Defining the Target-State Application Onboarding Model for One of Australia’s Largest Telcos

About TPG Telecom

TPG Telecom is a top 100 ASX listed company and home to some of Australia’s most-loved brands including Vodafone, TPG, iiNet, Lebara and felix.

The Client

TPG Telecom is one of Australia’s largest telecommunications providers, delivering mobile, internet, and enterprise services nationwide under brands including TPG, Vodafone, iiNet, AAPT, and felix. As a critical national infrastructure operator, TPG runs an exceptionally complex technology estate: hundreds of business and network applications, multiple operating environments, large internal and partner workforces, and the security and compliance posture expected of an organisation of its size and regulatory exposure.

Identity and access governance at this scale is a non-trivial discipline. TPG operates established enterprise platforms for both Identity Governance and Administration (SailPoint) and Privileged Access Management (CyberArk): the right tools, in the hands of capable teams, doing serious work. The opportunity wasn’t with the platforms themselves; it was with the process that connected them to the rest of the organisation.

The Challenge

When you operate identity and privileged access platforms across an estate as broad as TPG’s, the application onboarding process becomes one of the highest-leverage workflows in the business. Every new system that comes online, and many that already exist, needs to be brought under proper identity governance and privileged access controls in a consistent, repeatable way. Done well, onboarding is efficient, predictable, and produces an estate where access controls are uniform and defensible. Done inconsistently, it produces friction for engineering teams, gaps in coverage, and a security and audit posture that requires constant manual reconciliation.

TPG engaged us to take a clear-eyed look at how application onboarding into SailPoint and CyberArk was being performed across the organisation, and to define what good should look like going forward. The brief was deliberately strategic:

The engagement was explicitly architecture and guidance focused, not implementation. The deliverable was a model and a set of artefacts the organisation could carry forward, not a project to reconfigure platforms.

The Approach

We structured the engagement as a focused, outcome-based piece of work delivered over a defined timeframe, drawing on our experience working through enterprise-scale identity and access programs with large, complex organisations.

Discovery, anchored in conversation with the people doing the work. The first phase was structured discovery: workshops, validation sessions, and direct collaboration with the platform teams, security stakeholders, and engineering groups closest to the onboarding process. The goal wasn’t to land with a preconceived target state; it was to genuinely understand how onboarding happens today across different application types, different access patterns, and different operational realities. Enterprise process work lives or dies on this first phase. Get the discovery wrong and the rest of the engagement produces artefacts that don’t reflect the actual environment they need to land in.

Gap and risk analysis against a defined “what good looks like”. With the current-state picture established, we structured a formal analysis against a reference target state, informed by our experience with comparable enterprise identity and access programs, by industry best practice, and by TPG’s own established Access Control Standards. The analysis identified where the current process aligned well and where opportunity existed for greater consistency, clarity, or repeatability. The output was structured for stakeholder review and decision-making rather than as a finger-pointing exercise; the value is in shared understanding of the path forward.

Target-state model definition. The core deliverable was an end-to-end target-state onboarding model spanning both SailPoint and CyberArk, covering the full range of onboarding scenarios the organisation encounters. The model was built to be standards-aligned, platform-aware, and operationally practical: not an idealised reference architecture, but a model TPG’s teams could actually operate against. Architecture diagrams were produced at the level appropriate for the audience: high-level enough to communicate the model to executive stakeholders, detailed enough to guide technical implementation.

Engineering-ready patterns and playbooks. Strategy artefacts that sit only at the executive layer don’t change how work gets done. Alongside the target-state model we produced a set of patterns and playbooks designed for the engineering teams who would be onboarding applications day-to-day. The intent was clear, jargon-light, step-by-step guidance that turned the model into something an engineering team could pick up and use without needing to consult the strategy deck.

Executive-ready communication artefacts. A workshop deck was produced for TPG to use in stakeholder communication, translating the model and its rationale into a form suited to executive and cross-functional audiences. Aligning the message across the organisation matters as much as defining the model itself.

The Outcome

A clear target-state onboarding model. TPG now has a defined, documented, end-to-end onboarding model spanning SailPoint and CyberArk, covering the realistic spectrum of onboarding scenarios across their environment, and aligned to their existing Access Control Standards.

A shared, validated view of the current state. The discovery and gap analysis phases produced an evidence-based picture of how application onboarding operates today, validated with the stakeholders closest to the work. That alignment itself is valuable: future improvement work starts from a shared understanding rather than competing assumptions.

Engineering-ready guidance. The pattern documents and onboarding playbook turn the strategic model into operationally useful artefacts. Engineering teams have a clear, low-friction reference for how to onboard applications consistently, which is what allows a target-state model to actually take hold.

Executive alignment material. The workshop deck gives TPG a way to communicate the model and its rationale to the broader organisation, supporting the change-management work that any process refinement of this kind requires.

A foundation for continuous improvement. The model isn’t static. By being properly anchored in TPG’s standards and built around the platforms in place, it provides a reference point that subsequent process refinement can build on rather than displacing.

Why It Mattered

For an organisation of TPG’s scale, the application onboarding process is one of the quiet workflows that determines whether identity and privileged access programs deliver their full value. The platforms, SailPoint and CyberArk, are mature, capable, and well-run. What multiplies their impact is the consistency of how applications enter their orbit: how identity is provisioned, how privileged access is governed, how the controls set out in policy actually land in practice.

This is the kind of work that doesn’t show up in a dashboard. It shows up over time: in audit cycles that go more smoothly, in engineering teams that spend less time navigating ambiguity, and in a security posture that’s defensible because it’s consistent, not just because the right tools are in place.

That’s the strategic value we set out to deliver, and the foundation TPG’s teams now have in hand.

The technology that we use to support TPG Telecom

SailPoint
CyberArk
Splunk
Active Directory
Entra ID
AWS Secrets Manager
Enterprise IGA Best Practices
Security Frameworks
