Case study · anonymised
Audit in 24 hours. Transformed in days.
A UK enterprise commissioned a major application delivery programme through a global consulting firm. Delivery practice was drifting. We were brought in. Within 24 hours the client had the evidence — and the audit had surfaced many more issues than anyone expected. Over the following working days we partnered with both the client and the delivery team to transform the programme: better practice, healthier delivery, problems caught before they multiplied.
- Anonymised
- 24-hour audit
- Transformed in days
Why we were engaged
Background.
A UK enterprise had commissioned a significant application delivery programme with a global consulting firm. The programme had strategic importance — its output would underpin core business operations. Material investment had already been made.
The client's risk function had concerns. Delivery milestones had slipped. Vendor assurances were not specific. When the delivery team was formally asked to change their approach, they declined. The client needed independent, evidence-based grounds to act — not an internal view that could be dismissed as political, and not a traditional assurance engagement that would take weeks they did not have.
Volorai's founders were brought in to conduct an independent, AI-enhanced assessment. The brief was clear: read-only access, no disruption, findings within 24 hours, verdict suitable for executive and board use.
Scope
What we audited.
Read-only access across four domains. The full delivery environment — not a sample. Twenty-four hours from access grant to formal report.
Code & Repository Health
Branch hygiene, commit quality, development patterns, code debt, evidence of trial-and-error engineering.
CI/CD & Pipeline Maturity
Failure rates, trigger patterns, automation versus manual operation, build validation policies, pipeline reliability scoring.
Access & Identity (RBAC/IAM)
Every role assignment resolved against the identity provider — dormant accounts, over-privileged principals, and ClickOps changes that bypass governance.
Infrastructure Security
Network exposure, endpoint configuration, compliance against security baselines, resource configuration across the full cloud estate.
Findings
What we found.
Four material findings. Every one evidence-backed, resolved directly against the environment, not inferred from documentation or vendor testimony.
Identity exposure at scale
Every role assignment was resolved directly against the identity provider. Of the active access assignments in the delivery environment, 600+ belonged to 200+ deleted identities. These assignments were not dormant relics — they were active, and automatically inherited by every new resource provisioned. There was no technical control preventing this propagation.
The delivery team had not identified this. No remediation had been scheduled. The exposure would have entered production on the programme's planned go-live date.
600+ access assignments belong to 200+ deleted identities
Recommendation
Disable orphaned principals; introduce automated identity-resource lifecycle binding.
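The check behind the first finding, as an added illustration rather than Volorai's tooling or the client's data: role assignments are resolved against the set of principals the identity provider still knows, and scope inheritance is modelled so that a grant at a parent scope surfaces on every resource beneath it, including resources provisioned after the identity was deleted. All principals, scopes and resource paths are constructed.

```python
# Constructed sample data (not the client's environment): principals the
# identity provider still resolves, and role assignments found on the estate.
LIVE_PRINCIPALS = {"u-alice", "u-bob", "sp-deploy"}
ASSIGNMENTS = [  # scope is a hierarchical path; parent-scope grants are inherited below
    {"id": "ra-1", "principal": "u-alice",   "role": "Reader",      "scope": "/sub/prod"},
    {"id": "ra-2", "principal": "u-carol",   "role": "Contributor", "scope": "/sub/prod"},
    {"id": "ra-3", "principal": "u-dave",    "role": "Owner",       "scope": "/sub/prod/rg/app"},
    {"id": "ra-4", "principal": "sp-deploy", "role": "Contributor", "scope": "/sub/prod/rg/app"},
    {"id": "ra-5", "principal": "u-carol",   "role": "Reader",      "scope": "/sub/prod/rg/shared"},
]
RESOURCES = [
    "/sub/prod/rg/app/web",
    "/sub/prod/rg/app/db",
    "/sub/prod/rg/shared/kv",
    "/sub/prod/rg/new/queue",  # provisioned after the identities were deleted
]


def orphaned_assignments(assignments, live_principals):
    """Assignments whose principal no longer resolves in the identity provider."""
    return [a for a in assignments if a["principal"] not in live_principals]


def in_scope(assignment_scope, resource):
    """True if the assignment sits on the resource itself or on an ancestor scope.
    The trailing '/' stops '/rg/app' from matching '/rg/application'."""
    return resource == assignment_scope or resource.startswith(assignment_scope.rstrip("/") + "/")


def inherited_orphans(resources, orphans):
    """Map each resource to the orphaned assignment ids it inherits."""
    out = {}
    for res in resources:
        for a in orphans:
            if in_scope(a["scope"], res):
                out.setdefault(res, []).append(a["id"])
    return out


def summarise(assignments, live_principals, resources):
    """Headline figures a report would carry."""
    orphans = orphaned_assignments(assignments, live_principals)
    exposed = inherited_orphans(resources, orphans)
    return {
        "orphaned_assignments": len(orphans),
        "deleted_identities": len({a["principal"] for a in orphans}),
        "exposed_resources": len(exposed),
    }
```

Run against a real estate, the same join is what the recommended identity-resource lifecycle binding automates: an assignment whose principal has gone is removed rather than left to propagate.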
Publicly-accessible integration infrastructure
All three shared integration namespaces were found to be accessible from the public internet. The delivery team had explicitly stated in a prior meeting that this infrastructure was secured and not publicly accessible.
Volorai confirmed this finding by an external connectivity test, not by reviewing configuration documentation. The test established a connection from outside the client's network boundary. The evidence was unambiguous and left the vendor no room to dispute it.
Integration infrastructure publicly accessible from internet
Recommendation
Restrict to private endpoints; add network-level access control.
Engineering competency and CI/CD maturity well below benchmark
The delivery team was assessed across engineering competency and CI/CD maturity using Volorai's scoring framework, calibrated against industry benchmarks (minimum 60/100 for production-readiness).
The team scored 23/100 on engineering competency and 25/100 on CI/CD maturity. Both scores sit in the range associated with trial-and-error engineering, low automation, and high delivery risk. Neither score was close to a threshold that would make production deployment responsible.
Competency assessment chart: engineering and CI/CD maturity scores.
Critical single-point dependency in delivery
Analysis of pipeline execution records showed that 91.7% of all pipeline runs were executed by a single individual. The remaining 8.3% were distributed across the rest of the delivery team.
Five core pipelines were assessed as inoperable without this individual. This concentration creates an acute operational risk — any departure, absence, or unavailability of this person would halt delivery entirely. It also represents a governance failure: no knowledge transfer, no succession, no resilience.
Pipeline concentration risk chart: single-point dependency in delivery, with five core pipelines inoperable without this individual.
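The pipeline-concentration analysis, as an added example that is not Volorai's scoring framework or the client's records: execution records are reduced to run share per actor, and each pipeline is checked for whether a single actor executed every recorded run. The records below are constructed so that the ratios mirror the finding above.

```python
from collections import Counter

# Constructed pipeline execution records (not the client's data): (pipeline, actor).
RUNS = [
    ("build-api", "u-kim"), ("build-api", "u-kim"), ("build-api", "u-kim"),
    ("deploy-api", "u-kim"), ("deploy-api", "u-kim"),
    ("build-web", "u-kim"), ("build-web", "u-raj"),
    ("deploy-web", "u-kim"), ("deploy-web", "u-kim"),
    ("db-migrate", "u-kim"), ("db-migrate", "u-kim"),
    ("lint", "u-kim"),
]


def run_share(runs):
    """Fraction of all runs executed by each actor, highest first."""
    counts = Counter(actor for _, actor in runs)
    total = sum(counts.values())
    return {actor: n / total for actor, n in counts.most_common()}


def sole_operator_pipelines(runs):
    """Pipelines whose every recorded run was executed by one and the same actor."""
    actors_by_pipeline = {}
    for pipeline, actor in runs:
        actors_by_pipeline.setdefault(pipeline, set()).add(actor)
    return {p: next(iter(a)) for p, a in actors_by_pipeline.items() if len(a) == 1}


def concentration_report(runs, threshold=0.5):
    """Flag a single-point dependency when one actor exceeds the run-share threshold,
    and list the pipelines nobody else has ever run."""
    share = run_share(runs)
    top_actor, top_share = next(iter(share.items()))
    sole = sole_operator_pipelines(runs)
    return {
        "top_actor": top_actor,
        "top_share_pct": round(top_share * 100, 1),
        "single_point_dependency": top_share > threshold,
        "pipelines_dependent_on_top_actor": sorted(p for p, a in sole.items() if a == top_actor),
    }
```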
Verdict
Not recommended in current form.
The audit verdict was acted on within 24 hours. The programme was transformed in working days, with delivery aligned to industry standards.
The formal report was issued to the client's risk function 24 hours after access was granted. It contained a clear verdict, four findings with supporting evidence, a risk register with likelihood and impact ratings, and a set of conditions under which the programme could proceed if the client chose to pursue remediation before go-live.
The report fit on a page. It did not need to be long. The evidence was unambiguous.
What followed
Transformation.
Identifying the problems was only the start. The real work was transforming the programme — encouraging better practice, aligning delivery to industry standards, and fixing what was broken before it caused more harm. It took working days, not weeks.
Within 24 hours of the report landing, the client paused planned go-live and convened both Volorai and the delivery team's leadership at the same table. The intent was explicit: not to remove the vendor, but to transform delivery practice end to end.
The audit had identified four headline findings; the transformation surfaced — and addressed — many more issues across the delivery estate as we worked alongside the team to align practice to industry standards. The work covered:
- Identity controls hardened — orphaned principals removed, automated identity-resource lifecycle binding introduced, tenant-level governance restored.
- Cloud configuration secured — public exposures closed, private endpoints introduced, network-level access controls enforced against a documented baseline.
- Engineering practice upgraded — formal code review gates introduced, peer engineering standardised, branch protection enforced across the delivery repositories.
- CI/CD practice revised — automated trigger requirements added, validation gates instated, pipeline authorship distributed so that no single individual remained a critical dependency.
- Governance refreshed — an ongoing assurance cadence introduced, a risk register integrated with phase-gate approvals, and clear evidence requirements set for future go-live decisions.
- Many smaller issues addressed — across configuration drift, repository hygiene, secret management, and team practice, all picked up as we worked through the transformation alongside the delivery team.
Within a handful of working days the programme was transformed: same parties, materially better practice, materially lower risk. Problems were caught before they multiplied. No production exposure ever occurred. No vendor change was needed. The audit served as the catalyst; the transformation did the work.
What this means for you
Every major vendor-delivered programme carries this risk.
The findings in this engagement were not unusual. Orphaned access assignments, insecure integration infrastructure, and low-competency delivery teams are common outputs when programmes are commissioned without independent technical oversight. The difference here is that the client found out before production — not after.
An introductory audit — scoped to a single subscription or resource group, delivered in hours — converts latent risk into visible evidence. An organisation that has seen what we found in this case does not need to be persuaded that independent assurance has value. The case makes itself.
Want to know what's lurking in your programme?
A conversation is the fastest way to scope whether an audit is right for you. We'll tell you honestly whether it is — and what it would find.