t blind to half the attack surface.
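As an added illustration (not MIP's own code, and not its rules), here is how the orphan, dormant, stale-credential and excessive-scope flags listed above can be computed over a small inventory; the thresholds, the scope names treated as high-risk, and the sample identities are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
# Thresholds and scope names are assumptions for this example, not MIP defaults.
DORMANT_DAYS = 90        # no observed use in this window => dormant
ROTATION_MAX_DAYS = 180  # credential older than this => stale
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"}

@dataclass
class NHI:
    name: str
    kind: str                           # service_principal, api_key, oauth_grant, automation_account
    owner: Optional[str]                # None => nobody accountable (orphan)
    last_used: Optional[datetime]       # None => never observed in use
    credential_rotated: Optional[datetime] = None
    scopes: Set[str] = field(default_factory=set)
    privileged: bool = False            # carries admin-weight entitlements

def assess(nhi: NHI, now: datetime) -> List[str]:
    """Return the governance flags that apply to one non-human identity."""
    flags = []
    if nhi.owner is None:
        flags.append("orphan")
    if nhi.last_used is None or (now - nhi.last_used).days > DORMANT_DAYS:
        flags.append("dormant")
    if nhi.credential_rotated and (now - nhi.credential_rotated).days > ROTATION_MAX_DAYS:
        flags.append("stale_credential")
    risky = sorted(nhi.scopes & HIGH_RISK_SCOPES)
    if risky:
        flags.append("excessive_scope:" + ",".join(risky))
    if nhi.privileged and "dormant" in flags:
        flags.append("dormant_privileged")  # the combination a review should see first
    return flags

def assess_inventory(inventory: List[NHI], now: datetime) -> Dict[str, List[str]]:
    """Map each flagged identity to its flags; clean identities are omitted."""
    return {n.name: assess(n, now) for n in inventory if assess(n, now)}
# Constructed sample inventory, not real tenant data.
NOW = datetime(2025, 1, 15)
SAMPLE = [
    NHI("legacy-sync-app", "service_principal", None, NOW - timedelta(days=400),
        scopes={"Directory.ReadWrite.All", "User.Read"}),
    NHI("psa-webhook-key", "api_key", "ops@example.com", NOW - timedelta(days=2),
        credential_rotated=NOW - timedelta(days=500)),
    NHI("reporting-bot", "automation_account", "finance@example.com", NOW - timedelta(days=5), privileged=True),
    NHI("old-backup-runner", "automation_account", "it@example.com", None, privileged=True),
]

if __name__ == "__main__":
    for name, flags in assess_inventory(SAMPLE, NOW).items():
        print(f"{name}: {', '.join(flags)}")
```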
Compliance binding (without a separate GRC project)
MIP actions map to evidence for NIST 800-53, CMMC 2.0, SOC 2, and ISO 27001 — AC, IA, AU, and IR families — auto-bound where the platform observes identity events.
Who this is for
MSPs/MSSPs standardizing identity posture across clients
vCISOs who need one pane for lifecycle + ITDR + certification
Regulated clients (defense, finance, healthcare) where NHI and SoD are examiner questions — not trivia
Getting started
Connect identity infeeds (Microsoft GDAP / Entra, Okta, Google Workspace, Petra ITDR where used)
Open Identity (MIP) at client scope — review lifecycle outliers on the overview rollup
Enable access review campaigns and NHI inventory for high-risk clients first
Learn more: dual-strike.com · request a Managed Identity Provider demo
MIP detects and recommends; your IdP remains authoritative for authentication. Dual-Strike XISEM is the intelligence and policy layer — not a replacement directory.

