Independent security adviser · NZ
PureLayer provides governance advisory. ComplianceLayer is the compliance platform.

Your IT provider keeps the lights on. Nobody guards the door.

The operational layer is covered. The governance layer usually is not.

What the assessment delivers

Full identity and access exposure review
Governance gap summary against MSP contract scope
Inactive and orphaned account audit
Admin access map with privilege risk rating
Prioritised remediation plan owned by the organisation
Completed within 48 hours. Everything documented.
44%¹
of NZ businesses attacked in 2025. Financial losses up 118% in Q3 alone.
$500k²
proposed personal director liability under NZ critical infrastructure reform.
26%³
of user accounts are inactive but still enabled, creating identity gaps attackers exploit directly.
¹ Kordia NZ Cyber Security Report 2026
² Bell Gully — Director Liability, March 2026
³ NCSC NZ Cyber Threat Report 2025
Most NZ businesses find out they have a problem after something has already gone wrong. The ones who move early avoid becoming a case study.
Identify hidden Microsoft 365 risk →
Privacy Act 2020
NIST CSF 2.0
ISO 27001
Microsoft 365 and Entra ID
Identity governance
IPP 3A
No lock in
NZ specialist
Everything yours to keep
What standard MSP contracts do not include

Infrastructure support is covered.
Governance oversight is not.

Standard MSP contracts cover infrastructure and helpdesk. Identity governance, access lifecycle management, and compliance oversight sit outside that scope entirely.

Standard MSP scope | Outside standard MSP scope
Devices and software staying online | Former staff accounts still active in the system
Microsoft 365 email and helpdesk support | Who actually has admin access right now and why
Backups being configured | Whether backups have ever actually been tested
Software updates and patching | Brand impersonation and domain monitoring
Day to day operational issues | Governance documentation and director liability exposure

This is the layer most NZ organisations have never formally assigned to anyone.

See what your MSP contract does not cover →

Privacy Act 2020 compliance, AI workforce governance, and incident response infrastructure for NZ organisations. Runs continuously in the background. ComplianceLayer handles the compliance layer so governance stays current as legislation changes.

Visit compliancelayer.co.nz →
The governance model

One governance model.
Three operational layers.

Strategic layer
PureLayer
Strategic governance and operational oversight.
Identity governance · Risk remediation · Security architecture · Compliance advisory · AI governance · Director visibility
ComplianceLayer
Continuous governance infrastructure.
Privacy governance · AI workforce governance · Incident workflows · Board reporting · Auto-updated to legislation
Infrastructure provider
Routine infrastructure management is now largely automated.
Monitoring, patching, backup configuration, and helpdesk triage are handled by tooling across most modern MSP environments. That shift has moved real value upward into governance, oversight, and advisory. PureLayer operates at that layer, providing the strategic governance and intervention that no automated tool replaces.
Monitoring · Patching · Backups · Microsoft 365 · Device management

Source: MSP Trends 2026, Worksent, March 2026

Identity and access governance

Find out who actually has
the keys to the business

Most organisations have accounts still active from staff who left years ago. Some carry admin access. None of it is documented. The assessment maps every access point and hands back a complete governance framework the organisation owns outright.

01
Full account and access review
All user and admin accounts across Microsoft 365. Inactive, orphaned, and high risk access identified. Entra ID roles and conditional access assessed.
Clear visibility of who has access to what
02
Systems and ownership documented
Platforms, infrastructure, and provider relationships documented. A governance baseline aligned to the Privacy Act 2020, owned by the organisation from day one.
Systems, providers, and credentials all mapped
03
Risk remediation plan
MFA and conditional access improvements defined and implemented. SPF, DKIM, and DMARC email authentication set up. Backup structure reviewed and strengthened.
Reduced risk with clear direction on what needs to change
04
Governance framework yours to keep
Identity and access management, threat modelling, risk register, compliance obligations, and supplier risk assessment. Aligned to Privacy Act 2020. No lock in.
Complete framework. No ongoing dependency.

Every deliverable is documented, transferable, and handed to the organisation at the close of the engagement.

Get a Microsoft 365 identity exposure review →
What actually changes

Before the engagement.
After the engagement.

Microsoft 365 environment before and after a PureLayer governance engagement

Before: typical Microsoft 365 environment
User accounts: Unknown. Never fully audited.
Former staff access: Multiple accounts still active
Admin access: Shared. Undocumented. Untested.
MFA enforcement: Not enforced for any account
Email authentication: SPF, DKIM, DMARC absent
Governance documentation: None exists
Identity Secure Score: Typically 25% or below

After: post governance engagement
User accounts: Every account verified and documented
Former staff access: All identified, staged for closure
Admin access: Named owners. Privileges mapped.
MFA enforcement: Enforced. Conditional access defined.
Email authentication: SPF, DKIM, DMARC configured
Governance documentation: Full framework. Organisation owns it.
Identity Secure Score: Remediation plan in place

What changes after the assessment

Organisational exposure
identified and owned.

01
Former staff access identified
Every account still active from people who no longer work there is found, documented, and closed.
02
Governance gaps exposed
Everything outside MSP scope is named, prioritised, and handed back with a remediation plan.
03
Organisational ownership established
Every system, account, credential, and provider relationship documented and owned by the organisation.
Typical assessment findings
31%
of user accounts reviewed are inactive, orphaned, or carry access never formally revoked after a staff change.
Internal PureLayer assessment data, NZ SMB engagements 2025 to 2026. Small sample size — results are indicative.
4 of 4
Global Administrator accounts in a recent engagement included at least one shared mailbox with unintended admin access.
Internal PureLayer assessment data, NZ SMB engagements 2025 to 2026. Small sample size — results are indicative.
25%
average Microsoft Identity Secure Score at the start of an engagement. MFA unenforced for all accounts including Global Administrators.
Internal PureLayer assessment data, NZ SMB engagements 2025 to 2026. Small sample size — results are indicative.
What every engagement produces
Documented. Transferable. Yours.
IT systems framework documenting all infrastructure, access, and credentials
Identity governance, risk and compliance framework aligned to Privacy Act 2020
Security and risk remediation plan with prioritised actions and defined ownership
Device register cross-referenced against Microsoft Entra records
Credential governance structure with defined ownership transferred to the organisation
Email authentication, DNS, and tenant administration reviewed and secured
Governance infrastructure

ComplianceLayer runs the
compliance layer continuously.

Part of the PureLayer governance model · compliancelayer.co.nz

Privacy Act 2020
PolicyLayer
Privacy policy tool
A compliant privacy policy matched to the industry and jurisdiction. Updated automatically when the law changes.
View PolicyLayer →
AI Governance · IPP 3A
AiReady NZ
Staff AI training platform
Every staff member trained to use AI tools correctly and legally under NZ law. Board reportable records.
View AiReady NZ →
Incident Response
BreachReady NZ
Incident response workflow
Structured incident response under the Privacy Act 2020 with OPC notification assessment built in.
View BreachReady NZ →

compliancelayer.co.nz

Visit compliancelayer.co.nz →
Start the conversation

A governance assessment
starts here.

Most assessments are completed within 48 hours. Nothing is disruptive. No systems are touched without discussion. What comes back is a clear picture of what is exposed, what requires attention, and what needs to change.

The assessment is the starting point. Everything after that moves at the organisation's pace.

Responds within 24 hours, usually the same day.
All engagements are confidential.
Information handled under the NZ Privacy Act 2020.
lee@purelayer.co.nz or use the form.
