Apex / Apex Steward

Stop maintaining IAM governance in spreadsheets.

Apex Steward turns your vendor docs and policy PDFs into structured Identity and Access Management governance — maturity scoring, control-mapped rollout plans, live coverage across six compliance frameworks, AI conflict detection, and one-click executive reports. Built for mid-market security teams who don’t have an analyst to spare.

At a Glance

Multi-tenant IAM governance, AI-augmented.

  • Multi-tenant SaaS, multiple workspaces per account
  • AI document ingestion (Voyage AI + Anthropic Claude)
  • Six compliance frameworks (NIST CSF, ISO 27001, SOC 2, SOX, HIPAA, PCI DSS) computed live
  • AI conflict detection against your vendor’s methodology
  • One-click executive PDF reports
  • Maturity scoring — 4 dimensions, 6 levels, with trend

Live and deployed. Demo accounts are issued on request — request access to see the platform in action.

The Problem

IAM governance shouldn’t take six months and a consulting firm.

Customers buy SailPoint, Saviynt, Okta IG, or Entra ID Governance — then fall behind the rollout because no single tool tracks their environment, their vendor’s prescribed methodology, and their compliance obligations in one place. Mid-market teams get stuck in between: too small for a six-figure rollout, too serious for spreadsheets, too busy to transcribe every vendor policy by hand.

Apex Steward is the in-between. It reads your existing documents, extracts the IAM structure already buried in them, measures where you stand, and turns a slide-deck commitment into a tracked, measured, evidence-producing program.

Who It’s For

Three people who live in different parts of the product.

The IAM Program Manager owns the day-to-day — living in the implementation plan and the maturity assessments. The Security & Compliance Owner lives on the compliance dashboard and exports the executive report for auditors. The Implementation Consultant — internal or external — runs many client workspaces from one account as a shared source of truth, uploading vendor docs and reviewing conflict analysis across engagements.

The common thread: mid-market organizations, roughly 250 to 2,500 employees, that need a real governance practice without nine months or a six-figure budget to get there.

What It Does

Eight modules that make up a working IAM governance practice.

Apex Steward isn’t a single feature with marketing wrapped around it. It’s the structural pieces of an IAM governance program — the parts you’d otherwise stitch together in disconnected spreadsheets — modeled in software, kept in sync, and backed by an evidence engine.

01

Onboarding & intake

An 8–10 minute structured intake — environment, directory, IGA platform, HR/ERP source, JML scope, governance features, regulated-data flags, audit posture — that seeds every downstream module: the maturity baseline, the generated plan, the framework suggestions, and the Context Confidence score. Plain-English glossary cards on every jargon-heavy page so non-experts can self-serve.

02

Maturity assessment

A six-level model (0 Non-existent → 5 Optimised) across four dimensions: Lifecycle Events, Application Onboarding, Access Request Process, and Access Reviews & Certifications. A quick path returns a single overall score in under a minute; a detailed per-dimension path feeds the compliance evidence engine. Every assessment is timestamped with its taker, and a history chart tracks progression.

03

Implementation plan

Generated from your intake and tailored to scope. Each step carries a status check-off with completion stamps, free-text notes, and a “Maps to N controls” chip strip linking it to the exact NIST, ISO, SOC 2, SOX, HIPAA, or PCI subcategories it evidences. Plan blending lets you adopt a vendor's prescribed plan wholesale or merge specific phases — check-off state survives where step keys match.

04

Compliance dashboard

Six frameworks ship out of the box — NIST CSF 2.0, ISO 27001, SOC 2 CC6, and SOX ITGC always on; HIPAA and PCI DSS suggested from intake. Coverage is computed live against your latest maturity assessment and plan-step statuses. Partial credit is given honestly, unmapped controls are surfaced rather than hidden, and suggestion banners keep the owner in control.

05

Applications & roles

A full application inventory (SaaS / on-prem / custom / hybrid; criticality; owner; onboarding status). Roles bundle the apps they grant via many-to-many links carrying free-form entitlements. A Boolean eligibility rule builder offers AND/OR/NOT logic with type-aware operators, a plain-English live preview, and AI-assisted drafting — “all US-based finance managers” becomes reviewable rule rows, with nothing saved until you approve it.

06

Vendor docs & AI conflict detection

Upload the vendor deployment guide (SailPoint, Saviynt, Okta IG, Entra ID Governance, One Identity, Oracle). Steward embeds it and unlocks three AI surfaces: vendor plan extraction with page citations and verbatim quotes; conflict analysis that flags 4–10 severity-coded divergences between your reality and the vendor's methodology; and a per-step Reference panel answering grounded questions with citations.

07

Executive reports

One-click, board- and auditor-ready PDF for the CISO, the SOC 2 auditor, or a parent company. Sections cover an executive summary, the current maturity scorecard with trend, critical gaps ranked by severity, a 90/180/360-day roadmap, and risk callouts — with footnoted citations on every claim. Each report snapshots its inputs and is versioned per workspace.

08

Steward, the assistant

A conversational layer over the plan. It answers IAM and implementation questions about your workspace and turns a stated reality change (“they're on Oracle, not Workday”) or a roadblock into a structured accept/reject proposal. It never silently mutates the live plan — an admin applies the change, and the action is audit-logged: who asked, who committed.

The Differentiator

Extraction finds the plan. Conflict analysis tells you where you diverge.

Most IAM governance tools start with a blank table. Apex Steward starts with your vendor’s deployment guide. Upload a PDF or DOCX; Voyage AI embeddings index every section and Anthropic Claude extracts the vendor’s prescribed phase/step plan — with page citations and verbatim quotes.

Then comes the part the guide calls “the AI feature that makes Apex Steward actually intelligent.” Conflict analysis compares your intake, maturity, and plan against that prescribed methodology and returns 4–10 severity-coded divergences — critical, warning, or info — each citing the exact user-side field and the vendor-side page.

Bring a vendor deployment guide and watch real divergences surface in under a minute. Every claim traces back to its source; nothing is speculative.

Maturity Scoring

A six-level model across four dimensions.

Apex Steward scores your IAM maturity on a six-level scale — 0 Non-existent through 5 Optimised — across four dimensions: Lifecycle Events, Application Onboarding, Access Request Process, and Access Reviews & Certifications.

Two paths fit two moods: a quick assessment returns a single overall score in under a minute, while a detailed per-dimension assessment feeds the compliance evidence engine. Every assessment is saved with a timestamp and its taker, and a history chart tracks progression over time — so the output is a live picture, not a static report.

Compliance

Six frameworks, one engine.

The same maturity and plan-step evidence model drives every framework. NIST CSF 2.0, ISO 27001, SOC 2 CC6, and SOX ITGC are always on; HIPAA and PCI DSS v4.0 are suggested from intake and toggled on when you handle PHI or cardholder data — never auto-enrolled. Coverage is computed live against your latest maturity assessment and plan-step statuses. Partial credit is given honestly, and unmapped controls are surfaced rather than hidden.

  • NIST CSF 2.0: always on
  • ISO 27001:2022: always on
  • SOC 2 (CC6): always on
  • SOX ITGC: always on
  • HIPAA: intake-toggled
  • PCI DSS v4.0: intake-toggled

Why Apex Steward

Disciplined defaults, transparent AI, honest scores.

The trust points that set Apex Steward apart aren’t features bolted on at the end — they’re how the whole platform behaves. AI that cites its sources, compliance that asks before it enrolls, and scores that tell you what they don’t yet know.

Six frameworks, one engine

The same maturity and plan-step evidence model drives all six frameworks. Toggle per workspace; coverage is computed live, not exported once and forgotten.

Suggestions, not surprise enrolment

Context-aware banners surface relevant frameworks (“you handle PHI — enable HIPAA?”). The owner always confirms; nothing is auto-enrolled.

Boolean roles with AI drafting

A plain-English live preview and AI-assisted rule rows handle the 5% of access logic that confuses 95% of users — without nested parentheses.

AI grounded in the source

Every AI claim cites where it came from — a vendor doc page and quote, or an exact field. Steward proposes; a human approves. Never speculative.

Honest about what's missing

A Context Confidence banner on every output states, in plain language, how complete the picture is — and what uploading vendor docs would raise it to. Soft gates with explicit opt-out, not hard blockers.

Cost & staleness controls

Every AI call is logged with model, token counts, and estimated cost. Per-user daily limits apply, and “Re-analyze” prompts appear when inputs have moved on.

Executive Reports

One click to a board- and auditor-ready PDF.

When the CISO, the board, the SOC 2 auditor, or a parent company asks for the state of the program, Apex Steward produces it in one click. The report opens with an executive summary and the current maturity scorecard with trend, then ranks critical gaps by severity, lays out a 90/180/360-day roadmap, and calls out risks.

Every claim carries a footnoted citation — a vendor doc page, a plan step key, or a compliance subcategory id. Each report snapshots its inputs and is versioned per workspace, so re-rendering an old version reproduces exactly what was true then.

Steward, the Assistant

A chat layer that proposes — never silently acts.

Steward answers IAM and implementation questions about your workspace, grounded in the docs you’ve uploaded. When you tell it a reality has changed (“they’re on Oracle, not Workday”) or hit a roadblock (“the connector won’t authenticate”), it turns that into a structured accept/reject proposal.

It never mutates the live plan on its own. An admin applies the change, and the action is audit-logged — who asked, who committed. Proposes, then a human approves: the same principle that governs AI role-rule drafting.

Built On

Production-grade, not vibe-coded.

Apex Steward runs on TypeScript across the stack — React 18 with Vite on the front end, Node.js 20 with Express and Zod validation on the API, and Prisma over a tenant-isolated database. Production runs on AWS RDS PostgreSQL (the same Prisma schema serves SQLite in dev), deployed on AWS Elastic Beanstalk with end-to-end TLS and secrets in AWS SSM Parameter Store. The AI pipeline pairs Voyage AI embeddings with Anthropic Claude Sonnet 4.6 for extraction and reasoning.

It’s the kind of stack that scales without a rewrite and the kind of operational posture that survives a security review.

Stack: TypeScript, React 18, Vite, Node.js 20, Express, Prisma, PostgreSQL (prod) / SQLite (dev), Tailwind CSS, AWS Elastic Beanstalk, Voyage AI, Anthropic Claude Sonnet 4.6

Security Posture

What buyers actually ask about.

Multi-tenant isolation at the database layer. JWT auth with HTTP-only, Secure-flagged cookies and email verification. End-to-end TLS from the browser to the application origin. Secrets stored in AWS Systems Manager Parameter Store.

Every AI call is audit-logged with its model, token counts, and estimated cost, and per-user daily limits keep usage bounded. A Context Confidence banner on every output states, in plain language, how complete the picture is — honesty as a default, not a disclaimer. SOC 2 Type II attestation is on the roadmap, not yet attained; reach out to discuss timing if certification is a hard prerequisite.

Packaging

Three tiers, sized to where you are.

Pricing is custom and varies with organization size, identity count, and application footprint. Book a demo and we’ll quote against your actual environment — no guessing.

Starter

Single workspace, core governance features, email support.

Best for: Small teams or proof-of-concept rollouts.

  • 1 workspace
  • Role matrix and application inventory
  • Maturity scoring (4 dimensions, 6 levels)
  • Compliance dashboard (six frameworks)
  • Phased implementation plan
  • Email support
Growth

Multi-workspace, AI document ingestion and conflict detection, executive reports, onboarding workshop included.

Best for: Mid-market security teams running real IAM governance.

  • Multiple workspaces
  • AI document ingestion (Voyage AI + Anthropic Claude)
  • AI conflict detection & Reference panel
  • One-click executive PDF reports
  • Onboarding workshop
  • Business-hours support
Enterprise

Unlimited workspaces, SAML SSO, named customer success, custom integrations.

Best for: Larger organizations, consultancies, and regulated industries.

  • Unlimited workspaces and identities
  • SAML SSO (roadmap)
  • Named customer success contact
  • Custom integrations and reporting
  • SOC 2 Type II attestation (on roadmap)
Frequently Asked

Questions buyers ask before a demo.

What is IAM governance software?

IAM governance software helps an organization define, enforce, and prove that the right people have the right access to the right systems. It usually includes role matrices (who can do what), application inventories (what systems are in scope), access reviews (periodic verification), and maturity scoring. Apex Steward is purpose-built for the mid-market band where IAM governance matters but a six-figure enterprise tool isn't realistic.

Which compliance frameworks does Apex Steward support?

Six frameworks ship out of the box, all driven by the same maturity and plan-step evidence engine: NIST CSF 2.0, ISO/IEC 27001:2022, SOC 2 (CC6), and SOX IT General Controls are always on. HIPAA and PCI DSS v4.0 are suggested and toggled on from intake when you handle PHI or cardholder data — never auto-enrolled. Coverage is computed live, partial credit is honest, and unmapped controls are surfaced rather than hidden.

How is Apex Steward different from SailPoint or Saviynt?

SailPoint and Saviynt are enterprise IGA platforms — powerful but priced and scoped for organizations with dedicated IAM teams and multi-quarter implementation budgets. Apex Steward targets mid-market: faster to deploy, AI-augmented for the manual data-entry work that usually slows IAM projects down, and packaged for organizations that don't have an enterprise advisory budget.

Can AI extract IAM policies and flag conflicts from vendor documentation?

Yes — it's the core of Apex Steward's differentiation. Upload a vendor deployment guide; Voyage AI embeddings index it and Anthropic Claude extracts the vendor's prescribed plan with page citations and verbatim quotes. Conflict analysis then compares your intake, maturity, and plan against that methodology and returns severity-coded divergences, each citing the exact user-side field and the vendor-side page. Every AI claim traces back to its source.

What's the difference between IAM, IGA, and PAM?

IAM (Identity and Access Management) is the umbrella — managing who has access to what. IGA (Identity Governance and Administration) is the governance layer that decides whether the access is appropriate. PAM (Privileged Access Management) is a sub-discipline focused specifically on high-risk admin accounts. Apex Steward is primarily an IGA tool: the layer that decides and proves access is appropriate.

Does Apex Steward integrate with my existing identity provider?

Apex Steward sits above the IdP layer. Your Okta, Microsoft Entra, or Google Workspace continues to handle authentication. Apex Steward governs the policy and structural side — what roles exist, who's in them, which applications map to which roles, and how mature each domain is. SAML SSO into Apex Steward itself is on the roadmap for the Enterprise tier.

What about compliance — SOC 2, ISO 27001, HIPAA?

Apex Steward computes live coverage across six frameworks — NIST CSF 2.0, ISO 27001, SOC 2 CC6, SOX ITGC, HIPAA, and PCI DSS — all from the same maturity and plan-step evidence model. As a vendor, Apex Steward is on a SOC 2 Type II roadmap (not yet attained); reach out to discuss timing if certification is a hard prerequisite for your purchase.

Ready to See It

Book a 30-minute walkthrough.

We’ll run the AI ingestion live on one of your sample documents, show the conflict analysis surface real divergences, walk the maturity scorecard and compliance dashboard, and generate an executive report. Prefer to explore on your own first? Request a demo account and we’ll send credentials with a pre-populated workspace.