PRISM Methodology
PRISM 02 · IT & Security

The cleanest automation surface in the company.

IT work is ticketed, logged, and runbook-shaped — the most natural place for AI to act, and often the largest single ROI in the program. Get IT right and every other function inherits the guardrails.

40→4 min
mean time to acknowledge on overnight incidents
−41%
MTTA across all incidents at an $800M retailer
2w→2d
for the quarterly, auditor-mandated access review
30–60%
of tier-1 tickets deflected before a human touches them

Weeks 1–2 · Every Program

IT owns the company’s entire AI posture.

Before a single skill ships to finance or legal, six layers go in — live within the first two weeks.

06 · Incident response: A plan for prompts that leak and outputs that expose.
05 · Approved tools: A sanctioned catalog — shadow AI found, closed, replaced.
04 · Model routing: Frontier, mid-tier, fast — assigned by role, priced by policy.
03 · Central logging: Every AI action logged, audit-ready, answerable.
02 · Data boundaries: What never leaves the company — enforced, not memo’d.
01 · Identity: SSO and MFA on your identity provider. No personal accounts.

Installed bottom-up, weeks one and two.

Week One

Shadow-AI exposure closes in week one. At one manufacturer, public chat-tool usage on company data dropped 94% once sanctioned skills shipped.

The 90-Day IT Playbook

Twelve weeks, five phases, one decision point.

Every phase ends with something live or something measured — and week twelve ends with a decision.

Weeks 1–2

Foundation & discovery

  • SSO, MFA, model routing, data-loss rules, central logging — live.
  • Shadow-AI audit run; interim acceptable-use policy published.

Weeks 3–4

The taxonomy

  • 18–24 months of ticket history classified; runbook inventory built.
  • Top candidates scored on value × AI-fit × frequency.

Weeks 5–8

Triage & lifecycle live

  • Incident triage running with confidence-gated auto-routing.
  • Onboarding orchestration live; first access review run.

Weeks 9–12

Prove and hand off

  • MTTA and deflection measured against baseline.
  • Guardrail playbook handed to the team that owns it.

Week 12

The decision point

  • Telemetry review. Wave two committed — if the numbers earned it.

Model Routing & Spend

Usage governance is an IT job now.

Which models run where, at what cost, is written policy plus telemetry — not a memo asking people to be careful.

All requests

Policy router

Frontier · 10% of traffic

Executive & high-stakes — board materials, deal analysis.

Mid-tier · 55% of traffic

Daily knowledge work — drafting, summarizing, analysis.

Fast · 35% of traffic

Transactional volume — classification, routing, tier-1 deflection.

Spend telemetry, narrated

“Marketing tripled premium usage — flagged, explained, resolved.” Anomalies arrive as sentences, not spreadsheet rows.

Caps as configuration

Thresholds per function, alerts to the owner, escalation on breach. Set once, enforced automatically.
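The router and the caps described above, as an added example in Python (this is not LightCI's or PRISM's code): a written role policy decides which tier a request gets, a ledger turns per-function caps into an alert to the owner at 80% and an escalation on breach, and a week-over-week comparison narrates spend anomalies as sentences rather than spreadsheet rows. The tier prices, caps, owner addresses, role policy and sample requests are all assumptions made for the example.

```python
"""Policy-based model routing with per-function spend caps and narrated anomalies.

Added example, not LightCI's or PRISM's code. Tier prices, the role policy,
the caps, the owner addresses and the sample requests are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed price per 1k tokens by tier (not any vendor's real pricing).
TIER_PRICE_PER_1K = {"frontier": 0.060, "mid": 0.010, "fast": 0.001}
TIER_RANK = {"fast": 0, "mid": 1, "frontier": 2}

# Written policy: the tier each role gets by default, and the highest it may request.
ROLE_POLICY = {
    "executive": {"default": "frontier", "max": "frontier"},
    "analyst":   {"default": "mid",      "max": "frontier"},
    "support":   {"default": "fast",     "max": "mid"},
}

# Per-function monthly caps (USD) and the owner who is alerted. Constructed.
FUNCTION_CAPS = {
    "marketing": {"cap": 100.0, "owner": "marketing-lead@example.invalid"},
    "finance":   {"cap": 150.0, "owner": "finance-lead@example.invalid"},
    "ops":       {"cap": 500.0, "owner": "ops-lead@example.invalid"},
}
ALERT_RATIO = 0.8                                   # warn the owner at 80% of cap
ESCALATION = "it-governance@example.invalid"        # escalation target on breach


@dataclass
class Request:
    user: str
    role: str
    function: str
    requested_tier: Optional[str] = None            # None: use the role's default
    tokens: int = 1000


@dataclass
class Decision:
    tier: str
    reason: str


def route(req: Request) -> Decision:
    """Assign a tier from role policy; clamp requests above the role's ceiling."""
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return Decision("fast", f"unknown role {req.role!r}: routed to fast")
    if req.requested_tier is None:
        return Decision(policy["default"], "role default")
    if TIER_RANK[req.requested_tier] > TIER_RANK[policy["max"]]:
        return Decision(policy["max"], f"clamped from {req.requested_tier} to role ceiling")
    return Decision(req.requested_tier, "requested tier within role ceiling")


def cost_usd(tier: str, tokens: int) -> float:
    return TIER_PRICE_PER_1K[tier] * tokens / 1000.0


class SpendLedger:
    """Accumulates spend per function; emits one alert when the 80% line is
    crossed and one escalation when the cap itself is crossed."""

    def __init__(self):
        self.spend = defaultdict(float)
        self.alerts = []                            # (recipient, message) pairs

    def record(self, req: Request, decision: Decision) -> float:
        amount = cost_usd(decision.tier, req.tokens)
        before = self.spend[req.function]
        after = before + amount
        self.spend[req.function] = after
        cfg = FUNCTION_CAPS.get(req.function)
        if cfg:
            cap = cfg["cap"]
            if before < ALERT_RATIO * cap <= after:      # crossed the 80% line on this request
                self.alerts.append((cfg["owner"], f"{req.function}: {after:.2f} of {cap:.2f} USD cap used"))
            if before < cap <= after:                    # crossed the cap on this request
                self.alerts.append((ESCALATION, f"{req.function}: {cap:.2f} USD cap breached"))
        return amount


def narrate_anomalies(prev_week: dict, this_week: dict, factor: float = 2.0) -> list:
    """Turn weekly premium-tier spend per function into sentences, flagging any
    function whose spend grew by `factor` or more week over week."""
    lines = []
    for fn, curr in sorted(this_week.items()):
        prev = prev_week.get(fn, 0.0)
        if prev > 0 and curr / prev >= factor:
            owner = FUNCTION_CAPS.get(fn, {}).get("owner", "unassigned")
            lines.append(f"{fn} premium usage rose {curr / prev:.1f}x week over week "
                         f"({prev:.2f} -> {curr:.2f} USD); flagged to {owner}")
    return lines


def run_sample():
    """Constructed traffic: three marketing requests that walk through the cap."""
    ledger = SpendLedger()
    sample = [
        Request("cfo", "executive", "marketing", None, 1_000_000),        # frontier, 60.00
        Request("ana", "analyst", "marketing", "frontier", 500_000),     # frontier, 30.00 -> 80% alert
        Request("sup", "support", "marketing", "frontier", 2_000_000),   # clamped to mid, 20.00 -> breach
    ]
    decisions = [route(r) for r in sample]
    for r, d in zip(sample, decisions):
        ledger.record(r, d)
    return ledger, decisions


if __name__ == "__main__":
    ledger, decisions = run_sample()
    print([d.tier for d in decisions], ledger.alerts)
    print(narrate_anomalies({"marketing": 20.0}, {"marketing": 62.0}))
```

The two thresholds fire on the request that crosses them and never again, so an owner sees one sentence at 80% and governance sees one at breach; the narration step is what turns the raw per-function totals into the kind of sentence the section quotes.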

The Outcome

Model spend stops being a culture campaign and becomes a dial IT turns. The telemetry layer is where the dial lives.

Worked Example

3:14 AM. The order flow just failed.

An e-commerce site, overnight, no one at a desk — the first four minutes with the triage agent on shift.

ops — incident monitor
03:14:07 ALERT checkout · order-flow — payment confirmations failing. 142 errors in 90 seconds, all regions.
03:14:09 AGENT triage started — pulling monitor history, recent changes, integration status.
03:14:31 AGENT correlated — payment-provider integration timing out since 03:11. Order flow only. Catalog and cart healthy.

Incident summary — draft

Severity: P1 · customer-facing · Scope: order confirmations, all regions

Probable cause: upstream payment-provider timeout

Runbook: PAY-07 — fail over to secondary processor, replay queued orders

03:16:02 AGENT first customer response drafted — EN · DE · FR

“We’re aware of an issue affecting order confirmations and are actively resolving it. No action is needed on your part…”

03:16:04 PAGE on-call paged — summary, timeline, and runbook attached.
03:18:22 ACK J. Alvarez acknowledged — four minutes after first failure, with full context.
monitoring —

Before

40 min

to acknowledge an overnight incident

After

4 min

triaged, summarized, and in a human’s hands

The engineer wakes to a correlated cause, a drafted summary, and a customer response in three languages. The decision is still theirs.
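The triage step in the transcript above, as an added example in Python (not LightCI's or PRISM's code): alerts are correlated against dependency health and recent changes, a confidence score is built from how well the blast radius matches a single unhealthy dependency, and the incident is auto-routed to a runbook and paged only above a threshold; below it, it waits for a human to classify. The alert, dependency and change records, the runbook index, the severity rule and the 0.8 threshold are all constructed for the example.

```python
"""Confidence-gated incident triage, in the shape of the 03:14 AM worked example.

Added example, not LightCI's or PRISM's code. The alerts, dependency states,
change records, runbook index, severity rule and threshold are constructed.
"""
from collections import Counter
from dataclasses import dataclass

CONFIDENCE_THRESHOLD = 0.8                       # auto-route at or above this
CUSTOMER_FACING = {"order-flow", "checkout", "cart", "catalog"}
P1_ERROR_FLOOR = 100                             # errors in the alert window for P1

# Runbook index keyed by (dependency, failure state). Constructed.
RUNBOOKS = {
    ("payment-provider", "timeout"): "PAY-07: fail over to secondary processor, replay queued orders",
    ("search-index", "stale"): "CAT-03: rebuild index, serve cached results meanwhile",
}


@dataclass
class Alert:
    ts: str
    service: str
    errors: int


@dataclass
class Dependency:
    name: str
    state: str            # "healthy", "timeout", "stale", ...
    since: str
    used_by: frozenset    # services that call this dependency


@dataclass
class Change:
    ts: str
    service: str
    summary: str


def triage(alerts, deps, changes, all_services):
    """Correlate alerts against dependency health and recent changes.
    Returns a summary dict; 'auto_routed' is True only above the threshold."""
    failing = Counter()
    for a in alerts:
        failing[a.service] += a.errors
    healthy = sorted(s for s in all_services if s not in failing)

    # Candidate causes: unhealthy dependencies that some failing service relies on.
    candidates = [d for d in deps
                  if d.state != "healthy" and failing.keys() & d.used_by]
    recent_changes = [c for c in changes if c.service in failing]

    confidence, cause, runbook = 0.0, "undetermined", None
    if len(candidates) == 1:
        dep = candidates[0]
        cause = f"{dep.name} {dep.state} since {dep.since}"
        confidence = 0.5                                   # exactly one unhealthy dependency
        if set(failing) <= dep.used_by:
            confidence += 0.3                              # blast radius matches its consumers
        if not recent_changes:
            confidence += 0.2                              # nothing shipped to the failing services
        runbook = RUNBOOKS.get((dep.name, dep.state))
    elif candidates:
        cause = "multiple unhealthy dependencies: " + ", ".join(d.name for d in candidates)
        confidence = 0.3

    customer_facing = bool(set(failing) & CUSTOMER_FACING)
    severity = "P1" if customer_facing and sum(failing.values()) >= P1_ERROR_FLOOR else "P2"

    return {
        "severity": severity,
        "customer_facing": customer_facing,
        "scope": sorted(failing),
        "healthy": healthy,
        "probable_cause": cause,
        "runbook": runbook,
        "confidence": round(confidence, 2),
        # The gate: the agent routes and pages on its own only above the threshold
        # and only when a runbook exists; otherwise the incident waits for a human.
        "auto_routed": confidence >= CONFIDENCE_THRESHOLD and runbook is not None,
        "recent_changes": [c.summary for c in recent_changes],
    }


# Constructed records mirroring the transcript.
ALERTS = [Alert("03:14:07", "order-flow", 142)]
DEPS = [
    Dependency("payment-provider", "timeout", "03:11", frozenset({"order-flow"})),
    Dependency("search-index", "healthy", "", frozenset({"catalog"})),
]
CHANGES = [Change("02:40", "catalog", "price feed refresh")]   # not on a failing service
SERVICES = {"order-flow", "checkout", "cart", "catalog"}

if __name__ == "__main__":
    print(triage(ALERTS, DEPS, CHANGES, SERVICES))
```

Run on the constructed records the summary comes out as P1, scope order-flow, cause "payment-provider timeout since 03:11", runbook PAY-07 and auto-routed; add an alert for a service the payment provider does not serve and the confidence drops below the threshold, so the same incident is queued for a human instead of paged automatically.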

The Incident Loop

Every incident runs the same loop — and the runbook gets smarter each pass.

RUNS 24/7
Detect
Triage & correlate
Draft response
Human acknowledges
Runbook updated

…and back to detect.

The Skill Catalog

The first wave of IT skills.

Eight named, callable workflows — chosen from where the ticket data says the hours go.

01

Incident triage & routing

Classifies, correlates, auto-routes above a confidence threshold — first response drafted before a human opens the ticket.

02

Onboarding & offboarding orchestration

One flow across identity, tickets, HR — including the post-M&A account sprawl nobody has a map of.

03

Access review automation

Identity export in, per-manager certifications out, reconciled in real time. Two weeks becomes two days.

04

Change-window narration

Rationale, impact, rollback — written at the moment of change, not reconstructed at audit time.

05

Runbook generation

Tribal knowledge becomes living documents the whole team can run.

06

Multilingual tier-1 deflection

Answers in any office language, escalates cleanly. 30–60% of tier-1 volume never reaches the queue.

07

Weekly IT health report

Ticket volume, incident trends, SLA posture — writes itself instead of eating a Friday afternoon.

08

Integration health monitoring

Catches the silent ERP sync failure before finance does.

Vendor & Operating Discipline

The gatekeeper, without the bottleneck.

One lifecycle for every AI tool — say yes quickly, no defensibly, and keep it proven in production.

Vet

SOC 2, data residency, model-training opt-out — in writing.

Sandbox

Defined data boundaries before any wide rollout.

Approve

A real procurement path — exit plan decided at signing.

Monitor

Scheduled spot checks; vendor model changes logged with an approver.

Re-validate

What held for eight users gets re-proven at eight hundred.

Fallback

Critical paths get a manual fallback and a second vendor.

The Point

AI vendors join the same business-continuity planning as every other single point of failure. These systems stop being special and start being infrastructure.

The Guardrail Playbook

The document your team owns when we leave.

Six sections, named owners, a review cadence — a playbook your team runs after we leave.

Internal · Controlled Document

AI Guardrail Playbook — v1.0

§1

The model-routing policy

Which tier runs where, and who can change it.

§2

Integration allowlists

Which tools may connect to what — explicitly, by name.

§3

Data bright lines

What never leaves the company, by classification.

§4

Spend telemetry & escalation thresholds

The caps, the alerts, and who gets them.

§5

The AI incident runbook

Who’s paged when a prompt leaks data or an output goes wrong.

§6

Review cadence & owners

A playbook nobody revisits expires.

If it isn’t written down, it isn’t a policy — it’s a vibe.

Worked Example

Day one at a multi-brand company.

A new hire joins — and the same flow runs in reverse on exit day, which is the one that matters for security.

Before

~3 days

Six tickets, six queues, each with its own SLA — something always missed.

After

~4 hours

One skill call — plan generated, tickets opened, completion tracked, day-one access proven.

The Post-M&A Estate

Every acquisition adds an account sprawl.

For serial acquirers, this is the workstream that pays for the whole program.

Day-one provisioning for acquired employees

The provisioning plan spans both estates. Acquired employees work on day one, not week three.

Estate mapping across brands

A living map of who has access to what, across every system the deal brought in.

Integration health monitoring

The silent sync failure between acquired ERP and parent CRM — caught before finance sees it.

The same rigor on divestitures

Every credential revoked, every access documented — one report for the deal team.
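The access-review skill from the catalog (identity export in, per-manager certifications out, reconciled as decisions land) and the divestiture report above (every credential revoked, every access documented) share one mechanism, shown here as an added example in Python that is not LightCI's or PRISM's code. The CSV export, its column names, the review date, the 90-day staleness window and the manager decisions are all constructed; a real identity provider export has its own schema.

```python
"""Access review from an identity export: per-manager certification packets,
reconciled decisions, a revocation list and an auditor-ready export.

Added example, not LightCI's or PRISM's code. The export, the column names,
the review date, the staleness window and the decisions are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date

REVIEW_DATE = date(2024, 6, 1)       # constructed review date
STALE_DAYS = 90                      # entitlement unused this long gets flagged for the reviewer

# Constructed identity export: one row per (user, entitlement).
IDENTITY_EXPORT = """\
user,manager,system,entitlement,last_used
a.chen,m.ruiz,erp,ap-approver,2024-05-02
a.chen,m.ruiz,crm,sales-read,2024-05-20
b.osei,m.ruiz,erp,gl-admin,2023-11-14
c.dube,k.patel,vpn,remote-access,2024-05-21
c.dube,k.patel,erp,ap-approver,2024-01-09
d.kim,,crm,sales-read,2024-05-19
"""

# Constructed manager decisions keyed by (manager, user, system, entitlement).
DECISIONS = {
    ("m.ruiz", "a.chen", "erp", "ap-approver"): "keep",
    ("m.ruiz", "b.osei", "erp", "gl-admin"): "revoke",
    ("k.patel", "c.dube", "erp", "ap-approver"): "revoke",
    ("k.patel", "c.dube", "vpn", "remote-access"): "keep",
}


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_certifications(rows):
    """Group entitlements by manager into certification packets. Rows with no
    manager go to an ORPHANED queue so they cannot silently pass the review."""
    packets = defaultdict(list)
    for r in rows:
        last_used = date.fromisoformat(r["last_used"])
        packets[r["manager"] or "ORPHANED"].append({
            "user": r["user"], "system": r["system"], "entitlement": r["entitlement"],
            "last_used": r["last_used"],
            "stale": (REVIEW_DATE - last_used).days > STALE_DAYS,
            "decision": None,
        })
    return dict(packets)


def reconcile(packets, decisions):
    """Apply decisions to the packets in place. Returns (revocations, outstanding):
    keys decided 'revoke', and keys that still have no decision."""
    revocations, outstanding = [], []
    for manager, items in packets.items():
        for it in items:
            key = (manager, it["user"], it["system"], it["entitlement"])
            it["decision"] = decisions.get(key)
            if it["decision"] == "revoke":
                revocations.append(key)
            elif it["decision"] is None:
                outstanding.append(key)
    return revocations, outstanding


def audit_export(packets):
    """Auditor-ready CSV: every entitlement, its reviewer, staleness and decision."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["manager", "user", "system", "entitlement", "last_used", "stale", "decision"])
    for manager, items in sorted(packets.items()):
        for it in items:
            w.writerow([manager, it["user"], it["system"], it["entitlement"],
                        it["last_used"], "yes" if it["stale"] else "no", it["decision"] or "PENDING"])
    return out.getvalue()


def run_review(export_text, decisions):
    packets = build_certifications(parse_export(export_text))
    revocations, outstanding = reconcile(packets, decisions)
    stale = [(m, it["user"], it["system"], it["entitlement"])
             for m, items in packets.items() for it in items if it["stale"]]
    return {"packets": packets, "revocations": revocations,
            "outstanding": outstanding, "stale": stale, "export": audit_export(packets)}


if __name__ == "__main__":
    result = run_review(IDENTITY_EXPORT, DECISIONS)
    print("revoke:", result["revocations"])
    print("outstanding:", result["outstanding"])
    print(result["export"])
```

Two design points carry the security weight: an entitlement with no manager is never dropped, it lands in an ORPHANED queue that stays outstanding until someone owns it, and the revocation list is derived from recorded decisions rather than typed by hand, so the same export also serves as the auditor's evidence and, on a divestiture, as the one report the deal team receives.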

The IT Dashboard

Six numbers that tell you if it’s working.

The board we review at week twelve — a stalled number is visible the week it stalls.

prism — IT telemetry

MTTA trend

4.2 min · −41%

Deflection by category

Access requests · 62%
How-to · 58%
Hardware · 31%

Access-review cycle time

2.1 days

was 14 days · auditor-ready export attached

Weekly actives per skill

tier1-deflect
388
incident-triage
214
onboard-orch
96

Integration health

Identity ↔ HRIS · OK
Helpdesk ↔ CMDB · OK
ERP ↔ CRM sync · DEGRADED

degradation narrated & ticketed 08:12

Model spend by function

Marketing · FLAG
Finance
Ops

anomaly explained — resolved, cap adjusted

The Bottom Line

IT gets the runbooks. And everyone else gets an IT team that answers in four minutes instead of forty.

The Proof Behind the Playbook

Engagement

A PE-backed treasury software company

Enterprise mobile approvals shipped in four weeks — the #1 RFP blocker eliminated.

Engagement

A global spend-management platform

94% reduction in manual procurement touchpoints; 87% of exceptions resolved without a human.

PRISM 06

Governance

The operating model that keeps all of this defensible.


Ready to move

Ready to put this to work?

Start with one function. We’ll show you the process inventory, the skills we’d ship, and the number we’d be accountable to.

Talk to LightCI