But which is the stone that supports the bridge?
—Kublai Khan, looking for the component causing his bottleneck
In earlier chapters, I made the point that compliance is not simply reporting, and that it should be part of the entire identity process rather than something that comes out after all your daily, weekly, or monthly processes have been run. Testing is a similar paradigm. It should be baked into your thinking before, during, and after deployment. Testing should also be used both tactically and strategically, thinking in terms of identity and access. You will want to test granular functions as well as entire use cases, individual actions as well as bulk, single steps and series of steps. These include