<- Command Center/Board ReportDemo | 2,000 users | MRI

BoardLive route · representative CISOLive route · representative AuditLive route · synthetic GRCLive route · synthetic IAMLive route · synthetic TechnicalLive route · preview TDRLive route · preview

Current route truth

Representative board output

The public route exists now and renders a representative MRI-style board pack; the underlying data is synthetic, not live customer evidence.

Executive SnapshotMRI GA executive demoSynthetic data | 2,000 users

Identities assessed

2,014

Platforms

Telemetry streams

Projected posture

Assessment scope

2,000-user company

Data source

Synthetic profile

Report contract

Representative MRI GA

Board framing: this public MRI demo uses the current MRI executive report structure with synthetic data and company-size profile changes.

Demo truth model

Persona switching, posture, blast radius, and remediation delta are anchored to real platform/runtime contracts.

4 engine-backed3 illustrated

Board ReportPrepared by IdentityFirst LtdPrepared for Acme CorpSample / Synthetic

Identity Risk Report

Executive posture, trend, financial consequence, and prioritised identity decisions for leadership review.

Prepared by: IdentityFirst Ltd
Prepared for: Acme Corp
Issue date: 13 March 2026
Classification: Confidential - Demonstration Use Only
Document reference: IF-BRD-RUN-MRI-
Version: 1.0
Assessment scope: 2,000-user company
Report run: RUN-MRI-
Product tier: MRI
Profile: 2,000 users

Section 1 - Executive Summary

Mixed provenance

This board view combines real product reporting patterns with curated executive demo framing. Posture and remediation structure are grounded in the platform model; financial interpretation and storyline emphasis remain representative unless a live tenant provides the supporting evidence.

Posture

Projected 71 after remediation

Platforms

Identities

2014

Telemetry streams

Raw findings

Key Risk Drivers

- Cross-Platform Attack Chains Bypass Individual Platform Controls
- Service Accounts Accumulate Privilege Without Governance
- Security Controls That Appear Active Are Not Functioning Correctly

CISO takeaway: Cross-platform privilege escalation paths, CyberArk dual-control gaps, long-lived GitHub CI credentials bypassing OIDC, and SailPoint approval bypasses are the dominant risk drivers — requiring coordinated IAM, Cloud, PAM, and IGA remediation.

Section 2 - Strategic Decision Framing

Why this matters now

The report has moved beyond descriptive posture. Current exposure is concentrated in identities and trust paths that can be actioned inside this quarter, and the operating question is whether to accept continued loss exposure or fund the roadmap that bends the next reporting cycle.

Risk trend

Worsening

Time to value

30 days

Decision impact

Budget + policy

Investment vs outcome

Estimated remediation investment: £48,840

Modelled loss avoidance multiple: 5.8x

Loss avoidance if funded now: £283,272

The commercial case is not just lower risk. It is a shorter path to measurable exposure reduction than the expected cost of delay.

Section 3 - How to Read This Report

Posture Score: 0-100 composite where higher is better. Red under 40, amber 40-70, green over 70.

Identity Paths: Correlated attack routes across platforms (for example Okta to Entra to AWS) that reveal blast radius beyond single-system findings.

Drift: Deviation from approved identity policy baseline over time.

Severity: High indicates urgent exploitability, Medium indicates meaningful control weakness, Low indicates hygiene debt.

Blue annotation bars and cards are product-tour cues that explain where each metric comes from.

Section 4 - Identity Risk Score

Posture Score

58/100

90-day trend

Projected after remediation

Risk Category Breakdown

Privilege accumulation95

Drift63

Workload hygiene50

Cross-platform correlation67

High

Medium

Low

Generation methodology blends privileged-access accumulation, cross-platform drift, workload identity hygiene, and correlated path depth from telemetry over the last 90 days.

Section 5 - Top Correlated Identity Paths

high

Okta Federation → Entra SAML Trust → AWS AdministratorAccess (Production)

Entry: acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)

Step 1
Credential phishing or OTP intercept; Okta MFA is push-based, not phishing-resistant; no FIDO2 enrolled for analyst cohort
Okta
Account phish
Step 2
Okta SAML assertion accepted; CA-FederatedSessions does not require step-up for Okta-sourced sessions; attacker obtains Entra access token
Entra ID
Federation token
Step 3
sts:AssumeRoleWithSAML to acme.role.cloud-admin (AdministratorAccess); 12-hour session; no condition keys on trust policy
AWS IAM
Role assumption

Blast Radius

183 identities potentially affected | max depth 4

Why It Matters

A single phishing attack against a non-privileged analyst yields full AWS production access and extends laterally to two additional AWS accounts through existing cross-account trust relationships.

Contributing Misconfigurations

- Okta: push-based MFA (not FIDO2) for analyst cohort is susceptible to MFA fatigue attacks
- Entra CA: CA-FederatedSessions lacks step-up requirement for Okta-sourced tokens
- AWS IAM: acme.role.cloud-admin trust policy has no aws:MultiFactorAuthPresent or sts:SourceIdentity condition
- AWS IAM: 12-hour session duration on SAML role exceeds recommended 1-hour maximum

high

GCP Service Account Key Exfiltration → BigQuery → Finance Data

Entry: acme.service.analytics-pipeline@acme-prod.iam.gserviceaccount.com (GCP, key unrotated 134 days)

Step 1
Static JSON key file exposed in CI/CD environment variable; key unrotated 134 days; no key-access alerting configured
GCP IAM
Key exfiltration
Step 2
acme.service.analytics-pipeline has roles/bigquery.dataEditor on acme-prod; includes acme-prod.finance_analytics and acme-prod.trading_positions datasets
GCP BigQuery
Dataset query
Step 3
BigQuery export to GCS: attacker exports acme-prod.finance_analytics to acme.bucket.analytics-staging, then exfiltrates via signed URL
GCP Storage
Export to attacker

Blast Radius

72 identities potentially affected | max depth 3

Why It Matters

A static GCP service account key in a CI/CD environment variable provides direct access to sensitive financial datasets, enabling bulk exfiltration of confidential trading data without triggering authentication alerts.

Contributing Misconfigurations

- GCP: Service account key unrotated 134 days; no automated rotation policy applied
- CI/CD: Key exposed as plaintext environment variable in acme-ci-pipeline project
- GCP IAM: acme.service.analytics-pipeline has overly broad dataEditor instead of dataset-specific bindings

medium

AD Service Account → Entra Connect Sync → Global Admin Delegation

Entry: acme.service.entra-sync (Active Directory, Entra Connect sync account)

Step 1
svc-entra-sync has Domain Admins membership (overconfigured during initial Entra Connect setup); password last changed 289 days ago
Active Directory
Account compromise
Step 2
Entra Connect sync account has AAD Connect Sync permissions; compromised account can write arbitrary attributes to Entra objects
Entra ID
Connect sync abuse
Step 3
By modifying adminCount and onPremisesSyncEnabled attributes, attacker can escalate acme.user.john.smith to Global Administrator via next sync cycle
Entra ID
Role escalation

Blast Radius

49 identities potentially affected | max depth 3

Why It Matters

The Entra Connect sync account is a critical attack path from on-premises Active Directory to the Entra ID cloud tenant; a domain compromise becomes a full cloud-tenant compromise within one sync cycle (typically 30 minutes).

Contributing Misconfigurations

- AD: svc-entra-sync has Domain Admins membership; only Directory Service access is required
- Entra Connect: Fine-grained attribute filtering not configured; all attributes synchronised including adminCount
- AD: Service account password age exceeds 90-day rotation policy by 199 days

Section 6 - Platform-by-Platform Findings (11 platforms)

High 16Medium 27Low 7

high6 Permanent Global Administrator Assignments Without PIM

Six independent paths to tenant-level control; each represents a persistent elevated attack surface.

Evidence: GET /directoryRoles/globalAdministrator/members — count:6; 0 eligible schedules in roleEligibilitySchedules; 2 accounts have not signed in for >30 days

Affected:

MITRE: T1078

mediumCA-FederatedSessions: No Step-Up for Okta Token

Okta session compromise propagates to Entra without additional authentication challenge.

Evidence: Policy CA-FederatedSessions: conditions.users.includeGroups:[acme.group.all-employees]; grantControls.builtInControls:[] (no MFA requirement) for Okta-sourced sessions

Affected:

MITRE: T1528

medium156 Users Without Phishing-Resistant MFA Registration

Large cohort vulnerable to SIM-swap and MFA-fatigue attacks.

Evidence: GET /reports/authenticationMethods/userRegistrationDetails — 156 users: registeredStrongAuthMethods excludes fido2, microsoftAuthenticator; sms or voice only

Affected:

MITRE: T1111

mediumService Principal Secret Expiry: 23 Secrets > 180 Days Old

Long-lived service principal secrets extend the window of undetected credential theft.

Evidence: GET /applications — 23 app registrations with passwordCredentials.endDateTime null or >180 days from creation; includes acme.service.payment-api and acme.service.data-bridge

Affected:

low34 Inactive Guest Accounts (>90 days)

Stale external access increasing identity surface; low exploitability but fails audit requirements.

Evidence: GET /users?$filter=userType eq Guest — 34 guests; signInActivity.lastSignInDateTime >90 days; 8 have SharePoint or Teams membership in production groups

Affected:

Section 7 - Cross-Platform Drift and Hygiene

Entra ID

AWS IAM

Okta

GCP IAM

Kubernetes

Active Directory

SaaS Apps

SailPoint

CyberArk

BeyondTrust

GitHub

Drift Patterns

Entra ID|14 days

Entra CA policy CA-FederatedSessions does not require MFA step-up for Okta-sourced SAML tokens; intended baseline (confirmed in security policy SL-22-04) requires re-authentication for all federated sessions. Drift introduced 74 days ago during Okta SSO migration.

Federated sessions from Okta bypass MFA enforcement in Entra, enabling session token reuse to pivot between platforms without additional authentication.

AWS IAM|25 days

AWS IAM password policy drifted from baseline (90-day rotation, uppercase required) to current state (MaxPasswordAge:0, RequireUppercaseCharacters:false) 91 days ago; 23 IAM console users affected. Change not recorded in any approved change request.

IAM console credentials remain valid indefinitely, creating a persistent risk of undetected credential theft and reuse.

Okta|36 days

GCP IAM bindings for acme.service.analytics-pipeline drifted from roles/bigquery.dataViewer (IaC baseline in acme-terraform) to roles/bigquery.dataEditor 67 days ago; Terraform state shows intended binding was dataViewer at dataset level, not project-level dataEditor.

IaC drift means the deployed permission state is more permissive than the approved design; the broadened permission enables data modification and export rather than read-only access.

GCP IAM|47 days

Okta inline hook 'acme-risk-evaluation-hook' was deployed 112 days ago but has never been validated via the Okta validation endpoint; the hook endpoint returns HTTP 200 unconditionally regardless of risk context.

A risk-evaluation hook that always returns allow is functionally equivalent to no risk evaluation; the authentication policy appears to apply risk controls but does not enforce them.

Kubernetes|58 days

Kubernetes ClusterRoleBindings in the analytics namespace were widened from RoleBindings (namespace-scoped) to ClusterRoleBindings 58 days ago; associated Jira ticket (OPS-4421) was closed without security review sign-off.

Widened RBAC scope means a compromise of any analytics service account now yields cluster-wide access rather than namespace-isolated access, significantly amplifying blast radius.

Workload identities

Stale identities >90d

Over-privileged

Long-lived tokens

Section 8 - Workload Identity Risks

Total workload IDs

Stale >90d

Over-privileged

Long-lived tokens

Cross-cloud trust drifts

Risk Distribution

High 9Medium 7Low 12

Section 9 - Remediation Roadmap

Immediate (0-7 days)

Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour.

Cloud | LOW | 6h

Revoke all 3 GCP service-account keys committed to acme-ci-pipeline repository; rotate immediately; migrate to Workload Identity Federation for CI/CD GCP access.

Cloud | MEDIUM | 20h

Disable the 2 Okta API tokens owned by deprovisioned users (acme.user.former.employee1, acme.user.former.employee2); audit all API tokens against active user list.

IAM | LOW | 6h

Remediate the 4 Kubernetes cluster-admin ClusterRoleBindings: scope to namespace-level RoleBindings with least-privilege roles; assign owners to each binding via annotation.

AppOps | MEDIUM | 20h

Enable CyberArk dual-control on the Production-Windows-Admin safe immediately; require secondary approval for all credential checkouts; remove shared VaultAdmin account — replace with individually named admin accounts.

PAM | MEDIUM | 20h

Revoke 4 GitHub PATs owned by deprovisioned users; configure GitHub Actions OIDC federation with AWS, Azure, and GCP to replace 47 long-lived credential secrets.

Cloud | MEDIUM | 20h

Near-term (30 days)

Enforce FIDO2 or Microsoft Authenticator for all 4 Okta super-admin accounts; update Okta authentication policy to require phishing-resistant factor for admin console sign-in.

IAM | MEDIUM | 20h

Rotate all 23 AWS IAM access keys older than 90 days; implement IAM Access Analyzer key-rotation alerts; set automated 90-day key expiry policy for new keys.

Cloud | MEDIUM | 20h

Apply GCP org policy constraint iam.disableServiceAccountKeyCreation to acme-org; migrate all 6 remaining SA key authentications to Workload Identity Federation.

Cloud | HIGH | 48h

Enable pod security admission for Baseline profile in all 5 unlabelled Kubernetes namespaces; audit any existing privileged pod configs before enforcement.

AppOps | MEDIUM | 20h

Enable automatic password rotation in CyberArk for all 34 currently unmanaged accounts; prioritise SQL SA and Windows local admin accounts; set maximum password age to 30 days.

PAM | MEDIUM | 20h

Segment BeyondTrust jump clients into separate groups by network zone (Production, Staging, Dev); require secondary approval for any production jump session initiated from a non-production operator.

PAM | MEDIUM | 20h

Strategic (90 days)

Implement Entra PIM for all 6 Global Administrator accounts; require justification, MFA, and manager approval for activation; set maximum activation window of 4 hours.

IAM | HIGH | 48h

Establish cross-platform IaC drift detection: run weekly Terraform plan diff and GCP policy comparison against approved baselines; alert on any deviation within 24 hours.

SecOps | HIGH | 48h

Implement Kubernetes secrets encryption at rest using AWS KMS (for EKS) or GCP KMS (for GKE); remove etcd plaintext secret storage across all cluster environments.

AppOps | HIGH | 48h

Run bi-annual workload identity access certification: inventory all 75 workload identities, validate scope against current least-privilege baseline, decommission 18 stale identities.

SecOps | MEDIUM | 20h

Mandate PSM for all Production-Windows-Admin and SQL-SA safe access; enforce RequirePSMOnAll on the 4 affected CyberArk platforms; validate session recording is capturing all sessions.

PAM | MEDIUM | 20h

Pin all GitHub Actions workflow steps to commit SHAs; implement a GitHub organisation actions allowlist restricted to verified publishers; enable Dependabot for action version updates.

AppOps | MEDIUM | 20h

Section 10 - Appendix: Raw Findings

ID	Severity	Platform	Title	Evidence
F-2K-001	high	Entra ID	6 permanent Global Admin assignments; 0 PIM eligible schedules.	GET /directoryRoles/globalAdministrator/members — count:6
F-2K-002	high	AWS IAM	SAML trust role acme.role.cloud-admin has AdministratorAccess and no condition keys.	Trust Condition:null; attachedPolicy:AdministratorAccess
F-2K-003	high	Okta	4 Okta super-admins authenticate from named network zone without FIDO2.	policy OKTA_SIGN_ON: grantControls for admin zone lacks FIDO2 requirement
F-2K-004	high	Google Cloud IAM	3 SA keys committed to CI/CD repo; all unrotated >90 days.	gitleaks scan: 3 SA key files in .env; oldest commit 47 days ago
F-2K-005	high	Kubernetes	4 cluster-admin ClusterRoleBindings to workload service accounts across 4 namespaces.	kubectl get clusterrolebindings — 4 results; subjects[].kind:ServiceAccount
F-2K-006	high	Active Directory	svc-entra-sync has Domain Admins membership; password age 289 days.	Get-ADGroupMember "Domain Admins" \| where sAMAccountName -eq svc-entra-sync; PasswordLastSet:2025-07-09
F-2K-007	high	Google Cloud IAM	acme.service.analytics-pipeline has project-level roles/bigquery.dataEditor (intended: dataset-level dataViewer).	gcloud projects get-iam-policy: roles/bigquery.dataEditor binding at project level
F-2K-008	high	AWS IAM	IRSA role acme.role.k8s-data-access has s3:* and dynamodb:* on Resource:* for 3 K8s service accounts.	Action:['s3:','dynamodb:'],Resource:'*'
F-2K-021	high	Active Directory	svc-entra-sync has Domain Admins membership with 289-day-old password; used by Entra Connect.	Get-ADGroupMember "Domain Admins" — svc-entra-sync; PasswordLastSet:2025-07-09; PasswordNeverExpires:True
F-2K-022	high	Active Directory	3 accounts with adminCount=1 outside protected groups; AdminSDHolder ACLs still propagated.	Get-ADUser -Filter {adminCount -eq 1} — 3 accounts; prior DA membership confirmed; no current protected group membership
F-2K-025	high	SaaS Applications	4 Slack workspace admins authenticate with email/password; Okta SSO not enforced for admin accounts.	Slack Audit API — 4 workspace owners with authMethod:email; Okta SSO not mandatory for admin tier
F-2K-026	high	SaaS Applications	9 Salesforce System Administrators; 3 federated via Okta without MFA step-up requirement.	Salesforce /services/data/vXX/query — SystemAdministrator count:9; 3 Okta-federated without step-up CA policy
F-2K-029	high	SailPoint	IT-Annual-Review-2025 campaign: 89 open items past SLA; 34 auto-approved without review.	SailPoint Campaign Manager: totalItems:412; open:89; autoApproved:34; avgReviewTime:7s
F-2K-030	high	SailPoint	SailPoint connector accounts have Domain Admin and cluster-admin rights on target systems.	AD: svc-sailpoint-connector in Domain Admins; K8s: clusterrolebinding sailpoint-admin → cluster-admin
F-2K-033	high	CyberArk	23 privileged accounts retrievable without dual-control approval; DualControl:false on Production-Windows-Admin safe.	CyberArk REST API /Accounts — 23 accounts; DualControl:false; RequireConfirmation:false
F-2K-034	high	CyberArk	Shared VaultAdmin account used by 3 administrators; 6 distinct source IPs in 30 days; no individual accountability.	CyberArk PVWA > User Management — VaultAdmin: lastLoginDate:2026-01-08; 6 source IPs; shared across 3 named admins
F-2K-037	high	BeyondTrust	BeyondTrust admin credential unchanged 380 days; shared across 3 named administrators.	BeyondTrust API /BeyondTrust/api/public/v3/Accounts — btadmin: lastPasswordChange:2025-01-19; 3 users; no expiry policy
F-2K-040	high	GitHub	47 deployment workflows use long-lived cloud credentials; OIDC not configured in any provider; oldest credential 312 days.	GitHub /orgs/acme-mid/actions/secrets — AWS, Azure, GCP credentials in 47 workflows; no OIDC federation
F-2K-041	high	GitHub	4 GitHub organisation owners use personal accounts exempt from enterprise SSO enforcement.	GitHub /orgs/acme-mid/members?role=owner — 4 owners; account_type:personal; SSO policy:Required but exempted
F-2K-009	medium	Entra ID	CA-FederatedSessions lacks MFA step-up for Okta-sourced tokens.	grantControls.builtInControls:[] for Okta-sourced sessions
F-2K-010	medium	Entra ID	156 users without phishing-resistant MFA registration.	GET /reports/authenticationMethods/userRegistrationDetails — 156 users; sms/voice only
F-2K-011	medium	AWS IAM	23 IAM access keys not rotated >90 days; 9 keys >180 days.	aws iam get-credential-report — 23 keys age >90d
F-2K-012	medium	AWS IAM	Cross-account trust from shared-services account lacks condition keys for 2 subsidiary accounts.	Trust: Condition:null for subsidiary account principals
F-2K-013	medium	Okta	6 inactive SAML apps active >180 days with no sign-ins in last 90 days.	Okta systemLog: 0 sign-in events in 90 days for 6 apps
F-2K-014	medium	Okta	Okta inline hook acme-risk-evaluation-hook returns HTTP 200 unconditionally; never validated.	lastValidated:null; manual test call returns {allow:true} regardless of payload
F-2K-015	medium	Google Cloud IAM	4 SA bindings at project level exceed intended IaC scope.	Terraform state vs deployed: 4 bindings elevated from dataset to project level
F-2K-016	medium	Google Cloud IAM	Org policy iam.disableServiceAccountKeyCreation not enforced at org level.	gcloud resource-manager org-policies describe — notSet:true
F-2K-017	medium	Kubernetes	Pod security admission not enforced in 5 namespaces.	kubectl get ns --show-labels — 5 namespaces missing pod-security label
F-2K-018	medium	Kubernetes	Kubernetes secrets not encrypted at rest; etcd uses default plaintext storage.	kubectl get apiserver -o yaml — encryption.config:not set
F-2K-023	medium	Active Directory	47 stale computer accounts inactive >90 days; 12 with active SPNs; 3 with constrained delegation.	Get-ADComputer -Filter {LastLogonDate -lt (Get-Date).AddDays(-90)} — count:47; SPNs:12; constrained delegation:3
F-2K-024	medium	Active Directory	Fine-grained password policy not applied to 86 service accounts; all under Default Domain Policy.	Get-ADFineGrainedPasswordPolicy — 0 PSO objects for service account OUs; DefaultDomainPolicy applies
F-2K-027	medium	SaaS Applications	23 Slack guests with sensitive channel access inactive >90 days; 6 from completed vendor engagements.	Slack Audit API — 23 guests; lastActive >90d; channels: #acme-finance, #acme-engineering, #acme-incident-response
F-2K-028	medium	SaaS Applications	Workday ISU integration credential not rotated in 18 months; used by SailPoint HR provisioning feed.	Workday ISU acme-sailpoint-isu: lastPasswordChange:2024-05-14; no rotation schedule configured
F-2K-031	medium	SailPoint	23 high-risk entitlement provisioning events bypassed approval workflow via emergency access mechanism.	SailPoint Audit Log — 23 events with bypassApproval:true; includes AD Domain Admins, AWS AdministratorAccess, Salesforce SystemAdmin
F-2K-035	medium	CyberArk	34 accounts with automatic password rotation disabled; oldest password 247 days old.	CyberArk REST API /Accounts?filter=autoManagement — 34 accounts; automationManagement:false
F-2K-036	medium	CyberArk	PSM not mandatory for 4 high-privilege safe groups; direct RDP/SSH without session recording available.	CyberArk PVWA > Safe Management — 4 safes: AllowManualAccess:true; no PSM platform requirement
F-2K-038	medium	BeyondTrust	347 jump clients not zone-segregated; production and dev systems in same jump group without additional approval gate.	BeyondTrust /BeyondTrust/api/public/v3/JumpGroups — group acme-all-systems: 347 jump clients; mixed zones
F-2K-039	medium	BeyondTrust	12 team passwords not certified in 12 months; 4 reference decommissioned systems.	BeyondTrust Password Safe > Team Passwords — 12 entries; lastCertified:null for 8; 4 referencing decommissioned systems
F-2K-042	medium	GitHub	GitHub Actions permissions allow all actions from any publisher; 63 distinct 3rd-party publishers across 89 workflows.	GitHub /orgs/acme-mid/actions/permissions — allowed_actions:all; no verified creator or approved list restriction
F-2K-043	medium	GitHub	34 deploy keys older than 180 days across 12 repos; 8 have write access; 4 for decommissioned integrations.	GitHub /repos API — 34 deploy keys; created_at >180d; 8 read_write:true; 4 referencing retired integrations
F-2K-019	low	AWS IAM	CloudTrail disabled in 2 subsidiary accounts.	aws cloudtrail describe-trails: status:Disabled in subsidiary-eu-west, subsidiary-ap-southeast
F-2K-020	low	Okta	23 admin role assignments not certified in last 180 days.	Okta /api/v1/users?filter=profile.isAdmin eq true — lastCertifiedDate absent
F-2K-032	low	SailPoint	SailPoint audit log retention: 30 days; compliance requirement is 12 months.	SailPoint IdentityNow > Admin > Audit: logRetentionDays:30; no SIEM forwarding configured

Board Report · Prepared by IdentityFirst Ltd · Prepared for Acme Corp · Ref IF-BRD-RUN-MRI- · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION

Next Step

Turn this executive output into a live customer report

Use this board view to frame the risk conversation, then move into a tailored walkthrough of your own identity estate.

<- Command Center/Board ReportDemo | 2,000 users | MRI

Current route truth

Representative board output

The public route exists now and renders a representative MRI-style board pack; the underlying data is synthetic, not live customer evidence.

Executive SnapshotMRI GA executive demoSynthetic data | 2,000 users

Identities assessed

2,014

Platforms

Telemetry streams

Projected posture

Assessment scope

2,000-user company

Data source

Synthetic profile

Report contract

Representative MRI GA

Board framing: this public MRI demo uses the current MRI executive report structure with synthetic data and company-size profile changes.

Demo truth model

Persona switching, posture, blast radius, and remediation delta are anchored to real platform/runtime contracts.

4 engine-backed3 illustrated

Board ReportPrepared by IdentityFirst LtdPrepared for Acme CorpSample / Synthetic

Identity Risk Report

Executive posture, trend, financial consequence, and prioritised identity decisions for leadership review.

Prepared by: IdentityFirst Ltd
Prepared for: Acme Corp
Issue date: 13 March 2026
Classification: Confidential - Demonstration Use Only
Document reference: IF-BRD-RUN-MRI-
Version: 1.0
Assessment scope: 2,000-user company
Report run: RUN-MRI-
Product tier: MRI
Profile: 2,000 users

Section 1 - Executive Summary

Mixed provenance

Posture

Projected 71 after remediation

Platforms

Identities

2014

Telemetry streams

Raw findings

Key Risk Drivers

- Cross-Platform Attack Chains Bypass Individual Platform Controls
- Service Accounts Accumulate Privilege Without Governance
- Security Controls That Appear Active Are Not Functioning Correctly

Section 2 - Strategic Decision Framing

Why this matters now

Risk trend

Worsening

Time to value

30 days

Decision impact

Budget + policy

Investment vs outcome

Estimated remediation investment: £48,840

Modelled loss avoidance multiple: 5.8x

Loss avoidance if funded now: £283,272

The commercial case is not just lower risk. It is a shorter path to measurable exposure reduction than the expected cost of delay.

Section 3 - How to Read This Report

Posture Score: 0-100 composite where higher is better. Red under 40, amber 40-70, green over 70.

Identity Paths: Correlated attack routes across platforms (for example Okta to Entra to AWS) that reveal blast radius beyond single-system findings.

Drift: Deviation from approved identity policy baseline over time.

Severity: High indicates urgent exploitability, Medium indicates meaningful control weakness, Low indicates hygiene debt.

Blue annotation bars and cards are product-tour cues that explain where each metric comes from.

Section 4 - Identity Risk Score

Posture Score

58/100

90-day trend

Projected after remediation

Risk Category Breakdown

Privilege accumulation95

Drift63

Workload hygiene50

Cross-platform correlation67

High

Medium

Low

Generation methodology blends privileged-access accumulation, cross-platform drift, workload identity hygiene, and correlated path depth from telemetry over the last 90 days.

Section 5 - Top Correlated Identity Paths

high

Okta Federation → Entra SAML Trust → AWS AdministratorAccess (Production)

Entry: acme.user.jane.doe (Okta, standard analyst, no phishing-resistant MFA)

Step 1
Credential phishing or OTP intercept; Okta MFA is push-based, not phishing-resistant; no FIDO2 enrolled for analyst cohort
Okta
Account phish
Step 2
Okta SAML assertion accepted; CA-FederatedSessions does not require step-up for Okta-sourced sessions; attacker obtains Entra access token
Entra ID
Federation token
Step 3
sts:AssumeRoleWithSAML to acme.role.cloud-admin (AdministratorAccess); 12-hour session; no condition keys on trust policy
AWS IAM
Role assumption

Blast Radius

183 identities potentially affected | max depth 4

Why It Matters

A single phishing attack against a non-privileged analyst yields full AWS production access and extends laterally to two additional AWS accounts through existing cross-account trust relationships.

Contributing Misconfigurations

- Okta: push-based MFA (not FIDO2) for analyst cohort is susceptible to MFA fatigue attacks
- Entra CA: CA-FederatedSessions lacks step-up requirement for Okta-sourced tokens
- AWS IAM: acme.role.cloud-admin trust policy has no aws:MultiFactorAuthPresent or sts:SourceIdentity condition
- AWS IAM: 12-hour session duration on SAML role exceeds recommended 1-hour maximum

high

GCP Service Account Key Exfiltration → BigQuery → Finance Data

Entry: acme.service.analytics-pipeline@acme-prod.iam.gserviceaccount.com (GCP, key unrotated 134 days)

Step 1
Static JSON key file exposed in CI/CD environment variable; key unrotated 134 days; no key-access alerting configured
GCP IAM
Key exfiltration
Step 2
acme.service.analytics-pipeline has roles/bigquery.dataEditor on acme-prod; includes acme-prod.finance_analytics and acme-prod.trading_positions datasets
GCP BigQuery
Dataset query
Step 3
BigQuery export to GCS: attacker exports acme-prod.finance_analytics to acme.bucket.analytics-staging, then exfiltrates via signed URL
GCP Storage
Export to attacker

Blast Radius

72 identities potentially affected | max depth 3

Why It Matters

Contributing Misconfigurations

- GCP: Service account key unrotated 134 days; no automated rotation policy applied
- CI/CD: Key exposed as plaintext environment variable in acme-ci-pipeline project
- GCP IAM: acme.service.analytics-pipeline has overly broad dataEditor instead of dataset-specific bindings

medium

AD Service Account → Entra Connect Sync → Global Admin Delegation

Entry: acme.service.entra-sync (Active Directory, Entra Connect sync account)

Step 1
svc-entra-sync has Domain Admins membership (overconfigured during initial Entra Connect setup); password last changed 289 days ago
Active Directory
Account compromise
Step 2
Entra Connect sync account has AAD Connect Sync permissions; compromised account can write arbitrary attributes to Entra objects
Entra ID
Connect sync abuse
Step 3
By modifying adminCount and onPremisesSyncEnabled attributes, attacker can escalate acme.user.john.smith to Global Administrator via next sync cycle
Entra ID
Role escalation

Blast Radius

49 identities potentially affected | max depth 3

Why It Matters

Contributing Misconfigurations

- AD: svc-entra-sync has Domain Admins membership; only Directory Service access is required
- Entra Connect: Fine-grained attribute filtering not configured; all attributes synchronised including adminCount
- AD: Service account password age exceeds 90-day rotation policy by 199 days

Section 6 - Platform-by-Platform Findings (11 platforms)

High 16Medium 27Low 7

high6 Permanent Global Administrator Assignments Without PIM

Six independent paths to tenant-level control; each represents a persistent elevated attack surface.

Evidence: GET /directoryRoles/globalAdministrator/members — count:6; 0 eligible schedules in roleEligibilitySchedules; 2 accounts have not signed in for >30 days

Affected:

MITRE: T1078

mediumCA-FederatedSessions: No Step-Up for Okta Token

Okta session compromise propagates to Entra without additional authentication challenge.

Evidence: Policy CA-FederatedSessions: conditions.users.includeGroups:[acme.group.all-employees]; grantControls.builtInControls:[] (no MFA requirement) for Okta-sourced sessions

Affected:

MITRE: T1528

medium156 Users Without Phishing-Resistant MFA Registration

Large cohort vulnerable to SIM-swap and MFA-fatigue attacks.

Evidence: GET /reports/authenticationMethods/userRegistrationDetails — 156 users: registeredStrongAuthMethods excludes fido2, microsoftAuthenticator; sms or voice only

Affected:

MITRE: T1111

mediumService Principal Secret Expiry: 23 Secrets > 180 Days Old

Long-lived service principal secrets extend the window of undetected credential theft.

Evidence: GET /applications — 23 app registrations with passwordCredentials.endDateTime null or >180 days from creation; includes acme.service.payment-api and acme.service.data-bridge

Affected:

low34 Inactive Guest Accounts (>90 days)

Stale external access increasing identity surface; low exploitability but fails audit requirements.

Evidence: GET /users?$filter=userType eq Guest — 34 guests; signInActivity.lastSignInDateTime >90 days; 8 have SharePoint or Teams membership in production groups

Affected:

Section 7 - Cross-Platform Drift and Hygiene

Entra ID

AWS IAM

Okta

GCP IAM

Kubernetes

Active Directory

SaaS Apps

SailPoint

CyberArk

BeyondTrust

GitHub

Drift Patterns

Entra ID|14 days

Federated sessions from Okta bypass MFA enforcement in Entra, enabling session token reuse to pivot between platforms without additional authentication.

AWS IAM|25 days

IAM console credentials remain valid indefinitely, creating a persistent risk of undetected credential theft and reuse.

Okta|36 days

IaC drift means the deployed permission state is more permissive than the approved design; the broadened permission enables data modification and export rather than read-only access.

GCP IAM|47 days

A risk-evaluation hook that always returns allow is functionally equivalent to no risk evaluation; the authentication policy appears to apply risk controls but does not enforce them.

Kubernetes|58 days

Widened RBAC scope means a compromise of any analytics service account now yields cluster-wide access rather than namespace-isolated access, significantly amplifying blast radius.

Workload identities

Stale identities >90d

Over-privileged

Long-lived tokens

Section 8 - Workload Identity Risks

Total workload IDs

Stale >90d

Over-privileged

Long-lived tokens

Cross-cloud trust drifts

Risk Distribution

High 9Medium 7Low 12

Section 9 - Remediation Roadmap

Immediate (0-7 days)

Add aws:MultiFactorAuthPresent and aws:RequestedRegion condition keys to acme.role.cloud-admin SAML trust policy; restrict session duration to 1 hour.

Cloud | LOW | 6h

Revoke all 3 GCP service-account keys committed to acme-ci-pipeline repository; rotate immediately; migrate to Workload Identity Federation for CI/CD GCP access.

Cloud | MEDIUM | 20h

Disable the 2 Okta API tokens owned by deprovisioned users (acme.user.former.employee1, acme.user.former.employee2); audit all API tokens against active user list.

IAM | LOW | 6h

Remediate the 4 Kubernetes cluster-admin ClusterRoleBindings: scope to namespace-level RoleBindings with least-privilege roles; assign owners to each binding via annotation.

AppOps | MEDIUM | 20h

PAM | MEDIUM | 20h

Revoke 4 GitHub PATs owned by deprovisioned users; configure GitHub Actions OIDC federation with AWS, Azure, and GCP to replace 47 long-lived credential secrets.

Cloud | MEDIUM | 20h

Near-term (30 days)

Enforce FIDO2 or Microsoft Authenticator for all 4 Okta super-admin accounts; update Okta authentication policy to require phishing-resistant factor for admin console sign-in.

IAM | MEDIUM | 20h

Rotate all 23 AWS IAM access keys older than 90 days; implement IAM Access Analyzer key-rotation alerts; set automated 90-day key expiry policy for new keys.

Cloud | MEDIUM | 20h

Apply GCP org policy constraint iam.disableServiceAccountKeyCreation to acme-org; migrate all 6 remaining SA key authentications to Workload Identity Federation.

Cloud | HIGH | 48h

Enable pod security admission for Baseline profile in all 5 unlabelled Kubernetes namespaces; audit any existing privileged pod configs before enforcement.

AppOps | MEDIUM | 20h

Enable automatic password rotation in CyberArk for all 34 currently unmanaged accounts; prioritise SQL SA and Windows local admin accounts; set maximum password age to 30 days.

PAM | MEDIUM | 20h

Segment BeyondTrust jump clients into separate groups by network zone (Production, Staging, Dev); require secondary approval for any production jump session initiated from a non-production operator.

PAM | MEDIUM | 20h

Strategic (90 days)

Implement Entra PIM for all 6 Global Administrator accounts; require justification, MFA, and manager approval for activation; set maximum activation window of 4 hours.

IAM | HIGH | 48h

Establish cross-platform IaC drift detection: run weekly Terraform plan diff and GCP policy comparison against approved baselines; alert on any deviation within 24 hours.

SecOps | HIGH | 48h

Implement Kubernetes secrets encryption at rest using AWS KMS (for EKS) or GCP KMS (for GKE); remove etcd plaintext secret storage across all cluster environments.

AppOps | HIGH | 48h

Run bi-annual workload identity access certification: inventory all 75 workload identities, validate scope against current least-privilege baseline, decommission 18 stale identities.

SecOps | MEDIUM | 20h

Mandate PSM for all Production-Windows-Admin and SQL-SA safe access; enforce RequirePSMOnAll on the 4 affected CyberArk platforms; validate session recording is capturing all sessions.

PAM | MEDIUM | 20h

Pin all GitHub Actions workflow steps to commit SHAs; implement a GitHub organisation actions allowlist restricted to verified publishers; enable Dependabot for action version updates.

AppOps | MEDIUM | 20h

Section 10 - Appendix: Raw Findings

ID	Severity	Platform	Title	Evidence
F-2K-001	high	Entra ID	6 permanent Global Admin assignments; 0 PIM eligible schedules.	GET /directoryRoles/globalAdministrator/members — count:6
F-2K-002	high	AWS IAM	SAML trust role acme.role.cloud-admin has AdministratorAccess and no condition keys.	Trust Condition:null; attachedPolicy:AdministratorAccess
F-2K-003	high	Okta	4 Okta super-admins authenticate from named network zone without FIDO2.	policy OKTA_SIGN_ON: grantControls for admin zone lacks FIDO2 requirement
F-2K-004	high	Google Cloud IAM	3 SA keys committed to CI/CD repo; all unrotated >90 days.	gitleaks scan: 3 SA key files in .env; oldest commit 47 days ago
F-2K-005	high	Kubernetes	4 cluster-admin ClusterRoleBindings to workload service accounts across 4 namespaces.	kubectl get clusterrolebindings — 4 results; subjects[].kind:ServiceAccount
F-2K-006	high	Active Directory	svc-entra-sync has Domain Admins membership; password age 289 days.	Get-ADGroupMember "Domain Admins" \| where sAMAccountName -eq svc-entra-sync; PasswordLastSet:2025-07-09
F-2K-007	high	Google Cloud IAM	acme.service.analytics-pipeline has project-level roles/bigquery.dataEditor (intended: dataset-level dataViewer).	gcloud projects get-iam-policy: roles/bigquery.dataEditor binding at project level
F-2K-008	high	AWS IAM	IRSA role acme.role.k8s-data-access has s3:* and dynamodb:* on Resource:* for 3 K8s service accounts.	Action:['s3:','dynamodb:'],Resource:'*'
F-2K-021	high	Active Directory	svc-entra-sync has Domain Admins membership with 289-day-old password; used by Entra Connect.	Get-ADGroupMember "Domain Admins" — svc-entra-sync; PasswordLastSet:2025-07-09; PasswordNeverExpires:True
F-2K-022	high	Active Directory	3 accounts with adminCount=1 outside protected groups; AdminSDHolder ACLs still propagated.	Get-ADUser -Filter {adminCount -eq 1} — 3 accounts; prior DA membership confirmed; no current protected group membership
F-2K-025	high	SaaS Applications	4 Slack workspace admins authenticate with email/password; Okta SSO not enforced for admin accounts.	Slack Audit API — 4 workspace owners with authMethod:email; Okta SSO not mandatory for admin tier
F-2K-026	high	SaaS Applications	9 Salesforce System Administrators; 3 federated via Okta without MFA step-up requirement.	Salesforce /services/data/vXX/query — SystemAdministrator count:9; 3 Okta-federated without step-up CA policy
F-2K-029	high	SailPoint	IT-Annual-Review-2025 campaign: 89 open items past SLA; 34 auto-approved without review.	SailPoint Campaign Manager: totalItems:412; open:89; autoApproved:34; avgReviewTime:7s
F-2K-030	high	SailPoint	SailPoint connector accounts have Domain Admin and cluster-admin rights on target systems.	AD: svc-sailpoint-connector in Domain Admins; K8s: clusterrolebinding sailpoint-admin → cluster-admin
F-2K-033	high	CyberArk	23 privileged accounts retrievable without dual-control approval; DualControl:false on Production-Windows-Admin safe.	CyberArk REST API /Accounts — 23 accounts; DualControl:false; RequireConfirmation:false
F-2K-034	high	CyberArk	Shared VaultAdmin account used by 3 administrators; 6 distinct source IPs in 30 days; no individual accountability.	CyberArk PVWA > User Management — VaultAdmin: lastLoginDate:2026-01-08; 6 source IPs; shared across 3 named admins
F-2K-037	high	BeyondTrust	BeyondTrust admin credential unchanged 380 days; shared across 3 named administrators.	BeyondTrust API /BeyondTrust/api/public/v3/Accounts — btadmin: lastPasswordChange:2025-01-19; 3 users; no expiry policy
F-2K-040	high	GitHub	47 deployment workflows use long-lived cloud credentials; OIDC not configured in any provider; oldest credential 312 days.	GitHub /orgs/acme-mid/actions/secrets — AWS, Azure, GCP credentials in 47 workflows; no OIDC federation
F-2K-041	high	GitHub	4 GitHub organisation owners use personal accounts exempt from enterprise SSO enforcement.	GitHub /orgs/acme-mid/members?role=owner — 4 owners; account_type:personal; SSO policy:Required but exempted
F-2K-009	medium	Entra ID	CA-FederatedSessions lacks MFA step-up for Okta-sourced tokens.	grantControls.builtInControls:[] for Okta-sourced sessions
F-2K-010	medium	Entra ID	156 users without phishing-resistant MFA registration.	GET /reports/authenticationMethods/userRegistrationDetails — 156 users; sms/voice only
F-2K-011	medium	AWS IAM	23 IAM access keys not rotated >90 days; 9 keys >180 days.	aws iam get-credential-report — 23 keys age >90d
F-2K-012	medium	AWS IAM	Cross-account trust from shared-services account lacks condition keys for 2 subsidiary accounts.	Trust: Condition:null for subsidiary account principals
F-2K-013	medium	Okta	6 inactive SAML apps active >180 days with no sign-ins in last 90 days.	Okta systemLog: 0 sign-in events in 90 days for 6 apps
F-2K-014	medium	Okta	Okta inline hook acme-risk-evaluation-hook returns HTTP 200 unconditionally; never validated.	lastValidated:null; manual test call returns {allow:true} regardless of payload
F-2K-015	medium	Google Cloud IAM	4 SA bindings at project level exceed intended IaC scope.	Terraform state vs deployed: 4 bindings elevated from dataset to project level
F-2K-016	medium	Google Cloud IAM	Org policy iam.disableServiceAccountKeyCreation not enforced at org level.	gcloud resource-manager org-policies describe — notSet:true
F-2K-017	medium	Kubernetes	Pod security admission not enforced in 5 namespaces.	kubectl get ns --show-labels — 5 namespaces missing pod-security label
F-2K-018	medium	Kubernetes	Kubernetes secrets not encrypted at rest; etcd uses default plaintext storage.	kubectl get apiserver -o yaml — encryption.config:not set
F-2K-023	medium	Active Directory	47 stale computer accounts inactive >90 days; 12 with active SPNs; 3 with constrained delegation.	Get-ADComputer -Filter {LastLogonDate -lt (Get-Date).AddDays(-90)} — count:47; SPNs:12; constrained delegation:3
F-2K-024	medium	Active Directory	Fine-grained password policy not applied to 86 service accounts; all under Default Domain Policy.	Get-ADFineGrainedPasswordPolicy — 0 PSO objects for service account OUs; DefaultDomainPolicy applies
F-2K-027	medium	SaaS Applications	23 Slack guests with sensitive channel access inactive >90 days; 6 from completed vendor engagements.	Slack Audit API — 23 guests; lastActive >90d; channels: #acme-finance, #acme-engineering, #acme-incident-response
F-2K-028	medium	SaaS Applications	Workday ISU integration credential not rotated in 18 months; used by SailPoint HR provisioning feed.	Workday ISU acme-sailpoint-isu: lastPasswordChange:2024-05-14; no rotation schedule configured
F-2K-031	medium	SailPoint	23 high-risk entitlement provisioning events bypassed approval workflow via emergency access mechanism.	SailPoint Audit Log — 23 events with bypassApproval:true; includes AD Domain Admins, AWS AdministratorAccess, Salesforce SystemAdmin
F-2K-035	medium	CyberArk	34 accounts with automatic password rotation disabled; oldest password 247 days old.	CyberArk REST API /Accounts?filter=autoManagement — 34 accounts; automationManagement:false
F-2K-036	medium	CyberArk	PSM not mandatory for 4 high-privilege safe groups; direct RDP/SSH without session recording available.	CyberArk PVWA > Safe Management — 4 safes: AllowManualAccess:true; no PSM platform requirement
F-2K-038	medium	BeyondTrust	347 jump clients not zone-segregated; production and dev systems in same jump group without additional approval gate.	BeyondTrust /BeyondTrust/api/public/v3/JumpGroups — group acme-all-systems: 347 jump clients; mixed zones
F-2K-039	medium	BeyondTrust	12 team passwords not certified in 12 months; 4 reference decommissioned systems.	BeyondTrust Password Safe > Team Passwords — 12 entries; lastCertified:null for 8; 4 referencing decommissioned systems
F-2K-042	medium	GitHub	GitHub Actions permissions allow all actions from any publisher; 63 distinct 3rd-party publishers across 89 workflows.	GitHub /orgs/acme-mid/actions/permissions — allowed_actions:all; no verified creator or approved list restriction
F-2K-043	medium	GitHub	34 deploy keys older than 180 days across 12 repos; 8 have write access; 4 for decommissioned integrations.	GitHub /repos API — 34 deploy keys; created_at >180d; 8 read_write:true; 4 referencing retired integrations
F-2K-019	low	AWS IAM	CloudTrail disabled in 2 subsidiary accounts.	aws cloudtrail describe-trails: status:Disabled in subsidiary-eu-west, subsidiary-ap-southeast
F-2K-020	low	Okta	23 admin role assignments not certified in last 180 days.	Okta /api/v1/users?filter=profile.isAdmin eq true — lastCertifiedDate absent
F-2K-032	low	SailPoint	SailPoint audit log retention: 30 days; compliance requirement is 12 months.	SailPoint IdentityNow > Admin > Audit: logRetentionDays:30; no SIEM forwarding configured

Board Report · Prepared by IdentityFirst Ltd · Prepared for Acme Corp · Ref IF-BRD-RUN-MRI- · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION

Next Step

Turn this executive output into a live customer report

Use this board view to frame the risk conversation, then move into a tailored walkthrough of your own identity estate.