CC6.1 · D3 · detection_and_precision
Evidence files:

- evidence/access-control-policy.md — Meridian Cloud Systems access control policy
- evidence/aws-iam-credential-report.csv — AWS IAM credential report showing all users, keys, and MFA status
- evidence/access-review-log-q4-2025.csv — Quarterly access review completion log for Q4 2025
- evidence/terminations-q4-2025.csv — Employee termination records with offboarding dates
- evidence/okta-mfa-policies.json — Okta MFA enrollment and sign-on policy configuration
- evidence/service-account-inventory.csv — Service account inventory with ownership and review dates

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | gap | critical | Stale unowned service account with active credentials (jenkins-legacy): The 'jenkins-legacy' IAM user has an active access key (last rotated July 2023, over 2 years ago) but was last used in August 2024. The service account inventory shows it is 'Unassigned' with no owner... |
| F-002 | gap | high | Key rotation violation on legacy-monitoring service account: The 'legacy-monitoring' IAM user has an access key last rotated on March 10, 2024 — over 9 months ago. Policy Section 4.3 requires automatic rotation every 90 days via AWS Secrets Manager. The key is ... |
| F-003 | gap | high | Direct IAM console user violates SSO-only policy (david.kim): The IAM user 'david.kim' has console password enabled and MFA active, but policy Section 3.3 explicitly states 'Direct IAM user accounts in AWS are prohibited for human users' — all human access must ... |
| F-004 | gap | high | Termination SLA breach — Tom Bradley Okta disabled 7 days late: Tom Bradley (EMP-2341) was terminated on December 20 but HR notification was not sent until December 23 (3-day delay) and Okta was not disabled until December 27 (7 days after termination). Policy Sec... |
| F-005 | gap | medium | Termination SLA breach — Priya Sharma Okta disabled 3 days late: Priya Sharma (EMP-2287) terminated November 22 but HR notification was delayed to November 24 (2 days) and Okta was not disabled until November 25 (3 days after termination). While less severe than To... |
| F-006 | gap | high | Okta default sign-on policy does not require MFA: The Okta sign-on policy has a Default Policy (priority 3) with 'requireFactor': false. Any application not explicitly listed in the 'Production Systems' or 'Corporate Apps' policies will fall through ... |
| F-007 | gap | medium | Okta access review completed late with unresolved flagged users: The Okta (IdP) access review (AR-2025-Q4-008) was initiated December 1 but not completed until January 8, 2026 — 23 business days, exceeding the 15-business-day SLA in policy Section 5.1. Additionally... |
| F-008 | gap | medium | backup-s3-sync has two active access keys with stale rotation: The 'backup-s3-sync' IAM user has two active access keys. Access key 2 was last rotated on January 15, 2024 — nearly 2 years ago — yet both keys were used on the same day (Dec 28, 2025). Having two ac... |
| F-009 | gap | high | Direct IAM users excluded from quarterly access review scope: The quarterly access review covers 'AWS Console (SSO)' but the IAM credential report shows direct IAM users (david.kim, service accounts) that exist outside of SSO. The access review scope does not in... |
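Findings F-001, F-002, F-003 and F-008 are all mechanically detectable from the IAM credential report plus the service-account inventory. The script below is an added example, not part of this page's evidence set or the benchmark harness: it parses a credential report in AWS's real column layout, applies the 90-day rotation limit from policy Section 4.3, and flags direct console users, keys with overdue rotation, users with two active keys, long-unused keys, and active keys with no inventory owner. The sample rows, the owner map, the 180-day "unused" threshold and the `AS_OF` audit date are constructed for the example and are not values from the page.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the AWS IAM credential report format. The header row is the
# real column set; the data rows are made up to mirror the findings above.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
jenkins-legacy,arn:aws:iam::111122223333:user/jenkins-legacy,2022-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-07-01T09:00:00+00:00,2024-08-15T11:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-monitoring,arn:aws:iam::111122223333:user/legacy-monitoring,2023-03-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-03-10T09:00:00+00:00,2025-12-30T08:00:00+00:00,us-east-1,cloudwatch,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
david.kim,arn:aws:iam::111122223333:user/david.kim,2024-05-20T09:00:00+00:00,true,2025-12-29T10:00:00+00:00,2025-11-01T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
backup-s3-sync,arn:aws:iam::111122223333:user/backup-s3-sync,2023-06-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-11-20T09:00:00+00:00,2025-12-28T02:00:00+00:00,us-east-1,s3,true,2024-01-15T09:00:00+00:00,2025-12-28T02:00:00+00:00,us-east-1,s3,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2025-01-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-11-01T09:00:00+00:00,2025-12-30T12:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed owner map standing in for the service-account inventory CSV.
SAMPLE_OWNERS = {
    "jenkins-legacy": "Unassigned",
    "legacy-monitoring": "platform-team",
    "backup-s3-sync": "data-eng",
    "ci-deploy": "platform-team",
}

ROTATION_MAX_DAYS = 90   # policy Section 4.3 as quoted in F-002
UNUSED_MAX_DAYS = 180    # assumed threshold for "stale"; the page states none
AS_OF = datetime(2025, 12, 31, tzinfo=timezone.utc)  # constructed audit date


def _ts(value):
    """Parse a credential-report timestamp; AWS uses N/A and similar markers for 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, owners, as_of=AS_OF):
    """Return (user, rule) pairs for every control failure found in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root gets its own controls; not in scope here

        # F-003: a console password means a human IAM user outside SSO.
        if row["password_enabled"] == "true":
            findings.append((user, "DIRECT_CONSOLE_USER"))
            if row["mfa_active"] != "true":
                findings.append((user, "CONSOLE_NO_MFA"))

        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        # F-008: two live keys defeats the rotate-then-revoke pattern.
        if len(active) == 2:
            findings.append((user, "TWO_ACTIVE_KEYS"))

        for n in active:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            # F-002: key older than the 90-day rotation limit.
            if rotated and (as_of - rotated).days > ROTATION_MAX_DAYS:
                findings.append((user, f"KEY_{n}_ROTATION_OVERDUE"))
            # F-001: key not used for a long time (never-used keys count from rotation).
            last_used = _ts(row[f"access_key_{n}_last_used_date"]) or rotated
            if last_used and (as_of - last_used).days > UNUSED_MAX_DAYS:
                findings.append((user, f"KEY_{n}_UNUSED"))

        # F-001: live credentials with nobody accountable for them.
        if active and owners.get(user, "Unassigned") == "Unassigned":
            findings.append((user, "NO_OWNER"))
    return findings


if __name__ == "__main__":
    for user, rule in audit_credential_report(SAMPLE_REPORT, SAMPLE_OWNERS):
        print(f"{user:20} {rule}")
```

Run against a real report (`aws iam generate-credential-report` then `aws iam get-credential-report`), the same function works unchanged; only the owner map needs to be loaded from the inventory file. Note that the "unused" rule alone does not establish F-001's severity: it is the combination of an active key, no recent use and no owner that makes the account critical, which is why the ownership lookup is a separate rule rather than a filter.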

| Model | Provider | Score | Recall | Precision | F1 | Gaps found | Findings reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 100% | 100% | 82% | 90% | 9/9 | 11 |
| Opus 4.7 | Anthropic | 88% | 100% | 53% | 69% | 9/9 | 17 |
| GPT-5.5 | OpenAI | 79% | 100% | 47% | 64% | 9/9 | 19 |
| GPT-4.1 | OpenAI | 89% | 89% | 100% | 94% | 8/9 | 8 |
| Haiku 4.5 | Anthropic | 100% | 100% | 64% | 78% | 9/9 | 14 |
| GPT-4o | OpenAI | 78% | 78% | 88% | 82% | 7/9 | 8 |