Give every new joiner the least access they need, the right training, and a clear record of what was set up.
Pre-day-1
- Decide their role and grant access by role.
- Create the account, but don't enable it until day 1.
- Provision encrypted, MFA-enrolled, EDR-protected hardware.
- Prepare a one-page welcome doc.
Day 1
- Help them enrol MFA — authenticator app, not SMS.
- Set them up in the password manager.
- Walk through the AI usage policy and acceptable use.
- Show them the incident reporting route.
First week
- Schedule a 15-minute social engineering brief.
- Confirm they have ONLY what they need.
- Add them to the tools register.
Common mistakes
- Cloning a colleague's permissions.
- Skipping MFA setup.
- SMS-only MFA.
- No record of what was set up.
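Added example, not part of the original checklist: a least-privilege check that diffs a joiner's granted entitlements against their role baseline, rejects SMS MFA, and emits the tools-register record, covering "grant access by role", "confirm they have ONLY what they need" and the "cloned permissions" / "no record" mistakes. The role baseline, the cloned grant set and the approved MFA methods are constructed for illustration.

```python
"""Least-privilege check for a new joiner: compare what was granted against
the baseline for their role, flag the MFA method, and emit a record for the
tools register. Added example; the baseline and granted sets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed baseline: the minimum entitlements each role needs.
ROLE_BASELINE = {
    "support-engineer": {"helpdesk:agent", "wiki:read", "vpn:standard"},
    "backend-developer": {"github:dev-team", "ci:read", "wiki:read", "vpn:standard"},
}

# Constructed: what actually got granted when a colleague's permissions were cloned.
CLONED_GRANT = {"github:dev-team", "ci:read", "wiki:read", "vpn:standard",
                "aws:prod-admin", "github:org-owner"}

APPROVED_MFA = {"authenticator", "hardware-key"}  # SMS deliberately excluded

@dataclass(frozen=True)
class AccessReview:
    user: str
    role: str
    excess: frozenset    # granted beyond the role baseline: remove
    missing: frozenset   # in the baseline but not granted: add
    mfa_method: str

    @property
    def compliant(self) -> bool:
        return not self.excess and not self.missing and self.mfa_method in APPROVED_MFA

def review_access(user: str, role: str, granted: set, mfa_method: str) -> AccessReview:
    """Diff granted entitlements against the role baseline. Unknown roles raise
    KeyError on purpose: access is granted by role, never ad hoc."""
    baseline = ROLE_BASELINE[role]
    return AccessReview(user, role, frozenset(granted - baseline),
                        frozenset(baseline - granted), mfa_method)

def register_entry(review: AccessReview, when: Optional[datetime] = None) -> dict:
    """Build the tools-register record: who, which role, what to fix, and when."""
    actions = [f"remove {e}" for e in sorted(review.excess)]
    actions += [f"grant {m}" for m in sorted(review.missing)]
    if review.mfa_method not in APPROVED_MFA:
        actions.append(f"re-enrol MFA (current: {review.mfa_method})")
    return {"user": review.user, "role": review.role, "compliant": review.compliant,
            "reviewed_at": (when or datetime.now(timezone.utc)).isoformat(),
            "actions": actions}

if __name__ == "__main__":
    print(register_entry(review_access("new.joiner", "backend-developer", CLONED_GRANT, "sms")))
```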