[REVIEW] access-review: add certifier independence and delegation evidence gates

[NiXouuuu]

Skill Being Reviewed

Skill name: access-review
Skill path: skills/identity/access-review/

False Positive Analysis

Benign delegated certification that can be incorrectly treated as unaccountable:

access_review_campaign:
  system: "Finance SaaS"
  entitlement: "expense-report-reader"
  reviewer_of_record: "finance-operations-manager"
  delegated_reviewer: "finance-operations-deputy"
  delegation:
    approved_by: "access-governance-board"
    reason: "reviewer_of_record on leave"
    valid_from: "2026-06-01"
    valid_until: "2026-06-14"
    permitted_scope:
      systems: ["Finance SaaS"]
      entitlements: ["read-only finance roles"]
  decision:
    result: "approve"
    timestamp: "2026-06-05T14:15:00Z"
    evidence: "ticket GRC-18442"

Why this is a false positive:

The skill already lists AR-CERT-08: Delegated reviews without accountability, which is a useful finding. However, a delegated review is not automatically deficient. In large access certification campaigns, planned delegation is common when the reviewer of record is unavailable or when a resource owner assigns a qualified delegate for a narrow system scope.

The current wording can push the reviewer toward treating any delegation as suspicious unless the delegate is explicitly tracked. The stronger test should distinguish between:

• untracked delegation, where the actual approver is not retained;
• tracked but unauthorized delegation, where the delegate was never approved for the system or entitlement scope;
• tracked, authorized, time-bounded delegation, which should generally pass if the delegate is independent and the reviewer of record remains accountable.

NIST SP 800-53 AC-2, AC-5, and AC-6 support account review, separation of duties, and least privilege, but the control decision depends on evidence of authority and independence rather than delegation alone:

• https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
• https://www.cisecurity.org/controls/v8

Coverage Gaps

Missed variant 1: certifier self-review of privileged access

campaign: "Q2 privileged access certification"
identity: "alice@example.com"
entitlement: "prod-admin"
certifier:
  user: "alice@example.com"
  basis: "resource owner"
decision:
  result: "approve"
  reason: "still needed"

Why it should be caught:

The skill asks whether a manager or resource owner certification workflow exists, and it flags missing certification decisions. It does not require a certifier eligibility check proving that the approver is not certifying their own access. A campaign can therefore look complete because every entitlement has an approve/revoke decision, while privileged users are approving their own continued access.

This should be a high-severity access governance gap when the entitlement is privileged or production-scoped. The skill should require evidence fields such as certifier_user_id, subject_user_id, certifier_relationship, is_self_review, independence_exception, and exception_expiry.

Missed variant 2: certifier can both administer and certify the same access

identity: "iam-admin-07"
entitlement_under_review: "finance-approver"
certifier:
  user: "iam-admin-07"
  active_roles:
    - "access-provisioning-admin"
    - "access-review-certifier"
system_controls:
  can_grant_finance_approver: true
  can_revoke_finance_approver: true
review_decision: "approve"

Why it should be caught:

The skill lists a generic SoD pair for User provisioning | Access certification, but it does not convert that into a required certifier-independence evidence gate during Step 2. A reviewer needs to know whether the certifier can directly grant, revoke, or modify the same access they are certifying. Otherwise, an access administrator can approve risky access and then change the target state after review, weakening the campaign's audit value.

The skill should flag certifiers who have provisioning authority over the reviewed system unless there is a documented compensating control, such as secondary approval, post-review reconciliation, immutable audit logs, and time-bounded admin activation.

Missed variant 3: delegated reviewer outside approved scope

reviewer_of_record: "engineering-director"
delegated_reviewer: "platform-team-lead"
delegation_scope:
  approved_systems: ["GitHub Enterprise"]
  approved_entitlements: ["repo-read", "repo-write"]
actual_decision:
  system: "Production AWS"
  entitlement: "iam-admin"
  result: "approve"

Why it should be caught:

The skill checks that delegated reviews are tracked, but it does not require scope validation. A delegated reviewer can be valid for one system and invalid for another. The certification output should compare the actual entitlement decision against the approved delegation scope, including system, environment, entitlement class, privileged status, and validity window.

Edge Cases

• Small organizations: The resource owner, manager, and administrator may be the same person. The skill should not demand impossible separation, but it should mark the result as an exception and require compensating controls.
• Machine and service accounts: The certifier may be a team owner instead of a human manager. The review should still verify that the certifier cannot unilaterally grant the service account the same access under review.
• Emergency access: A break-glass account may have a special certifier path. The important evidence is not normal manager approval, but independent post-use review, activation logs, and expiry-controlled exception approval.
• Reviewer reassignment near deadline: Last-minute reassignment can be legitimate, but the skill should require a reason, timestamp, approver, and allowed scope before accepting the decision.
• Nested ownership: A group owner may certify group membership while also being a member of that group. That should be reported as self-review or at least an independence exception.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: The fix should add certifier-independence gates to Step 2 without changing the overall six-step access review flow:
  • record reviewer of record, actual certifier, delegation chain, and decision timestamp;
  • compare certifier identity against the subject identity for self-review;
  • compare certifier roles against provisioning/admin roles for the reviewed system;
  • validate delegation scope against the actual system, entitlement, privilege level, and review window;
  • require compensating controls for unavoidable conflicts;
  • mark campaign completion as provisional when decisions exist but certifier eligibility is not evidenced.

Comparison to Other Tools

Tool	Catches this?	Notes
SailPoint / Saviynt-style IGA workflows	Partial	Commonly support campaign reassignment, delegation, reviewer identity, and exception workflows, but still require policy configuration to block self-review or conflicted certifiers.
Okta Identity Governance / Entra ID Governance	Partial	Can capture review decisions and reviewer assignments; certifier independence depends on access review policy design and audit evidence.
Generic SIEM or IAM scanners	No	They can show account activity or group changes, but they usually cannot prove that the certification decision was made by an independent, authorized reviewer.
Manual spreadsheet certification	Partial	Can record reviewer names, but it is prone to self-review, unauthorized delegation, and weak evidence unless explicit controls are added.

Overall Assessment

Strengths:

The skill is practical and well structured. It covers review scope, certification decisions, orphaned accounts, role explosion, SoD, enforcement, evidence retention, and audit-ready output. The existing AR-CERT-08 and SoD sections are good starting points for delegation and conflict handling.

Needs improvement:

The main gap is that certification completeness is treated mostly as a decision/evidence problem. A review can have complete approve/revoke decisions but still be unreliable if the wrong person made the decision, if the certifier approved their own access, or if the certifier could modify the same access they certified. This is a common failure mode in IGA campaigns because the campaign looks complete in metrics while independence and authority are not proven.

Priority recommendations:

1. Add a certifier eligibility check to Step 2 with self-review, reviewer-of-record, delegated reviewer, and delegation-scope fields.
2. Add a certifier SoD check that compares the certifier's active roles against provisioning/admin authority for the reviewed system.
3. Treat certification decisions as provisional when reviewer identity, delegation chain, or certifier independence cannot be evidenced.
4. Add exception handling for small teams and emergency access, requiring compensating controls and expiry rather than silently passing or failing.
5. Include certifier-independence metrics in the summary report, such as self-review count, delegated decision count, out-of-scope delegation count, and conflicted-certifier count.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: PayPal or crypto; I can provide payout details privately after acceptance.

[bozicovichsantiago20-oss]

/attempt #1159

I am taking a focused implementation pass on skills/identity/access-review/ for certifier independence and delegation evidence: reviewer of record vs actual certifier, self-review detection, provisioning/admin conflict checks, delegation scope/time-window validation, exception handling for small teams and emergency access, and report metrics for provisional decisions.

Bounty target: Improver Moderate () if accepted. Payment details can be provided privately after maintainer acceptance.

[bozicovichsantiago20-oss]

Implemented in #1164