This control plane turns Entra guest-access snapshots into one identity-governance surface: invitation sprawl, missing access reviews, stale sponsors, inactive guests, cross-tenant trust gaps, and the remediation packets needed before external collaboration drifts.
| Risk | Owner | Control family | Subject | Message |
|---|---|---|---|---|
| high invitation-sprawl-risk | Identity Governance | Invitations | /tenants/kg-prod/groups/external-collab/readers | Invitation sprawl is active on "/tenants/kg-prod/groups/external-collab/readers" and should be contained before new B2B access is approved. |
| high missing-access-review | Platform Operations | Reviews | /tenants/kg-prod/reviews/finance-supplier-guests-q2 | Access review coverage is degraded on "/tenants/kg-prod/reviews/finance-supplier-guests-q2" and stale guest access should be revalidated before the next cycle closes. |
| high cross-tenant-policy-gap | Security Operations | CrossTenant | /tenants/kg-prod/cross-tenant/partner-research | Cross-tenant trust posture is degraded on "/tenants/kg-prod/cross-tenant/partner-research" and partner collaboration boundaries should be tightened. |
| high inactive-guest-risk | Platform Operations | Inactivity | /tenants/kg-prod/guests/former-contractor-8 | Inactive guest cleanup is delayed on "/tenants/kg-prod/guests/former-contractor-8" and stale external identities should be removed before the next review. |
| high telemetry-gap | Identity Governance | Telemetry | /tenants/kg-prod/audit/guest-signin-exports | Guest governance telemetry is incomplete on "/tenants/kg-prod/audit/guest-signin-exports", weakening review evidence and attestation continuity. |
| medium stale-guest-export | Identity Governance | — | /tenants/kg-prod/groups/finance-supplier-guests | Guest-access snapshot for "Finance supplier guest access snapshot" is stale and should be regenerated before certifying B2B posture. |
| medium sponsor-ownership-gap | Identity Governance | Sponsors | /tenants/kg-prod/guests/vendor-analyst-17 | Sponsor ownership is incomplete on "/tenants/kg-prod/guests/vendor-analyst-17", weakening guest accountability and renewal decisions. |
| low stale-gap-window | Identity Governance | Reviews | /tenants/kg-prod/reviews/finance-supplier-guests-q2 | Gap on "/tenants/kg-prod/reviews/finance-supplier-guests-q2" has remained unresolved for 28 hours. |
| low stale-gap-window | Identity Governance | Sponsors | /tenants/kg-prod/guests/vendor-analyst-17 | Gap on "/tenants/kg-prod/guests/vendor-analyst-17" has remained unresolved for 31 hours. |
| low stale-gap-window | Identity Governance | Inactivity | /tenants/kg-prod/guests/former-contractor-8 | Gap on "/tenants/kg-prod/guests/former-contractor-8" has remained unresolved for 43 hours. |
| low stale-gap-window | Identity Governance | Telemetry | /tenants/kg-prod/audit/guest-signin-exports | Gap on "/tenants/kg-prod/audit/guest-signin-exports" has remained unresolved for 36 hours. |