
[REVIEW] access-review: add guest sponsor expiry and shared-account attribution evidence gates #1521

@wowsofine

Description


Skill Being Reviewed

Skill name: access-review
Skill path: skills/identity/access-review/

False Positive Analysis

Benign entitlement record that should stay low risk:

identity_type: external_guest
identity: vendor-analyst@example.net
system: salesforce-prod
access_package: q2-vendor-readonly-review
sponsor: alice.manager@example.com
sponsor_status: active
contract_end_date: 2026-09-30
access_package_expiry: 2026-06-30
last_successful_sign_in: 2026-06-01T10:15:00Z
entitlements:
  - salesforce_readonly_reporting
certification:
  campaign: 2026-Q2-external-access-review
  decision: approve
  certifier: app-owner@example.com
  evidence_id: IGA-2026-Q2-4412
audit:
  source: Entra ID Governance access review + app audit log
  recent_activity_reviewed: true

Why this is a false positive:
The current skill mentions guest/external accounts and quarterly review cadence, but it does not ask for sponsor state, contract end date, access-package expiry, or recent activity evidence. A reviewer may only see "external guest" and mark it as risky, even when the access is sponsor-owned, time-bounded, and certified in the current campaign.

Coverage Gaps

Missed variant 1: Guest access outlives sponsor, contract, or access package.

identity_type: external_guest
identity: contractor@example.net
sponsor: former.manager@example.com
sponsor_status: terminated
contract_end_date: 2025-12-31
access_package_expiry: 2026-01-31
current_date: 2026-06-07
entitlements:
  - prod_billing_export_reader
review_scope:
  included_in_quarterly_campaign: true
review_decision: approve

Why it should be caught:
The account is technically inside the quarterly campaign, so AR-SCOPE-06 may look satisfied, but the sponsor is no longer valid and the business relationship has expired. The skill should require evidence that external access has an active sponsor, active contract/business owner, package expiry, and recent revalidation trigger.

Missed variant 2: Shared account has an owner but no individual-use attribution.

account: shared-prod-admin
account_type: shared_privileged_account
owner: platform-team@example.com
review_decision: approve
pam_checkout_required: false
session_recording: missing
per_user_attribution_in_logs: missing
last_used_by: unknown
systems:
  - production_database
  - production_kubernetes

Why it should be caught:
AR-ORPH-04 flags shared accounts with no accountable individual, but a team owner alone does not prove individual attribution. For shared or emergency accounts, the review needs evidence of per-use checkout, session recording, command/audit attribution, and post-use review.

Edge Cases

  • External guests nested through IdP groups or access packages where the campaign reviews the group owner but not the guest sponsor.
  • Sponsored guests whose sponsor transferred teams or left the company while the app entitlement remained active.
  • Break-glass or shared operational accounts that have a named owner but lack PAM checkout, session recording, or individual log correlation.
  • External accounts with no recent interactive sign-in but active API token / delegated app access still present.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add a dedicated evidence gate for external guest and shared-account attribution instead of treating inclusion in the access review campaign as sufficient.

Recommended additions:

  1. Add findings such as AR-EXT-01 through AR-EXT-06 for missing sponsor, inactive sponsor, expired contract/package, missing guest last-activity evidence, nested external group blind spots, and stale delegated app/API access.
  2. Add AR-SHARED-01 through AR-SHARED-04 for shared accounts that have a team owner but lack per-user checkout, session recording, command/audit attribution, or post-use review.
  3. Add output fields for sponsor_status, business_expiry, access_package_expiry, last_activity_source, individual_attribution_evidence, and next_external_revalidation_date.
  4. Include one vulnerable fixture for an expired guest sponsor and one benign fixture for a sponsor-owned, time-bounded external access package.
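The two missed variants and the recommended additions above describe the same evidence gate from two sides: campaign inclusion or an "approve" decision is never enough, the record must carry proof of sponsor state, expiry, activity and per-use attribution. The following is an added example of that gate, written for this review and not code from the access-review skill itself. The finding IDs AR-EXT-01..04 and AR-SHARED-01..04 are the ones proposed in this issue, but the mapping of each ID to one condition, the 90-day inactivity threshold, the `post_use_review` field and the "earliest expiry" revalidation rule are assumptions of the example; the fixtures are transcribed from the records above.

```python
from datetime import date

# Finding IDs are the ones this review proposes; the mapping of each ID to a
# single condition follows the order the review lists them and is an assumption.
EXT_FINDINGS = {
    "AR-EXT-01": "external guest has no sponsor recorded",
    "AR-EXT-02": "external guest sponsor is not active",
    "AR-EXT-03": "contract end date or access-package expiry is missing or past",
    "AR-EXT-04": "no recent guest activity evidence",
}
SHARED_FINDINGS = {
    "AR-SHARED-01": "shared account usable without per-use PAM checkout",
    "AR-SHARED-02": "shared-account sessions are not recorded",
    "AR-SHARED-03": "no per-user attribution in command/audit logs",
    "AR-SHARED-04": "no post-use review of shared-account sessions",
}
INACTIVITY_DAYS = 90  # assumed threshold; the review does not fix a number


def _as_date(value):
    """Parse an ISO date or timestamp prefix; None when the field is absent."""
    if value in (None, "", "missing", "unknown"):
        return None
    return date.fromisoformat(str(value)[:10])


def _present(value):
    """Evidence counts only when explicitly present, not 'missing'/'unknown'/False."""
    return value not in (None, "", "missing", "unknown", False)


def review_external_guest(rec, today):
    """Evidence gate for external_guest records: returns (finding_ids, assessment).

    review_decision and campaign inclusion are deliberately ignored; the gate is
    about proof that access is sponsor-owned, time-bounded and recently used.
    """
    findings = []
    if not _present(rec.get("sponsor")):
        findings.append("AR-EXT-01")
    elif rec.get("sponsor_status") != "active":
        findings.append("AR-EXT-02")
    contract_end = _as_date(rec.get("contract_end_date"))
    package_expiry = _as_date(rec.get("access_package_expiry"))
    if any(d is None or d < today for d in (contract_end, package_expiry)):
        findings.append("AR-EXT-03")
    last_seen = _as_date(rec.get("last_successful_sign_in"))
    if last_seen is None or (today - last_seen).days > INACTIVITY_DAYS:
        findings.append("AR-EXT-04")
    expiries = [d for d in (contract_end, package_expiry) if d is not None]
    assessment = {  # output fields the review asks the skill to emit
        "sponsor_status": rec.get("sponsor_status", "missing"),
        "business_expiry": contract_end.isoformat() if contract_end else "missing",
        "access_package_expiry": package_expiry.isoformat() if package_expiry else "missing",
        "last_activity_source": rec.get("audit", {}).get("source", "missing"),
        # Assumption: revalidation is due at the earliest remaining expiry.
        "next_external_revalidation_date": min(expiries).isoformat() if expiries else "missing",
        "risk": "low" if not findings else "high",
    }
    return findings, assessment


def review_shared_account(rec):
    """Evidence gate for shared/privileged accounts: a team owner alone is not enough."""
    checks = [  # (finding id, evidence name, evidence present?)
        ("AR-SHARED-01", "pam_checkout", rec.get("pam_checkout_required") is True),
        ("AR-SHARED-02", "session_recording", _present(rec.get("session_recording"))),
        ("AR-SHARED-03", "log_attribution", _present(rec.get("per_user_attribution_in_logs"))),
        ("AR-SHARED-04", "post_use_review", _present(rec.get("post_use_review"))),  # hypothetical field
    ]
    findings = [fid for fid, _, ok in checks if not ok]
    assessment = {
        "owner": rec.get("owner", "missing"),
        "individual_attribution_evidence": [name for _, name, ok in checks if ok],
        "last_used_by": rec.get("last_used_by", "unknown"),
        "risk": "low" if not findings else "high",
    }
    return findings, assessment


# Constructed fixtures, transcribed from the three records in this review.
BENIGN_GUEST = {
    "identity_type": "external_guest", "identity": "vendor-analyst@example.net",
    "sponsor": "alice.manager@example.com", "sponsor_status": "active",
    "contract_end_date": "2026-09-30", "access_package_expiry": "2026-06-30",
    "last_successful_sign_in": "2026-06-01T10:15:00Z",
    "audit": {"source": "Entra ID Governance access review + app audit log"},
}
EXPIRED_GUEST = {
    "identity_type": "external_guest", "identity": "contractor@example.net",
    "sponsor": "former.manager@example.com", "sponsor_status": "terminated",
    "contract_end_date": "2025-12-31", "access_package_expiry": "2026-01-31",
    "review_decision": "approve",
}
SHARED_ADMIN = {
    "account": "shared-prod-admin", "owner": "platform-team@example.com",
    "pam_checkout_required": False, "session_recording": "missing",
    "per_user_attribution_in_logs": "missing", "last_used_by": "unknown",
}
TODAY = date(2026, 6, 7)  # current_date from the first missed variant

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_GUEST), ("expired", EXPIRED_GUEST)):
        print(name, *review_external_guest(rec, TODAY))
    print("shared", *review_shared_account(SHARED_ADMIN))
```

Run as a script, the benign fixture produces no findings and a `next_external_revalidation_date` of 2026-06-30, the expired-sponsor fixture produces AR-EXT-02/03/04 despite its `review_decision: approve`, and the shared account produces all four AR-SHARED findings with an empty attribution evidence list.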

Comparison to Other Tools

| Tool | Catches this? | Notes |
| --- | --- | --- |
| Semgrep | No | This is identity-governance evidence, not source-code pattern matching. |
| CodeQL | No | CodeQL does not evaluate IGA campaign sponsor state or shared-account attribution. |
| Entra ID Governance / Access Reviews | Partial | Can review guests and access packages, but the skill should require sponsor and package-expiry evidence in the assessment output. |
| Okta IGA / SailPoint | Partial | Can model certifiers and owners, but per-use shared-account attribution still requires PAM/log evidence. |

Overall Assessment

Strengths:
The skill has strong coverage for review scope, orphaned accounts, role explosion, SoD, revocation enforcement, and audit evidence retention.

Needs improvement:
Guest/external accounts and shared accounts are mentioned, but the current checks do not distinguish review inclusion from proof that the access is still sponsor-owned, time-bounded, and individually attributable.

Priority recommendations:

  1. Add external guest sponsor and access-package expiry evidence gates.
  2. Add shared-account individual-use attribution gates.
  3. Require output fields that show sponsor status, expiry, recent activity, and per-use attribution evidence.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: I can provide payment details privately after maintainer acceptance.
