Curated demo content by default.
The /demo route group is a public demonstration surface. Its stories, report packs, and portal views are intentionally curated unless a live tenant is explicitly selected.
Current route truth
Synthetic evidence package: The public route exists now and demonstrates audit-report structure; detailed evidence remains synthetic and package-delivered, not a live customer export.
Strongest first view
Open Board: Start here when you need the strongest first commercial story: risk, consequence, funding decision, and executive ownership.
| Metric | Value |
|---|---|
| Days to audit | 47 |
| Evidence gaps | 6 |
| Frameworks | 4 |
| Critical findings | 3 |
Audit framing: this report uses the S3 Compliance Audit Readiness scenario with synthetic evidence gaps, framework status, and identity coverage data.
Demo truth model
Persona switching, posture, blast radius, and remediation delta are anchored to real platform/runtime contracts.
Control evidence, audit readiness scoring, time-to-compliance, and risk-prioritised remediation for assurance stakeholders.
Report credibility
Every field is shown explicitly. Items not yet provided are labelled (Roadmap, Unavailable, Not applicable, Missing) rather than hidden.
Demo seed — period derived from synthetic profile, not live tenant telemetry
Reference IF-AUD-RUN-MRI-
No prior version to diff — the public demo regenerates deterministically per request.
Named report owner is captured in webapp tenant scope settings — surfaced once a tenant is provisioned.
Approver sign-off block lands with the Audit / PBC workspace milestone.
Substantia signed-evidence chain is exercised in the authenticated webapp, not in the public demo route.
Audit posture is no longer just a checklist view. Identity evidence, control gaps, and remediation timing are being translated into a readiness score of 62/100, with likely time-to-compliance at roughly 214 days if current priorities hold.
| Metric | Value |
|---|---|
| Audit readiness | 62/100 |
| Time to compliance | 214 days |
| Evidence completeness | 70% |
Compliance posture derived from identity evidence, drift patterns, and platform findings across 11 connected platforms.
| Framework | Coverage | Status | Evidence gaps |
|---|---|---|---|
| SOC 2 CC | 63% | Partial | 18 |
| ISO 27001:2022 | 55% | Partial | 2 |
| NIST CSF 2.0 | 60% | Partial | 1 |
| DORA | 50% | Partial | 19 |
| Category | Count | Note |
|---|---|---|
| Critical / High findings | 19 | Findings requiring immediate evidence |
| Medium findings | 21 | Findings with partial evidence |
| Platforms in scope | 11 | 2,014 identities assessed |
| ID | Severity | Platform | Finding | Evidence ref |
|---|---|---|---|---|
| F-2K-001 | high | Entra ID | 6 permanent Global Admin assignments; 0 PIM eligible schedules. | GET /directoryRoles/globalAdministrator/members — count:6 |
| F-2K-002 | high | AWS IAM | SAML trust role acme.role.cloud-admin has AdministratorAccess and no condition keys. | Trust Condition:null; attachedPolicy:AdministratorAccess |
| F-2K-003 | high | Okta | 4 Okta super-admins authenticate from named network zone without FIDO2. | policy OKTA_SIGN_ON: grantControls for admin zone lacks FIDO2 requirement |
| F-2K-004 | high | Google Cloud IAM | 3 SA keys committed to CI/CD repo; all unrotated >90 days. | gitleaks scan: 3 SA key files in .env; oldest commit 47 days ago |
| F-2K-005 | high | Kubernetes | 4 cluster-admin ClusterRoleBindings to workload service accounts across 4 namespaces. | kubectl get clusterrolebindings — 4 results; subjects[].kind:ServiceAccount |
| F-2K-006 | high | Active Directory | svc-entra-sync has Domain Admins membership; password age 289 days. | Get-ADGroupMember "Domain Admins" \| where sAMAccountName -eq svc-entra-sync; PasswordLastSet:2025-07-09 |
| F-2K-007 | high | Google Cloud IAM | acme.service.analytics-pipeline has project-level roles/bigquery.dataEditor (intended: dataset-level dataViewer). | gcloud projects get-iam-policy: roles/bigquery.dataEditor binding at project level |
| F-2K-008 | high | AWS IAM | IRSA role acme.role.k8s-data-access has s3:* and dynamodb:* on Resource:* for 3 K8s service accounts. | Action:['s3:*','dynamodb:*'],Resource:'*' |
Showing 8 of 19 high-severity findings. See full findings appendix in the board report.
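Findings F-2K-002 and F-2K-008 in the table, and the first remediation item in the action list that follows, come down to a handful of checks on IAM policy documents: does the SAML trust statement carry the MFA and region condition keys, is the session duration capped, is a broad managed policy attached, and do inline statements grant service-wide actions on every resource. The script below is an added example written for this page, not code from the page or from IdentityFirst. The role records it checks are constructed to mirror the two findings (a weak record, the same role after remediation, and an IRSA record); their shape, the account id and the provider ARNs are assumptions, so real GetRole / GetRolePolicy responses would have to be mapped into that shape first.

```python
"""Trust-policy and permission checks mirroring findings F-2K-002 and F-2K-008.

Added example, not product code. Role records are constructed; the record
shape is an assumption, not the boto3 response format.
"""

# Condition keys the remediation item asks for on the SAML trust policy,
# and the "restrict session duration to 1 hour" limit.
REQUIRED_SAML_CONDITION_KEYS = {"aws:MultiFactorAuthPresent", "aws:RequestedRegion"}
MAX_SESSION_SECONDS = 3600


def _as_list(value):
    """IAM allows a scalar or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Flatten {"Bool": {"aws:MultiFactorAuthPresent": "true"}} into its key names."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def check_trust_policy(trust_policy):
    """Flag Allow statements whose conditions do not scope who may assume the role."""
    findings = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        keys = _condition_keys(stmt)
        if "sts:AssumeRoleWithSAML" in actions:
            missing = REQUIRED_SAML_CONDITION_KEYS - keys
            if missing:
                findings.append(f"SAML trust lacks condition keys {sorted(missing)}")
        if "sts:AssumeRoleWithWebIdentity" in actions and not keys:
            # An OIDC/IRSA trust with no condition is assumable by any subject the provider issues.
            findings.append("web-identity trust has no condition scoping the subject")
    return findings


def check_permissions(role):
    """Flag AdministratorAccess and service-wide wildcard grants on Resource:'*'."""
    findings = []
    if "AdministratorAccess" in role.get("attached_managed_policies", []):
        findings.append("AdministratorAccess managed policy attached")
    for stmt in role.get("inline_statements", []):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
        if wild_actions and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"service-wide actions {wild_actions} on Resource:'*'")
    return findings


def check_role(role):
    """Return every finding for one role record (an empty list means clean)."""
    findings = check_trust_policy(role["trust_policy"])
    if role.get("max_session_seconds", MAX_SESSION_SECONDS) > MAX_SESSION_SECONDS:
        findings.append(f"MaxSessionDuration {role['max_session_seconds']}s exceeds {MAX_SESSION_SECONDS}s")
    findings.extend(check_permissions(role))
    return findings


def audit_roles(roles):
    """Return (role name, findings) for each role that has at least one finding."""
    results = [(r["name"], check_role(r)) for r in roles]
    return [(name, f) for name, f in results if f]


# --- constructed role records (placeholder account id and provider ARNs) -----
SAML_PRINCIPAL = {"Federated": "arn:aws:iam::111122223333:saml-provider/acme-idp"}

WEAK_SAML_ROLE = {  # mirrors F-2K-002 as reported
    "name": "acme.role.cloud-admin",
    "max_session_seconds": 43200,
    "attached_managed_policies": ["AdministratorAccess"],
    "trust_policy": {"Statement": [{"Effect": "Allow", "Principal": SAML_PRINCIPAL,
                                    "Action": "sts:AssumeRoleWithSAML"}]},
}

HARDENED_SAML_ROLE = {  # the same role after the remediation item, with a scoped inline policy
    "name": "acme.role.cloud-admin",
    "max_session_seconds": 3600,
    "attached_managed_policies": [],
    "inline_statements": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
    "trust_policy": {"Statement": [{
        "Effect": "Allow", "Principal": SAML_PRINCIPAL, "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                      "StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
    }]},
}

IRSA_ROLE = {  # mirrors F-2K-008: the trust is scoped to one service account, the permissions are not
    "name": "acme.role.k8s-data-access",
    "max_session_seconds": 3600,
    "inline_statements": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
    "trust_policy": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.example/id/PLACEHOLDER"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"oidc.eks.example/id/PLACEHOLDER:sub": "system:serviceaccount:data:pipeline"}},
    }]},
}

if __name__ == "__main__":
    for name, findings in audit_roles([WEAK_SAML_ROLE, HARDENED_SAML_ROLE, IRSA_ROLE]):
        print(name)
        for f in findings:
            print("  -", f)
```

The SAML condition keys are only required on statements that allow `sts:AssumeRoleWithSAML`; an IRSA trust uses `sts:AssumeRoleWithWebIdentity` and is instead expected to carry a subject-scoping condition, which is why the IRSA record passes the trust check and fails only on its wildcard permissions.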
Actions required before the audit window closes. Prioritised by auditor impact and evidence readiness.
1. Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour. (Owner: Cloud · Est. 6h)
2. Revoke all 3 GCP service-account keys committed to acme-ci-pipeline repository; rotate immediately; migrate to Workload Identity Federation for CI/CD GCP access. (Owner: Cloud · Est. 20h)
3. Disable the 2 Okta API tokens owned by deprovisioned users (acme.user.former.employee1, acme.user.former.employee2); audit all API tokens against active user list. (Owner: IAM · Est. 6h)
4. Remediate the 4 Kubernetes cluster-admin ClusterRoleBindings: scope to namespace-level RoleBindings with least-privilege roles; assign owners to each binding via annotation. (Owner: AppOps · Est. 20h)
5. Enable CyberArk dual-control on the Production-Windows-Admin safe immediately; require secondary approval for all credential checkouts; remove shared VaultAdmin account — replace with individually named admin accounts. (Owner: PAM · Est. 20h)
6. Revoke 4 GitHub PATs owned by deprovisioned users; configure GitHub Actions OIDC federation with AWS, Azure, and GCP to replace 47 long-lived credential secrets. (Owner: Cloud · Est. 20h)
7. Enforce FIDO2 or Microsoft Authenticator for all 4 Okta super-admin accounts; update Okta authentication policy to require phishing-resistant factor for admin console sign-in. (Owner: IAM · Est. 20h)
8. Rotate all 23 AWS IAM access keys older than 90 days; implement IAM Access Analyzer key-rotation alerts; set automated 90-day key expiry policy for new keys. (Owner: Cloud · Est. 20h)
9. Apply GCP org policy constraint iam.disableServiceAccountKeyCreation to acme-org; migrate all 6 remaining SA key authentications to Workload Identity Federation. (Owner: Cloud · Est. 48h)
10. Enable pod security admission for Baseline profile in all 5 unlabelled Kubernetes namespaces; audit any existing privileged pod configs before enforcement. (Owner: AppOps · Est. 20h)
11. Enable automatic password rotation in CyberArk for all 34 currently unmanaged accounts; prioritise SQL SA and Windows local admin accounts; set maximum password age to 30 days. (Owner: PAM · Est. 20h)
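The two Kubernetes items in the action list (re-scoping cluster-admin ClusterRoleBindings held by workload service accounts, and enabling Pod Security admission in unlabelled namespaces) are both mechanical enough to script. The block below is an added example written for this page, not code from the page or from IdentityFirst. It works over a constructed, trimmed imitation of `kubectl get clusterrolebindings -o json` and `kubectl get namespaces -o json` output; the binding names, namespaces, the owner annotation key and the namespaced Role names it drafts are placeholders, and the least-privilege Role each replacement binding points at still has to be authored per workload. For the Pod Security step it emits the `warn`/`audit` labels first so existing privileged pods surface before `enforce` is set, which is the order the action item asks for.

```python
"""RBAC and Pod Security admission checks for the two Kubernetes action items.

Added example, not product code. Objects below are constructed imitations of
`kubectl ... -o json` output; annotation key and Role names are placeholders.
"""
import copy

PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
OWNER_ANNOTATION = "acme.example/owner"  # assumed annotation key for the "assign owners" step


def is_cluster_admin_to_service_account(crb):
    """True when a ClusterRoleBinding grants the cluster-admin ClusterRole to any ServiceAccount."""
    ref = crb["roleRef"]
    if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
        return False
    return any(s.get("kind") == "ServiceAccount" for s in crb.get("subjects", []))


def find_risky_bindings(crb_list):
    """Return (binding name, ['namespace/serviceaccount', ...]) for every flagged binding."""
    out = []
    for crb in crb_list["items"]:
        if is_cluster_admin_to_service_account(crb):
            sas = [f"{s['namespace']}/{s['name']}" for s in crb["subjects"] if s.get("kind") == "ServiceAccount"]
            out.append((crb["metadata"]["name"], sas))
    return out


def namespaced_replacement(crb, owner):
    """Draft the RoleBindings that replace one flagged ClusterRoleBinding.

    One RoleBinding per ServiceAccount, in that account's namespace, bound to
    a namespaced Role named after the subject (placeholder name) and carrying
    the owner annotation the action item asks for."""
    manifests = []
    for s in crb["subjects"]:
        if s.get("kind") != "ServiceAccount":
            continue
        manifests.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": f"{s['name']}-binding", "namespace": s["namespace"],
                         "annotations": {OWNER_ANNOTATION: owner}},
            "subjects": [copy.deepcopy(s)],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": f"{s['name']}-role"},
        })
    return manifests


def namespaces_without_psa(ns_list):
    """Namespaces with no pod-security enforce label (the 'unlabelled' ones in the action item)."""
    return [ns["metadata"]["name"] for ns in ns_list["items"]
            if PSA_ENFORCE_LABEL not in ns["metadata"].get("labels", {})]


def psa_labels(level="baseline", enforce=False):
    """Labels to apply to a namespace (e.g. via `kubectl label ns <name> k=v`).

    warn + audit only surface violations; add enforce once existing privileged
    pod configs have been reviewed."""
    labels = {"pod-security.kubernetes.io/warn": level, "pod-security.kubernetes.io/audit": level}
    if enforce:
        labels[PSA_ENFORCE_LABEL] = level
    return labels


# --- constructed inputs ------------------------------------------------------
_CLUSTER_ADMIN = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}
CLUSTER_ROLE_BINDINGS = {"items": [
    {"metadata": {"name": "ci-runner-admin"}, "roleRef": _CLUSTER_ADMIN,
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "build"}]},
    {"metadata": {"name": "platform-admins"}, "roleRef": _CLUSTER_ADMIN,  # human group: not in scope of the finding
     "subjects": [{"kind": "Group", "name": "platform-admins", "apiGroup": "rbac.authorization.k8s.io"}]},
    {"metadata": {"name": "metrics-view"},  # read-only ClusterRole: not flagged
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}]},
    {"metadata": {"name": "data-pipeline-admin"}, "roleRef": _CLUSTER_ADMIN,
     "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": "data"},
                  {"kind": "ServiceAccount", "name": "loader", "namespace": "data"}]},
]}
NAMESPACES = {"items": [
    {"metadata": {"name": "build", "labels": {}}},
    {"metadata": {"name": "data", "labels": {PSA_ENFORCE_LABEL: "restricted"}}},
    {"metadata": {"name": "monitoring"}},
]}

if __name__ == "__main__":
    for name, sas in find_risky_bindings(CLUSTER_ROLE_BINDINGS):
        print(f"{name}: cluster-admin -> {', '.join(sas)}")
    for ns in namespaces_without_psa(NAMESPACES):
        print(f"{ns}: apply {psa_labels()}")
```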
Audit exposure by platform — platforms with high finding counts or evidence gaps present the greatest audit risk.
Overall posture: 58/100 — projected to reach 71/100 after remediation.
Key risk drivers: Cross-Platform Attack Chains Bypass Individual Platform Controls; Service Accounts Accumulate Privilege Without Governance; Security Controls That Appear Active Are Not Functioning Correctly.
Auditor recommendation: Cross-platform privilege escalation paths, CyberArk dual-control gaps, long-lived GitHub CI credentials bypassing OIDC, and SailPoint approval bypasses are the dominant risk drivers — requiring coordinated IAM, Cloud, PAM, and IGA remediation.
Audit Readiness Report · Prepared by IdentityFirst Ltd · Prepared for Acme Corp · Ref IF-AUD-RUN-MRI- · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION