Operations · Continuity

Go-live is day one, not
the finish line.

Consultants leave, the project channel gets archived, and six months later nobody remembers why the MFA lifetime was set to 30 days. Panaptico keeps the implementation graph alive — decisions, configs, approvals, and evidence — queryable for the life of the system.

IMPL-GRAPH · ALIVE
Workday finance rolloutDay 184 since go-live14 connectors live1,427 decisions retainedlast sync · 48s

Go-live

2025-10-20

+30d

2025-11-19

+90d

2026-01-18

+150d

2026-03-19

Today

2026-04-22

Day 000LAUNCHWorkday finance cutover — 4,218 users migrated
Day 012DRIFTOkta MFA lifetime changed · 30d → 45d · CHG-00618
Day 034DECISIONVendor swap — Fivetran → Airbyte · DR-2025-0892
Day 071ROTATIONConsultant handoff · Deloitte → in-house · 14 runbooks transferred
Day 108DRIFT3 admin accounts added to Workday Finance · no CHG record
Day 142DECISIONScope expansion — HR module added to graph · DR-2026-0104
Day 178EVIDENCESOC2 annual audit · 217 artifacts served from graph · 0 gaps

The same graph that shipped the rollout answers the audit, the change review, and the new-hire question.

IMPL-GRAPH-0491

What usually happens at go-live

The knowledge walks out
with the consultants.

01

The channel gets archived.

Slack archived. Confluence page ages. The five people who knew why the identity policy was written that way are off the account. You inherit a system with no memory.

02

Configs drift silently.

What was true at launch isn't true at day 184. Admin counts grow. Lifetimes get bumped for a single incident and never revert. No one is watching the diff against intent.

03

New hires start from zero.

A new engineer joins on day 190. Nobody remembers why the Workday integration uses a service account instead of SCIM. Decisions get relitigated every quarter.

Persistent record

Ask the graph why.

Every decision, config change, approval, and linked artifact is retained and queryable. No more "ask Karim" — the answer is in the graph with its evidence still attached.

Decisions · 1,427 retained
Evidence bundles · 892 sealed
Configs versioned · all connectors
QueryWhy was the Okta MFA lifetime set to 30 days?answered · 0.4s

Decision

MFA session lifetime fixed at 30 days for finance-scope user pools.

DR-2025-0714 · recorded 2025-09-04 · system phase: pre-cutover

Rationale

SOC2 CC6.1 control mapping required re-auth at least monthly for privileged finance access. 30d was the tightest lifetime compatible with the Workday SAML session TTL at rollout.

Approver

DP

Daniela Park · CISO

signed 2025-09-04 14:22Z

Evidence attached

soc2-cc61-control-mapping.pdf
okta-mfa-policy-export-2025-09-04.json
workday-session-ttl-reference.md

Affected systems · still bound by this decision

Okta · Finance pool
Workday Finance · 4,218 users
CrowdStrike · managed devices
Entra ID · federated backup
Record still authoritative · last verified 2026-04-22sha256 · 1d42…a9c7

Living baseline

Every drift linked to its reason — or flagged.

The go-live state is the baseline. Today's state is the reality. The graph shows the diff — and whether each change has a decision record behind it or walked in silently.

4 matches intent 2 authorized drifts 2 unauthorized drifts
BASELINE · IMPL-GRAPH-0491go-live 2025-10-20 → today 2026-04-226 baseline surfaces · 2 need review

Admin accounts · Workday Finance

Go-live

4

Today

4

match

Matches intent · DR-2025-0712

MFA session lifetime · finance pool

Go-live

30 days

Today

45 days

authorized

Authorized drift · CHG-00618 · approved D. Park

Service principals · Azure finance tenant

Go-live

11

Today

17

drift

6 new principals · no CHG record

Unmanaged endpoints · finance-scope

Go-live

0

Today

12

drift

12 endpoints enrolled outside MDM · no intent link

Ingestion pipelines · Snowflake finance

Go-live

9 pipelines

Today

9 pipelines

match

Matches intent · DR-2025-0801

Vendor · ELT ingestion

Go-live

Fivetran

Today

Airbyte

authorized

Vendor swap · DR-2025-0892 · approved procurement council

Unauthorized drifts open a review automatically · owners notified · graph stays the source of record

Team continuity

New hire, day one — not day ninety.

When someone joins the team or the on-call rotation shifts, Panaptico assembles their context from the graph — not from a Confluence scavenger hunt.

PM

Priya Menon · joined Identity team

day 1 · 2026-04-22

ONBOARD-PACK · auto-assembled · 4s

Systems you own

Okta · Finance & HR pools
Entra ID · federated backup
Vault · privileged secrets
Duo · step-up auth

Recent decisions in your scope

MFA lifetime · 30d → 45d · finance pool

DR-2026-0114 · approved D. Park · Day 12

Duo bypass codes · rotation increased to 72h

DR-2026-0208 · approved ID council · Day 94

Federated backup · Entra ID added as secondary

DR-2026-0311 · approved architecture review · Day 162

Open exceptions

3 service accounts · quarterly rotation overdue

finance scope · due in 6 days

6 Azure principals added without CHG record

review opened · owner unassigned

People & runbooks

ask · Daniela Park (CISO · final approver on identity policy)

ask · Marcus Alvarez (SRE · operates Vault)

runbook · okta-break-glass.md · last exercised Day 140

runbook · federated-failover.md · last exercised Day 162

Onboarding pack regenerates from the graph — no stale docs, no tribal knowledge transfer required

Operational intelligence

Every future change starts with the existing graph.

When a new initiative lands, Panaptico reuses the implementation graph to scope blast radius, surface prior decisions that apply, and tell you which evidence is still valid.

6 systems in blast radius · 4 already in-scope, 2 new
14 prior decisions still apply · SOC2 mapping reused
38 evidence artifacts still valid · 7 need refresh
SCOPE · NEW INITIATIVEAdd Workday HCM module for 2,100 EMEA usersDay 184 · graph-assisted
WORKDAY HCM+2,100 users · EMEAOktain-scopeEntra IDin-scopeSnowflakein-scopeCrowdStrikein-scopeBambooHRnew · EMEAGreenhousenew · EMEA

Decisions reused

14

SOC2 mapping, MFA policy, scope bounds

Evidence still valid

38

7 need refresh for EMEA residency

New work generated

27

sequenced · dependencies resolved

The graph outlives the project.

Decisions retained. Drift linked to reasons. New hires onboarded from the source of record. The next initiative built on what's already known — not on what someone remembers.

Try Panaptico freeBook a demo