Deloitte × Kindo - Portfolio Management

Program Status

YELLOW

Apr 27, 2026

Executive Overview

Deloitte Meeting Apr 28 — Key Outcomes: Portal for real-time issue tracking and request submission confirmed for delivery this week. Credential pinning per agent step (top priority for Matthew Lew’s team) is in active development — Bryan estimates 2–3 weeks. Canvas architecture tactical fixes delivered (dynamic parameters, chat actions API); broader redesign discussion planned with Kush next week.

Integration sandbox access is the key bottleneck — Deloitte’s VPN/legal requirements prevent Kindo from testing integrations directly. Nathan confirmed it’s a Deloitte-side blocker. Bryan proposed a dedicated test instance or live call-based testing as workarounds. Exchange/Outlook integration clarified post-meeting — Nathan confirmed use case is sending messages via client/OWA, suggested SMTP relay as alternative. Mo confirmed it's in flight and can be disabled per instance.

59 open items remain (3 urgent). 80 of 201 total items delivered (40%). SQL database connectivity starting this week per Mo. SailPoint ISC write ops confirmed not yet started. New request: Kali Linux MCP server for penetration testing use cases.

🚧 Key Strategic Blockers

🔥

Integration Sandbox Access — Cannot Test Integrations BLOCKED

Kindo cannot directly access Deloitte sandbox environments for integration testing due to VPN and legal requirements. Nathan confirmed this is a Deloitte-side blocker. Bryan proposed a dedicated test instance or live call-based testing as workarounds. This slows all integration development from hours to weeks.

🔥

ThreatConnect MCP — ~80% Tool Call Failure Rate CONFIRMING

ThreatConnect integration parameters consistently rejected. ~80% of tool calls fail. Engineering investigating root cause in MCP configuration. Status being confirmed with Deloitte team.

🔧

Sandbox Cleanup Race Condition FIX IN TESTING

Root cause identified. Bryan confirmed fix undergoing robust load testing before release to avoid regression. Will ship in v3.17 or 2026.04 release.

⚠️

Canvas Architecture Redesign Needed PLANNING

Tactical fixes delivered (dynamic parameters, chat actions API). Bryan and Kush planning broader architecture discussion next week during LA visit. Current approach hitting limitations for complex use cases.

🎯 3 Main Priorities

🔒

Credential Pinning Per Agent Step IN DEVELOPMENT

Top priority from Matthew Lew’s team (Apr 28 meeting). Ability to pin specific integration credentials per agent step for delegated access workflows. Bryan estimates 2–3 weeks. Already in active development.

⚡

Multi-Active MCP Connections TODO

Allow multiple tool connections active simultaneously in Command Center (e.g., multiple SAP servers). Matthew Lew flagged as critical for his team’s workflows. Prioritized for next release.

📦

SQL Database Connectivity STARTING THIS WEEK

Operate teams need agents to query PostgreSQL, MySQL, MSSQL via secrets vault. Mo confirmed in Apr 28 meeting this is starting this week. High demand from multiple Deloitte teams.

Dashboards

Each dashboard tracks a different class of work across the Deloitte engagement.

● On Track

Training

Platform training program for Deloitte teams - pilot session, LMS, video content, and live trainer coordination.

Bug Fixes & Info Requests

Active bugs, configuration issues, and operational requests from Deloitte teams requiring engineering response.

Platform enhancements, new integrations, and capability requests surfaced through Deloitte engagement calls.

Open Items

High Priority

Workstreams

Engagement Information Flow

Full mind map showing all request sources, classifications, and resolution paths across the Deloitte engagement.

🗺️ View Full Engagement Mind Map

Request sources → Requests → Classification (Bug / Training / Feature) → Resolution paths. Interactive - click to explore.

→

🔍 Key Health Questions Reporting Period: Apr 30, 2026

▼

Question	Status	Explanation
Is the team behind schedule?	🔴 Yes	Multiple issues raised weeks/months ago still lack updates. Centralized priority tracking dashboard promised >1 month ago has not been shared with Deloitte. 64 open items remain, 12 urgent.
Problems preventing cycle goal?	🔴 Active	ThreatConnect MCP ~80% failure rate blocking cyber workstream. Jira DC triggers non-functional. No integration routing capability for multi-instance environments. Sandbox fix still in testing.
Tasks added or deleted this cycle?	⚠️ Yes	New issues from Apr 23: Jira DC triggers, ThreatConnect MCP reliability regression, integration routing request, SailPoint write ops, agent failure notes, UI resizability. Instance upgraded to v3.16.
Foresee issues for next period?	🔴 Yes	Sandbox fix release imminent but not yet deployed. ThreatConnect and integration routing have no ETA. Deloitte expressed frustration over lack of updates and visibility. New SMK deployment (#3 Digital Identity) needs preflight validation.
Unscheduled tasks this cycle?	⚠️ Several	Jira DC trigger investigation, ThreatConnect MCP deep-dive, agent UI resizability request, agent failure notes, and agent run asset/user visibility enhancement all surfaced at Apr 23 meeting.
Have any estimates changed?	⚠️ Yes	Sandbox fix ETA moved to "tomorrow morning at latest" (from Apr 23 call). Canvas disclaimer customization targeted for next release. Integration routing and ThreatConnect have no estimates.
Technical problems encountered?	🔴 Active	ThreatConnect MCP parameter schema causing ~80% failure rate. Sandbox cleanup race condition found (EBS unmount). Jira DC triggers never fire. Agent completion not reflected in UI without manual refresh.
Resource problems?	🔴 Yes	Project management gap - primary PM (Mo) absent for 2 weeks with no coverage. Deloitte teams have no visibility into issue tracking or prioritization. Meta Global Ops remains unresourced.

🧭 Strategic Priorities for Portfolio Stakeholders

▼

Urgent1. Integration Reliability & Routing

ThreatConnect MCP fails ~80% of tool calls - parameter schema issues cause retries on almost every request. Additionally, there is no capability to route agents to a specific integration when multiple instances of the same type are configured. Both are critical blockers for Deloitte's multi-environment workflows. Escalated to engineering Apr 23.

Decision Required2. Centralized Priority Tracking & Visibility

Deloitte teams have no visibility into issue tracking or prioritization. A centralized dashboard was promised over a month ago but never delivered. Primary PM (Mo) absent for 2 weeks with no coverage. Multiple teams raising different priorities with no coordination mechanism. Restoring trust requires immediate action on visibility tooling.

In Progress3. Platform Stability: Sandbox Fix & Agent UI

Sandbox race condition root cause identified (EBS unmount); fix in testing, expected in next release. Agent run completion still not reflected in UI without manual refresh (2-3 times). Canvas disclaimer customization (separate for Canvas and chat) targeted for next release.

Input Requested4. Integration Backlog Prioritization

SailPoint ISC write operations requested >1 month ago with no status. Jira DC triggers non-functional. SAP/Oracle integration partially in progress. Stakeholder alignment needed on priority order across integration requests - multiple teams have competing priorities with no unified view.

✅ Accomplishments This Period

▼

Accomplishment	Done	Status
Canvas URL parameter navigation — drill-down navigation and contextual filtering now supported on Canvas dashboards	Apr 24	✅ Complete
Instance upgrade to v3.16 — deployed to Deloitte instance	Apr 22	✅ Complete
API Action Step fix — dynamic body now has access to previous step outputs	Apr 22	✅ Complete
Sandbox race condition root cause identified — deep debugging session captured logs and identified root cause in cleanup process	Apr 21	✅ Complete
SAP integration fix — serialization error regression on Deloitte ITS instance resolved	Apr 14	✅ Complete
Profile dropdown organization name — now displays organization name for non-admin users	Apr 14	✅ Complete
Canvas AI disclaimer banner — sticky header disclaimer added to Canvas pages	Apr 8	✅ Complete
SAP MCP serialization fix — resolved serialization errors on ITS instance	Apr 7	✅ Complete
Selective data flow control — data flow control between model context windows for Cyber workstream	Apr 7	✅ Complete
Agent workflow restart fix — webhook trigger context now preserved on restart	Apr 6	✅ Complete
AEF context window fix — Bedrock extended context flag set; 1M context now active	Apr 6	✅ Complete
Task worker / Hatchet stability — heartbeat reconnection patch deployed and holding; no restarts needed	Apr 2	✅ Complete
Chat UI session visibility — Agent ID and session ID now surfaced without URL extraction	Apr 2	✅ Complete
SMK white-label logo CORS fix — resolved CORS issues with custom logo assets	Mar 24	✅ Complete
Jira Data Center auth fix — basic auth vs API token mismatch resolved for self-hosted Jira DC	Mar 19	✅ Complete
Okta disconnected state fix — resolved incorrect disconnected state display	Mar 19	✅ Complete
Dashboard/Canvas agent cleanup — auto-created agents hidden from main list, new "Dashboard Agents" filter tab	Mar 16	✅ Complete
DLP data scrubbing fix — customer PII scrubbing issue resolved	Mar 11	✅ Complete
Sandbox cleanup fix — race condition fix in testing, expected in next release	—	⚠️ In Testing
Canvas disclaimer customization — separate disclaimers for Canvas and chat; in next release	—	⚠️ In Release
Agent failure notes enhancement — improved visibility into why an agent failed; in next release	—	⚠️ In Release
Preflight script with pre-flight checks — deployment automation package ready for Deloitte testing	—	⚠️ Delivering

🔺 Active Risks

▼

ID	Impact	Trend	Description	Mitigation
R1	High	📈	ThreatConnect MCP Reliability. ~80% of tool calls fail - parameters rejected, system brute-forces retries. Blocks cyber workstream productivity.	Escalated to engineering with priority Apr 23. Root cause suspected in MCP parameter schema. No fix ETA yet.
R2	High	🆕	Integration Routing Gap. No way to specify which integration instance an agent should use when multiples are configured. Blocks multi-environment workflows.	Escalated to engineering Apr 23. No ETA or prior tracking visible. Critical for CrowdStrike, Jira, and other multi-instance deployments.
R3	High	📈	Project Management Visibility. Primary PM (Mo) absent 2 weeks. No centralized priority tracker shared with Deloitte despite being promised >1 month ago. Multiple teams with conflicting priorities and no coordination.	Marcos covering Apr 23 meeting, committed to getting updates today. Mo to provide personal update to Deloitte. Out-of-band meeting proposed for next week.
R4	Med	📉	Sandbox Stability. Race condition in cleanup process identified (EBS unmount). Fix in testing. Instance upgraded to v3.16 Apr 22.	Fix expected in next release (tomorrow morning at latest per Apr 23). Debugging session with Nathan was productive - root cause confirmed.
R5	Med	🆕	Jira DC Triggers Non-Functional. Custom Jira Data Center triggers do not initiate agents on ITS. Lower priority than integration routing but blocks automation workflows.	Identified Apr 23. Lower priority per Deloitte - other backlog items take precedence. Being tracked.
R6	Med	➡️	Integration Backlog. SailPoint write ops waiting >1 month. SAP/Oracle partially in progress. Jira DC triggers broken. Direct Connect (ThreatConnect) MCP failing.	SAP work ongoing. SailPoint and other integration requests lack ETA. Integration priority ranking needed from Deloitte stakeholders.
R7	Med	➡️	SMK deployment scalability. Preflight script ready for delivery. Deployment #3 (Digital Identity) planned. Enterprise AWS guardrails remain a challenge.	Preflight automation package being sent to Deloitte for testing. Manual checklist + Terraform automation in development.
R8	Med	➡️	Agent UI / UX gaps. Agent run completion not reflected in UI. Tool call output not readable (long JSON). Resizable windows requested. Agent failure notes unclear.	Agent failure notes and disclaimer customization in next release. UI resizability is a new request - not on current roadmap.

Most Recent Meeting Deployment Q&A - Weekly Connect (Apr 23)

4 Critical 8 Action Items ▼

📞 Deployment Q&A - Weekly Connect - Apr 23, 2026

Participants: Marcos Pagnucco (Kindo), Nathan Ellis (Deloitte), Sumanth Tadikonda, Harish, Harshal Vasudeo, and ~40 others

🔥 ThreatConnect MCP - ~80% Failure Rate - Every time a tool call is made to ThreatConnect, ~80% of calls fail because parameters are rejected. System retries/brute-forces until one succeeds. Something wrong with MCP parameter configuration or description. Escalated to engineering.

🔥 Integration Routing - Cannot Select Specific Integration - When multiple integrations of the same type are configured (e.g., 3 Jiras, 3 CrowdStrikes), there is no way to specify which one an agent should use. Long-standing request tracked by Mo - no status update provided for weeks. Escalated with priority.

🔥 PM Visibility Gap - No Updates for 2 Weeks - Primary PM (Mo) absent for 2 weeks. No status updates provided to Deloitte. Centralized priority tracking dashboard promised over a month ago was never shown. Multiple teams with different priorities and no visibility into what's being tracked. Nathan: "I'm getting a little frustrated because we've been waiting for updates."

🔧 Sandbox Race Condition - Fix in Testing - Root cause found: race condition in cleanup process causing EBS unmount failures. Deep debugging session with Nathan captured critical logs. Fix in testing - expected tomorrow morning at latest. Instance already upgraded to v3.16.

⚠️ Agent UI - Completion Still Not Reflected - Agents complete on backend but UI doesn't update. Users must refresh manually 2-3 times. Front-end polling/streaming issue persists despite backend improvements.

⚠️ Jira DC Triggers Non-Functional - Custom Jira Data Center triggers don't initiate agents at all on ITS. Multiple filter configurations attempted. Lower priority than integration routing per Deloitte.

📦 SailPoint ISC Write Operations - Requested 1-1.5 months ago. Jira created by Mo, no status update provided. Currently read-only - write operations needed.

📦 Canvas Disclaimer Customization - Separate disclaimers for Canvas and chat. Implemented, in next release (same release as sandbox fix).

📦 Agent Failure Notes - Better visibility into why agents failed. Engineering has discussed; expected in next release.

💡 Agent Output UI Enhancements (New request - Low Priority) - Tool call output areas are cluttered and not readable. Request for resizable windows for prompt/output areas. Also: show which asset and user ID was used during tool calls.

📦 SMK Deployment Automation - Preflight script with new pre-flight functionality ready. Marcos to send package + instructions to Deloitte within hours. Validates cluster networking, connection strings, and access before deployment.

📅 Meeting Cadence - Out-of-band meeting proposed for next week to bring full updates that Marcos couldn't provide. Mo expected to provide personal update to Deloitte.

📦 SMK Installs - Deployment Progress

2 Complete 1 Planned 4 Blockers ▼

Key deployment status and improvement initiatives from Cyber Weekly (Apr 2), Office Hours (Apr 2), and prior sessions.

Deployment Status

Deployment	Status	Key Issues
Deployment #1	✅ Complete	Security group/connectivity issues discovered during install
Deployment #2	✅ Complete	Calico CNI vs VPC CNI caused ingress automation failure
Deployment #3 (Digital Identity)	🔵 Planned	Bastion host access being requested, same environment challenges expected

Key Improvements In Progress

Initiative	Status	Details
Preflight Script (Helm chart)	✅ Ready	Preflight automation package with pre-flight validation complete. Marcos delivering to Deloitte with instructions (Apr 23). Checks cluster networking, connection strings, and access before deployment.
Manual Deployment Checklist	⚠️ In Progress	For enterprise teams with multiple departments involved in provisioning and access.
Infrastructure Automation (Terraform)	⚠️ In Progress	Turnkey AWS provisioning, handed to Deloitte infra team for testing.
Script Migration to Helm Charts	⚠️ In Progress	Moving bastion host scripts into cluster, reducing external dependencies.

Current Blockers

Blocker	Severity	Mitigation
Task worker / Hatchet instability	✅ Resolved	Heartbeat/Hatchet reconnection patch deployed and stable. No restarts needed since fix.
Sandbox cleanup race condition	⚠️ Fix In Testing	Race condition in cleanup process identified (EBS unmount). Fix in testing, expected in next release. Instance upgraded to v3.16 on Apr 22.
ThreatConnect MCP ~80% failure rate	🔴 Critical	Tool call parameters consistently rejected. System brute-forces retries. Escalated to engineering Apr 23.
No observability configured	⚠️ Medium	Deployed instances lack OpenTelemetry/Grafana monitoring.
Enterprise AWS guardrails	⚠️ Medium	IAM roles, network subnets will be a challenge for every customer deployment.

🏛️ Deloitte Portfolio & Program Management