Why I started Nubria

Joiner-Mover-Leaver is hard because HR data is broken, not because IGA is hard.

That sentence is the founding observation behind Nubria. I spent ten years inside enterprise identity programs — financial services, manufacturing, healthcare, public sector — across every role you can hold without the title "CISO." Hands on the keyboard, sketching architecture on whiteboards, sitting in steering committees, owning audit findings. Different employers, different industries, different platforms. Same patterns.

The consultancy industry tells those patterns one story. I came to believe a different one. That's why Nubria exists.


Three things I came to believe

1. The hard part of identity is upstream of identity.

The standard narrative says IGA programs are hard because the tools are complex. That's not true. The tools are fine. What's hard is that nine times out of ten, the source HR data those tools rely on is wrong, late, or both.

Joiner workflows fail because the HR system creates the record three days after the person starts. Mover workflows misfire because nobody updates department codes when reorgs happen. Leaver workflows leak because contractors don't have terminations recorded the same way employees do — and sometimes don't have terminations recorded at all.

You can buy a brilliant IGA platform and configure it perfectly. If your HR data is broken, your program is broken. The platform isn't doing the wrong thing — it's doing exactly what you told it to, with the inputs you gave it.

Most stalled IGA programs I've seen weren't stalled because of the technology. They were stalled because the team kept trying to fix the symptoms inside the IGA tool, when the disease was three systems upstream.
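The three failure modes described in this section (late joiner records, department codes nobody updated after a reorg, contractors with no recorded termination) are all detectable in the HR feed itself, before the IGA platform ever consumes it. The following is an added illustration, not Nubria's code or any client's; the record layout, worker ids, department codes and dates are constructed for the example, and the "current org chart" is assumed to be available as a set of valid department codes.

```python
"""Data-quality checks over an HR feed for the three JML failure modes.

Added example: the record layout and all sample values are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass
class HrRecord:
    worker_id: str
    worker_type: str                      # "employee" or "contractor"
    start_date: date                      # first day of work
    record_created: date                  # day the HR system created the record
    department: str                       # department code as HR currently holds it
    termination_date: Optional[date] = None
    contract_end: Optional[date] = None   # contractors: agreed end of engagement


@dataclass(frozen=True)
class Finding:
    worker_id: str
    check: str
    detail: str


def check_joiners(records: List[HrRecord], max_lag_days: int = 0) -> List[Finding]:
    """Joiner: an HR record created after the start date means downstream
    provisioning could not possibly have run on time."""
    out = []
    for r in records:
        lag = (r.record_created - r.start_date).days
        if lag > max_lag_days:
            out.append(Finding(r.worker_id, "late_joiner_record",
                               f"record created {lag} days after start"))
    return out


def check_movers(records: List[HrRecord], valid_departments: Set[str]) -> List[Finding]:
    """Mover: a department code that no longer exists in the org chart points at
    a record nobody updated after a reorg."""
    return [Finding(r.worker_id, "stale_department",
                    f"department {r.department!r} not in current org chart")
            for r in records
            if r.termination_date is None and r.department not in valid_departments]


def check_leavers(records: List[HrRecord], as_of: date) -> List[Finding]:
    """Leaver: contractors whose engagement has ended, or who have no end date at
    all, but carry no termination record."""
    out = []
    for r in records:
        if r.termination_date is not None or r.worker_type != "contractor":
            continue
        if r.contract_end is None:
            out.append(Finding(r.worker_id, "no_termination_path",
                               "contractor has neither contract end nor termination date"))
        elif r.contract_end < as_of:
            out.append(Finding(r.worker_id, "overdue_leaver",
                               f"contract ended {r.contract_end.isoformat()} with no termination recorded"))
    return out


def audit_hr_feed(records: List[HrRecord], valid_departments: Set[str],
                  as_of: date, max_lag_days: int = 0) -> List[Finding]:
    """Run all three checks and return every finding."""
    return (check_joiners(records, max_lag_days)
            + check_movers(records, valid_departments)
            + check_leavers(records, as_of))


# Constructed sample feed: ids, codes and dates are invented for this example.
SAMPLE_FEED = [
    HrRecord("E1001", "employee", date(2026, 3, 2), date(2026, 3, 5), "FIN-OPS"),        # created 3 days late
    HrRecord("E1002", "employee", date(2025, 6, 1), date(2025, 5, 20), "MFG-PLANT-B"),   # code retired in a reorg
    HrRecord("C2001", "contractor", date(2025, 9, 1), date(2025, 8, 25), "IT-INFRA",
             contract_end=date(2025, 12, 31)),                                          # engagement over, no leaver
    HrRecord("C2002", "contractor", date(2025, 11, 1), date(2025, 10, 28), "IT-INFRA"),  # no end date at all
    HrRecord("E1003", "employee", date(2024, 1, 8), date(2024, 1, 2), "FIN-OPS",
             termination_date=date(2025, 7, 31)),                                       # clean leaver
]
CURRENT_DEPARTMENTS = {"FIN-OPS", "IT-INFRA", "MFG-PLANT-A"}   # assumed current org chart
AS_OF = date(2026, 3, 10)                                     # constructed audit date

if __name__ == "__main__":
    for f in audit_hr_feed(SAMPLE_FEED, CURRENT_DEPARTMENTS, AS_OF):
        print(f"{f.worker_id:6} {f.check:20} {f.detail}")
```

Each finding names the upstream record that needs fixing rather than the downstream account that went wrong, which is the point of the section: run this against the feed on a schedule and the failures the IGA tool would otherwise surface as provisioning errors become HR data tickets instead.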

2. The blast radius is the admin tier, not the perimeter.

Talk to a CISO about identity and the conversation drifts toward end users — MFA coverage, SSO rollout, conditional access for the workforce. Important work. Worth doing. But it's not where the catastrophic risk sits.

The catastrophic risk sits in your tier-zero accounts. The handful of identities that, if compromised, hand the attacker your entire estate. Most organizations protect production better than they protect the accounts that can rebuild production from scratch.

Tier-zero is where ransomware groups go. It's where nation-state actors go. It's where the worst breaches of the last five years all started. And it's where most identity programs spend the least disciplined attention — partly because the work is unglamorous, partly because it stops people from doing what they want to do.

A program that hardens the tier and gets the workforce to "good enough" beats a program that beautifully manages the workforce and leaves the tier wide open. Every time.

3. Microsoft Entra ID changed the math.

Most legacy IGA platforms were architected for a world where identity sources were fragmented, applications didn't speak SAML, provisioning was custom code, and Microsoft was a directory vendor. That world doesn't exist anymore at most organizations I see.

Entra ID, in 2026, is a credible IGA platform. Lifecycle workflows, entitlement management, access reviews, custom roles, automated assignments — it's all there, and it's improving every quarter. For a meaningful share of mid-market and large organizations, the question isn't "which legacy IGA platform should we deploy?" anymore. It's "what does an Entra ID-first identity program look like, and where do we still need something else?"

That's an uncomfortable conclusion if your business model depends on selling implementations of platforms that cost six figures and take eighteen months. It's a useful conclusion if your goal is identity programs that actually work.


What Nubria is, framed against all of that

Nubria is a small, independent identity consultancy. We are deliberately not a reseller, not a Microsoft Partner whose roadmap is shaped by quotas, and not a Big 4 practice trying to maximize billable hours.

We work on the parts of identity programs that move them forward and that most engagements skip:

Cleaning the HR data and integration patterns that everything downstream depends on

Designing tier-zero protection that survives the next reorg, the next CISO, and the next incident

Helping organizations get honest about whether they need legacy IGA or whether Entra ID is now enough

Writing the runbooks, decisions, and architecture artifacts your team will still be reading three years from now

We work in tight engagements — 6 to 12 weeks, scoped to a clear outcome. We deliver written artifacts, not slide decks. We work alongside your team, not around them. Most of what we do is unglamorous; that's a feature.

If your identity program is stalled, expensive, or quietly humiliating, we'd like to hear about it. Initial conversations are free. We'll tell you honestly whether we can help — and what to do if we can't.