Guided programmeDemo 1: First Install + Delta RunIdentityFirstMRI real surfaceRepresentative data

Meridian Crest Financial Services Ltd

First assessment visibility with a second run that proves movement without pretending the data is complete. This page uses the current webapp surface and report structure with a fictional UK financial-services scenario kept explicit about representative data, P1-only licensing, and what is and is not yet mature.

Executive framing: this is the real MRI-led board report surface, driven by representative scenario data for a fictional 1,500-user UK financial-services organisation operating on Entra ID P1. Use this once the run history has already made the movement feel earned.

Board ReportPrepared by IdentityFirst LtdPrepared for Meridian Crest Financial Services LtdSample / Synthetic

Identity Risk Report

Executive posture, trend, financial consequence, and prioritised identity decisions for leadership review.

Prepared by: IdentityFirst Ltd
Prepared for: Meridian Crest Financial Services Ltd
Issue date: 22 January 2026
Classification: Confidential - Demonstration Use Only
Document reference: IF-BRD-MRI-MCFS
Version: 1.0
Assessment scope: UK financial services · first install + delta run
Report run: MRI-MCFS
Product tier: IdentityFirstMRI
Profile: UK financial services · first install + delta run

Report credibility

Scope, methodology, ownership, evidence

Every field is shown explicitly. Items not yet provided are labelled (Roadmap, Unavailable, Not applicable, Missing) rather than hidden.

Classification: Confidential - Demonstration Use Only
Scope of estate: UK financial services · first install + delta run
Reporting period: Representative MRI assessment window
Version: 1.0
Change reference: Not applicable
Methodology: NIST CSF 2.0 functions framing (Govern, Identify, Protect, Detect, Respond, Recover) over the MRI read-only assessment surface. Demo posture and risk numbers are derived from a deterministic seed profile, not live customer telemetry.
Limitations: Public demo only. No live tenant data. Financial impact framing is illustrative; SEC materiality determinations require customer-supplied facts. Risk-appetite line is a roadmap item.
Owner: Roadmap
Preparer: IdentityFirst MRI Engine (deterministic demo profile)
Approver: Roadmap
Regulatory relevance: Supports board oversight expectations under NIS2 Article 20 (management body accountability) and SEC cyber-disclosure governance reporting. Customer legal applicability must be confirmed in scope.
Evidence status: Evidence chain unavailable in public demo

Section 1 - Executive Summary

Mixed provenance

This board view combines real product reporting patterns with curated executive demo framing. Posture and remediation structure are grounded in the platform model; financial interpretation and storyline emphasis remain representative unless a live tenant provides the supporting evidence.

Posture

Projected 69 after remediation

Platforms

Identities

1842

Telemetry streams

Raw findings

Key Risk Drivers

- Hybrid identity drift is already visible across AD, ADFS, MIM, Entra, Azure, AWS, and SaaS tooling.
- The first two runs narrowed the immediate risk list without pretending the estate is fully mature.
- The highest-value work sits in lifecycle closure, standing privilege reduction, and federation rationalisation.

CISO takeaway: MRI gives immediate visibility into where identity risk is real enough to prioritise now, even while coverage is still maturing.

Section 2 - Strategic Decision Framing

Why this matters now

The report has moved beyond descriptive posture. Current exposure is concentrated in identities and trust paths that can be actioned inside this quarter, and the operating question is whether to accept continued loss exposure or fund the roadmap that bends the next reporting cycle.

Risk trend

Improving

Time to value

30 days

Decision impact

Budget + policy

Investment vs outcome

Estimated remediation investment: £45,200

Modelled loss avoidance multiple: 3.9x

Loss avoidance if funded now: £176,280

The commercial case is not just lower risk. It is a shorter path to measurable exposure reduction than the expected cost of delay.

Board decision required now

The question is not whether identity risk exists. It is whether leadership funds the reduction path now, assigns owners to the highest-consequence findings, and enforces the policy changes needed to collapse the worst attack paths before the next reporting cycle.

Top findings

Ownerless

Modelled exposure

£1,785,000

Top reduction priorities

Eleven stale AD-linked accounts still retain active access

Active Directory · Identity and access management

critical

The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.

Modelled impact £0

ADFS relying party trust sprawl still exposes legacy access paths

ADFS · Infrastructure engineering

high

Fourteen relying party trusts remain active for services that have partly moved to Entra. Claim-rule hygiene and trust ownership are inconsistent across wealth, treasury, and branch servicing applications.

Modelled impact £0

MIM-driven attribute exceptions are still granting outdated on-prem app entitlements

MIM · Identity engineering

high

Historic MIM rules continue to preserve role attributes after department moves, especially across acquired advisory teams and older servicing applications.

Modelled impact £0

Highest modelled loss driver: Eleven stale AD-linked accounts still retain active access at £0.

Section 3 - How to Read This Report

Posture Score: 0-100 composite where higher is better. Red under 40, amber 40-70, green over 70.

Identity Paths: Correlated attack routes across platforms (for example Okta to Entra to AWS) that reveal blast radius beyond single-system findings.

Drift: Deviation from approved identity policy baseline over time.

Severity: High indicates urgent exploitability, Medium indicates meaningful control weakness, Low indicates hygiene debt.

Blue annotation bars and cards are product-tour cues that explain where each metric comes from.

Section 4 - Identity Risk Score

Posture Score

59/100

90-day trend

Projected after remediation

Risk Category Breakdown

Privilege accumulation74

Drift71

Workload hygiene66

Cross-platform correlation69

High

Medium

Low

Generation methodology blends privileged-access accumulation, cross-platform drift, workload identity hygiene, and correlated path depth from telemetry over the last 90 days.

Section 5 - Top Correlated Identity Paths

high

Dormant AD account to ADFS-published treasury app

Entry: Dormant hybrid account with VPN entitlement

Step 1
Authenticate with stale AD credentials
Active Directory
Sign-in
Step 2
Federate via historic relying party trust
ADFS
Token issue
Step 3
Reach treasury web application with inherited role
On-prem application
Access

Blast Radius

43 identities potentially affected | max depth 3

Why It Matters

A low-noise finance entry path still exists even though the user left the firm months ago.

Contributing Misconfigurations

- Leaver account still active
- ADFS trust not retired after application migration
- Role mapping still driven by stale AD group

high

Shared admin pattern into Entra and Azure production

Entry: Standing privileged account used for emergency operations

Step 1
Interactive sign-in without stronger assurance
Microsoft Entra ID
Privilege use
Step 2
Persistent role assignment across production subscriptions
Azure
Role inheritance
Step 3
Modify workload access and monitoring settings
Azure
Privilege pivot

Blast Radius

128 identities potentially affected | max depth 4

Why It Matters

It creates a direct operational resilience concern because the same identity can alter access and monitoring in production.

Contributing Misconfigurations

- Standing admin roles still in place
- P1-only Conditional Access policy not applied consistently
- Break-glass usage mixed with everyday administration

medium

Shared CI role into AWS analytics estate

Entry: Broad trust policy on shared deployment role

Step 1
Assume shared analytics deployment role
AWS IAM
STS assume role
Step 2
Reach customer-insight workloads and data stores
AWS
Privilege access

Blast Radius

27 identities potentially affected | max depth 2

Why It Matters

The path is not catastrophic on its own, but it is exactly the kind of inherited cloud privilege that an MSP can evidence and reduce quickly.

Contributing Misconfigurations

- Shared pipeline role used by multiple teams
- Trust policy broader than intended analytics scope

Section 6 - Platform-by-Platform Findings (11 platforms)

High 5Medium 3Low 0

highEleven stale AD-linked accounts still retain active access

The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.

Evidence: The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.

Affected:

Section 7 - Cross-Platform Drift and Hygiene

Active Directory

ADFS

Microsoft Entra ID

Azure

AWS IAM

Drift Patterns

MIM|410 days

Historic MIM attribute rules continue to grant legacy on-prem application roles

Mover events are not consistently stripping entitlements after department change.

ADFS|260 days

Relying party trusts remain after applications moved behind Entra

Old federation paths still exist and complicate access governance.

Microsoft 365|92 days

Shared data access persists beyond project end dates

Collaboration and finance data remain wider than role need.

Workload identities

138

Stale identities >90d

Over-privileged

Long-lived tokens

Section 8 - Workload Identity Risks

Total workload IDs

138

Stale >90d

Over-privileged

Long-lived tokens

Cross-cloud trust drifts

Risk Distribution

High 8Medium 14Low 10

Section 9 - Remediation Roadmap

Immediate (0-7 days)

Disable stale hybrid finance and VPN identities and evidence closure in the next run.

IAM | HIGH | 12h

Constrain standing admin paths and document named emergency access usage.

PAM | HIGH | 18h

Near-term (30 days)

Rationalise ADFS relying parties and claim rules after Entra migration review.

IAM | MEDIUM | 28h

Reduce Azure and AWS role sprawl for shared engineering and analytics paths.

Cloud | MEDIUM | 34h

Strategic (90 days)

Retire MIM-driven entitlement exceptions for legacy line-of-business applications.

AppOps | MEDIUM | 42h

Section 10 - Appendix: Raw Findings

ID	Severity	Platform	Title	Evidence
MCFS-I-001	high	Active Directory	Eleven stale AD-linked accounts still retain active access	The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.
MCFS-I-002	high	ADFS	ADFS relying party trust sprawl still exposes legacy access paths	Fourteen relying party trusts remain active for services that have partly moved to Entra. Claim-rule hygiene and trust ownership are inconsistent across wealth, treasury, and branch servicing applications.
MCFS-I-003	high	MIM	MIM-driven attribute exceptions are still granting outdated on-prem app entitlements	Historic MIM rules continue to preserve role attributes after department moves, especially across acquired advisory teams and older servicing applications.
MCFS-I-004	high	Microsoft Entra ID	Standing Entra and Azure administrative access remains broader than operational need	A small set of platform and operations users still hold standing administrative access in Entra and Azure production subscriptions without a tighter named-elevation pattern.
MCFS-I-005	high	Azure	Legacy service accounts retain broad access across Azure automation and branch batch jobs	Service identities created for older reconciliation and branch-reporting workflows retain wide permissions in Azure automation, file shares, and scheduled tasks.
MCFS-I-006	medium	Microsoft Entra ID	MFA and Conditional Access remain inconsistent for remote and contractor access	The estate is operating on Entra ID P1. MFA coverage improved between runs, but several contractor and unmanaged-device journeys still rely on policy exceptions rather than fully consistent control paths.
MCFS-I-007	medium	AWS IAM	AWS analytics role trust remains broader than intended for shared engineering workflows	A shared CI role can still assume analytics-facing AWS roles that should now be limited to a smaller service boundary.
MCFS-I-008	medium	SaaS Applications	Joiner, mover, leaver mismatches persist across SaaS finance, HR, and ticketing tools	SaaS entitlements are no longer chaotic, but lifecycle ownership still varies enough to leave avoidable residual access after role change and contract end.

Board Report · Prepared by IdentityFirst Ltd · Prepared for Meridian Crest Financial Services Ltd · Ref IF-BRD-MRI-MCFS · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION

Next Step

Turn this executive output into a live customer report

Use this board view to frame the risk conversation, then move into a tailored walkthrough of your own identity estate.

Current buyer path: CISO / Executive

Guided programmeDemo 1: First Install + Delta RunIdentityFirstMRI real surfaceRepresentative data

Meridian Crest Financial Services Ltd

Board ReportPrepared by IdentityFirst LtdPrepared for Meridian Crest Financial Services LtdSample / Synthetic

Identity Risk Report

Executive posture, trend, financial consequence, and prioritised identity decisions for leadership review.

Prepared by: IdentityFirst Ltd
Prepared for: Meridian Crest Financial Services Ltd
Issue date: 22 January 2026
Classification: Confidential - Demonstration Use Only
Document reference: IF-BRD-MRI-MCFS
Version: 1.0
Assessment scope: UK financial services · first install + delta run
Report run: MRI-MCFS
Product tier: IdentityFirstMRI
Profile: UK financial services · first install + delta run

Report credibility

Scope, methodology, ownership, evidence

Every field is shown explicitly. Items not yet provided are labelled (Roadmap, Unavailable, Not applicable, Missing) rather than hidden.

Classification: Confidential - Demonstration Use Only
Scope of estate: UK financial services · first install + delta run
Reporting period: Representative MRI assessment window
Version: 1.0
Change reference: Not applicable
Methodology: NIST CSF 2.0 functions framing (Govern, Identify, Protect, Detect, Respond, Recover) over the MRI read-only assessment surface. Demo posture and risk numbers are derived from a deterministic seed profile, not live customer telemetry.
Limitations: Public demo only. No live tenant data. Financial impact framing is illustrative; SEC materiality determinations require customer-supplied facts. Risk-appetite line is a roadmap item.
Owner: Roadmap
Preparer: IdentityFirst MRI Engine (deterministic demo profile)
Approver: Roadmap
Regulatory relevance: Supports board oversight expectations under NIS2 Article 20 (management body accountability) and SEC cyber-disclosure governance reporting. Customer legal applicability must be confirmed in scope.
Evidence status: Evidence chain unavailable in public demo

Section 1 - Executive Summary

Mixed provenance

Posture

Projected 69 after remediation

Platforms

Identities

1842

Telemetry streams

Raw findings

Key Risk Drivers

- Hybrid identity drift is already visible across AD, ADFS, MIM, Entra, Azure, AWS, and SaaS tooling.
- The first two runs narrowed the immediate risk list without pretending the estate is fully mature.
- The highest-value work sits in lifecycle closure, standing privilege reduction, and federation rationalisation.

CISO takeaway: MRI gives immediate visibility into where identity risk is real enough to prioritise now, even while coverage is still maturing.

Section 2 - Strategic Decision Framing

Why this matters now

Risk trend

Improving

Time to value

30 days

Decision impact

Budget + policy

Investment vs outcome

Estimated remediation investment: £45,200

Modelled loss avoidance multiple: 3.9x

Loss avoidance if funded now: £176,280

The commercial case is not just lower risk. It is a shorter path to measurable exposure reduction than the expected cost of delay.

Board decision required now

Top findings

Ownerless

Modelled exposure

£1,785,000

Top reduction priorities

Eleven stale AD-linked accounts still retain active access

Active Directory · Identity and access management

critical

The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.

Modelled impact £0

ADFS relying party trust sprawl still exposes legacy access paths

ADFS · Infrastructure engineering

high

Modelled impact £0

MIM-driven attribute exceptions are still granting outdated on-prem app entitlements

MIM · Identity engineering

high

Historic MIM rules continue to preserve role attributes after department moves, especially across acquired advisory teams and older servicing applications.

Modelled impact £0

Highest modelled loss driver: Eleven stale AD-linked accounts still retain active access at £0.

Section 3 - How to Read This Report

Posture Score: 0-100 composite where higher is better. Red under 40, amber 40-70, green over 70.

Identity Paths: Correlated attack routes across platforms (for example Okta to Entra to AWS) that reveal blast radius beyond single-system findings.

Drift: Deviation from approved identity policy baseline over time.

Severity: High indicates urgent exploitability, Medium indicates meaningful control weakness, Low indicates hygiene debt.

Blue annotation bars and cards are product-tour cues that explain where each metric comes from.

Section 4 - Identity Risk Score

Posture Score

59/100

90-day trend

Projected after remediation

Risk Category Breakdown

Privilege accumulation74

Drift71

Workload hygiene66

Cross-platform correlation69

High

Medium

Low

Generation methodology blends privileged-access accumulation, cross-platform drift, workload identity hygiene, and correlated path depth from telemetry over the last 90 days.

Section 5 - Top Correlated Identity Paths

high

Dormant AD account to ADFS-published treasury app

Entry: Dormant hybrid account with VPN entitlement

Step 1
Authenticate with stale AD credentials
Active Directory
Sign-in
Step 2
Federate via historic relying party trust
ADFS
Token issue
Step 3
Reach treasury web application with inherited role
On-prem application
Access

Blast Radius

43 identities potentially affected | max depth 3

Why It Matters

A low-noise finance entry path still exists even though the user left the firm months ago.

Contributing Misconfigurations

- Leaver account still active
- ADFS trust not retired after application migration
- Role mapping still driven by stale AD group

high

Shared admin pattern into Entra and Azure production

Entry: Standing privileged account used for emergency operations

Step 1
Interactive sign-in without stronger assurance
Microsoft Entra ID
Privilege use
Step 2
Persistent role assignment across production subscriptions
Azure
Role inheritance
Step 3
Modify workload access and monitoring settings
Azure
Privilege pivot

Blast Radius

128 identities potentially affected | max depth 4

Why It Matters

It creates a direct operational resilience concern because the same identity can alter access and monitoring in production.

Contributing Misconfigurations

- Standing admin roles still in place
- P1-only Conditional Access policy not applied consistently
- Break-glass usage mixed with everyday administration

medium

Shared CI role into AWS analytics estate

Entry: Broad trust policy on shared deployment role

Step 1
Assume shared analytics deployment role
AWS IAM
STS assume role
Step 2
Reach customer-insight workloads and data stores
AWS
Privilege access

Blast Radius

27 identities potentially affected | max depth 2

Why It Matters

The path is not catastrophic on its own, but it is exactly the kind of inherited cloud privilege that an MSP can evidence and reduce quickly.

Contributing Misconfigurations

- Shared pipeline role used by multiple teams
- Trust policy broader than intended analytics scope

Section 6 - Platform-by-Platform Findings (11 platforms)

High 5Medium 3Low 0

highEleven stale AD-linked accounts still retain active access

The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.

Evidence: The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.

Affected:

Section 7 - Cross-Platform Drift and Hygiene

Active Directory

ADFS

Microsoft Entra ID

Azure

AWS IAM

Drift Patterns

MIM|410 days

Historic MIM attribute rules continue to grant legacy on-prem application roles

Mover events are not consistently stripping entitlements after department change.

ADFS|260 days

Relying party trusts remain after applications moved behind Entra

Old federation paths still exist and complicate access governance.

Microsoft 365|92 days

Shared data access persists beyond project end dates

Collaboration and finance data remain wider than role need.

Workload identities

138

Stale identities >90d

Over-privileged

Long-lived tokens

Section 8 - Workload Identity Risks

Total workload IDs

138

Stale >90d

Over-privileged

Long-lived tokens

Cross-cloud trust drifts

Risk Distribution

High 8Medium 14Low 10

Section 9 - Remediation Roadmap

Immediate (0-7 days)

Disable stale hybrid finance and VPN identities and evidence closure in the next run.

IAM | HIGH | 12h

Constrain standing admin paths and document named emergency access usage.

PAM | HIGH | 18h

Near-term (30 days)

Rationalise ADFS relying parties and claim rules after Entra migration review.

IAM | MEDIUM | 28h

Reduce Azure and AWS role sprawl for shared engineering and analytics paths.

Cloud | MEDIUM | 34h

Strategic (90 days)

Retire MIM-driven entitlement exceptions for legacy line-of-business applications.

AppOps | MEDIUM | 42h

Section 10 - Appendix: Raw Findings

ID	Severity	Platform	Title	Evidence
MCFS-I-001	high	Active Directory	Eleven stale AD-linked accounts still retain active access	The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access.
MCFS-I-002	high	ADFS	ADFS relying party trust sprawl still exposes legacy access paths	Fourteen relying party trusts remain active for services that have partly moved to Entra. Claim-rule hygiene and trust ownership are inconsistent across wealth, treasury, and branch servicing applications.
MCFS-I-003	high	MIM	MIM-driven attribute exceptions are still granting outdated on-prem app entitlements	Historic MIM rules continue to preserve role attributes after department moves, especially across acquired advisory teams and older servicing applications.
MCFS-I-004	high	Microsoft Entra ID	Standing Entra and Azure administrative access remains broader than operational need	A small set of platform and operations users still hold standing administrative access in Entra and Azure production subscriptions without a tighter named-elevation pattern.
MCFS-I-005	high	Azure	Legacy service accounts retain broad access across Azure automation and branch batch jobs	Service identities created for older reconciliation and branch-reporting workflows retain wide permissions in Azure automation, file shares, and scheduled tasks.
MCFS-I-006	medium	Microsoft Entra ID	MFA and Conditional Access remain inconsistent for remote and contractor access	The estate is operating on Entra ID P1. MFA coverage improved between runs, but several contractor and unmanaged-device journeys still rely on policy exceptions rather than fully consistent control paths.
MCFS-I-007	medium	AWS IAM	AWS analytics role trust remains broader than intended for shared engineering workflows	A shared CI role can still assume analytics-facing AWS roles that should now be limited to a smaller service boundary.
MCFS-I-008	medium	SaaS Applications	Joiner, mover, leaver mismatches persist across SaaS finance, HR, and ticketing tools	SaaS entitlements are no longer chaotic, but lifecycle ownership still varies enough to leave avoidable residual access after role change and contract end.

Next Step

Turn this executive output into a live customer report

Use this board view to frame the risk conversation, then move into a tailored walkthrough of your own identity estate.

Current buyer path: CISO / Executive