Curated demo content by default.
The /demo route group is a public demonstration surface. Its stories, report packs, and portal views are intentionally curated unless a live tenant is explicitly selected.
Current route truth
Synthetic compliance output
The public route exists now and demonstrates compliance reporting patterns; it is a synthetic public demo rather than a GA-authenticated workflow.
Strongest first view
Open Board
Start here when you need the strongest first commercial story: risk, consequence, funding decision, and executive ownership.
This GRC report is a synthetic public demo surface. It illustrates representative compliance and governance output rather than promising a GA-authenticated workflow, substrate-backed verification state, or fixed production contract.
Demo truth model
Persona switching, posture, blast radius, and remediation delta are anchored to real platform/runtime contracts.
Governance, audit readiness, risk-weighted control priorities, and time-to-compliance guidance.
Report credibility
Every field is shown explicitly. Items not yet provided are labelled (Roadmap, Unavailable, Not applicable, Missing) rather than hidden.
Demo seed — period derived from synthetic profile, not live tenant telemetry
Reference IF-GRC-RUN-MRI-
No prior version to diff — the public demo regenerates deterministically per request.
Named report owner is captured in webapp tenant scope settings — surfaced once a tenant is provisioned.
Approver sign-off block lands with the Audit / PBC workspace milestone.
Substantia signed-evidence chain is exercised in the authenticated webapp, not in the public demo route.
Audit readiness is currently 62/100 across 6 mapped frameworks. The main drag is not just open control count; it is evidence consistency, which puts likely time to compliance at around 104 days unless priorities are reordered.
Audit Readiness Score
62/100
Time to Compliance
104 days
Framework | Coverage | Status
ISO 27001:2022 | 59% | Gap Identified
SOC 2 | 61% | Partial
NIST CSF 2.0 | 58% | Gap Identified
DORA | 61% | Partial
Cyber Essentials | 51% | Gap Identified
GDPR | 54% | Gap Identified
Privileged Access Management - persistent admin privileges without review
Identity & Access Governance - lack of centralised identity inventory
Valid Accounts: Domain Accounts - compromised domain credentials
Social Networks: Friend/Follow - fake social media accounts for phishing
Planning Phase: Reconnaissance - gathering target information for fraud
AI Model Inversion - extracting training data from models
Emulation Plan: Credential Stuffing - simulating password reuse attacks
Multi-Factor Authentication - inadequate MFA implementation for identity protection
5G Network Reconnaissance - probing for SIM swap vulnerabilities
Threat Intelligence - incomplete threat-informed defense cycle
Action: Malware - identity compromise via malicious software
Broken Access Control - API vulnerabilities in identity endpoints
Active Defense - insufficient threat hunting for identity anomalies
Buffer Overflow - potential in identity parsing code
Cross-Site Scripting - vulnerability in identity web interfaces
Spoofing - weak authentication allowing identity impersonation
Risk Analysis - unprioritized identity threats
Authenticator Assurance Level 2 - insufficient for identity verification
Adversary Actions in DeFi - wallet compromise risks
Threat Intelligence - lack of UK-centric identity guidance
Federation Security - vulnerable SAML assertions
Token Security - insecure OAuth flows
Evidence completeness: 70%
Available
Missing
Enforced
Reference | Finding | Audit impact
A.9.2.3 | Privileged Access Management - persistent admin privileges without review | Board-visible control weakness with direct evidence friction.
I&A.4 | Identity & Access Governance - lack of centralised identity inventory | Slows audit closure because the control cannot be defended consistently.
T1078.002 | Valid Accounts: Domain Accounts - compromised domain credentials | Creates repeat assurance drag and raises exception handling cost.
T0010.001 | Social Networks: Friend/Follow - fake social media accounts for phishing | Creates repeat assurance drag and raises exception handling cost.
Recommendation | Framework
Implement automated access reviews | ISO 27001
Enforce identity ownership policies | NIS2
Deploy centralised identity governance tooling | SOC 2
Prevent credential dumping (T1003) | MITRE ATT&CK
Mitigate privilege escalation (T1068) | MITRE ATT&CK
Detect social engineering campaigns (T0010) | DISARM
Monitor fraud lifecycle phases (P1-P4) | FIST
Secure AI models against inversion attacks | MITRE ATLAS
Conduct adversary emulation exercises | MITRE ENGAGE
Strengthen MFA across identity systems | MITRE D3FEND
Secure 5G networks against SIM swapping | MITRE FiGHT
Implement threat-informed defense cycle | MITRE INFORM
Categorize incidents using VERIS schema | VERIS
Conduct threat modeling on identity APIs | OWASP
Deploy active defense for threat hunting | MITRE Shield
Analyze attack patterns in identity systems | CAPEC
Fix common weaknesses in identity code | CWE
Address spoofing risks in identity authentication | STRIDE
Prioritize risks using PASTA methodology | PASTA
Implement NIST SP 800-63 identity assurance levels | NIST SP 800-63
Protect crypto identities from adversary actions | MITRE AADAPT
Apply NCSC threat intelligence to identity | NCSC
Secure SAML/OAuth federation protocols | SAML/OAuth
Enhance OpenID Connect token security | OpenID Connect
GRC Report · Prepared by IdentityFirst Ltd · Prepared for Acme Corp · Ref IF-GRC-RUN-MRI- · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION