

The security review is going normally until someone asks a very small question with very large consequences: "Are we enforcing MFA on everyone?" The answer arrives with an alarming amount of punctuation. "Mostly."
That one word does a lot of damage. It means some users are protected, some are not, and the organization has chosen to outsource part of its identity security posture to personal preference.
HR-Z0 case note: optional controls become mandatory incidents.
Optional MFA creates a fragile environment:
The symptoms are always recognizable:
This is how companies end up feeling compliant while still being surprisingly easy to compromise through ordinary human behavior.
The cost is not abstract.
The lockout or over-permission event is the symptom. Exception culture is the disease.
Many organizations start MFA rollout as a project and finish it as an aspiration. Legacy accounts, service accounts, shared logins, and awkward exceptions remain outside the rule.
MFA is often discussed separately from admin roles, guest access, password posture, and break-glass planning. In reality, they are one operating surface.
If nobody owns the actual enforcement state, the business ends up with a policy statement instead of a control.
The fix is not a security memo. The fix is enforced baseline behavior that survives turnover.
NorthStar identifies which accounts are covered, which are exempt, which are risky, and where the organization is confusing policy with practice.
Oort improves the baseline through:
The outcome is not theoretical security maturity. It is fewer preventable identity gaps.
We automate access reviews, exception expiry, backup/restore verification, and sharing enforcement so security does not depend on heroic memory.

Comms Officer HR-Z0 (a.k.a. “H.R. Zero”) is Galaxie’s deadpan broadcast voice for the Office Horror Stories series — part dispatcher, part incident historian, part morale damage control.
Built from equal parts helpdesk transcripts, post-mortems, and calendar trauma, HR-Z0 doesn’t “tell stories.” It files reports from the front lines of messy operations — where ownership evaporates, folders time-travel, and a “quick change” becomes a six-month saga.