Orendyr

Identity governance,
without the rip-and-replace.

Orendyr sits on top of Microsoft 365, Okta, and the rest of your SaaS — adding the workflow, policy, and evidence layer auditors ask for. No parallel directory. No shadow access state. If we're removed, your platforms stay coherent.

  • SOC 2 Type II · ISO 27001
  • 99.99% rolling availability
  • Open verifier on GitHub
  • Frontier-model agentic workflows
[Diagram: the Orendyr overlay (workflows · policy · evidence · warden: Workflow engine, Policy + SoD, Audit chain, Warden) sits on native admin APIs (Microsoft Graph · Okta Management · SCIM · REST) above your platforms as systems of record, unchanged, no parallel directory: Microsoft 365, Okta, HRIS, SaaS apps.]

Orendyr adds a layer. It never becomes the layer.

The thesis

Legacy IGA tools try to become the directory.
We refuse.

The reason SailPoint, Saviynt, and One Identity projects stall for 18 months is the same reason they cost seven figures: they want to be the new source of truth. That's a migration, not a product. Orendyr ships as an overlay — a clean seam between your platforms and the governance layer on top of them.

  • Legacy IGA says: We'll import your users into our directory.
    Orendyr says: Your directory stays the system of record. We read through Microsoft Graph and Okta Mgmt — and write back the same way.
  • Legacy IGA says: You'll maintain entitlements in our UI.
    Orendyr says: We document and govern the entitlements you already have. When we mutate, we mutate natively.
  • Legacy IGA says: Our agent runs on your endpoints / AD DC.
    Orendyr says: No agents. No domain controllers. Delta-sync connectors over published APIs with least-privilege app registrations.
  • Legacy IGA says: Removal means a 6-month offboarding project.
    Orendyr says: Remove the overlay and your platforms keep working unchanged. We were never in the critical path.
Three modes · not three packages

You don't pick a tier. You map each resource to one of three behaviors.

Observed, Hybrid, and Managed aren't plans you buy. They're what Orendyr does on any single resource — a group, an app, an HRIS feed, a privileged role. Most customers run all three at once and promote resources over time.

observed

Read, never write. Orendyr sees it, governs it in reports, touches nothing.

hybrid

Native rule stays intact. Orendyr governs only the attributes the rule keys on.

managed

Orendyr owns the join condition end-to-end. Every mutation writes via native APIs.

[Connector settings (acme-corp): each resource is pinned to observed, hybrid, or managed. Entra ID dynamic security groups · Okta app assignments (SaaS) · Workday HRIS joiner/leaver feed · NetSuite finance roles (planned → hybrid Q3) · GitHub Enterprise team membership · Salesforce profiles + permission sets · Coupa approver chains · Microsoft 365 privileged directory roles.]

3 observed · 2 hybrid · 3 managed — 60/30/10 is a typical starting shape. Promotions are reversible · every transition signed.
  • Per connector
    Set a default mode when you connect a new platform. Promote resources from there.
  • Per resource
    Pin a single group, role, or app to a different mode. Granular override, no forks.
  • Per day
    Promote, demote, roll back. Every transition emits an orendyr.mode.changed event.
What your team stops doing manually

The six jobs that eat your IT team's week.

If your identity program runs on a mix of spreadsheets, Jira tickets, and brave people clicking fast, you already have the use-cases. Orendyr takes them off the humans — without handing the directory to a vendor.

Joiner, mover, leaver

HRIS-triggered onboarding. Role changes reconcile in minutes, not quarters. Leavers soft-suspend in 24h, then revoke — every step a signed step.

workday · bamboo · ukg
Quarterly access reviews

Auto-assemble reviews from the warehouse. Managers approve in one click with risk-weighted context. Evidence packs ship straight to your auditor.

soc2 · iso 27001 · hipaa
Cross-platform SoD

NetSuite AP Approver paired with Coupa Vendor Setup. Entra privileged role paired with anyone who signed a policy exception. Detection is continuous.

sox · financial
Privileged, just-in-time

Elevate for 60 minutes, with a reason string on the audit record. Auto-revoke on timeout. Scheduled break-glass drills prove the drill actually works.

pim · pam · jit
Orphaned & stale cleanup

Weekly sweep finds disabled users still holding privileged roles, groups without owners, and grants nobody's touched in 90 days. Orendyr drafts the revoke — you approve.

hygiene
Drift & reconciliation

Someone added an admin in the portal? We notice. Orendyr diffs observed state against intended state and surfaces every delta in the posture dashboard.

native-api · continuous
Your IT lead spends ~9 hours a week on the six items above. Orendyr gives that week back.
Workflows

State machines. Not YAML nightmares.

Six block kinds. Every block documents the native APIs it touches and the audit events it emits. Every run is replayable with a correlation id. Drag on a canvas, version in git, approve in a review.

[Workflow canvas: workflows/joiner · finance · v12 · published. Nodes: HRIS joiner (workday.employees.hired); Elevated role? (decision); Request role (access.request); Awaiting (24h · escalate); Grant role (roles.activate); Birthright (graph.groups.add); Licenses (graph.licenses.set); Onboarded (evidence.sealed). correlation: 7f3c…a219]
Six blocks. That's it.
  • Trigger
    HRIS event, schedule, policy violation, access request.
  • Decision
    Yes/no branch over identity attributes, risk, or time.
  • Action
    Native mutation — grant, revoke, request approval.
  • Notify
    Teams, Slack, email, webhook. Quiet hours honored.
  • Wait
    Pause for approval or duration with escalation.
  • Outcome
    Success or denied, with evidence attached.
Every block emits orendyr.workflow.step with a step id and correlation token. Replay any run from the audit log.
Tamper-evident audit

Evidence an auditor can verify without us.

Every action appends to a per-tenant SHA-256 hash chain. A daily Merkle batch anchors to WORM storage (S3 Object Lock or Azure Immutable Blob) and, optionally, to Bitcoin via OpenTimestamps. The verifier is open source. No blockchain hype, no vendor lock-in on your evidence.

SHA-256 hash chain

Every event carries the hash of the previous event. A single mutation anywhere in the chain invalidates every hash that follows.

event_n.hash = sha256(event_n-1.hash || event_n.body)
WORM storage anchor

S3 Object Lock or Azure Immutable Blob. Retention periods are tenant-configurable. The anchor isn't ours — it's yours.

OpenTimestamps (optional)

A free, globally-verifiable Bitcoin timestamp. No wallet. No gas. Just a proof you can re-check on any laptop in 2035.

Open verifier

github.com/orendyr/verify re-checks the chain with just the signed JSON bundle and the anchor proof. Hand your auditor a USB stick. We don't need to exist.
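The chain-and-anchor scheme described above, worked through in code. This is an added illustration, not Orendyr's verifier or any code from the project: it assumes an all-zero genesis hash, canonical JSON bodies, and a daily Merkle root over the day's event hashes as the anchored value, none of which the page specifies. The sample events are constructed to mirror the chain view. Two failure modes are shown: editing one event in place (caught by the hash chain at that index), and re-hashing the whole chain after an edit (internally consistent, caught only because the root was anchored outside the vendor's control, which is the point of the WORM and OpenTimestamps step).

```python
import copy
import hashlib
import json

# Constructed illustration, not Orendyr's code. Assumptions: the chain starts
# from an all-zero previous hash, event bodies are canonical JSON, and the daily
# anchor is the Merkle root over that day's event hashes. The page does not
# state any of these encoding details.
GENESIS = "0" * 64


def canonical(body: dict) -> bytes:
    """Deterministic encoding: same body, same bytes, same hash."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def event_hash(prev_hash: str, body: dict) -> str:
    """event_n.hash = sha256(event_n-1.hash || event_n.body)."""
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(body)).hexdigest()


def append_event(chain: list, body: dict) -> dict:
    """Append a body to the chain, linking it to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    event = {"prev": prev, "body": body, "hash": event_hash(prev, body)}
    chain.append(event)
    return event


def verify_chain(chain: list) -> tuple:
    """(True, None) if every link holds, else (False, index of first bad event)."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["prev"] != prev or ev["hash"] != event_hash(prev, ev["body"]):
            return False, i
        prev = ev["hash"]
    return True, None


def merkle_root(leaf_hashes: list) -> str:
    """Pairwise SHA-256 over hex leaves; an unpaired leaf is carried up unchanged."""
    level = list(leaf_hashes) or [GENESIS]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                pair = bytes.fromhex(level[i]) + bytes.fromhex(level[i + 1])
                nxt.append(hashlib.sha256(pair).hexdigest())
            else:
                nxt.append(level[i])
        level = nxt
    return level[0]


def verify_bundle(bundle: dict, anchored_root: str) -> tuple:
    """Offline check: internal links first, then the batch root against the anchor."""
    ok, idx = verify_chain(bundle["events"])
    if not ok:
        return False, f"chain broken at event {idx}"
    if merkle_root([e["hash"] for e in bundle["events"]]) != anchored_root:
        return False, "merkle root does not match the anchored value"
    return True, "chain intact and matches anchor"


def build_sample_bundle() -> dict:
    """Constructed sample events modelled on the chain view on this page."""
    chain = []
    for body in (
        {"ts": "14:02:17.441", "type": "workflow.step", "wf": "wf_7f3c", "step": "grant.birthright"},
        {"ts": "14:02:17.612", "type": "graph.groups.add", "user": "u:cora.m", "group": "g:fin-birthright"},
        {"ts": "14:02:17.889", "type": "notify.delivered", "channel": "teams", "to": "@manager(cora.m)"},
        {"ts": "14:02:18.204", "type": "evidence.sealed", "pack": "ev_2f…11", "steps": 4},
    ):
        append_event(chain, body)
    return {"tenant": "acme-corp", "events": chain}


def edit_in_place_demo() -> tuple:
    """An after-the-fact edit to one body breaks its link and is caught at that index."""
    bundle = build_sample_bundle()
    anchor = merkle_root([e["hash"] for e in bundle["events"]])
    evil = copy.deepcopy(bundle)
    evil["events"][1]["body"]["group"] = "g:fin-admins"
    return verify_bundle(bundle, anchor), verify_bundle(evil, anchor)


def rewrite_demo() -> tuple:
    """Re-hashing the whole chain after an edit passes the internal check, not the anchor."""
    bundle = build_sample_bundle()
    anchor = merkle_root([e["hash"] for e in bundle["events"]])
    bodies = [copy.deepcopy(e["body"]) for e in bundle["events"]]
    bodies[1]["group"] = "g:fin-admins"
    rewritten = []
    for body in bodies:
        append_event(rewritten, body)
    return verify_chain(rewritten), verify_bundle({"tenant": "acme-corp", "events": rewritten}, anchor)


if __name__ == "__main__":
    print(edit_in_place_demo())
    print(rewrite_demo())
```

The second demo is why the external anchor matters: a party holding the whole chain can always regenerate a self-consistent one, so the verifier needs a root it obtained from somewhere the chain's custodian cannot rewrite.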

Sample chain view (audit · acme-corp · chain head · verified):
  • 14:02:17.441 workflow.step · joiner/finance · grant.birthright · wf_7f3c · sha256: a21f…9b02
  • 14:02:17.612 graph.groups.add · u:cora.m → g:fin-birthright · Microsoft Graph · sha256: b402…71ee
  • 14:02:17.889 notify.delivered · teams · @manager(cora.m) · ack.pending · sha256: c9a1…f38d
  • 14:02:18.204 evidence.sealed · pack ev_2f…11 · joiner/finance · 4 steps · sha256: d5b8…0117
  • Daily Merkle anchor · 2026-04-16 00:00 UTC · ots: bitcoin:block:834612 · worm:s3://acme-audit/2026-04-16.bin
Re-verify offline: orendyr-verify ./bundle.json
Warden

An AI that stays in its lane.

Frontier-model reasoning, grounded in your identity warehouse. The Warden investigates across platforms, drafts workflows from a sentence, explains policy denials in plain English, and chains tools safely — with three effect tiers enforced at the schema level and a human gate on anything that writes.

read: Look, don't touch.
Runs against the warehouse. Answers posture questions without ever reaching a native API.
Example: "Who has AP approver + vendor setup in NetSuite + Coupa?"

propose: Propose, don't publish.
Drafts workflows, reviews, and evidence packs to the canvas. You're the one who ships them.
Example: "Draft a leaver workflow for Finance with 24h soft-suspend."

execute: Asks before it acts.
Can call native APIs — but always pauses for a human on a confirmation gate first.
Example: "Revoke cora.m's admin role in Okta. (pending approval)"
Sample session (Warden · acme-corp · frontier reasoning · gated tools · audited):
User: Find orphaned Azure AD admin roles assigned to anyone who left in the last 90 days.
Warden (read): warehouse.query(roles.privileged where owner.terminated_at > now() - 90d)
Warden: 3 findings. cora.m (Global Reader), j.park (User Admin), svc-pbx (Exchange Admin). Their accounts are disabled but roles are still assigned.
User: Draft a workflow to revoke them and seal evidence.
Warden (propose): workflow.draft("orphan-role-sweep") → rendered to canvas, unpublished
Warden: Drafted. Two-step: revoke via Graph, seal evidence pack. Review the diff: +7 nodes, 6 edges · effect.execute gated on approver:security@acme
Awaiting human approval before any native API call.
Agentic capability

Frontier-model assistance, where it matters.

Ask an afternoon's worth of IGA work in a sentence. The Warden runs multi-step reasoning over your warehouse, your policies, and your audit history — and hands back a verifiable answer, not a summary.

  • Investigates posture across every connected platform in one query
  • Drafts workflows from plain language — rendered to the canvas, never auto-published
  • Explains policy denials in plain English with the exact rule that fired
  • Reconstructs failed runs: which step, which API, which permission was missing
  • Assembles evidence packs an auditor will accept
Pin the provider you trust — Claude, GPT on your Azure, self-hosted Llama on an air-gapped node. Swap without changing anything else.
Every prompt and tool call is written to the tamper-evident log with a warden.correlation id.
Honest comparison

We win where it matters. Here's the matrix.

Built from the public product docs and marketing material of each vendor. If you think a cell is wrong, email us — we'll update it. SailPoint and Saviynt are strong at enterprise audit; they're weak at getting out of their own way. Okta IGA is getting better; it's still bounded by the Okta directory. That's the real gap.

Columns: Capability · Orendyr (us) · SailPoint · Saviynt · Okta IGA
Legend: Yes / Partial / No · $ = tiers of annual spend in mid-market
  • Sits on top of M365 / Okta as systems of record
  • Removable without a migration project
  • Three-tier ownership (Observed / Hybrid / Managed)
  • Native workflow state-machine canvas
  • Tamper-evident audit chain (SHA-256)
  • External anchor (WORM + OpenTimestamps)
  • Open-source verifier
  • Works on a single M365 tenant with no IGA team
  • Frontier-model agent grounded in your data with a human gate
  • AI with read / propose / execute tiers + human gate
  • Typical time-to-first-workflow: Day 1 · 6-12 months · 4-9 months · 4-8 weeks
  • Typical first-year TCO (mid-market): $$$$$$$$$$$

Identity governance.
On the platforms you already own.

Start Observed. Keep your directory. Hand an auditor a USB stick. Cancel any time and your platforms stay coherent — because we were never the directory.

No sales engineering week. Live in a sandbox in 20 minutes. Observed-mode is free to trial.