IAM Ideas 2026-05-18

🩸 IIQ Privileged Entitlement Spread Report

A weekly operational report that quantifies how privileged access is spreading through the identity population — net new privileged grants, fastest-spreading entitlements, identities accumulating risk, and the share of grants that took unsanctioned paths.

| Type | Theme | Date |
| --- | --- | --- |
| Report | Detect (primary, NIST CSF) + Protect (secondary, NIST CSF) | 2026-05-18 |

The IIQ problem this addresses

Privileged access is the slow-leak failure mode in a mature IdentityIQ deployment. The OOB Privileged Access Cert campaign catches it once a quarter; in between, four things happen and none of them are visible in the native reports:

  1. Mass grants land quietly. A new role rollout, an emergency change, a project go-live, or a workflow misfire grants the same privileged entitlement to many identities in a single week. IIQ records every grant in spt_audit_event, but the operator dashboard does not surface week-over-week growth per entitlement.
  2. Identities accumulate beyond their role definition. Detection rules and birthright rules add entitlements outside the assigned business role. The native Identity Risk Score moves, but slowly; the "which week did this person become high-risk?" moment is never surfaced.
  3. Privileged grants arrive without a request workflow. Some land via Aggregation Discovery (the connector saw it first), some via direct admin action on the target system, some via a Workflow that bypassed the standard LCM Request flow. Each path has a different audit weight, and IIQ does not break them out.
  4. Roles drift. A business role's privileged entitlement set expands one quarter at a time. The role still looks healthy in the role catalogue — until you compare its current entitlement bag to a snapshot from 30 days ago.

By the time the next Privileged Access Cert runs, the population has already shifted. This report makes that shift visible every Monday morning.

What this report does

The IIQ Privileged Entitlement Spread Report is a Markdown artifact generated by a scheduled query that runs every Monday at 06:00 against the IIQ schema (and against an offline sample-data.json for this prototype). Each run produces:

  1. Executive summary — net privileged grant count, distinct identities affected, week-over-week change, identities crossing into the "high privileged-access density" cohort, and an exec-friendly Spread Score out of 100.
  2. Four-week trend — net new privileged grants, removals, and net change. Designed to be glanced at, not read.
  3. Top 10 fastest-spreading privileged entitlements — ranked by week-over-week identity-count growth, with the absolute and percentage delta, the entitlement's risk score, and whether it lives inside a managed role.
  4. Top 10 identities by privileged grants this week — with grant count, source path breakdown (Request / Role / Aggregation / Direct), and an inline link back to the IIQ identity drawer (placeholder URLs in the public version).
  5. Unsanctioned-path breakdown — the share of grants that did not flow through the standard LCM Request workflow, with each unsanctioned path enumerated. Auditors love this section.
  6. Role drift watchlist — managed business roles whose privileged-entitlement set expanded or contracted compared to a 30-day-prior snapshot. Calls out the specific entitlements added.
  7. Hot applications — the five connectors with the most net privileged grants this week. Often a leading indicator of a misconfigured role or an aggressive integration project.
  8. Recommendations — prescriptive, prioritized, one-week actionable. Distinct from the quarterly cert report's structural recommendations.

The report is rendered to Markdown so it can ship via email, post to a Confluence page, or drop into a Slack channel as-is. The companion template (report-template.md) is a Handlebars-shaped parametric version that the IIQ-side report job populates from a query result; sample-data.json is the canonical input shape.

Why this matters (the business case)

| Outcome | What it gets you |
| --- | --- |
| Faster detection of privilege creep | Today: noticed at the quarterly cert. Tomorrow: noticed Monday morning of the week it happened, while the change is still close to its root cause. |
| Audit evidence with a week-level grain | SOX, HIPAA, ISO 27001 access-control evidence improves from "we run quarterly certs" to "we monitor weekly with this report; here are 13 of them". |
| A real KPI for the IAM scorecard | "Privileged spread score, Monday-over-Monday" graphs cleanly. CISOs can read it without context. |
| Earlier role-drift discovery | Catches a role acquiring new privileged entitlements within ~7 days instead of ~90. |
| Triage signal for SecOps | The Top 10 Identities list is a directly actionable trigger for a SOC analyst to investigate an account showing unusual privilege accumulation. |

NIST CSF mapping

  • Detect
    • DE.AE-1 — A baseline of network operations and expected data flows is established and managed. This report is the baseline for privileged-grant velocity.
    • DE.AE-3 — Event data are aggregated and correlated from multiple sources. Grants from Request, Role, Aggregation, and Direct paths are unified into one ranking.
    • DE.CM-3 — Personnel activity is monitored to detect potential cybersecurity events. Identities accumulating privileged access are the precise activity this control covers.
    • DE.CM-7 — Monitoring for unauthorized personnel, connections, devices, and software is performed. Unsanctioned-path grants are exactly this signal.
  • Protect
    • PR.AC-4 — Access permissions are managed, incorporating the principles of least privilege and separation of duties. The Spread Score is a direct quantification of how well that principle is holding.
    • PR.IP-7 — Protection processes are improved. The Recommendations section is the explicit weekly improvement loop.

Data sources

| IIQ table | Used for |
| --- | --- |
| spt_managed_attribute | Entitlement metadata, especially privileged=true, risk_score, and requestable. The privileged flag is the population filter for the entire report. |
| spt_identity_entitlement | Current state of which identities hold which entitlements. Compared against a 7-day-prior snapshot to compute net change. |
| spt_audit_event | Per-grant history — who, when, by which workflow / actor / source. Drives the "path" attribution (Request / Role / Aggregation / Direct). |
| spt_identity_request | Confirms a grant that came in via the LCM Request flow. Anything privileged in audit_event that does not tie back to an identity_request is flagged as unsanctioned. |
| spt_bundle (Role) | Managed business-role catalogue. Drives the role-drift watchlist by comparing today's role entitlement set against a 30-day-prior snapshot. |
| spt_identity | Identity-side risk and population metadata for the "Top 10 Identities" section. |
| spt_application | Application names + categories for the "Hot Apps" section. |

A canonical query plan (Postgres-flavor SQL, with IIQ table names) is included as appendix B of report.md. The query is meant to be parameterized by ?start and ?end and run from a SailPoint custom Report (TaskDefinition of type Java → LiveReportExecutor).

Spread Score formula

```
spread_score = 0.35 * normalized_net_new_grant_velocity     // grants/week, normalized to 4-week baseline
             + 0.25 * pct_unsanctioned_path                  // share of grants without a Request workflow
             + 0.20 * top_decile_identity_concentration      // how concentrated grants are in 10% of identities
             + 0.15 * role_drift_entitlement_count           // count of new privileged entitlements landing in managed roles
             + 0.05 * privileged_density_growth              // identities holding ≥5 privileged entitlements, WoW change
```

Scores cluster into bands:

| Score | Band | Meaning |
| --- | --- | --- |
| 0–20 | Quiet | No meaningful spread this week. |
| 21–40 | Routine | Normal week-on-week churn. |
| 41–60 | Elevated | Worth a look in the Monday standup. |
| 61–80 | Hot | Open a ticket; investigate the top 3 entitlements. |
| 81–100 | Burning | Escalate. Trigger a targeted cert sweep on the affected entitlement(s). |
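The Spread Score carried through end to end, as an added example that is not one of the files in this folder: it derives the velocity, unsanctioned-share and top-decile components (plus the fastest-spreading ranking from the report sections above) from a constructed list of weekly grant events, then applies the weights and bands. The sample events, the function names and the scaling of each component into [0, 1] are assumptions, and it works from per-week grant events rather than the holder snapshots the real query compares.

```python
from collections import Counter, defaultdict
from math import ceil
# Constructed sample audit events (not real IIQ data): (identity, entitlement, path, week).
# Week 3 is the reporting week, weeks 0-2 the baseline; path is the attributed grant source.
GRANTS = [
    ("u1","DomainAdmins","Request",0), ("u2","DomainAdmins","Request",0), ("u3","sudo-all","Role",0),
    ("u4","sudo-all","Request",0), ("u5","DomainAdmins","Request",1), ("u6","FireFighter","Role",1),
    ("u7","sudo-all","Request",1), ("u8","FireFighter","Request",1), ("u9","FireFighter","Request",2),
    ("u2","DomainAdmins","Role",2), ("u3","DomainAdmins","Request",2), ("u10","sudo-all","Request",2),
    ("u1","FireFighter","Request",3), ("u2","sudo-all","Role",3), ("u5","FireFighter","Aggregation",3),
    ("u6","DomainAdmins","Direct",3), ("u1","DomainAdmins","Direct",3), ("u7","FireFighter","Request",3),
]
WEIGHTS = {"velocity": 0.35, "unsanctioned": 0.25, "concentration": 0.20, "role_drift": 0.15, "density": 0.05}
BANDS = [(20, "Quiet"), (40, "Routine"), (60, "Elevated"), (80, "Hot"), (100, "Burning")]

def grants_in(week):
    return [g for g in GRANTS if g[3] == week]
def velocity(week=3):
    """Reporting-week grants over the mean of the three prior weeks, scaled so that
    doubling the baseline saturates at 1.0 (this normalisation is an assumption)."""
    base = max(sum(len(grants_in(w)) for w in range(week - 3, week)) / 3, 1)
    return min(len(grants_in(week)) / base / 2, 1.0)
def unsanctioned_share(week=3):
    """Share of the week's grants that did not arrive via the LCM Request flow."""
    wk = grants_in(week)
    return sum(1 for g in wk if g[2] != "Request") / len(wk)
def top_decile_concentration(week=3):
    """Share of the week's grants held by the top 10% (at least one) of grantees."""
    per_id = Counter(g[0] for g in grants_in(week))
    k = max(1, ceil(len(per_id) / 10))
    return sum(n for _, n in per_id.most_common(k)) / sum(per_id.values())
def fastest_spreading(week=3):
    """Entitlements ranked by week-over-week growth in distinct new grantees."""
    by_week = defaultdict(lambda: defaultdict(set))
    for ident, ent, _, w in GRANTS:
        by_week[w][ent].add(ident)
    now, prev = by_week[week], by_week[week - 1]
    return sorted(((e, len(now[e]) - len(prev[e])) for e in now), key=lambda x: -x[1])
def spread_score(role_drift_count, density_growth, week=3):
    """Weighted sum of the five components (each clamped to [0, 1]) times 100. Role drift
    saturates at 10 new entitlements (assumption); density growth is a WoW fraction."""
    parts = {"velocity": velocity(week), "unsanctioned": unsanctioned_share(week),
             "concentration": top_decile_concentration(week),
             "role_drift": min(role_drift_count / 10, 1.0), "density": max(0.0, min(density_growth, 1.0))}
    return round(100 * sum(WEIGHTS[k] * v for k, v in parts.items()), 1)
def band(score):
    return next(label for upper, label in BANDS if score <= upper)
```

With the constructed data, three role-drift entitlements and 10% density growth land the week in the Elevated band; FireFighter tops the fastest-spreading list because it gained two new grantees over the prior week.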

Cadence and distribution

  • Run cadence: Weekly, Monday 06:00 local.
  • Window: Trailing 7 days (Monday 00:00 → Sunday 23:59).
  • Distribution: IAM engineering DL, SecOps DL, GRC partner. Rendered to Markdown for email/Confluence and to a flat HTML for the SailPoint dashboard tile.
  • Retention: 13 weeks rolling on the report server; full quarter exported to the audit evidence vault.

What's intentionally out of scope

  • Real-time alerting on a single high-risk grant. That belongs in a separate Detect-themed artifact (a Workflow Rule that fires inline). This report is the weekly aggregate; the alerting layer is its complement.
  • Cross-platform variants for Identity Security Cloud / IdentityNow. Schema is different; the principles port, the SQL does not.
  • Remediation execution. The recommendations cite specific entitlements / identities / roles; running the remediation is a separate gated workflow.
  • Identifying which upstream IAM intent caused a grant. The path attribution is grant-level (Request / Role / Aggregation / Direct), not intent-level. Identifying the root cause beyond path is a manual follow-up.

Files in this folder

| File | Purpose |
| --- | --- |
| README.md | This document. |
| metadata.md | Provenance — model, generation date, source workflow, IIQ sources, scope. |
| report.md | The fully-rendered report for the week of 2026-05-11 → 2026-05-17. Realistic synthetic numbers. |
| report-template.md | The parameterized version using {{placeholders}}. Consumed by the report renderer. |
| sample-data.json | The canonical JSON shape the template binds to. Drives report.md. |
| cover-image.png | Concept art (16:9, no text, nanobanana-generated). |
