Comment by bradbeattie
6 hours ago
The softer approach to this I've implemented in the past is to ingest and link up org data (user accounts, groups, projects, etc.) into one central DB and then provide audit notifications or dashboards to authorized users. Examples:
- Slack user detected with full access that isn't associated with a staff-grouped LDAP account
- Group A in System X doesn't match the members of Group A in System Y
- Service Z provisioned, but their associated customer account is deactivated
These kinds of violations _can_ be automatically synchronized in a variety of ways, but I've seen that result in politically embarrassing outcomes (e.g. Sensitive user X is fired, their Slack account is automatically deactivated, people notice before some kind of staff meeting can be held to talk about what's going on).
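The three audit rules listed in the comment, carried through as an added example (this is not the commenter's code). The systems, account names, group names and customer records are all constructed in-memory sample data; each check only returns findings for a reviewer to act on, rather than synchronizing anything, which is the "softer approach" the comment describes.

```python
"""Cross-system identity reconciliation: report violations, do not auto-remediate.

Constructed sample data stands in for exports from Slack, LDAP, two
project systems and a billing database that have been loaded into one
central store. Every check returns Finding objects; a notification job
or dashboard would surface those to authorized reviewers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which audit rule fired
    subject: str   # the user, group or service the finding is about
    detail: str    # human-readable explanation for the reviewer


# --- Constructed sample data (hypothetical accounts, not real ones) ---
LDAP_ACCOUNTS = {
    "alice": {"groups": {"staff", "eng"}},
    "bob":   {"groups": {"staff"}},
    "carol": {"groups": {"contractor"}},   # has an account, but not staff
    "dave":  {"groups": {"staff", "eng"}},
}

SLACK_USERS = {
    "alice":   {"role": "full"},
    "carol":   {"role": "full"},    # full access without a staff-grouped account
    "mallory": {"role": "full"},    # full access with no LDAP account at all
    "guest1":  {"role": "guest"},   # guests are out of scope for this rule
}

GROUPS_SYSTEM_X = {"eng": {"alice", "dave"}}
GROUPS_SYSTEM_Y = {"eng": {"alice", "erin"}}   # drifted from System X

SERVICES = [
    {"id": "svc-1", "customer": "cust-100"},
    {"id": "svc-2", "customer": "cust-200"},   # customer deactivated
    {"id": "svc-3", "customer": "cust-999"},   # customer record missing
]
CUSTOMERS = {
    "cust-100": {"status": "active"},
    "cust-200": {"status": "deactivated"},
}


def check_slack_full_access(slack, ldap, staff_group="staff"):
    """Rule 1: every full-access Slack user must map to an LDAP account in the staff group."""
    findings = []
    for user, attrs in sorted(slack.items()):
        if attrs["role"] != "full":
            continue
        account = ldap.get(user)
        if account is None:
            findings.append(Finding("slack-full-no-ldap", user, "no LDAP account"))
        elif staff_group not in account["groups"]:
            findings.append(Finding("slack-full-not-staff", user,
                                    f"LDAP account not in group '{staff_group}'"))
    return findings


def check_group_drift(groups_x, groups_y):
    """Rule 2: a group with the same name in two systems must have identical members."""
    findings = []
    for name in sorted(set(groups_x) | set(groups_y)):
        x, y = groups_x.get(name, set()), groups_y.get(name, set())
        only_x, only_y = sorted(x - y), sorted(y - x)
        if only_x or only_y:
            findings.append(Finding("group-drift", name,
                                    f"only in X: {only_x}; only in Y: {only_y}"))
    return findings


def check_orphaned_services(services, customers):
    """Rule 3: a provisioned service must belong to an active customer account."""
    findings = []
    for svc in services:
        cust = customers.get(svc["customer"])
        if cust is None:
            findings.append(Finding("service-no-customer", svc["id"],
                                    f"customer {svc['customer']} not found"))
        elif cust["status"] != "active":
            findings.append(Finding("service-customer-inactive", svc["id"],
                                    f"customer {svc['customer']} is {cust['status']}"))
    return findings


def run_audit():
    """Run all rules over the central store and return the combined findings."""
    return (check_slack_full_access(SLACK_USERS, LDAP_ACCOUNTS)
            + check_group_drift(GROUPS_SYSTEM_X, GROUPS_SYSTEM_Y)
            + check_orphaned_services(SERVICES, CUSTOMERS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Run as-is it reports five findings (two Slack access violations, one group drift, two orphaned services). The checks are deliberately side-effect free: turning any of them into an automatic deactivation is a separate, explicit decision, which keeps the embarrassing auto-sync scenario the comment mentions from happening by accident.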