Terrain
NSPM-33 Deal Frame — When the VP for Research Owns the Liability but Not the Budget

The VP for Research at your Tier 1 R1 is about to sign an RSP cybersecurity certification that carries False Claims Act liability. Penn State and Georgia Tech both settled FCA cases without a single breach. The identity controls she needs — lifecycle governance for visiting scholars, affiliates, cross-institutional collaborators — don't exist in her HR system. And the budget she'd use to fix it is the same budget she's defending against federal funding cuts. Here's how to frame the deal across four committee buyers when the most motivated champion is also the most constrained.

Tier 2 Portrait — The Mid-Size University CIO Who Signs Alone

At Tier 2, one person holds the budget, the GLBA compliance obligation, and the vendor relationship. The CIO signs alone. Their CISO influences but doesn't control spend. Their CFO controls whether the request survives the budget cycle. And their institution is running semi-manual provisioning against 40%+ annual student lifecycle churn with no headcount relief in sight. Pitch IAM as a new security line item here and it dies in a room you'll never enter. This portrait maps the buyer, the stakeholders, and the cost-reduction reframe that gets the deal through.

Dual Feature

The Canvas Breach Is an Identity Governance Story
ShinyHunters didn't breach Canvas through the enterprise product. They walked in through a free account tier that shared infrastructure with 9,000 institutions' production environments. The 3.65 TB they claim to have exfiltrated will get the coverage, but the credential pathway they exploited exists, in some form, in virtually every campus environment right now. An intelligence brief on the ungoverned provisioning problem, the HECVAT questions it maps to, and the one question worth asking on any call this week.

First-Call Guide for Tier 3 Institutions
The Canvas breach intelligence in our companion piece applies at every tier. But carrying it into a three-person IT shop at a community college requires understanding a buying environment that operates on entirely different logic than mid-size institutions. Decision authority concentrates in one or two people. Purchases follow triggers. And the federal safety net that partially compensated for being under-resourced just disappeared. A behavioral guide to the first call.
The Identity Lifecycle Tax

Enrollment is declining, but identity lifecycle workload isn't. At mid-size institutions facing the enrollment cliff, international revenue collapse, and operating deficits simultaneously, student churn still exceeds 40% annually — generating thousands of provisioning and deprovisioning events absorbed by IT staff that just lost a position to a hiring freeze. The cost is concrete: six figures in manual labor, hundreds of thousands in orphaned SaaS licenses, and an audit remediation nobody budgeted for. The argument that survives a budget committee at an institution running a deficit is dollars and FTE hours saved.

Competitive Sidebar

NC State confirmed in April 2026 it is migrating from Shibboleth to Entra ID after 18 years, application by application, no published end date. Bundle consolidation won this deal. Accept that.
What matters for your next R1 call: NC State's own documentation confirms Entra ID cannot natively support multilateral federation and requires Cirrus Bridge middleware to keep InCommon membership alive. Microsoft's published Higher Ed architecture agrees. Shibboleth is being repositioned here, not eliminated. Your move: lead on governance depth and federation coexistence.
