Inside the IdentityFirstMRI: How We Reveal Drift and Erosion

By IdentityFirst Ltd | December 2025

IdentityFirstMRI is designed to give SMEs a clear, visual understanding of their identity landscape. It maps every identity, permission, and relationship across systems, then highlights anomalies, drift, and erosion.

The MRI works by ingesting identity data, applying behavioural context, and comparing current access patterns to expected baselines. It identifies dormant accounts, privilege creep, inconsistent MFA enforcement, and policy exceptions. It also tracks how identities evolve over time, creating a historical record that supports audits and disputes.

The result is a single, unified view of identity health. SMEs finally gain the clarity they've been missing—and the ability to act before risks become incidents.

What is IdentityFirstMRI?

IdentityFirstMRI is the assessment engine at the heart of the IdentityFirst platform. MRI stands for Machine-Readable Identity—an assessment that produces comprehensive, machine-processable identity security data.

Think of it as an MRI scan for your identity landscape. Just as a medical MRI reveals what's happening inside your body without invasive procedures, IdentityFirstMRI reveals what's happening inside your identity infrastructure without requiring changes to your systems.

It connects to your identity sources—Active Directory, Entra ID, Okta, AWS IAM, Google Workspace, SaaS tools—and produces a comprehensive assessment of your identity health.

How IdentityFirstMRI works

Data ingestion

The first stage is gathering identity data from all your connected systems. IdentityFirstMRI connects to:

Directories: Active Directory, Entra ID, Okta, Google Workspace, LDAP directories

Cloud IAM: AWS IAM, Azure IAM, GCP IAM

SaaS platforms: Salesforce, ServiceNow, Workday, and 100+ other SaaS tools

HR systems: Workday, BambooHR, HiBob, SAP SuccessFactors

For each source, IdentityFirstMRI extracts:

The ingestion process is read-only. IdentityFirstMRI never modifies your systems—it only reads data to understand your current state.

Identity mapping

Once data is ingested, IdentityFirstMRI normalises it into a unified identity model. This is critical because the same person often exists in multiple systems with different identifiers.

Example: "John Smith" might appear as:

IdentityFirstMRI resolves these into a single identity record, representing the real person across all their digital representations. This mapping enables accurate cross-system analysis.

Context enrichment

Raw identity data is just data. IdentityFirstMRI enriches it with context:

Behavioural context: What is this person's normal access pattern? What systems do they normally use? What times do they typically access them?

Organisational context: What department is this person in? Who is their manager? What role do they hold?

Policy context: What access should this person have based on their role? What policies apply to their role?

Historical context: How has this person's access changed over time? Have they accumulated permissions? Has their role changed?

This context is what transforms raw data into actionable intelligence.

Drift detection

Now IdentityFirstMRI compares the current state against expected baselines:

Existence drift: Accounts that should exist but don't, or shouldn't exist but do. Terminated employees with active accounts. Contractors whose engagements ended months ago.

Privilege drift: Permissions that exceed what a role or policy allows. A user who moved to a new role but kept old access. A service account that accumulated permissions over time.

Temporal drift: Accounts or credentials that have aged past policy thresholds. Passwords not rotated in 365 days. API keys created for projects that ended two years ago.

Attribute drift: Account attributes that don't match the authoritative source. A user's department changed but didn't propagate to all systems.

Each finding is attributed to a specific identity and source system, with severity based on the risk involved.
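To make the mapping and drift stages concrete, here is an added Python example; it is not IdentityFirstMRI's own code (the post does not show its internals). It resolves accounts from several systems to one identity through a normalised e-mail address, then applies the four drift rules above to constructed sample records. The HR system acting as the authoritative source, the field names, the role-to-permission policy and the thresholds (365-day credential age, 60-day dormancy) are assumptions for the example.

```python
"""Identity mapping and drift detection over constructed sample records.

Added example, not IdentityFirstMRI's code. Assumptions: the HR system is the
authoritative source, each account carries the fields shown, and the role
policy and thresholds below belong to the organisation.
"""
from datetime import date

TODAY = date(2025, 12, 1)      # fixed clock so results are reproducible
PASSWORD_MAX_AGE_DAYS = 365    # credential-age policy threshold (assumed)
DORMANT_DAYS = 60              # no login for this long counts as dormant (assumed)

# Constructed HR records: who should exist, their role and department.
HR_RECORDS = [
    {"employee_id": "E100", "email": "john.smith@example.com",
     "department": "Finance", "role": "analyst", "status": "active"},
    {"employee_id": "E200", "email": "ann.lee@example.com",
     "department": "IT", "role": "admin", "status": "terminated"},
]

# Constructed accounts from three systems; the same person appears under
# different identifiers and e-mail casing, and one account has no owner.
ACCOUNTS = [
    {"system": "ad", "id": "CORP\\jsmith", "email": "john.smith@example.com",
     "department": "Sales", "permissions": {"finance-reports"},
     "last_login": date(2025, 11, 28), "pwd_changed": date(2024, 6, 1)},
    {"system": "aws", "id": "john.smith", "email": "John.Smith@example.com ",
     "department": "Finance", "permissions": {"finance-reports", "iam:admin"},
     "last_login": date(2025, 9, 1), "pwd_changed": date(2025, 10, 1)},
    {"system": "okta", "id": "00u9xyz", "email": "ann.lee@example.com",
     "department": "IT", "permissions": {"okta:super-admin"},
     "last_login": date(2025, 11, 30), "pwd_changed": date(2025, 1, 15)},
    {"system": "ad", "id": "CORP\\svc-backup", "email": None,
     "department": None, "permissions": {"domain-admin"},
     "last_login": date(2025, 8, 1), "pwd_changed": date(2023, 1, 1)},
]

# Assumed policy: the permissions each role may hold.
ROLE_POLICY = {
    "analyst": {"finance-reports"},
    "admin": {"okta:super-admin", "iam:admin"},
}


def identity_key(email):
    """Normalise an e-mail address so casing/whitespace variants resolve to one identity."""
    return email.strip().lower() if email else None


def map_identities(hr_records, accounts):
    """Attach every account to its HR identity; return (identities, orphans)."""
    identities = {identity_key(r["email"]): {"hr": r, "accounts": []} for r in hr_records}
    orphans = []
    for acct in accounts:
        key = identity_key(acct["email"])
        if key in identities:
            identities[key]["accounts"].append(acct)
        else:
            orphans.append(acct)  # no authoritative owner found
    return identities, orphans


def check_account(acct, hr, today=TODAY):
    """Apply the existence, privilege, attribute and temporal drift rules to one account."""
    found = []

    def add(kind, rule, severity, detail):
        found.append({"kind": kind, "rule": rule, "severity": severity,
                      "system": acct["system"], "account": acct["id"], "detail": detail})

    if hr is None:
        add("existence", "no_owner", "high", "account has no authoritative identity")
    else:
        if hr["status"] == "terminated":
            add("existence", "terminated_owner", "high",
                f"owner {hr['employee_id']} is terminated but the account is active")
        excess = acct["permissions"] - ROLE_POLICY.get(hr["role"], set())
        if excess:
            add("privilege", "excess_permission", "high",
                f"permissions beyond role {hr['role']}: {sorted(excess)}")
        if acct["department"] != hr["department"]:
            add("attribute", "attribute_mismatch", "low",
                f"department {acct['department']!r} differs from HR {hr['department']!r}")
    pwd_age = (today - acct["pwd_changed"]).days
    if pwd_age > PASSWORD_MAX_AGE_DAYS:
        add("temporal", "stale_password", "medium", f"credential not rotated for {pwd_age} days")
    idle = (today - acct["last_login"]).days
    if idle > DORMANT_DAYS:
        add("temporal", "dormant_login", "medium", f"no login for {idle} days")
    return found


def detect_drift(hr_records=HR_RECORDS, accounts=ACCOUNTS, today=TODAY):
    """Map identities, then collect drift findings for every account, owned or orphaned."""
    identities, orphans = map_identities(hr_records, accounts)
    findings = []
    for ident in identities.values():
        for acct in ident["accounts"]:
            findings.extend(check_account(acct, ident["hr"], today))
    for acct in orphans:
        findings.extend(check_account(acct, None, today))
    return findings


def summarise(findings):
    """Count findings per drift kind, the shape a report section would use."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_drift():
        print(f"[{f['severity']:<6}] {f['kind']:<9} {f['system']}:{f['account']}  {f['detail']}")
    print(summarise(detect_drift()))
```

Every finding carries the system and account it applies to plus a severity, which is the attribution the section describes. Running the script on the constructed data yields eight findings: the AD account with a stale password and a department that never propagated, the AWS account holding an admin permission outside the analyst role and sitting idle, the Okta account of a terminated employee, and an ownerless service account with an old credential and no recent login.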

Erosion detection

Beyond individual drift findings, IdentityFirstMRI detects patterns of policy erosion—the slow decay of governance controls:

Exception accumulation: Are exceptions to policy increasing over time? Are they being tracked?

Review gaps: When were access reviews last conducted? Are findings being acted on?

Process degradation: Are joiner/mover/leaver processes being followed? Where are they breaking down?

Erosion patterns indicate systemic governance failures that require attention beyond individual findings.
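The three erosion signals above are trends rather than single findings, so they need time-series and process data rather than a snapshot. The following added Python example (not IdentityFirstMRI's code) computes each one from constructed data: a monthly series of open exception counts, the date of the last access review per system, and joiner/mover/leaver events with their termination and disable dates. The thresholds (three consecutive monthly rises, 90-day review age, one-day leaver SLA) and the data shapes are assumptions chosen for the illustration.

```python
"""Policy-erosion signals over constructed governance data.

Added example, not IdentityFirstMRI's code. Data shapes, thresholds and rules
are assumptions chosen to illustrate exception accumulation, review gaps and
leaver-process degradation.
"""
from datetime import date

TODAY = date(2025, 12, 1)
REVIEW_MAX_AGE_DAYS = 90   # an access review older than this is a gap (assumed)
LEAVER_SLA_DAYS = 1        # access must be disabled within a day of termination (assumed)
TREND_MONTHS = 3           # this many consecutive monthly rises flags accumulation (assumed)

# Constructed monthly counts of open policy exceptions.
EXCEPTION_SNAPSHOTS = [
    ("2025-06", 4), ("2025-07", 5), ("2025-08", 5),
    ("2025-09", 7), ("2025-10", 9), ("2025-11", 12),
]

# Constructed date of the last completed access review per system (None = never reviewed).
LAST_REVIEWS = {"ad": date(2025, 10, 15), "aws": date(2025, 5, 1), "okta": None}

# Constructed leaver events: termination date and when access was actually disabled.
LEAVERS = [
    {"employee_id": "E200", "terminated": date(2025, 11, 3), "disabled": None},
    {"employee_id": "E301", "terminated": date(2025, 10, 20), "disabled": date(2025, 10, 21)},
    {"employee_id": "E302", "terminated": date(2025, 9, 8), "disabled": date(2025, 9, 30)},
]


def trailing_increases(snapshots):
    """Count consecutive month-over-month rises at the end of the series."""
    counts = [n for _, n in snapshots]
    streak = 0
    for i in range(len(counts) - 1, 0, -1):
        if counts[i] > counts[i - 1]:
            streak += 1
        else:
            break
    return streak


def exception_accumulation(snapshots, window=TREND_MONTHS):
    """Exception accumulation: are open exceptions growing month after month?"""
    streak = trailing_increases(snapshots)
    first, last = snapshots[0][1], snapshots[-1][1]
    return {"consecutive_increases": streak, "open_now": last,
            "growth": last - first, "eroding": streak >= window}


def review_gaps(last_reviews, today=TODAY, max_age=REVIEW_MAX_AGE_DAYS):
    """Review gaps: systems never reviewed or reviewed longer ago than policy allows."""
    gaps = []
    for system, reviewed in last_reviews.items():
        age = None if reviewed is None else (today - reviewed).days
        if age is None or age > max_age:
            gaps.append({"system": system, "days_since_review": age})
    return sorted(gaps, key=lambda g: g["system"])


def leaver_breaches(leavers, today=TODAY, sla=LEAVER_SLA_DAYS):
    """Process degradation: leavers whose access outlived the disable SLA."""
    breaches = []
    for leaver in leavers:
        end = leaver["disabled"] or today   # still enabled: measure the lag up to today
        lag = (end - leaver["terminated"]).days
        if lag > sla:
            breaches.append({"employee_id": leaver["employee_id"], "days_open": lag,
                             "still_active": leaver["disabled"] is None})
    return breaches


def erosion_report(snapshots=EXCEPTION_SNAPSHOTS, last_reviews=LAST_REVIEWS,
                   leavers=LEAVERS, today=TODAY):
    """Combine the three signals into one report section."""
    breaches = leaver_breaches(leavers, today)
    return {
        "exception_accumulation": exception_accumulation(snapshots),
        "review_gaps": review_gaps(last_reviews, today),
        "leaver_process": {
            "breaches": breaches,
            "breach_rate": len(breaches) / len(leavers) if leavers else 0.0,
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(erosion_report(), indent=2, default=str))
```

On the constructed data the report flags all three patterns: exceptions have risen for three consecutive months (5, 7, 9, 12), AWS has not been reviewed for 214 days and Okta never, and two of three leavers kept access past the SLA, one of them still enabled. A single breached leaver is a finding; a two-thirds breach rate is the systemic signal the section refers to.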

Reporting

IdentityFirstMRI produces comprehensive reports:

Executive summary: High-level posture score, key findings, trends, and recommendations—suitable for board-level reporting

Technical findings: Detailed findings for security teams, with affected systems, risk descriptions, and remediation guidance

Compliance mapping: Findings mapped to regulatory frameworks—GDPR, SOC 2, ISO 27001, NIS2—with evidence for auditors

Trend analysis: How has the identity landscape changed over time? What's improving? What's getting worse?

All reports are available in multiple formats: PDF for presentation, JSON for integration, and HTML for interactive exploration.

What IdentityFirstMRI reveals

Dormant accounts

Every account that hasn't logged in for 60+ days, flagged by system and risk level. IdentityFirstMRI doesn't just list them—it explains who owns them, what access they have, and whether they should be disabled.

Privilege creep

Permissions that accumulated over time as users changed roles or took on new responsibilities. IdentityFirstMRI tracks the history—when access was granted, whether it was approved, and whether it aligns with the user's current role.

MFA gaps

Systems where MFA isn't enforced, methods that are vulnerable (SMS), and users who haven't enrolled. IdentityFirstMRI maps your entire MFA coverage.

Policy exceptions

Every exception to standard access policies—when it was granted, who approved it, and whether it's still valid. IdentityFirstMRI tracks exceptions so they don't become permanent vulnerabilities.

Service account risks

Service accounts often have elevated permissions and minimal oversight. IdentityFirstMRI maps every service account, identifies owners, and flags excessive permissions.

Identity relationships

Every relationship between identities—manager/direct report, group membership, delegation, shared access. IdentityFirstMRI maps the connections that attackers exploit for lateral movement.

Why SMEs need IdentityFirstMRI

Visibility

Most SMEs have no idea what their identity landscape actually looks like. They know who has email accounts. They probably don't know who has admin access to the CRM system, or whether the former contractor still has VPN access, or what service accounts exist.

IdentityFirstMRI gives you visibility you can't get any other way.

Context

Even when SMEs have some identity data, they lack context. They know someone has access, but not why. They know a permission exists, but not whether it's appropriate.

IdentityFirstMRI provides the context you need to make decisions—not just what exists, but what it means.

Actionable findings

IdentityFirstMRI doesn't just surface problems—it provides remediation guidance. Every finding includes specific, actionable recommendations.

Audit readiness

The compliance mappings and evidence generation make audit preparation straightforward. You have documented evidence of your identity governance, ready for auditors.

Time to value

IdentityFirstMRI delivers results in hours, not months. There's no implementation project, no configuration required. Connect your systems and get your first assessment immediately.

The IdentityFirstMRI difference

Traditional identity governance platforms are:

IdentityFirstMRI is:

That's the AISF difference. Enterprise-grade identity governance, designed for SMEs, delivered as a service.