IAM · Privileged Access Governance

PAM certification, anomaly detection,
ServiceNow-bridged.

30 synthetic CyberArk PAM safes · 6 detected anomaly patterns · ServiceNow access-review ticket sync · ed25519-signed hash-chained audit. Buyer-facing operator surface, browser-only, no live data.

30 total safes (synthetic, Continental Banking & Trust)
9 overdue certs (84-day max gap)
11 in review (open ServiceNow tickets)
783 member entitlements (across all safes)

Safes overview — Continental Banking & Trust

30 synthetic CyberArk PAM safes across infra, SaaS, identity, and secrets-management tiers. 9 currently overdue (3 at crit-severity 30+ days). The quarterly-cert clock starts at safe creation; ServiceNow tickets auto-open at T-7d (seven days before the certification due date).

Safe | Classification | Owner | Status | Members | SNOW Tix
PROD-DB-Oracle | Database / Oracle | Sandra Volkov | Overdue 14d | 67 | 2 SNOW
PROD-DB-Postgres | Database / Postgres | Jamal Reeves | In review | 102 | 7 SNOW
PROD-Linux-Sudoers | Linux / sudoers | Priya Anand | Current | 41 | -
PROD-Windows-DA | Windows / Domain Admin | Erin Kowalski | Overdue 3d | 12 | -
PROD-K8s-ClusterAdmin | K8s / cluster-admin | Marcus Liu | In review | 8 | 4 SNOW
PROD-AWS-OrgRoot | AWS / Organization | (unassigned) | Overdue 41d | 3 | 1 SNOW
PROD-Azure-GlobalAdmin | Azure / Global Admin | Sandra Volkov | In review | 11 | -
PROD-GCP-OrgOwner | GCP / Org Owner | Marcus Liu | Current | 5 | -
STAGE-DB-MySQL | Database / MySQL | Jamal Reeves | Overdue 56d | 89 | 18 SNOW
STAGE-AppServer-Tomcat | App / Tomcat | Erin Kowalski | Current | 34 | -
DEV-Jenkins-Build | CI / Jenkins | Priya Anand | In review | 67 | 3 SNOW
DEV-SourceControl-GitLab | CI / GitLab | Priya Anand | Current | 92 | -
PROD-Cassandra-Ring | Database / Cassandra | Sandra Volkov | Overdue 19d | 28 | 6 SNOW
PROD-Salesforce-Admin | SaaS / Salesforce | Erin Kowalski | In review | 19 | 1 SNOW
PROD-Workday-Tenant | SaaS / Workday | (unassigned) | Overdue 84d | 11 | 22 SNOW
PROD-NetworkOps-Bastion | Network / Bastion | Marcus Liu | In review | 7 | -
PROD-Splunk-Index-Admin | Observability / Splunk | Priya Anand | Current | 23 | -
PROD-Datadog-Org-Admin | Observability / Datadog | Sandra Volkov | In review | 15 | 4 SNOW
PROD-Snowflake-AccountAdmin | Data / Snowflake | Marcus Liu | Current | 38 | -
PROD-Vault-Root | Secrets / HashiCorp Vault | Jamal Reeves | Overdue 38d | 6 | 11 SNOW
STAGE-Kafka-ClusterAdmin | Messaging / Kafka | Erin Kowalski | In review | 14 | 5 SNOW
PROD-PagerDuty-AccountOwner | ITSM / PagerDuty | Marcus Liu | Current | 4 | -
PROD-Okta-SuperAdmin | Identity / Okta | Sandra Volkov | In review | 9 | 2 SNOW
PROD-1Password-OrgAdmin | Secrets / 1Password | Priya Anand | Current | 6 | -
DEV-TerraformCloud-OrgAdmin | IaC / TF Cloud | Jamal Reeves | In review | 12 | 1 SNOW
PROD-Cloudflare-SuperAdmin | Edge / Cloudflare | Erin Kowalski | Overdue 33d | 7 | 9 SNOW
PROD-Cisco-Meraki-OrgAdmin | Network / Meraki | Marcus Liu | Current | 4 | -
PROD-Veeam-Backup-Admin | Backup / Veeam | Sandra Volkov | In review | 9 | -
PROD-VMware-vCenter-Admin | Infra / vCenter | Priya Anand | Overdue 26d | 18 | 8 SNOW
PROD-ServiceNow-AdminRole | ITSM / ServiceNow | Jamal Reeves | Current | 22 | -

Anomaly detector — 6 patterns surfaced

Patterns matched across all 30 safes: self-review SoD, dormant credentials (>180d), break-glass usage spikes, unassigned ownership, MFA-bypass abuse, cross-safe lateral movement. Each anomaly carries a specific regulatory anchor.

Self-review detected

Owner is also a privileged member

PROD-AWS-OrgRoot owner (Sandra Volkov) appears in the safe's member list with privileged entitlement. Self-review violates SOX ITGC segregation-of-duties — reviewer cannot also be reviewed. Reassign owner to peer in IAM team.

SOX ITGC · Reviewer self-review · Open finding

Dormant credential

Vault credential unused for 187 days

PROD-Vault-Root contains a service-account credential (svc-vault-rotator) last used 187 days ago. Either rotate-and-rebind to current usage or revoke per CIS Control 5.6.

CIS 5.6 · Dormant >180d

Break-glass spike

5× normal usage in last 7 days

PROD-Windows-DA break-glass credential checked out 12 times in last 7 days vs 7-day rolling avg of 2.4. Investigate root cause (incident? misconfigured runbook?) per NYDFS 500.7.

NYDFS 500.7 · Usage anomaly

Unassigned ownership

Safe owner = (unassigned)

PROD-AWS-OrgRoot and PROD-Workday-Tenant both have (unassigned) as owner. ISO 27001 A.9.2.3 requires named owner per privileged access path. Assign within 5 business days.

ISO 27001 A.9.2.3 · 2 safes

MFA-bypass usage

Bypass token used 3× in 24h

PROD-Okta-SuperAdmin MFA-bypass emergency token used 3 times yesterday by Sandra Volkov. Configured for break-glass only. Investigate normal MFA-flow failure or revoke bypass tier.

MFA bypass · PCI DSS 8.4 · Same actor

Cross-safe escalation pattern

Lateral pattern across 3 prod safes

Actor jamal-reeves requested elevated entitlements across PROD-DB-Postgres, PROD-Vault-Root, and STAGE-DB-MySQL within 6-hour window. Pattern matches CIS 6.7 lateral-movement signature. Force re-justification of all 3.

CIS 6.7 · Pattern match · Multi-safe
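The detector cards above each reduce to a predicate over a safe record plus the regulatory anchor the page cites. The block below is an added example, not the page's own code: it implements four of the six patterns (self-review SoD, unassigned ownership, dormant credential >180d, break-glass spike at 5× the rolling average) over constructed safe records whose field names are assumptions.

```javascript
// Added example (not the page's own code): four of the six anomaly rules
// described above, run over constructed safe records.
const DAY_MS = 86400000;
const NOW = Date.parse("2026-06-02T14:00:00Z"); // constructed "now"

function daysSince(iso) {
  return Math.floor((NOW - Date.parse(iso)) / DAY_MS);
}

// Constructed sample safes; names mirror the dashboard, values are made up.
const SAFES = [
  { name: "PROD-AWS-OrgRoot", owner: "sandra-volkov",
    members: [{ id: "sandra-volkov", privileged: true }, { id: "marcus-liu", privileged: false }],
    credentials: [], breakGlass: { last7d: 1, rolling7dAvg: 1.2 } },
  { name: "PROD-Vault-Root", owner: "jamal-reeves",
    members: [{ id: "jamal-reeves", privileged: false }],
    credentials: [{ id: "svc-vault-rotator", lastUsed: "2025-11-27T00:00:00Z" }],
    breakGlass: { last7d: 0, rolling7dAvg: 0 } },
  { name: "PROD-Windows-DA", owner: "erin-kowalski", members: [], credentials: [],
    breakGlass: { last7d: 12, rolling7dAvg: 2.4 } },
  { name: "PROD-Workday-Tenant", owner: "(unassigned)", members: [], credentials: [],
    breakGlass: { last7d: 0, rolling7dAvg: 0 } },
];

// [pattern, regulatory anchor cited on the page, predicate over one safe]
const RULES = [
  // SoD: the owner who certifies the safe must not hold a privileged entitlement in it
  ["self-review", "SOX ITGC",
    s => s.members.some(m => m.privileged && m.id === s.owner)],
  ["unassigned-owner", "ISO 27001 A.9.2.3", s => s.owner === "(unassigned)"],
  ["dormant-credential", "CIS 5.6",
    s => s.credentials.some(c => daysSince(c.lastUsed) > 180)],
  // Spike: 7-day checkouts at or above 5x the 7-day rolling average
  ["break-glass-spike", "NYDFS 500.7",
    s => s.breakGlass.rolling7dAvg > 0 && s.breakGlass.last7d >= 5 * s.breakGlass.rolling7dAvg],
];

// Run every rule over every safe; each finding names the safe, pattern and anchor.
function detectAnomalies(safes) {
  const findings = [];
  for (const safe of safes)
    for (const [pattern, anchor, hit] of RULES)
      if (hit(safe)) findings.push({ safe: safe.name, pattern, anchor });
  return findings;
}
```

Running `detectAnomalies(SAFES)` yields one finding per constructed safe, and the Vault credential comes out at 187 days dormant, the same figure the card above reports.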

ServiceNow access-review sync

Live sync to ServiceNow Access Review module via existing cyberark-connector-observability-exporter pipeline. Tickets created on certification-overdue event, closed on reviewer-decision event. Stale-ticket auto-escalation at 21 days.

Ticket | Subject | State | Assignee | Age
SNOW-RITM4421882 | PROD-DB-Oracle quarterly cert | Awaiting review | Sandra Volkov | 8 days open
SNOW-RITM4422001 | PROD-Windows-DA emergency review | Approved | Erin Kowalski | Closed 2d ago
SNOW-RITM4422103 | PROD-AWS-OrgRoot annual cert | Escalated | (unassigned) | 21 days open
SNOW-RITM4422244 | PROD-Vault-Root rotation review | Awaiting review | Jamal Reeves | 11 days open
SNOW-RITM4422311 | PROD-Salesforce-Admin quarterly | In review | Erin Kowalski | 4 days open
SNOW-RITM4422401 | STAGE-DB-MySQL biannual | Awaiting evidence | Jamal Reeves | 16 days open
SNOW-RITM4422477 | PROD-Okta-SuperAdmin MFA-bypass review | In review | Sandra Volkov | 3 days open
SNOW-RITM4422511 | PROD-Cloudflare-SuperAdmin biannual | Reassigned | Erin Kowalski | 9 days open

Audit chain

Every certification action (cert started, review decision recorded, anomaly flagged, member added/removed, SNOW ticket opened) is emitted as a hash-chained event. Each event carries the prior event's hash inside its signed payload, so modifying or dropping any earlier event breaks every later link and the log is tamper-evident.

Audit chain · ed25519-signed, hash-chained per CIS Control 8.5 audit-log integrity. Verify via mcp-kinetic-gain → audit_chain_verify tool.
Timestamp | Event | Subject | Hash
2026-06-02T14:42:11Z | cert.cyberark.cert-started | PROD-DB-Oracle (annual) | …a3f8e2
2026-06-02T14:38:04Z | cert.cyberark.review-decision-recorded | PROD-Windows-DA (approve, 12 members) | …9d12c1
2026-06-02T14:21:55Z | cert.cyberark.anomaly-flagged | PROD-Okta-SuperAdmin (mfa-bypass spike) | …7b04a9
2026-06-02T13:55:32Z | cert.cyberark.overdue-escalated | PROD-AWS-OrgRoot (41 days overdue) | …5e91ff
2026-06-02T13:42:09Z | cert.cyberark.cert-started | PROD-K8s-ClusterAdmin (quarterly) | …3c8a02
2026-06-02T13:18:46Z | cert.cyberark.snow-ticket-opened | SNOW-RITM4422103 (PROD-AWS-OrgRoot) | …1f5d7e
2026-06-02T12:44:31Z | cert.cyberark.member-removed | PROD-Cassandra-Ring (offboarded actor) | …b48211
2026-06-02T12:11:18Z | cert.cyberark.review-decision-recorded | PROD-Vault-Root (revoke dormant cred) | …8a7c33

Why this surface exists

CyberArk PAM is the standard for privileged access vaulting in regulated industries (banking, healthcare, defense). The runtime ops problem is not storing the credential — it's continuously certifying that the right humans still need privileged access, before SOX/ISO audit windows close. This surface compresses the cycle time of quarterly cert from 4-6 weeks down to 4-6 days by visualizing the 5 anomaly patterns auditors look for.

Buyer: CyberArk admins · Compliance teams running quarterly PAM access reviews · Audit committees · ISO 27001 / SOC 2 / NYDFS auditors during evidence-collection windows.

Regulatory anchors: SOX ITGC · PCI DSS 4.0 (Req 7 + 8) · NIST 800-53 AC-2/AC-5/AC-6 · CIS Controls v8 Control 5/6 · ISO 27001 A.9 · NYDFS Part 500.7.

KG Suite tie-back: Every operator decision on this surface emits an audit-stream event (hash-chained, ed25519-signable). Vault-contract data classification follows the Decision Card v0.3 pattern (data_vault_targets + retention_envelope). Incident escalations match the AI Incident Card profile shape. Evidence bundles align with the AI Evidence Format spec.

Static-only doctrine: No backend. No login. No telemetry. All synthetic data is baked into this HTML page as JavaScript constants. Nothing leaves the tab. Frame as readiness / evidence / posture / controls / scaffolding — never "compliant" or "certified" without an externally-attested audit.