This control plane turns synthetic access certification exports into one review surface: privileged-role renewals, sponsor-backed guest reviews, service-account ownership, evidence continuity, and attestation packet completeness before renewal confidence is asserted.
| Risk | Owner | Subject | Observed state |
|---|---|---|---|
| high PrivilegedAccess | Identity Governance | Break-glass role certification | One emergency role still lacks current reviewer attestation after the latest cycle. |
| high GuestAccess | IAM Operations | Vendor guest assignment set | Three vendor guest accounts still retain privileged app access without completed sponsor review. |
| high ServiceAccount | Platform Security | Legacy service account owner | A legacy service principal remains active without a current accountable owner in the campaign packet. |
| medium Evidence | Security Governance | Attestation evidence chain | Two completed decisions are missing the linked ticket thread that explains continued access. |
| medium ReviewCadence | Identity Governance | Quarterly reviewer cadence | Reviewer backlog is slipping beyond the expected window for one privileged app set. |
| high Signoff | Security Governance | Campaign attestation packet | The current packet is missing one reviewer closure and one security note. |