How We Rebuilt Three Identity Platforms in Six Months Without Interrupting Healthcare Operations

Engaged to operate a SailPoint, CyberArk, and Ping Identity estate, we found deployments that had to be re-engineered. After emergency stabilization, all three were rebuilt in a single intensive cycle while the identity services healthcare operations depend on kept running.

Agency and system names anonymized for security. Full briefing available under mutual NDA.

9 min read

Client
National healthcare supply chain and logistics organization (anonymized)
Domain
Identity governance and privileged access management
Engagement
Managed IAM and PAM operations through resident engineering, expanded into a full re-implementation of the identity estate
3
Platforms rebuilt: SailPoint, CyberArk, Ping
6 months
Re-implementation cycle
Zero
Unplanned identity service disruption

The situation

The client runs a large-scale healthcare supply chain and logistics ecosystem supporting critical national healthcare services. There, identity and access management is not an IT convenience; it is a core control layer for continuity, security, and regulatory compliance. If identity services stall, the people who keep medical supplies moving lose their access, and the supply chain slows with them.

ExeQut was engaged as a resident engineering partner to operate and optimize the existing identity estate: SailPoint for identity governance, CyberArk for privileged access, and Ping Identity for SSO. The onboarding assessment changed the assignment. The original implementation was poorly designed and never built for enterprise scale: components were outdated, integration between the three platforms was incomplete, provisioning and access certification workflows were inefficient, and the architecture ignored established governance and privileged access practice.

The engagement had to become something else: a full modernization and re-engineering program executed without taking identity services down. The expanded scope was evidenced by the assessment, agreed with the client before the rebuild began, and delivered inside the resident engineering engagement rather than through a separate systems-integration procurement.

We were hired to operate three identity platforms. The onboarding assessment said all three had to be rebuilt.

The challenge

The rebuild had to succeed against hard constraints:

  1. Mission-critical healthcare operations depending on uninterrupted identity services throughout the transformation.
  2. Structurally deficient prior implementations across all three platforms, not just configuration drift.
  3. Broken and incomplete integration between SailPoint, CyberArk, and Ping Identity, undermining governance workflows and access certification.
  4. Strict regulatory and audit requirements: access controls the organization must be able to evidence under a national cybersecurity controls framework and sector audit regime, and the deficient implementation could not reliably produce that evidence. In a nationally critical healthcare sector, that gap is an audit finding waiting to be written.
  5. A growing user base and application ecosystem steadily adding complexity while the foundation was being rebuilt.

The approach

ExeQut converted the engagement from support-only to a phased stabilize, rebuild, and operate program, executed against live production throughout.

Stabilize before you optimize

A deep technical assessment across the three platforms identified the architectural gaps, inefficiencies, and integration failures. Emergency remediation came first: system upgrades, performance stabilization, and correction of critical configuration issues, coordinated through a joint governance structure with the client's IT and security teams and application and infrastructure owners. The rule was firm: upgrades precede optimization, because tuning a structurally outdated system is wasted effort.

Rebuild, don't patch

The six-month accelerated cycle re-implemented the core of each platform: SailPoint redesigned and reconfigured for enterprise-scale identity lifecycle management and access governance, CyberArk restructured for privileged account vaulting, session control, and monitoring, and Ping Identity SSO re-implemented for centralized authentication and federation across applications. Integrations between the layers were rebuilt rather than patched; the team treated surface repairs of broken workflows as deferred failures.

Governance rebuilt into the lifecycle

Provisioning and deprovisioning workflows were reconstructed against governance policy. Access certification and review processes were redesigned, standardized into the IAM lifecycle, and run with ExeQut execution support, not left as designed-but-idle documents. Role-based access control and least privilege were enforced, and logging and auditability were strengthened across all three platforms.

Operate while transforming

Delivery ran through a resident engineering model: engineers embedded in the client environment, continuous 24/7 operational support, daily monitoring and incident response, and weekly architecture reviews. Rebuild work moved in cycles coordinated with application and infrastructure owners, with incident handling and operational continuity management wrapped around every change. The joint governance structure kept rebuild work and daily operations from colliding, while knowledge transfer and operational training for client teams ran alongside delivery.

Zero disruption was not asserted at the end of the rebuild. It was tracked daily and reviewed with the client's IT and security teams inside the joint governance structure.

The outcome

The first return is a rescued platform investment. The client had already paid for three enterprise identity products and the implementation behind them; rebuilding in place recovered that investment and avoided the alternative: a new procurement cycle, a new vendor, a multi-year rip-and-replace, and the exposure of running a deficient identity layer while waiting for it. On top of that recovered investment:

  • Provisioning, certification, and audit workflows rebuilt and running where the prior implementation left them incomplete or idle, shifting identity operations away from manual, reactive effort.
  • Privileged access moved onto restructured CyberArk vaulting, session control, and monitoring, so privileged activity is monitored and reviewable rather than assumed to be under control.
  • Audit traceability built into daily operation: standardized certification processes executed in practice, privileged session monitoring, and strengthened logging across all three platforms, producing the access-control evidence the prior implementation could not reliably supply.
  • Knowledge transfer and operational training for client teams, which now work alongside ExeQut resident engineers in steady state rather than depending on a vendor by default.

Designed for the future

The rebuilt ecosystem is the foundation for what comes next: Zero Trust identity architecture, privileged access analytics, SOC and orchestration integration, and progressive automation of the identity lifecycle. Each now builds on a sound platform instead of paying a rescue premium first, the difference between a security roadmap and a remediation backlog.

What we took from it

  1. Audit the environment before you agree to operate it. Onboarding assessment is what separates a support contract from a rescue mission discovered too late.
  2. Poor implementation compounds. Deficient identity foundations quietly amplify operational and security risk every year they are left alone.
  3. Upgrade before you tune. Optimization on structurally outdated components is effort spent making the wrong thing faster.
  4. Integration is the product. IAM, PAM, and SSO deliver governance only when the connections between them work; that is where rebuilds must focus.
  5. Resident engineering makes zero-downtime rebuilds real. Continuous embedded presence is what lets one team rebuild the platforms it is simultaneously operating, without dropping either job.

Want the unredacted briefing?

Agency, systems, architecture, vendors, and outcomes. We walk you through the full engagement under mutual NDA.

Request a private briefing