Ask an operations director who has access to their systems and the honest answer, in most multi-site businesses, is "mostly the right people". Not because anyone is careless, but because access is managed by hand, site by site, and hands are busy.
Someone joins, a manager creates an account. Someone moves site, their old access stays. Someone leaves, and their login works until somebody remembers. Multiply that by thirty sites and a seasonal workforce, and "mostly the right people" becomes a genuine risk sitting quietly in the background. Invisible, like most operational risk is.
Access drift is an operations problem, not just an IT one
Security teams call this access drift: the gap between who should have access and who actually does. It grows fastest in exactly the environments ocapii serves, where staff turnover is high, sites run semi-independently, and the person who set up the account has often moved on themselves.
The consequences are not abstract. A leaver with live access is a data protection question. A shared login is an accountability question: if everyone signs in as "Kitchen", nobody signed the check. And when an auditor or a security questionnaire asks how access is controlled, "the site manager handles it" is not an answer that lands well.
The fix: let your directory decide
Enterprises already run a system whose whole job is knowing who works there: the identity directory, whether that is Google Workspace, Microsoft Entra ID, Okta or another provider. The fix for access drift is to make that directory the single source of truth for your operations platform too.
That takes two standards working together. Single sign-on over OpenID Connect means people sign in with the company account they already have, protected by the MFA your IT team already enforces. SCIM 2.0 provisioning means the directory creates, updates and deactivates accounts automatically. Nobody sets up users by hand, and nobody has to remember to remove them.
With ocapii, a leaver deactivated in the directory loses access within seconds: web sessions end and mobile tokens are revoked on every device, across every site. Directory groups map to roles and site access, so a promotion or a site move updates permissions without a ticket. And SSO never silently creates accounts: only people you provisioned can sign in.
Multi-factor authentication follows the same logic. Your IdP's MFA protects SSO sessions, so nobody is prompted twice, and authenticator-app 2FA covers anyone still on passwords, enforceable by role. When you are ready, password sign-in can be switched off entirely: passwords, reset emails and magic links all stop working for regular users, and the directory becomes the single front door. Break-glass admin access survives an IdP outage, because resilience planning is part of governance too.
Setup is deliberately self-serve. SSO configuration includes a live connection test that checks discovery, credentials and signing keys with exact pass and fail reporting, so your IT team connects the directory without a support ticket. Domain allow-lists then restrict which company accounts are ever accepted, keeping the edges of the estate as governed as the centre.
The front-line objection, answered
The usual pushback is that half the workforce does not have a company email address. Kitchen teams, housekeepers, seasonal staff. If SSO is the only door, they are locked out.
This is why ocapii pairs enterprise SSO with secure PIN access for front-line teams: admin-controlled, shown once, fully audit-logged, and unaffected when password sign-in is switched off for everyone else. The estate gets one access model with two front doors, both governed, and no one is left outside the system doing their checks on paper.
There is a deeper benefit underneath the security one. Operations platforms exist to prove that work happened: checks completed, temperatures taken, actions closed. That proof is only as strong as the identity behind it. When every sign-in is governed and every account belongs to a named person, every record in the system inherits that credibility. Attribution is not a security feature bolted onto operations. It is what makes operational evidence worth anything.
Access is one of those areas where the work was always happening; it was just invisible, manual and scattered across sites. Made visible and automated, it stops being a risk and starts being evidence.
If your IT team wants the detail, our Trust Centre covers the full identity model, or book a walkthrough and bring them along.