Loop IT-2 · IT & governance · reports to Nish

45 accounts, audited monthly, deltas only.

A monthly sweep of Google Workspace safety basics — two-step verification, admin counts, third-party app grants, dormant accounts — reported as what changed, not a wall of green.

Built & tested — pilotWave 4🕐 Monthly⚙️ Script over admin CLI
Part 1 — the plain-english view

Security posture drifts quietly. This loop notices.

What it watches
  • Two-step verification coverage across all accounts
  • Admin counts, dormant/never-logged-in accounts, root-OU strays
  • Third-party app permissions — diffed month over month
  • Forwarding rules (pending one tooling grant — reported honestly as a gap until then)
When & how it speaks

Monthly to Nish, deltas only: what changed since last month. A stable posture is a two-line email.

Why it exists

Nobody audits workspace security on a rhythm — it gets audited when something scares us. First live run: 95% two-step coverage (39/41), zero dormant accounts, admin counts as expected, one account in the root OU to relocate, and ~118 third-party app grants now baselined for future diffs.

95%
two-step verification coverage on the first sweep (39 of 41 users)
0
dormant accounts found — and now it stays that way, checked monthly
~118
third-party app grants baselined — next month's diff will show any new ones

Monthly

First Sunday

👀

Sweeps the tenant

2SV, admins, tokens, dormancy, OUs

📸

Diffs vs baseline

Only changes surface

💬

Delta email to Nish

Two lines when stable

Fixes are human

Hardening actions run as their own approved tasks

What it will never doNever changes a user, setting, or permission — it audits; hardening is done by people.
Where it stands today · July 2026Built and live-tested. One check (forwarding rules) needs a service-account delegation grant to work tenant-wide — the loop reports that gap honestly in its digest rather than skipping silently. Awaiting that grant decision from the Wave-4 questions.
Part 2 — under the hood

How it's wired: systems, models, and the path a number takes.

For implementers and the technically curious. The full build sheet — verified queries, thresholds, and build notes — lives on the specs page.

ReadsGoogle Workspace
Via the admin CLI (GAM), read-only sweeps
Stepit2_security_posture.py
Coverage checks + month-over-month diff
StatePosture baseline
Last month's snapshot — the thing deltas are computed against
DeliversMonthly delta email
To Nish
System we read Automated step State / memory Human decision
SystemRole in this loop
GAMWorkspace admin CLIThe established admin tool for tenant operations — used here in read-only mode for the sweeps.
Hermesagent runtime on our serverThe scheduler that wakes the loop up. Each loop is a cron job under a Hermes profile; the planned bizops profile will host the business digests (IT loops run under vpsops).
Healthcheckshealthchecks.huxapps.comThe dead-man's switch. The loop pings it only after a clean run — if the loop dies or errors, the ping stops and Healthchecks raises the alarm independently. This is how 'never silent' is enforced by machinery, not promises.
Email renderer + gwsrender_email.pyAll digests pass through one shared renderer: Huxberry-branded HTML, tables for repeated rows, a coral 'needs your response' box when the loop has questions, and an arrow link on every record. Sent from the loops mailbox via the Google Workspace CLI.
Loop chassisloop_common.pyShared plumbing every loop reuses instead of reinventing: state files, run-over-run diffing, Metabase drill-down link building, quiet-on-green notify logic.
Model / brainWhat it does here
None at run timedeterministic scriptA normal cycle is a plain Python script — no AI tokens are spent unless a diagnosis or judgment step is actually needed. AI wrote the script; the script does the rounds.
GPT-5.5 via Codexthe bulk-work modelWrote and maintains the mechanical parts — SQL, diffing, digest assembly. Effectively free on our existing subscription, so routine cycles cost almost nothing.
State & memory

The monthly posture snapshot: per-user 2SV, admin list, token grants — diffs come from here.

Delivery

Monthly email, deltas only.

Safety rails

Read-only admin credential path; individual account details stay out of the public digest (aggregates only).

Before it can run for real
  • Service-account delegation grant for the forwarding-rules check (open Wave-4 question)
Full build sheet →