CC6.1 · D1 · detection_only
evidence/access-control-policy.md — NovaTech Solutions access control policy

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | gap | high | No defined SLA for access revocation upon termination. Policy says 'timely manner' instead of specifying a concrete timeframe (e.g., same business day, within 24 hours). Auditors require a measurable,... |
| F-002 | gap | high | MFA is not required for production system access. Policy mandates MFA for VPN, cloud console, and email from non-corporate devices, but Section 4.2 does not include production servers or databases — t... |
| F-003 | gap | medium | No mention of access review completion evidence or artifacts. Section 5.2 says reviews are 'documented and retained' but does not specify what format, where they are stored, or how long they are retai... |
| F-004 | gap | medium | Role change access revocation depends on the previous manager notifying IT, with no systemic control or verification. If the manager forgets, stale access persists indefinitely. No periodic reconcilia... |

| Model | Provider | Score | Recall | Precision | F1 | Gaps detected | Findings reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 100% | 100% | 36% | 53% | 4/4 | 11 |
| Opus 4.7 | Anthropic | 100% | 100% | 36% | 53% | 4/4 | 11 |
| GPT-5.5 | OpenAI | 100% | 100% | 20% | 33% | 4/4 | 20 |
| GPT-4.1 | OpenAI | 75% | 75% | 30% | 43% | 3/4 | 10 |
| Haiku 4.5 | Anthropic | 100% | 100% | 33% | 50% | 4/4 | 12 |
| GPT-4o | OpenAI | 50% | 50% | 40% | 44% | 2/4 | 5 |