
Identity Aware Correlation

Enterprise attacks that exploit legitimate credentials operate within what the identity layer authorizes, making them structurally invisible to correlation engines that link events through IP addresses, hostnames, and file hashes. Sath's Identity Aware Correlation layer, within the SIEM & XDR platform, reorganizes the correlation model around the governed identity and its entitlement record: the joining axis that credential-based attack campaigns are specifically designed to exploit.


The Structural Failure Infrastructure-Centric Correlation Cannot Fix

The most significant shift in enterprise attack methodology is not increased malware sophistication—it is the systematic pivot to legitimate credential use as the primary attack surface. Adversaries compromise credentials through phishing, purchase them from initial access brokers, or extract them from memory and password reuse across services. Once in possession of valid credentials, they authenticate. They operate within the organizational identity layer's permissions. From the perspective of any correlation engine that links events through observable infrastructure artifacts—shared IP addresses, consistent hostnames, matching file hashes—they are functionally invisible.

This is not a detection problem. The detection engine cannot improve its sensitivity to events that, at the level of the correlation model, are never assembled into a campaign narrative. When an attacker uses a compromised credential to access an endpoint in one domain, a cloud environment in a second, and a SaaS application in a third—each authenticated as a legitimately authorized user—those events arrive at a correlation engine as three unrelated, low-signal events from three separate domains. No infrastructure artifact links them. Each, in isolation, may not meet any detection threshold. Together, as a campaign under one identity thread, they describe a lateral movement sequence that the correlation model should make immediately visible.

Sath's Identity Aware Correlation layer addresses this structural failure at its source: the correlation model itself. Instead of organizing the event stream around shared infrastructure artifacts, the IAC layer organizes it around the governed identity entity—using IDHub's entitlement graph as the correlation topology and the governed identity as the primary joining key across endpoint, network, cloud, SaaS, and application event streams. The result is a correlation architecture in which credential-based campaigns operating across domain boundaries surface as identity-threaded narratives, not disconnected single-domain anomalies.


What Identity Aware Correlation Is—and Is Not

Architectural positioning for security architects and SOC evaluators.

Identity Aware Correlation is not the platform, not a detection engine, not a telemetry ingestion layer, and not a forensic investigation tool. It is the correlation methodology layer: the component that reorganizes the normalized event stream around the governed identity entity, using IDHub's entitlement graph as the structural correlation topology, so that the detection engine and investigation functions operate on identity-threaded event sequences rather than infrastructure-organized event logs.

The platform's operational sequence makes this position precise:

  • The collection and normalization layers determine what data is gathered from which sources and normalize it into a structured event stream.
  • The Unified Security Telemetry layer applies cross-source correlation through shared infrastructure artifacts—linking events that share IP addresses, hostnames, and file hashes into coherent streams.
  • The Identity Aware Correlation layer reorganizes those streams around the governed identity entity—threading events from all domains that belong to the same identity into a unified, entitlement-annotated sequence with governance context at each event.
  • The Real Time Threat Detection engine applies behavioral models and risk scoring to those identity-threaded sequences to generate high-confidence threat signals.
  • The Automated Incident Response layer acts on confirmed signals.
  • The Investigation & Forensics layer performs the structured forensic analysis of confirmed incident records with evidence integrity and legal accountability.

Identity Aware Correlation sits between data normalization and behavioral detection. Whether the detection engine receives infrastructure-organized event logs or identity-threaded event sequences with entitlement context determines the quality of the signal it can produce. That quality difference is the operational case for this layer's existence.

The Unified Security Telemetry, Real Time Threat Detection, Endpoint Threat Visibility, Automated Incident Response, and Investigation & Forensics layers are documented separately.

Core Capabilities

Identity Aware Correlation Capabilities

Cross-Domain Identity Thread Reconstruction

The IAC layer uses the governed identity entity—not shared infrastructure artifacts—as the primary joining key for organizing events across endpoint, network, cloud, SaaS, and application domains, producing a unified, entitlement-annotated activity thread for each identity across all systems and authentication sources within any defined time window.

  • Endpoint process event attribution linking telemetry from the endpoint collection layer to the specific authenticated identity whose session was active at the time of each event, regardless of whether the authentication source is local, domain-joined, or federated into the organizational directory

  • Network flow correlation binding connection events to the governed identity whose authenticated session was active on the originating host, enabling identity-attributed network analysis across corporate and remote segments without dependence on static IP-to-user mappings

  • Cloud API call attribution mapping cloud platform events—IAM policy changes, data service calls, resource provisioning and deletion—to the governed identity that authenticated to execute them, with entitlement-record verification at each event to confirm access was within authorized scope [Planned]

  • SaaS application event threading correlating user actions within SaaS platforms to the governed identity's organizational entitlement record, enabling cross-application activity analysis from a single identity-centric view without dependence on each SaaS platform's native audit log completeness or formatting [Planned]

  • Multi-session identity reconciliation resolving events attributed to the same governed identity across simultaneous or sequential sessions on different devices, applications, or networks into a single coherent identity thread—eliminating the session fragmentation that allows cross-system lateral movement to appear as unrelated single-source anomalies

  • Cross-domain time-window correlation assembling the complete, entitlement-annotated activity record of any governed identity across all covered domains within any analyst-defined time window, with consistent event attribution regardless of which authentication system generated the originating session record
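The thread reconstruction described above, as an added illustration (this is example code written for this page, not Sath's or IDHub's implementation). It assumes a hypothetical canonical resolution record shaped as a map from (authentication source, domain-local principal) to a governed identity id, and constructed sample events from endpoint, network, cloud and SaaS sources. The events for one identity share no host, IP or hash; only the resolution record joins them, and a principal the record cannot resolve is returned as an attribution gap rather than dropped.

```python
from collections import defaultdict
from datetime import datetime

# Constructed canonical identity resolution record (hypothetical schema, not IDHub's):
# (authentication source, domain-local principal) -> governed identity id.
RESOLUTION = {
    ("ad",   "CORP\\alice.w"):        "id-1001",
    ("okta", "alice.w@corp.example"): "id-1001",
    ("aws",  "AIDAEXAMPLEALICE"):     "id-1001",
    ("m365", "alice.w@corp.example"): "id-1001",
    ("ad",   "CORP\\bob.k"):          "id-1002",
    ("okta", "bob.k@corp.example"):   "id-1002",
}

# Constructed sample events from four domains. alice's events share no host, IP or
# hash across domains; only the governed identity links them.
EVENTS = [
    {"ts": "2024-05-01T09:02:10", "domain": "endpoint", "source": "ad",   "principal": "CORP\\alice.w",
     "host": "LT-0412", "ip": "10.1.4.12",    "action": "process_start", "detail": "powershell.exe"},
    {"ts": "2024-05-01T09:15:44", "domain": "cloud",    "source": "aws",  "principal": "AIDAEXAMPLEALICE",
     "host": None,      "ip": "203.0.113.7",  "action": "iam:CreateAccessKey", "detail": "user=svc-backup"},
    {"ts": "2024-05-01T09:40:03", "domain": "saas",     "source": "m365", "principal": "alice.w@corp.example",
     "host": None,      "ip": "198.51.100.20", "action": "FileDownloaded", "detail": "finance/q2.xlsx"},
    {"ts": "2024-05-01T10:05:19", "domain": "network",  "source": "ad",   "principal": "CORP\\alice.w",
     "host": "LT-0412", "ip": "10.1.4.12",    "action": "flow", "detail": "10.1.4.12->10.9.0.5:445"},
    {"ts": "2024-05-01T09:30:00", "domain": "endpoint", "source": "ad",   "principal": "CORP\\bob.k",
     "host": "LT-0077", "ip": "10.1.4.77",    "action": "process_start", "detail": "excel.exe"},
    {"ts": "2024-05-01T11:00:00", "domain": "cloud",    "source": "aws",  "principal": "AIDAUNKNOWN0001",
     "host": None,      "ip": "203.0.113.9",  "action": "s3:GetObject", "detail": "bucket=payroll"},
]


def resolve(event):
    """Map a domain-local principal to its governed identity, or None if unknown."""
    return RESOLUTION.get((event["source"], event["principal"]))


def build_threads(events, window_start, window_end):
    """Group events by governed identity inside an analyst-defined time window.

    Returns (threads, unresolved). Each thread is time-ordered and spans every
    domain, device and session the identity touched. Events whose principal is
    absent from the resolution record are returned as attribution gaps."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    threads = defaultdict(list)
    unresolved = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if not (start <= ts <= end):
            continue
        identity = resolve(ev)
        if identity is None:
            unresolved.append(ev)
            continue
        threads[identity].append(ev)
    for identity in threads:
        threads[identity].sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    return dict(threads), unresolved


def domains_in_thread(thread):
    return sorted({e["domain"] for e in thread})


def shared_artifacts(thread):
    """Infrastructure artifacts common to every event in the thread. An empty
    result is exactly the case an artifact-keyed correlation model cannot join."""
    common = None
    for e in thread:
        arts = {("host", e["host"]), ("ip", e["ip"])}
        common = arts if common is None else common & arts
    return {a for a in (common or set()) if a[1] is not None}


if __name__ == "__main__":
    threads, gaps = build_threads(EVENTS, "2024-05-01T00:00:00", "2024-05-01T23:59:59")
    for identity, thread in threads.items():
        print(identity, domains_in_thread(thread), "shared artifacts:", shared_artifacts(thread))
    print("attribution gaps:", [g["principal"] for g in gaps])
```

The point the run makes is in `shared_artifacts`: the four-domain thread for id-1001 has no common host or IP, so an artifact-keyed join would have produced four unrelated single-domain events.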

Entitlement-State Correlation

Rather than applying statistical behavioral models to approximate what is normal for an identity, the IAC layer uses IDHub's governance record—the organization's documented authorization intent—as the authoritative baseline against which all correlated access events are assessed, producing governance-grounded correlation signals that identify out-of-scope access regardless of whether it deviates from behavioral history.

  • Entitlement match assessment for every correlated access event, determining whether the accessing identity's IDHub governance record includes an explicit, currently valid entitlement for the specific system, data category, or application function accessed, at the time the access was made

  • Access-path consistency verification confirming that the route by which access was obtained—direct grant, role inheritance, or delegated permission—is consistent with the documented access path recorded in IDHub for that specific identity and system combination, surfacing access that exploits unintended inheritance chains

  • Over-privilege access correlation identifying access events where an identity reached systems or data within their technical permissions but outside the specific entitlement scope documented as their business-need authorization—a condition behavioral models cannot detect because the access is historically normal, but governance records identify as unauthorized in scope

  • Role-scope boundary correlation surfacing access events where an identity's actions exceed the documented functional purpose of their assigned organizational role: technically executable by current permissions, governance-inconsistent with the role's recorded organizational scope and intended function

  • Entitlement coverage gap flagging identifying access events on systems for which IDHub carries no corresponding entitlement record for the accessing identity, surfacing these as governance-unaccounted access that requires review before it can be assessed as authorized or unauthorized [Planned]

  • Certification-currency-aware correlation incorporating the review and approval state of each entitlement—whether access has been formally certified in the current review cycle, is pending certification, or has been flagged for revocation—as a governance-quality dimension in the correlation confidence weighting applied to each correlated event
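The entitlement-state assessment above, as an added worked example (written for this page, not Sath's or IDHub's code). It assumes a hypothetical entitlement record carrying system, authorized data categories, access path, validity window and certification state. Each correlated access event receives one of five dispositions: in scope, over-privilege (system authorized but category outside business-need scope), access-path mismatch, coverage gap (no record at all), or expired (a record exists but its validity window has closed, which is also the time-boundary case for contractor and vendor identities). The certification state becomes a confidence weight; the weight values are constructed for the example.

```python
from datetime import datetime

# Constructed entitlement records (hypothetical schema, not IDHub's).
ENTITLEMENTS = [
    {"identity": "id-1001", "system": "erp-finance", "categories": {"ledger", "invoices"},
     "path": "role:finance-analyst", "valid_from": "2024-01-01T00:00:00",
     "valid_to": "2024-12-31T23:59:59", "certification": "certified"},
    {"identity": "id-1001", "system": "hr-portal", "categories": {"own-record"},
     "path": "direct", "valid_from": "2024-01-01T00:00:00",
     "valid_to": "2024-12-31T23:59:59", "certification": "pending"},
    # Contractor entitlement: time-bounded and already flagged for revocation.
    {"identity": "id-2001", "system": "erp-finance", "categories": {"invoices"},
     "path": "delegated", "valid_from": "2024-03-01T00:00:00",
     "valid_to": "2024-04-30T23:59:59", "certification": "flagged_for_revocation"},
]

# Constructed access events; `path` is the access path observed at enforcement time.
ACCESS_EVENTS = [
    {"ts": "2024-05-02T10:00:00", "identity": "id-1001", "system": "erp-finance", "category": "ledger",     "path": "role:finance-analyst"},
    {"ts": "2024-05-02T10:05:00", "identity": "id-1001", "system": "erp-finance", "category": "payroll",    "path": "role:finance-analyst"},
    {"ts": "2024-05-02T10:10:00", "identity": "id-1001", "system": "hr-portal",   "category": "own-record", "path": "role:hr-admin"},
    {"ts": "2024-05-02T10:20:00", "identity": "id-1001", "system": "code-repo",   "category": "source",     "path": "direct"},
    {"ts": "2024-05-02T11:00:00", "identity": "id-2001", "system": "erp-finance", "category": "invoices",   "path": "delegated"},
]

# Certification state as a correlation-confidence weight (constructed values).
CERTIFICATION_WEIGHT = {"certified": 1.0, "pending": 0.7, "flagged_for_revocation": 0.4}


def records_for(identity, system):
    return [e for e in ENTITLEMENTS if e["identity"] == identity and e["system"] == system]


def matching_entitlement(event):
    """Return the entitlement valid at event time for (identity, system), or None."""
    ts = datetime.fromisoformat(event["ts"])
    for ent in records_for(event["identity"], event["system"]):
        if datetime.fromisoformat(ent["valid_from"]) <= ts <= datetime.fromisoformat(ent["valid_to"]):
            return ent
    return None


def assess(event):
    """Classify one access event against the governance record, not a behavioural baseline."""
    ent = matching_entitlement(event)
    if ent is None:
        # A record that exists but is outside its validity window is an expiry-boundary
        # violation; no record at all is a governance coverage gap needing review.
        disposition = "EXPIRED" if records_for(event["identity"], event["system"]) else "COVERAGE_GAP"
        return {"disposition": disposition, "weight": None, "entitlement": None}
    if event["path"] != ent["path"]:
        disposition = "PATH_MISMATCH"       # reached via an undocumented inheritance chain
    elif event["category"] not in ent["categories"]:
        disposition = "OVER_PRIVILEGE"      # technically permitted, outside business-need scope
    else:
        disposition = "IN_SCOPE"
    return {"disposition": disposition, "weight": CERTIFICATION_WEIGHT[ent["certification"]], "entitlement": ent}


def assess_all(events):
    return [dict(event, **assess(event)) for event in events]


if __name__ == "__main__":
    for r in assess_all(ACCESS_EVENTS):
        print(r["identity"], r["system"], r["category"], "->", r["disposition"], "weight", r["weight"])
```

Note that the over-privilege event (payroll via a valid finance role) is historically ordinary for the role, which is why a statistical baseline would not raise it; the governance record does.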

Identity Lifecycle Event Correlation Anchoring

Governance events recorded in IDHub—access grants, role changes, certification lapses, deprovisioning instructions, and privilege modifications—are treated by the IAC layer as prospective temporal anchors: events that raise the correlation weight of all subsequent behavioral events attributed to that identity across all covered domains, so that cross-domain activity following a governance change is assembled with higher correlation sensitivity before reaching the detection engine for analysis.

  • New access grant proximity correlation organizing the complete cross-domain activity record of an identity in the period immediately following an entitlement addition—assembling all events from all domains into a single sensitivity-elevated thread so the detection engine receives the complete behavioral context of how newly granted access was exercised, rather than isolated single-domain events

  • Role modification behavioral thread elevation automatically assembling cross-domain activity attributed to an identity following a role change—correlating behavioral events across all domains against the specific permission boundaries the role modification introduced, so that access patterns inconsistent with the modification's documented purpose are organized into a coherent thread rather than distributed across separate domain queues [Planned]

  • Certification lapse cross-domain sensitivity elevation raising the correlation weight applied to all subsequent activity attributed to identities whose access certifications have lapsed, failed formal review, or remain uncompleted beyond policy-defined windows—without requiring a behavioral anomaly to trigger this elevation

  • Deprovisioning-in-progress access event organization correlating continued access events across all covered domains for identities whose deprovisioning has been instructed but not yet verified complete, assembling those events into a single identity thread that surfaces to the detection engine as a coherent signal rather than low-signal noise distributed across multiple systems

  • Privilege modification scope correlation assembling the cross-domain activity record of an identity immediately following a privilege change against the specific system scope the modification introduced, organizing that record into an elevated-sensitivity thread so the detection engine can assess whether post-modification access patterns exceeded the modification's documented organizational purpose [Planned]

  • Orphaned account cross-domain activity consolidation correlating any access event attributed to identities whose accounts should be inactive—departed employees, expired contractor engagements, eliminated organizational roles—into a single identity thread presented to the detection engine as a consolidated, high-priority signal rather than isolated events attributed to stale account identifiers
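An added worked example of governance events acting as prospective temporal anchors (example code written for this page, not the product's implementation). It assumes a hypothetical governance event feed, a constructed anchor window of 48 hours and constructed weight multipliers per anchor kind. Behavioural events that follow a grant or certification lapse within the window receive an elevated correlation weight; events attributed to an identity whose deprovisioning was instructed but not yet verified, or to a departed account, are routed as consolidated priority signals regardless of any anomaly.

```python
from datetime import datetime, timedelta

# Constructed governance events (hypothetical schema, not IDHub's).
GOVERNANCE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "identity": "id-1001", "kind": "access_grant",          "scope": "erp-finance"},
    {"ts": "2024-05-01T09:00:00", "identity": "id-1002", "kind": "certification_lapse",   "scope": "hr-portal"},
    {"ts": "2024-05-01T09:30:00", "identity": "id-1003", "kind": "deprovision_instructed", "scope": "*"},
    {"ts": "2024-05-01T12:00:00", "identity": "id-1003", "kind": "deprovision_verified",   "scope": "*"},
]

# Account state from the governance record; id-1004 has left the organisation (constructed).
ACCOUNT_STATE = {"id-1001": "active", "id-1002": "active", "id-1003": "active", "id-1004": "departed"}

# Constructed behavioural events arriving after the governance events above.
BEHAVIOR_EVENTS = [
    {"ts": "2024-05-01T08:30:00", "identity": "id-1001", "domain": "saas",     "action": "bulk_export"},
    {"ts": "2024-05-04T08:30:00", "identity": "id-1001", "domain": "saas",     "action": "bulk_export"},
    {"ts": "2024-05-01T10:00:00", "identity": "id-1002", "domain": "endpoint", "action": "process_start"},
    {"ts": "2024-05-01T10:30:00", "identity": "id-1003", "domain": "cloud",    "action": "s3:GetObject"},
    {"ts": "2024-05-01T14:00:00", "identity": "id-1004", "domain": "network",  "action": "vpn_connect"},
]

ANCHOR_WINDOW = timedelta(hours=48)
# Correlation-weight multipliers per anchor kind (constructed values for the example).
ANCHOR_MULTIPLIER = {"access_grant": 1.5, "role_change": 1.5, "privilege_change": 1.75, "certification_lapse": 2.0}


def governance_before(identity, kind, ts):
    return [g for g in GOVERNANCE_EVENTS
            if g["identity"] == identity and g["kind"] == kind and datetime.fromisoformat(g["ts"]) <= ts]


def active_anchors(identity, ts):
    """Anchors for this identity whose sensitivity window still covers ts."""
    out = []
    for g in GOVERNANCE_EVENTS:
        if g["identity"] != identity or g["kind"] not in ANCHOR_MULTIPLIER:
            continue
        g_ts = datetime.fromisoformat(g["ts"])
        if g_ts <= ts <= g_ts + ANCHOR_WINDOW:
            out.append(g)
    return out


def deprovisioning_in_progress(identity, ts):
    """Instructed before ts, with no verification of completion before ts."""
    return bool(governance_before(identity, "deprovision_instructed", ts)) and \
        not governance_before(identity, "deprovision_verified", ts)


def weight_event(event):
    """Attach the correlation weight and routing priority a downstream detector would receive."""
    ts = datetime.fromisoformat(event["ts"])
    identity = event["identity"]
    if ACCOUNT_STATE.get(identity) != "active":
        return {"weight": None, "priority": "ORPHANED_ACCOUNT", "anchors": []}
    if deprovisioning_in_progress(identity, ts):
        return {"weight": None, "priority": "DEPROVISIONING_IN_PROGRESS", "anchors": []}
    anchors = active_anchors(identity, ts)
    weight = max([ANCHOR_MULTIPLIER[a["kind"]] for a in anchors], default=1.0)
    return {"weight": weight, "priority": "ELEVATED" if anchors else "BASELINE",
            "anchors": [a["kind"] for a in anchors]}


def weight_all(events):
    return [dict(e, **weight_event(e)) for e in events]


if __name__ == "__main__":
    for r in weight_all(BEHAVIOR_EVENTS):
        print(r["identity"], r["action"], r["priority"], r["weight"], r["anchors"])
```

The same `bulk_export` action for id-1001 is weighted 1.5 half an hour after the grant and 1.0 three days later: the behaviour is identical, the governance context is not.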

Privileged and Non-Human Identity Correlation

Administrative accounts, shared credentials, service accounts, and API keys operate under distinct governance structures and access authorization models that differ fundamentally from standard user identity norms; the IAC layer applies dedicated correlation logic to these identity types, using their specific documented operational boundaries (PAM session scope, service account function definitions, and API key authorization records in IDHub) as the governance baseline rather than attempting to apply standard entitlement-state models to identity classes for which those models are structurally inappropriate.

  • PAM session activity correlation threading each privileged access management session—check-out, execution, and check-in—as a governed event sequence against the specific system access authorization recorded in IDHub for that privileged account and session, surfacing any action taken during the session that exceeds the documented authorization scope of the specific privileged session invoked

  • Shared account event attribution applying concurrent-use analysis, session time sequencing, and workstation correlation to attribute shared administrative account events to specific governed individuals in scenarios where shared credential use is operationally required but individual accountability for each action must be maintained for compliance and governance purposes

  • Service account operational scope correlation continuously matching service account activity across all covered domains against the specific system interactions and API calls documented as within that account's operational authorization in IDHub, surfacing connections, queries, or calls outside the account's documented functional scope as out-of-scope activity threads for the detection engine [Planned]

  • API key activity threading correlating API key usage events across cloud platforms, development environments, and SaaS systems to the governed identity's authorization record in IDHub for the key, enabling key-attributed event organization without dependence on application-level logging coverage being consistent or complete across all systems the key is used against [Planned]

  • Break-glass account invocation correlation threading all activity executed under emergency administrative credentials to the governed identity that invoked them, the IDHub authorization record that permitted the invocation, and the documented business justification—constructing a complete, governance-accountable record of every emergency access event across all systems touched during the emergency session

  • Non-human identity entitlement scope drift correlation identifying service accounts and automated processes whose operational activity has expanded beyond the entitlement scope documented in IDHub—a common operational indicator of compromised automation credentials, unauthorized service account reconfiguration, or shadow administrative processes that have accumulated access beyond their original authorization
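An added worked example of shared-account attribution and PAM session scope checking (example code for this page, not Sath's). It assumes hypothetical PAM check-out records that name the individual, the workstation, the check-out/check-in times and the systems the session was authorized for. Each event logged under the shared account name is attributed by time sequencing and workstation; when two people hold the account concurrently, the workstation disambiguates; an event with no covering session on its workstation is an accountability gap, and an attributed event on a system outside the session's scope is flagged.

```python
from datetime import datetime

# Constructed PAM check-out records for one shared administrative account (hypothetical schema).
PAM_SESSIONS = [
    {"account": "SHARED-DBA", "identity": "id-1001", "workstation": "JUMP-01",
     "checkout": "2024-05-01T09:00:00", "checkin": "2024-05-01T10:00:00",
     "authorized_systems": {"db-prod-01"}},
    {"account": "SHARED-DBA", "identity": "id-1002", "workstation": "JUMP-02",
     "checkout": "2024-05-01T09:30:00", "checkin": "2024-05-01T11:00:00",
     "authorized_systems": {"db-prod-02"}},
]

# Constructed events recorded by target systems under the shared account name only.
SHARED_ACCOUNT_EVENTS = [
    {"ts": "2024-05-01T09:15:00", "account": "SHARED-DBA", "workstation": "JUMP-01", "system": "db-prod-01", "action": "SELECT"},
    {"ts": "2024-05-01T09:45:00", "account": "SHARED-DBA", "workstation": "JUMP-02", "system": "db-prod-02", "action": "ALTER TABLE"},
    {"ts": "2024-05-01T09:50:00", "account": "SHARED-DBA", "workstation": "JUMP-01", "system": "db-prod-02", "action": "DROP TABLE"},
    {"ts": "2024-05-01T12:00:00", "account": "SHARED-DBA", "workstation": "JUMP-03", "system": "db-prod-01", "action": "SELECT"},
]


def attribute(event):
    """Attribute a shared-account event to the individual whose PAM check-out covers the
    event time on the originating workstation; report concurrent holders and session scope."""
    ts = datetime.fromisoformat(event["ts"])
    covering = [s for s in PAM_SESSIONS
                if s["account"] == event["account"]
                and datetime.fromisoformat(s["checkout"]) <= ts <= datetime.fromisoformat(s["checkin"])]
    on_workstation = [s for s in covering if s["workstation"] == event["workstation"]]
    if len(on_workstation) != 1:
        # No check-out (or an ambiguous one) for this workstation at this time: nobody is accountable.
        return {"identity": None, "disposition": "UNATTRIBUTED", "concurrent": len(covering)}
    session = on_workstation[0]
    in_scope = event["system"] in session["authorized_systems"]
    return {"identity": session["identity"],
            "disposition": "IN_SCOPE" if in_scope else "OUT_OF_SESSION_SCOPE",
            "concurrent": len(covering)}


def attribute_all(events):
    return [dict(e, **attribute(e)) for e in events]


if __name__ == "__main__":
    for r in attribute_all(SHARED_ACCOUNT_EVENTS):
        print(r["ts"], r["system"], r["action"], "->", r["identity"], r["disposition"], "concurrent:", r["concurrent"])
```

The `DROP TABLE` at 09:50 is attributed to id-1001 (JUMP-01) even though id-1002 held the account at the same time, and it lands outside that session's authorized system, which is the per-action accountability the shared-credential scenario requires.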

Third-Party and Non-Employee Identity Correlation

Contractor, vendor, partner, and outsourced-service identities typically carry time-bounded, scope-limited entitlements with reduced ongoing governance oversight relative to employee identities, despite frequently accessing significant organizational systems; the IAC layer extends identity-threaded correlation to these external identity classes, using their specific governance records as the correlation baseline and applying particular attention to the time-boundary and scope-limitation characteristics that distinguish external identity entitlements from employee entitlements.

  • Contractor identity activity threading correlating all system access and behavioral events attributed to contractor identities against their specific, time-bounded entitlement scope in IDHub—surfacing access that extends beyond approved project scope, outside contract validity period, or into systems not included in the engagement authorization record [Planned]

  • Vendor access session correlation threading vendor identity activity across all systems accessed during support, maintenance, or service delivery sessions against the specific access authorization documented for that engagement, with automatic out-of-scope detection for access that extends beyond the documented support perimeter or engagement type

  • Third-party federation correlation extending identity-aware correlation into partner-federated identity scenarios where externally managed identities are granted organizational access through SAML or OIDC federation, correlating federated identity events against the scope of the federation agreement and the organizational entitlement record governing that federation relationship

  • Entitlement expiry boundary correlation continuously verifying that access events attributed to time-limited contractor and vendor identities fall within the documented authorization validity window, flagging access that persists beyond entitlement expiry dates as a governance boundary violation requiring immediate review and remediation

  • Third-party access recertification gap correlation identifying contractor and vendor identities whose time-bounded access has not been formally renewed or recertified within policy windows, and correlating continued access events against those recertification gaps to surface the specific risk of active access under governance-uncertified entitlements [Planned]

  • External identity access pattern anomaly threading correlating unusual access activity—off-hours presence, data volume patterns inconsistent with the engagement's documented service scope, access to systems outside the project perimeter—from third-party identities across all correlated domains, enabling the detection engine to receive an organized, identity-attributed cross-domain thread rather than distributed, unlinked single-source events

Federated Identity Correlation Across Authentication Domain Boundaries

Enterprise authentication environments span multiple authentication sources—on-premises Active Directory, cloud identity providers, SaaS platform directories, and federated identity services—that each maintain independent session records and do not share authentication state; the IAC layer correlates events across authentication domain boundaries using IDHub's canonical identity resolution record as the unifying joining key, eliminating the correlation gaps that authentication-source fragmentation creates for credential-based campaign detection.

  • Active Directory to cloud IdP event stitching correlating events authenticated through on-premises Active Directory against events from the same identity authenticated through cloud identity providers, constructing a unified authentication thread that does not fragment at the hybrid identity boundary where most credential-based campaigns deliberately exploit tooling gaps

  • SSO session to downstream application event threading resolving single sign-on session authentication records to the specific application-level actions they enabled, binding the SSO authentication event to downstream application events within the same identity thread rather than treating the authentication and the action as separate, unlinked events from different systems

  • Cross-IdP behavioral correlation connecting identity events across enterprise cloud identity providers, for organizations operating multiple IdPs across business units, acquired subsidiaries, or partially consolidated post-merger identity environments where cross-IdP correlation would otherwise require custom, brittle integration work [Planned]

  • SaaS authentication-to-action correlation threading SaaS platform events—data access, configuration changes, bulk export operations, administrative modifications—to the authenticated identity session that authorized them, regardless of whether the SaaS platform's native audit logging captures full session-to-action attribution at the granularity organizational governance requires

  • Authentication-source-agnostic joining logic ensuring that identity correlation functions across events originating from different authentication sources without requiring those sources to share session state, token format, or logging schema—using IDHub's canonical identity resolution record as the consistent joining key rather than relying on cross-system session consistency that enterprise authentication environments were not designed to maintain

  • Authentication attribution gap detection identifying sessions, API calls, or resource access events that cannot be resolved to an authenticated, governed identity—either because authentication logging was incomplete or because access bypassed normal authentication paths—surfacing these as unresolvable identity attribution voids that require investigation before the events can be assigned a governance disposition [Planned]

The Question This Layer Is Built to Answer

The platform's other layers answer well-defined questions: Were we monitoring? Did we detect it? Did we respond correctly? What exactly occurred, and can we prove it?

Identity Aware Correlation is built to answer the question that must be answered before detection can produce high-confidence signals about credential-based campaigns: When any event stream from any domain in the enterprise environment references an authenticated identity, can the correlation model immediately organize all events from that identity—across every system they touched, from every authentication source they used—into a single, entitlement-annotated thread, and determine whether each event in that thread was within or outside the authorized scope of their governance record?

This question cannot be answered by a correlation architecture that organizes events around infrastructure artifacts. A network flow, a cloud API call, a SaaS data export, and an identity lifecycle event may share no IP address, no hostname, and no file hash. They share a governed identity. The IAC layer uses that identity as the joining key and IDHub's entitlement graph as the correlation topology—making that shared identity the structurally visible connection that infrastructure-centric models cannot see.

Executive Security Value

Credential-Based Campaign Detection Quality

Credential-based attacks that operate across domain boundaries generate events that arrive at a detection engine as isolated, low-signal, single-domain observations. Each event individually may not meet any detection threshold. The IAC layer assembles them into a single identity-threaded sequence before they reach the detection engine—giving the detection function a campaign narrative to analyze rather than three disconnected data points. The detection quality improvement is a direct function of the correlation model reorganization.

Insider Threat Investigation Efficiency

Insider threat investigations require answering a precise question: what did this specific individual do, across every system they accessed, during the relevant window? Without identity-threaded correlation, answering that question requires querying multiple separate systems, manually matching timestamps across incompatible log formats, and assembling a cross-domain picture under investigation pressure. The IAC layer produces that cross-domain activity thread continuously—as an operational byproduct of correlation, not as a post-event manual reconstruction task.

Third-Party Access Governance Visibility

Organizations know what contractor and vendor identities are technically authorized to access. They rarely know what those identities actually do across all systems in real time, particularly when vendor activity spans multiple applications with separate audit logs. IAC applies entitlement-state correlation to external identity classes using their specific, time-bounded governance records as the baseline—closing the real-time visibility gap between what third-party access governance authorizes and what third-party identities do across all correlated domains.

Authorized-Access Blast Radius Scoping

When a privileged identity is flagged as potentially compromised, the immediate operational question is the potential access scope: which systems is this identity authorized to reach? That question is answered by the entitlement graph—not by forensic investigation of what was accessed. IAC provides this scope projection operationally, in real time, enabling the response team to scope containment decisions and communications based on the governance topology before forensic investigation has concluded what was actually accessed.
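The scope projection described above, as an added worked example (written for this page; not IDHub's graph model or API). It assumes a hypothetical entitlement graph with three access paths: direct grants, role membership with role inheritance, and delegated permissions, plus a constructed sensitivity label per system. For a flagged identity it returns every reachable system with the path that reaches it, ordered for containment triage, without consulting any access log.

```python
# Constructed entitlement graph (hypothetical schema, not IDHub's).
DIRECT_GRANTS = {"id-1001": {"hr-portal"}}
ROLE_MEMBERSHIP = {"id-1001": {"finance-analyst"}}
ROLE_PARENTS = {"finance-analyst": {"erp-user"}, "erp-user": set()}      # role inherits parent roles
ROLE_SYSTEMS = {"finance-analyst": {"erp-finance"}, "erp-user": {"erp-core", "reporting-db"}}
DELEGATIONS = {"id-1001": [{"from": "id-1002", "system": "payments-portal"}]}

# Constructed sensitivity labels used to order containment work.
SYSTEM_SENSITIVITY = {"erp-finance": "restricted", "payments-portal": "restricted",
                      "hr-portal": "confidential", "reporting-db": "confidential", "erp-core": "internal"}
SENSITIVITY_RANK = {"restricted": 0, "confidential": 1, "internal": 2}


def reachable_systems(identity):
    """Return {system: access_path} for everything the governance record lets this identity reach.

    Role inheritance is walked as a graph with a visited set, so cyclic role definitions
    terminate; the first path found to a system is kept."""
    paths = {}
    for system in DIRECT_GRANTS.get(identity, ()):
        paths.setdefault(system, "direct")
    stack = [(role, [role]) for role in ROLE_MEMBERSHIP.get(identity, ())]
    seen = set()
    while stack:
        role, chain = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        for system in ROLE_SYSTEMS.get(role, ()):
            paths.setdefault(system, "role:" + ">".join(chain))
        for parent in ROLE_PARENTS.get(role, ()):
            stack.append((parent, chain + [parent]))
    for d in DELEGATIONS.get(identity, ()):
        paths.setdefault(d["system"], "delegated:" + d["from"])
    return paths


def containment_scope(identity):
    """Reachable systems ordered by sensitivity, then name: the list a responder works down."""
    reach = reachable_systems(identity)
    return sorted(
        ((system, SYSTEM_SENSITIVITY.get(system, "internal"), path) for system, path in reach.items()),
        key=lambda row: (SENSITIVITY_RANK[row[1]], row[0]),
    )


if __name__ == "__main__":
    for system, sensitivity, path in containment_scope("id-1001"):
        print(f"{sensitivity:12} {system:18} via {path}")
```

The access path is part of the answer: a system reached only through `erp-user` inherited from `finance-analyst` is contained by removing the role membership, whereas a delegated grant has a second identity (the delegator) whose own record belongs in the scoping conversation.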

SoD Enforcement Evidence Continuity

Traditional SoD monitoring evaluates access rights in governance configuration—what combinations of permissions are prohibited. It does not continuously verify that SoD-controlled business processes were not, in practice, executed by a single identity across different systems in the same transaction window. IAC's cross-domain SoD violation correlation produces a continuous, evidence-grade record of whether SoD boundaries were observed in actual cross-domain execution—the difference between demonstrating that SoD controls are configured and demonstrating that SoD controls are functioning.
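The cross-domain SoD execution check described above, as an added worked example (example code written for this page, not Sath's). It assumes hypothetical SoD rules expressed as pairs of (system, action) that one identity must not perform within a constructed 24-hour transaction window, and identity-threaded events from several systems. It reports each pair actually executed by one identity inside the window, with the two events as the evidence record, and notes whether they carried the same transaction reference.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SoD rules (hypothetical format): two (system, action) steps that must be
# performed by different identities within one transaction window.
SOD_RULES = [
    {"name": "vendor-create/payment-approve",
     "a": ("erp-finance", "vendor.create"), "b": ("payments-portal", "payment.approve")},
    {"name": "code-merge/prod-deploy",
     "a": ("code-repo", "merge"), "b": ("cicd", "deploy.prod")},
]
TRANSACTION_WINDOW = timedelta(hours=24)

# Constructed identity-threaded events; the two steps of each process live in different systems.
THREAD_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "identity": "id-1001", "system": "erp-finance",     "action": "vendor.create",   "txn": "V-778"},
    {"ts": "2024-05-01T15:00:00", "identity": "id-1001", "system": "payments-portal", "action": "payment.approve", "txn": "V-778"},
    {"ts": "2024-05-01T09:30:00", "identity": "id-1002", "system": "code-repo",       "action": "merge",           "txn": "PR-41"},
    {"ts": "2024-05-03T09:30:00", "identity": "id-1002", "system": "cicd",            "action": "deploy.prod",     "txn": "PR-41"},
    {"ts": "2024-05-01T10:00:00", "identity": "id-1003", "system": "erp-finance",     "action": "vendor.create",   "txn": "V-779"},
    {"ts": "2024-05-01T16:00:00", "identity": "id-1004", "system": "payments-portal", "action": "payment.approve", "txn": "V-779"},
]


def sod_violations(events, window=TRANSACTION_WINDOW):
    """Find SoD pairs executed by a single identity across systems within the window.

    Evaluated on actual execution, not on configured rights: an identity that holds both
    permissions but never exercised both inside one window produces no record."""
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["identity"]].append(e)
    violations = []
    for identity, evs in by_identity.items():
        for rule in SOD_RULES:
            step_a = [e for e in evs if (e["system"], e["action"]) == rule["a"]]
            step_b = [e for e in evs if (e["system"], e["action"]) == rule["b"]]
            for ea in step_a:
                for eb in step_b:
                    gap = abs(datetime.fromisoformat(ea["ts"]) - datetime.fromisoformat(eb["ts"]))
                    if gap <= window:
                        violations.append({"identity": identity, "rule": rule["name"],
                                           "events": [ea, eb], "same_txn": ea["txn"] == eb["txn"]})
    return violations


if __name__ == "__main__":
    for v in sod_violations(THREAD_EVENTS):
        print(v["identity"], v["rule"], "same transaction:", v["same_txn"],
              [(e["system"], e["action"], e["ts"]) for e in v["events"]])
```

In the sample, V-779 is handled by two different identities and produces nothing; id-1002's merge and deploy are two days apart and fall outside the window; only id-1001's V-778 is recorded, with both events attached as the evidence the audit period needs.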

Authorization Traceability: The Regulatory Evidence Obligation Identity-Aware Correlation Is Uniquely Positioned to Address

This is not the monitoring coverage evidence addressed by the Endpoint Threat Visibility layer. Not the detection-as-compliance evidence the detection engine produces. Not the breach notification and incident management evidence the response layer generates. Not the forensic investigation evidence the Investigation & Forensics layer produces. It is a fourth, distinct regulatory evidence obligation: demonstrating that actual access behavior was within documented authorization scope—not sampled at a point in time, but verifiable across the full scope of access events during an audit or incident period.

Target framework alignment for authorization traceability (planned):

  • PCI-DSS v4.0 — Requirement 7 (Restrict Access to System Components and Cardholder Data by Business Need): Requirement 7 mandates that access to system components is restricted to only those individuals whose job function requires it. Demonstrating compliance with Requirement 7 is not satisfied by showing that access control configurations exist—it requires demonstrating that actual access events were within the scope of documented business-need authorization. IAC's entitlement-state correlation produces a continuous, event-level record of whether each access event to cardholder data environment systems was matched by an IDHub entitlement that authorized that access for that identity's documented job function. This is the operational evidence Requirement 7 demands, not the access control architecture evidence that system configuration reviews provide.
  • SOX Section 404 — IT General Controls (Segregation of Duties and Least-Privilege Access Continuity): External auditors assessing SOX IT General Controls evaluate whether SoD requirements and least-privilege access principles were operationally enforced throughout the full audit period—not just whether they were configured at a point in time. IAC's entitlement-state correlation and cross-domain SoD violation correlation produce the evidence of operational enforcement: a continuous record of whether access events were within least-privilege scope and whether SoD boundaries were observed in actual cross-domain business process execution throughout the audit period. Configuration evidence demonstrates design intent; IAC's correlation output demonstrates enforcement reality.
  • GDPR Article 25 — Data Protection by Design and Default: Article 25 requires controllers to implement data protection principles—including data minimization and purpose limitation—by design and by default. In access control terms, this means that access to personal data must be limited to identities whose documented processing purpose requires it, and that this limitation must be implemented as a functioning system rather than a documented policy. IAC's entitlement-state correlation provides continuous operational evidence that access to personal data systems was matched to a documented entitlement with a recorded business purpose—the by-design and by-default access limitation Article 25 requires as an operational output, not just a configuration artifact.
  • HIPAA §164.312(a)(1) — Technical Safeguards: Access Control (Role-Based Access to ePHI): The HIPAA Security Rule requires covered entities to implement technical policies and procedures allowing only authorized persons to access ePHI. Demonstrating that this technical safeguard functions in practice—not just that it is configured—requires evidence that actual ePHI system access events were attributed to identities with an active, role-appropriate entitlement record for those systems. IAC's correlation of ePHI system access events against IDHub's role-based entitlement records produces this operational access-control-in-practice evidence across all correlated ePHI systems, without requiring separate, system-by-system access log reviews. [Planned]
  • ISO/IEC 27001:2022 — Annex A.9.1 and A.9.4 (Access Control Policy and System and Application Access Control): ISO 27001 requires both a documented access control policy and demonstrable evidence that the policy is enforced in the operation of the information systems it governs. ISO auditors look for evidence of access control function—not just access control design. IAC's entitlement-state correlation continuously maps actual access events against the governance record that documents what access is authorized, producing the access-control-in-practice evidence that Annex A.9 requires at certification and surveillance audit. The correlation output is the operational evidence of policy enforcement that documentation alone cannot provide.
  • DORA Article 9 — ICT Access Rights Management (Financial Entities' Access Control Requirements): DORA Article 9 requires financial entities to develop, document, and implement ICT access rights management policies that ensure access to ICT systems is granted only to persons for whom such access is necessary for their functions. Financial entities must demonstrate that these policies function operationally, not merely that they are documented and configured. IAC's entitlement-state correlation and cross-domain identity threading produce the continuous, event-level evidence that DORA Article 9's access rights management mandate requires: a verifiable record that each access event to ICT systems was matched by a governance-documented functional necessity for that identity. [Planned]

IDHub as the Correlation Backbone

How IDHub functions at the Identity Aware Correlation layer—and why this role is structurally different from every other IDHub function in the platform.

Across the Sath SIEM & XDR platform, IDHub performs a different architectural function at each layer. On the Real Time Threat Detection engine, governance events flow into the detection correlation pipeline as a live telemetry source—real-time lifecycle signals that the detection engine uses to add identity context to alert scoring. On the Automated Incident Response layer, IDHub is the programmatic execution arm for identity containment—the system through which credential revocation and account suspension execute as first-class playbook steps. On the Endpoint Threat Visibility layer, IDHub binds the authenticated user's current identity profile to endpoint telemetry events at the moment of collection—real-time per-event attribution. On the Investigation & Forensics layer, IDHub's governance record is queried retroactively to reconstruct the exact entitlement state a user held at a specific historical timestamp—a forensic function that answers whether access was authorized at the precise moment the suspicious activity occurred, for legal and regulatory evidence purposes.

On the Identity Aware Correlation layer, IDHub performs none of these four functions. It performs a fifth: it is the correlation graph backbone—the structural model of organizational access relationships against which the IAC layer builds and queries the correlation topology.

Three specific data structures IDHub provides make this function possible, and each is architecturally distinct from IDHub's role on any other platform layer:

The entitlement graph. IDHub maintains a complete, continuously updated graph of organizational access relationships: who holds access to what systems and data categories, through which access path (direct grant, role membership, or delegated permission), with the certification status of each entitlement and its documented business justification. This graph is the correlation topology the IAC layer applies when deciding how to organize cross-domain events. It is not a behavioral model of what users typically do. It is the organization's documented authorization intent, structured as a queryable graph that the correlation layer reads in real time. When the IAC layer needs to determine whether an access event is within or outside authorized scope, it queries this graph—not a statistical behavioral baseline.

The canonical identity resolution record. IDHub maintains the authoritative record linking each governed individual to every account, authentication token, and system credential associated with them across the enterprise: on-premises directory accounts, cloud IdP registrations, SaaS platform identities, API credentials. This record is the joining key the IAC layer uses to correlate events across authentication source boundaries. Events from different authentication domains that share no infrastructure artifact are linked through this resolution record—making the governed identity the consistent connection point that session state, token formats, and logging schemas cannot provide.

The governance history record. Every access grant, role modification, entitlement change, certification decision, and deprovisioning instruction in IDHub is timestamped and retained. The IAC layer uses this history not for forensic reconstruction (that is I&F's function) but for operational correlation sensitivity management: when a governance event occurs—a new access grant, a certification lapse, a privilege modification—the IAC layer reads the governance history to determine the nature and scope of the change, then elevates correlation sensitivity for subsequent events attributed to that identity across all covered domains. This is a forward-looking, operational function. The governance history tells the correlation layer what changed so it can weight what the identity does next accordingly.
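The three structures above, reduced to a small working model as an added example that is not Sath's or IDHub's code: a resolution record joins three account formats to one governed identity, an entitlement graph (not a behavioral baseline) labels each event in or out of documented scope, and a governance-history entry raises correlation sensitivity for that identity's subsequent events. Every record, account name and timestamp is constructed for illustration.

```python
# Added example, not Sath's or IDHub's code: all records and identifiers below are constructed.
from collections import defaultdict

# Canonical identity resolution record: (domain, account) -> governed identity.
RESOLUTION = {("endpoint", "CORP\\jdoe"): "jdoe",
              ("cloud", "jdoe@corp.example"): "jdoe",
              ("saas", "u-8841"): "jdoe"}
# Entitlement graph: identity -> system -> certified data categories (authorization intent, not behaviour).
ENTITLEMENTS = {"jdoe": {"workstation": {"user-files"}, "cloud-tenant": {"dev-buckets"}}}
# Governance history: (identity, timestamp, change) entries used to raise correlation sensitivity.
GOVERNANCE_HISTORY = [("jdoe", 1000, "role-added:cloud-admin")]
SENSITIVITY_WINDOW = 3600  # seconds after a governance change during which the identity's events are weighted higher

def resolve(event):
    """Join key: map a domain-specific account to the governed identity (None if ungoverned)."""
    return RESOLUTION.get((event["domain"], event["account"]))

def entitlement_state(identity, system, category):
    """Query the graph, not a behavioural baseline: is this access within documented scope?"""
    return "in-scope" if category in ENTITLEMENTS.get(identity, {}).get(system, set()) else "out-of-scope"

def recently_changed(identity, ts):
    """True if a governance change for this identity precedes the event within the window."""
    return any(i == identity and 0 <= ts - t <= SENSITIVITY_WINDOW for i, t, _ in GOVERNANCE_HISTORY)

def correlate(events):
    """Thread events by governed identity, annotating entitlement state and sensitivity."""
    threads = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ident = resolve(ev)
        if ident is None:
            continue  # no identity thread can be built for an unresolvable account
        threads[ident].append({**ev, "identity": ident,
                               "entitlement": entitlement_state(ident, ev["system"], ev["category"]),
                               "elevated": recently_changed(ident, ev["ts"])})
    return dict(threads)

def campaign_signals(threads):
    """Identities whose thread spans more than one domain and crosses a governance-scope boundary."""
    return {i: t for i, t in threads.items()
            if len({e["domain"] for e in t}) > 1 and any(e["entitlement"] == "out-of-scope" for e in t)}

# Constructed sample: one identity seen under three account formats, each event low-signal on its own.
SAMPLE_EVENTS = [
    {"domain": "endpoint", "account": "CORP\\jdoe", "system": "workstation", "category": "user-files", "ts": 1100},
    {"domain": "cloud", "account": "jdoe@corp.example", "system": "cloud-tenant", "category": "prod-buckets", "ts": 1300},
    {"domain": "saas", "account": "u-8841", "system": "hr-app", "category": "payroll", "ts": 1500},
]
```

Running `campaign_signals(correlate(SAMPLE_EVENTS))` returns the single `jdoe` thread: no individual event is anomalous, but the thread spans three domains and two of its events fall outside the entitlement graph shortly after a privilege change.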

Target Use Cases

The Identity Aware Correlation layer is engineered to address the following high-priority security scenarios where the identity thread is the structural connection that makes an otherwise-invisible attack campaign, governance failure, or compliance gap visible.

Credential-Based Lateral Movement Across Domain Boundaries

When an attacker uses a compromised account to move from endpoint to cloud to SaaS—each access event individually appearing as a low-signal anomaly in a different domain queue—IAC's cross-domain identity threading assembles all three events into a single, entitlement-annotated sequence. The detection engine receives a campaign narrative, not three disconnected data points. The lateral movement becomes visible not because any individual event crossed a detection threshold, but because the identity thread connecting them crosses a governance-scope boundary.

Insider Activity Outside Authorized Scope

Insider risk scenarios frequently involve individuals who access systems and data they are technically permitted to access but whose access is outside the documented business-need scope of their organizational role. Behavioral models cannot reliably flag this condition—the access is historically normal. Entitlement-state correlation identifies it directly: the governance record does not include an entitlement for this identity at this system for this data category. The IAC layer surfaces this as a governance-grounded correlation signal without requiring behavioral deviation as the trigger.

Third-Party and Supply Chain Identity Exploitation

Supply chain attacks frequently operate under legitimate vendor credentials with legitimate system access—making behavioral distinction from authorized vendor activity difficult. IAC's entitlement-scope correlation for third-party identities applies the time-bounded, scope-limited governance record as the baseline: is this vendor identity's activity within the specific systems and functions the engagement authorization documents? Access that exceeds documented engagement scope surfaces as an out-of-scope correlation signal, regardless of whether it resembles historical vendor behavior.

Post-Merger Identity Environment Correlation Gap Closure

Organizations integrating acquired entities frequently operate partially consolidated identity environments—multiple directories, multiple IdPs, multiple SaaS platforms—where cross-entity activity cannot be correlated through shared authentication infrastructure. IAC's federated identity correlation and cross-IdP threading use IDHub's canonical identity resolution record to correlate across authentication domain boundaries, closing the correlation gap that merger-integration environments create before directory consolidation is complete.

Segregation of Duties Violation Identification in Distributed Systems

SoD enforcement tools monitor access rights. They do not monitor whether a single identity executed both sides of a controlled process across different systems in the same transaction window—because that requires correlating execution events across systems that were not designed to share transaction-level audit data. IAC's cross-domain SoD violation correlation assembles the cross-system execution record for each identity thread and applies the SoD constraint library, surfacing actual SoD violations in practice rather than potential violations in access configuration.

Pre-Incident Authorization Scope Projection for Response Scoping

When a potentially compromised identity is flagged, the response team's first operational question is the potential blast radius: which systems is this identity authorized to reach? The entitlement graph in IDHub answers this question immediately—not through forensic investigation of what was accessed, but through the correlation topology that documents what is accessible. IAC makes this projection available operationally, enabling informed containment scoping before investigation has run its course.
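The two preceding use cases, SoD violation identification across systems and pre-incident blast-radius projection, as an added example that is not Sath's or IDHub's code. It assumes events already carry the governed identity (resolution happens upstream) and that an SoD constraint is a pair of actions one identity must not execute within a transaction window; the constraint library, entitlement graph entries and events are constructed.

```python
# Added example, not Sath's or IDHub's code. Events are assumed already resolved to a governed
# identity (the resolution step is upstream); all constraints, graph entries and events are constructed.
from collections import defaultdict

# SoD constraint library: (action A, action B) pairs one identity must not execute in one window,
# even when A and B live in different systems that share no transaction-level audit data.
SOD_CONSTRAINTS = [("vendor.create", "payment.approve"), ("user.create", "role.assign_admin")]
TRANSACTION_WINDOW = 24 * 3600  # seconds; both sides inside this window count as one transaction

# Entitlement graph subset used for blast-radius projection: identity -> system -> access path.
ENTITLEMENTS = {"asmith": {"erp": "role:ap-clerk", "bank-portal": "direct", "hr-app": "delegated"}}

def sod_violations(events):
    """Find identities that executed both sides of a constraint across systems within the window."""
    by_identity = defaultdict(list)
    for ev in events:
        by_identity[ev["identity"]].append(ev)
    hits = []
    for ident, evs in by_identity.items():
        for first, second in SOD_CONSTRAINTS:
            for a in (e for e in evs if e["action"] == first):
                for b in (e for e in evs if e["action"] == second):
                    if abs(b["ts"] - a["ts"]) <= TRANSACTION_WINDOW:
                        hits.append({"identity": ident, "constraint": (first, second),
                                     "systems": (a["system"], b["system"]), "ref": a.get("ref")})
    return hits

def blast_radius(identity):
    """Project reachable systems from the entitlement graph, before any forensic work starts."""
    return sorted(ENTITLEMENTS.get(identity, {}).items())

SAMPLE_EVENTS = [  # constructed: one identity executes both sides of a controlled process in two systems
    {"identity": "asmith", "system": "erp", "action": "vendor.create", "ref": "V-0042", "ts": 86_000},
    {"identity": "asmith", "system": "bank-portal", "action": "payment.approve", "ref": "V-0042", "ts": 90_000},
    {"identity": "bjones", "system": "erp", "action": "vendor.create", "ref": "V-0043", "ts": 86_000},
    {"identity": "bjones", "system": "bank-portal", "action": "payment.approve", "ref": "V-0043", "ts": 300_000},
]
```

`sod_violations(SAMPLE_EVENTS)` reports only `asmith`, whose two actions fall inside one window across the ERP and banking systems; `blast_radius("asmith")` then lists every system the graph says that identity can reach, with the access path for each.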

Frequently Asked Questions