How Brex automated identity, scaled access governance, and reduced OpEx with ConductorOne
Challenges
Highly regulated fintech environment required faster, more accurate audit readiness
IT teams spent significant time on manual access requests and reviews
Need for ephemeral, auditable elevated access during emergencies
Manual processes made it difficult to enforce least privilege without slowing the business
Results
Dramatic reduction in operating expenses (OpEx)
50,000 access requests processed through ConductorOne
Lowered standing privileges and moved to on-demand, just-in-time emergency access
Ability to automate access configurations using Terraform, including adding 400 entitlements in two days
The challenge: Enabling the business while reducing risk and manual work
At Brex, IT, security, and GRC teams each play an integral part in identity and access management. Together, they provide a secure, reliable foundation for both engineering and non-engineering teams, which is essential for a strong security posture.
“As the company scales, identity naturally becomes more complex and convoluted. If you don’t know who did what, when they did it, and how they did it, you’re flying blind from a security perspective.” — Mark Hillick, CISO, Brex
Before ConductorOne, it was difficult for Brex to enforce least privilege across the company. Employees sometimes kept access after changing roles, and removing those permissions required manual intervention. There was no streamlined way to grant elevated access for urgent issues, and the process lacked the automation and auditability needed in a highly regulated environment. These gaps created operational overhead for IT, slowed down response times, and made it increasingly challenging to ensure access controls were secure and compliant.
“Everyone should have the access they need to do their job, but no one should have more than that. And when elevated access is needed, it should be ephemeral and auditable.” — Mark Hillick
The solution: One platform for requests, reviews, and ephemeral access
Brex adopted ConductorOne as a single platform to handle the full lifecycle of access requests, access reviews, and entitlement changes.
For IT, this meant no longer spending hours each week manually processing requests or removing outdated permissions. Every access decision could be tied to clear policies, with elevated just-in-time access granted only when needed and automatically revoked afterward. For GRC, it brought consistent, auditable records and controls that could be relied on during audits without heavy manual evidence collection.
By integrating directly with Okta and supporting the use of Terraform for configuring infrastructure and application entitlements, ConductorOne enabled Brex to manage access “as code,” improving auditability, reducing errors, and allowing changes to be deployed quickly at scale.
“ConductorOne was the right fit because it enabled us to automate the access request process. It reduced OpEx significantly across the GRC and IT teams.” — Mark Hillick
These automations replaced time-intensive, repetitive tasks with streamlined workflows, cutting operational expenses dramatically across IT and GRC while allowing security to maintain strict control over who has access to what. The result is a faster, more efficient access governance process that meets the needs of every team without sacrificing compliance or security.
Scaling with Terraform: 400 entitlements in two days
A major factor in Brex’s decision was ConductorOne’s native Terraform provider, which allows them to define and manage access configurations as code. This approach ensures:
Every entitlement change is auditable in version control
Infrastructure and application access configurations can be deployed, updated, or removed programmatically
Application owners can contribute changes without going through IT for every request
In just one weekend, Brex used Terraform to add 400 new entitlements for infrastructure resources.
“One of the nice things about Terraform is that app owners have autonomy. They can change configurations and send us a pull request, and we approve it. Previously, IT would have had to do it all manually. Now our role is less than 10% of what it would have been.” — Mark Hillick
Managing entitlements in Terraform also means higher performance, lower operational overhead, and a faster path to compliance evidence.
Compliance gains: Faster, easier audits in a highly regulated industry
In a fintech environment, access control and audit readiness are inseparable. ConductorOne’s automation, integrations, and improved auditability have dramatically reduced the time it takes Brex’s GRC team to review and approve access, gather evidence, and respond to auditors.
“Through automation, integrations, and improved logging, ConductorOne has dramatically reduced the time taken to perform access reviews. In a highly regulated industry like ours, that time savings is incredibly important.” — Mark Hillick
True partnership built on collaboration
From the earliest stages of the proof of concept, ConductorOne worked closely with Brex to tailor the platform to their needs. Several feature requests were implemented in just days, a pace that continued well after go-live.
That level of responsiveness, paired with ongoing executive sponsorship, gave Hillick confidence that ConductorOne was invested in Brex’s long-term success.
“There’s mutual skin in the game,” he says. “It’s truly a partnership as both companies walk forward.”
The outcome: Reduced costs, stronger governance, and high adoption
Since deployment, Brex has processed 50,000 access requests through ConductorOne, significantly cut OpEx costs, and made ephemeral, auditable access a core part of operations.
Adoption is high, driven by seamless Slack integration and workflows that fit naturally into existing processes. Brex’s adoption of ConductorOne runs from day-to-day operations all the way to the top. Hillick recalls seeing the company’s CEO direct a teammate in Slack to “just do /c1 request” to get the access they needed, a sign that ConductorOne has become part of Brex’s everyday language and workflow. As Hillick puts it, once a tool becomes part of the vocabulary, you know it’s been a success.
With Terraform automation, ephemeral access, and integrated compliance workflows, Brex has transformed identity governance from a cost center into a business enabler.
“ConductorOne is the future of identity access.” — Mark Hillick
About
Brex is an intelligent finance platform for finance teams and founders looking to spend smarter and move faster. Brex combines financial services and software to streamline workflows, unlock real-time visibility, and control spend before it happens — offering the world’s smartest corporate card, banking, expense management, and travel all in one place. Recognized as an industry leader by Forbes, Fast Company, Deloitte, Fortune, and others, Brex serves 30,000+ of the world’s best companies. Brex was founded in 2017 and is headquartered in San Francisco, California.
Industries
Financial Technology
Company Size
1,001 – 5,000 employees
Headquarters
San Francisco, California