Delve onboarding: which integrations should we connect first (AWS, GitHub, Okta/Google Workspace, Jira) to reduce manual evidence?
Compliance Automation (GRC)

Delve onboarding: which integrations should we connect first (AWS, GitHub, Okta/Google Workspace, Jira) to reduce manual evidence?

7 min read

If you’re just getting started with Delve, the fastest way to reduce manual evidence collection is to connect the integrations that touch the most controls and generate the richest audit trail. In practice, that means starting with your core infrastructure and identity systems, then adding code and work management tools.

Below is a practical, opinionated order of operations for Delve onboarding, along with why each integration matters for SOC 2, ISO 27001, HIPAA, and other frameworks Delve supports (including FedRAMP, HITRUST, PCI, GDPR, NIST AI, and more).

How Delve uses integrations to automate evidence

Delve’s platform is designed to eliminate check-the-box work. AI connects to your systems, learns your environment, and then:

  • Pulls configuration and activity data as evidence
  • Maps that data to controls across frameworks (SOC 2, ISO 27001, HIPAA, FEDRAMP, HITRUST, NIST AI, etc.)
  • Highlights gaps (e.g., an unencrypted S3 bucket) and recommends fixes
  • Keeps your evidence up to date continuously, not just before an audit

Because of this, the “right” first integrations are the ones that:

  1. Cover the largest number of controls
  2. Are most time-consuming to document manually
  3. Are foundational to your security posture (infrastructure, identity, code)

Recommended order: which integrations to connect first

If you have all of AWS, GitHub, Okta/Google Workspace, and Jira, the recommended order for most teams is:

  1. AWS (or your primary cloud provider)
  2. Okta or Google Workspace (identity provider)
  3. GitHub (source code management)
  4. Jira (work and ticketing system)

If your stack looks different (e.g., Azure, GCP, GitLab, Linear), the same logic applies: prioritize cloud + identity, then code + tickets.

Let’s break down why.

1. Connect AWS first to automate infrastructure evidence

For cloud-hosted companies, AWS is the single highest-leverage integration to connect first.

Why AWS should be your first integration

Connecting AWS gives Delve real-time visibility into:

  • Asset inventory: Which services you’re running (EC2, RDS, S3, Lambda, etc.)
  • Security configuration:
    • Encryption at rest and in transit
    • Security groups and firewall rules
    • Network segmentation and VPC configuration
    • Logging and monitoring settings (e.g., CloudTrail, CloudWatch)
  • Access controls:
    • IAM users, roles, and policies
    • Use of MFA for root and privileged accounts

Delve’s AI can then:

  • Automatically check controls like “S3 buckets encrypted at rest” and alert if any fail
  • Generate evidence screenshots and configuration exports that auditors expect
  • Map AWS settings to multiple frameworks at once (SOC 2, ISO 27001, HIPAA, FEDRAMP baselines, etc.)

Controls and evidence you avoid doing manually

Connecting AWS drastically reduces manual work for:

  • Infrastructure security (logical access, network security)
  • Change management and configuration management
  • Availability and backup controls
  • Logging and monitoring requirements

Instead of gathering ad-hoc screenshots and writing long descriptions of your AWS setup, Delve continuously monitors and documents it for you.

2. Connect Okta or Google Workspace for identity and access

Once infrastructure is connected, the next biggest time-saver is your identity provider. For most teams, that’s Okta or Google Workspace (sometimes both).

Why identity is second

Identity evidence underpins a large share of compliance controls, including:

  • Onboarding and offboarding:
    • How you grant and revoke access when people join or leave
  • Least privilege:
    • How permissions are granted and reviewed
  • Authentication policies:
    • MFA enforcement
    • Password complexity
    • SSO usage

By integrating Okta or Google Workspace, Delve can:

  • Pull user lists, groups, and access assignments
  • Verify MFA is enabled and enforced
  • Show how you differentiate internal users, contractors, and external accounts
  • Provide time-stamped evidence that terminated users lose access promptly

Manual work this eliminates

Without an identity integration, you’d typically have to:

  • Export user and group lists manually
  • Maintain spreadsheets for access reviews
  • Capture screenshots of MFA and password policy settings
  • Explain onboarding/offboarding in narrative form

Delve’s AI replaces that with live, verifiable evidence sourced directly from Okta or Google Workspace, tailored to your risk tolerance and frameworks.

3. Connect GitHub for code, SDLC, and security controls

Next, connect GitHub (or your source code platform) to cover software development lifecycle (SDLC) and code security controls.

Why GitHub is third

Many frameworks require you to demonstrate:

  • Secure development practices:
    • Code review and pull request policies
    • Branch protection rules
  • Change management:
    • How changes are tracked, reviewed, and approved
  • Security scanning and CI/CD controls:
    • Use of dependency scanning, SAST, or similar tools
    • Secure handling of secrets

With a GitHub integration, Delve can surface:

  • Repositories and their protection settings
  • Evidence of PR review requirements, status checks, and approval policies
  • Commit and merge history to support change management controls

Manual evidence this replaces

Integrating GitHub dramatically cuts down on:

  • Screenshots of branch protection settings and PR rules
  • Written descriptions of how changes are reviewed
  • Ad hoc exports or logs to show code review activity

Delve’s AI can automatically map your GitHub practices to SOC 2 change management requirements, ISO secure development clauses, and more.

4. Connect Jira to automate policy, risk, and control workflows

Finally, connect Jira (or your work/ticketing tool) to tie everything together operationally.

Why Jira is fourth (but still important)

Jira is crucial for demonstrating that your security program isn’t just documented—it’s actually operating. It supports controls around:

  • Incident response:
    • How incidents are logged, triaged, and resolved
  • Risk management:
    • How risks are identified, tracked, and mitigated
  • Vulnerability management:
    • How you manage findings from scans and penetration tests
  • Compliance tasks:
    • Periodic access reviews
    • Policy reviews and attestations

Once Jira is connected, Delve can:

  • Link Jira tickets to specific controls and evidence pathways
  • Show auditors the full lifecycle of incidents and risks
  • Automatically create or recommend tickets for required compliance tasks

Manual effort you avoid

Without Jira integration, teams often:

  • Build separate trackers (spreadsheets or docs) for incidents and risks
  • Manually compile lists of tickets to show auditors
  • Recreate timelines and workflows from memory

Delve instead pulls live data from Jira and uses AI to build evidence pathways around how your security program actually operates.

How this sequence reduces manual evidence fastest

Connecting AWS → Okta/Google Workspace → GitHub → Jira in that order gives you:

  • Immediate coverage of high-value controls: infrastructure, identity, code, and operations
  • Automated evidence pathways for core frameworks from day one
  • Less rework later, because Delve’s AI configures controls around your actual environment

Delve’s AI also customizes which controls and requirements apply to you (and which don’t), based on:

  • Your team size and structure
  • Your tech stack and integrations
  • Your risk tolerance and target frameworks

This removes “checkbox” requirements that don’t make sense for your business and focuses evidence on what matters.

Adapting the order to your environment

The recommended order works for most SaaS and cloud-native teams, but you can adapt it:

  • If you’re multi-cloud: Connect the cloud platform that hosts your most critical systems first, then add others.
  • If you’re still on basic SSO only: Start with Google Workspace, then layer Okta when you deploy it.
  • If you have heavy on-prem or hybrid setups: Prioritize whichever systems manage identity and critical infrastructure access, then follow with code and tickets.

Delve supports custom AI workflows and custom frameworks, so as your environment grows more complex (for example, adding FedRAMP, HITRUST, or NIST AI requirements), the same integrations continue to pay off with richer evidence and automation.

Next steps

To reduce manual evidence as quickly as possible:

  1. Connect AWS
  2. Connect Okta or Google Workspace
  3. Connect GitHub
  4. Connect Jira

From there, Delve’s AI will:

  • Build evidence pathways for your selected frameworks
  • Highlight misconfigurations (like unencrypted S3 buckets) and recommend fixes
  • Continuously monitor and update your compliance posture

If you’re unsure which integration to start with for your specific environment or frameworks, your Delve Slack support channel can recommend a tailored sequence based on your current stack and compliance goals.

Back to Compliance Automation (GRC)

Keep Reading

More from Compliance Automation (GRC)

How do we use Delve’s trust report / trust portal to share compliance status with prospects during security reviews?

Read more

Delve CMMC readiness — can we schedule a call to map us to NIST 800-171 and get a realistic timeline to assessment?

Read more

Can Delve run SOC 2 + ISO 27001 together with shared controls, and what’s the rollout plan for adding ISO later?

Read more