This control plane turns synthetic access certification exports into one review surface: privileged-role renewals, sponsor-backed guest reviews, service-account ownership, evidence continuity, and attestation packet completeness before renewal confidence is asserted.

| Lane | Owner | Status | Focus | Next action |
|---|---|---|---|---|
| Privileged access lane: Privileged roles are still carrying one unresolved review exception. | Identity Governance | red | Break-glass roles, privileged apps, and emergency elevation reviews | Close the break-glass attestation gap before renewing the admin campaign packet. |
| Guest access lane: External access remains over-entitled until sponsor evidence is complete. | IAM Operations | red | Vendor guests, sponsor ownership, and third-party entitlement proof | Finish sponsor decisions for the remaining vendor guest assignments. |
| Service account lane: The service-account lane is recoverable once owner evidence is repaired. | Platform Security | yellow | Legacy service principals, accountable owners, and non-human access review | Attach the missing accountable owner record and reroute the legacy principal for decision. |
| Packet signoff lane: The campaign packet is not yet safe for final renewal. | Security Governance | red | Attestation completeness, reviewer closure, and renewal confidence | Close the missing reviewer and security signoff notes before packet renewal. |