
Verity
The Access Decay Intelligence Platform that continuously scores how stale every access grant has become, then orchestrates reviews and remediation — before over-provisioned access becomes a breach vector.



The Problem Verity Solves

Access permissions are granted often but revoked rarely. Over time, unused permissions accumulate — creating a growing attack surface that traditional IAM tools miss:

  • 60%+ of cloud breaches involve over-provisioned or stale credentials
  • Annual access reviews miss 364 days of drift between cycles
  • Manual reviews are rubber-stamp exercises — reviewers approve 95%+ without context
  • No risk prioritization — a dormant admin account is treated the same as an active read-only user

The Access Decay Problem

A contractor finishes a project but keeps Databricks admin access. A team member transfers departments but retains Synapse write permissions. An API service account hasn't been used in 8 months but still has production database access. Each of these is an access decay incident waiting to become a breach.


How Verity Works

Verity processes access data through five processing planes, each responsible for a distinct stage of the access-decay lifecycle:

graph LR
    A["<b>① Ingest</b><br/>Connectors pull audit<br/>events & permissions"] --> B["<b>② Normalise</b><br/>Identity resolution<br/>& asset classification"]
    B --> C["<b>③ Score</b><br/>Decay engine computes<br/>0–100 risk scores"]
    C --> D["<b>④ Review</b><br/>Review packets routed<br/>to data owners"]
    D --> E["<b>⑤ Remediate</b><br/>Automated revocation<br/>& compliance logging"]

    style A fill:#7c4dff,color:#fff,stroke:none
    style B fill:#651fff,color:#fff,stroke:none
    style C fill:#536dfe,color:#fff,stroke:none
    style D fill:#448aff,color:#fff,stroke:none
    style E fill:#40c4ff,color:#000,stroke:none
| Plane | What Happens | Key Services |
|---|---|---|
| Ingest | Platform connectors stream audit events and permission snapshots into Kafka | Connectors, Ingest Worker |
| Normalise | Raw identifiers mapped to canonical principals and assets | Normalise Engine, Identity Resolver |
| Score | 6-factor decay model produces 0–100 composite score per grant | Decay Engine |
| Review | Evidence-rich packets routed to data owners with SLA tracking | Review Generator, Workflow Engine |
| Remediate | Approved revocations executed safely with full audit trail | Remediation Service, Audit Writer |

Learn more about the architecture
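As an added illustration of the Score plane (not Verity's Decay Engine, and not its published weights), the Python below computes a 0–100 composite from the six factors the page lists under Platform Capabilities: recency, trend, peer comparison, organizational context, review history, and asset sensitivity. The weights, the saturation constants (180 idle days, 365 days since review), the tier thresholds, the field names and the sample grants are all assumptions constructed for this example; the three grants mirror the contractor, the transferred team member and the dormant service account from the scenario above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Factor weights, summing to 100. Constructed for this example; Verity's
# actual weighting is not documented on this page.
WEIGHTS = {
    "recency": 30,          # how long since the grant was last exercised
    "trend": 15,            # is usage falling month over month?
    "peer": 15,             # do same-role peers also use this asset?
    "org_context": 15,      # does the principal's current role justify the grant?
    "review_history": 10,   # how long since a human last attested to it?
    "sensitivity": 15,      # how damaging is the asset if misused?
}


@dataclass
class Grant:
    principal: str
    asset: str
    last_used: Optional[datetime]      # None = never observed in audit events
    uses_last_30d: int
    uses_prior_30d: int
    peer_use_ratio: float              # share of same-role peers using the asset, 0..1
    role_matches_asset: bool           # current team/role is an owner of the asset
    days_since_review: Optional[int]   # None = never reviewed
    sensitivity: int                   # 1 (public) .. 4 (restricted)


def factors(grant: Grant, now: datetime) -> dict:
    """Each factor is normalised to 0.0 (healthy) .. 1.0 (fully decayed)."""
    if grant.last_used is None:
        recency = 1.0
    else:
        recency = min((now - grant.last_used).days / 180, 1.0)  # 180 idle days saturates
    prior = grant.uses_prior_30d
    trend = max(0.0, min((prior - grant.uses_last_30d) / max(prior, 1), 1.0))
    peer = 1.0 - max(0.0, min(grant.peer_use_ratio, 1.0))
    org_context = 0.0 if grant.role_matches_asset else 1.0
    review = 1.0 if grant.days_since_review is None else min(grant.days_since_review / 365, 1.0)
    sens = (max(1, min(grant.sensitivity, 4)) - 1) / 3
    return {"recency": recency, "trend": trend, "peer": peer,
            "org_context": org_context, "review_history": review, "sensitivity": sens}


def decay_score(grant: Grant, now: datetime) -> int:
    """Weighted composite on the 0-100 scale the page describes."""
    f = factors(grant, now)
    return int(round(sum(WEIGHTS[k] * f[k] for k in WEIGHTS)))


def tier(score: int) -> str:
    # Thresholds are an assumption of this example.
    if score >= 80:
        return "critical"
    if score >= 60:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def rank_grants(grants, now):
    """Highest-decay grants first, which is the order a reviewer queue should show."""
    scored = [(decay_score(g, now), g) for g in grants]
    scored.sort(key=lambda s: s[0], reverse=True)
    return [(s, g.principal, g.asset, tier(s)) for s, g in scored]


# Constructed sample grants mirroring the three scenarios in "The Access Decay Problem".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("contractor@example.com", "databricks:workspace-admin",
          last_used=NOW - timedelta(days=240), uses_last_30d=0, uses_prior_30d=0,
          peer_use_ratio=0.2, role_matches_asset=False, days_since_review=None, sensitivity=4),
    Grant("analyst@example.com", "synapse:sales-mart:read",
          last_used=NOW - timedelta(days=2), uses_last_30d=20, uses_prior_30d=18,
          peer_use_ratio=0.9, role_matches_asset=True, days_since_review=60, sensitivity=2),
    Grant("svc-etl@example.com", "postgres:prod-orders:write",
          last_used=NOW - timedelta(days=240), uses_last_30d=0, uses_prior_30d=0,
          peer_use_ratio=0.4, role_matches_asset=True, days_since_review=400, sensitivity=4),
]

if __name__ == "__main__":
    for score, principal, asset, t in rank_grants(SAMPLE_GRANTS, NOW):
        print(f"{score:3d} {t:8s} {principal:24s} {asset}")
```

Running the file prints the grants in review-queue order: the dormant contractor admin grant lands in the critical tier, the idle service account with production write access scores high, and the active analyst stays in single digits. That separation is the risk prioritisation the page contrasts with treating a dormant admin account the same as an active read-only user.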


Platform Capabilities

  • 6 Platform Connectors
    Azure AD, Microsoft Fabric, Azure Synapse, Databricks, PostgreSQL, and HR systems — with a Connector SDK for building your own.
    Connectors

  • Continuous Decay Scoring
    6-factor scoring model evaluates recency, trend, peer comparison, organizational context, review history, and asset sensitivity to produce a 0–100 decay score.
    Scoring Model

  • Intelligent Review Routing
    Evidence-rich review packets are routed to data owners with SLA tracking, escalation chains, and delegation — powered by Temporal workflows.
    Review Lifecycle

  • Safe Remediation
    Approved revocations execute against source platforms via the same connector framework. Dry-run mode, blast radius limits, and rollback capability built in.
    Remediation

  • Immutable Audit Trail
    Every action — scoring, review decision, remediation — is logged to ClickHouse with full before/after state. Query-ready for compliance auditors.
    Audit

  • Real-Time Dashboard
    React + TypeScript SPA with decay heatmaps, review queues, compliance dashboards, and full REST API for automation and integration.
    Dashboard
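The Safe Remediation and Immutable Audit Trail cards name the guardrails a revocation path needs: dry-run mode, a blast radius limit, rollback, and before/after state in the audit record. The Python below is an added example, not Verity's Remediation Service, Audit Writer or connector framework, showing one way to wire those together: an in-memory connector stand-in, a batch-size cap enforced before any change is made, an approval check per request, and audit records that capture the prior state so a revocation can be reversed from its own record. All class and field names, the grant ids and the sample requests are constructed for this example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


class BlastRadiusExceeded(Exception):
    """Raised before any change is made when a batch is larger than policy allows."""


@dataclass
class RevocationRequest:
    grant_id: str
    principal: str
    asset: str
    approved_by: str     # reviewer who approved the revocation in the review packet


class InMemoryConnector:
    """Stand-in for a platform connector, constructed for this example.
    Holds grant_id -> permission string."""

    def __init__(self, grants: Dict[str, str]):
        self.grants = dict(grants)

    def snapshot(self, grant_id: str) -> Optional[str]:
        return self.grants.get(grant_id)

    def revoke(self, grant_id: str) -> None:
        del self.grants[grant_id]

    def regrant(self, grant_id: str, permission: str) -> None:
        self.grants[grant_id] = permission


class Remediator:
    def __init__(self, connector, max_blast_radius: int, dry_run: bool = True):
        self.connector = connector
        self.max_blast_radius = max_blast_radius   # most grants one run may revoke
        self.dry_run = dry_run                     # default to preview, opt in to changes
        self.audit: List[dict] = []                # append-only in-memory audit trail

    def execute(self, requests: List[RevocationRequest]) -> List[dict]:
        # Guardrail 1: refuse the whole batch up front rather than revoking part of it.
        if len(requests) > self.max_blast_radius:
            raise BlastRadiusExceeded(
                f"{len(requests)} revocations requested, policy allows {self.max_blast_radius}")
        records = []
        for req in requests:
            # Guardrail 2: every revocation must carry an approval.
            if not req.approved_by:
                records.append(self._record(req, None, None, "rejected_unapproved"))
                continue
            before = self.connector.snapshot(req.grant_id)
            if before is None:
                # Nothing to do; still record it so the trail explains the no-op.
                records.append(self._record(req, None, None, "already_absent"))
                continue
            if self.dry_run:
                # Guardrail 3: dry run reports what would change without touching the platform.
                records.append(self._record(req, before, before, "dry_run"))
                continue
            self.connector.revoke(req.grant_id)
            records.append(self._record(req, before, None, "revoked"))
        return records

    def rollback(self, record: dict) -> bool:
        """Restore a grant from the 'before' state captured in its own audit record."""
        if record["status"] != "revoked":
            return False
        self.connector.regrant(record["grant_id"], record["before"])
        req = RevocationRequest(record["grant_id"], record["principal"],
                                record["asset"], record["approved_by"])
        self._record(req, None, record["before"], "rolled_back")
        return True

    def _record(self, req: RevocationRequest, before, after, status: str) -> dict:
        rec = {**asdict(req), "before": before, "after": after, "status": status,
               "timestamp": datetime.now(timezone.utc).isoformat()}
        self.audit.append(rec)
        return rec


# Constructed sample state: three live grants, two approved revocations.
SAMPLE_GRANTS = {
    "g-001": "databricks:workspace-admin",
    "g-002": "synapse:finance-mart:write",
    "g-003": "postgres:prod-orders:write",
}
REQUESTS = [
    RevocationRequest("g-001", "contractor@example.com", "databricks", "owner-a@example.com"),
    RevocationRequest("g-002", "mover@example.com", "synapse", "owner-b@example.com"),
]


def demo() -> dict:
    """Preview, apply, roll one back, then show an oversized batch being refused."""
    connector = InMemoryConnector(SAMPLE_GRANTS)
    preview = Remediator(connector, max_blast_radius=2, dry_run=True).execute(REQUESTS)
    live = Remediator(connector, max_blast_radius=2, dry_run=False)
    applied = live.execute(REQUESTS)
    restored = live.rollback(applied[0])
    try:
        Remediator(connector, max_blast_radius=1, dry_run=False).execute(REQUESTS)
        blocked = False
    except BlastRadiusExceeded:
        blocked = True
    return {
        "preview_statuses": [r["status"] for r in preview],
        "applied_statuses": [r["status"] for r in applied],
        "restored": restored,
        "remaining_grants": sorted(connector.grants),
        "oversized_batch_blocked": blocked,
        "audit_entries": len(live.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the batch-size cap is evaluated before the loop so a rejected run leaves the platform untouched, and the dry-run branch sits after the snapshot so a preview still exercises the connector's read path and surfaces grants that have already disappeared.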


Key Benefits

  • Continuous, Not Periodic
    Replace annual rubber-stamp reviews with continuous scoring that catches decay the moment it begins.

  • Risk-Prioritized
    Focus reviewer attention on the 5% of grants that actually need it, not all 10,000.

  • Works With Existing Systems
    Connects to your existing identity and data platforms — Azure AD, Databricks, Synapse, Fabric, PostgreSQL.

  • Compliance-Ready
    SOX Section 404, HIPAA access controls, SOC2 CC6.1-CC6.3 — with continuous evidence generation.

  • Extensible SDK
    Build custom connectors for any platform with the Verity Connector SDK. Domain models and common library included.

  • Cloud-Native Deployment
    Docker Compose for development, Helm charts for Kubernetes production. Full CI/CD pipeline included.


By the Numbers

6 Platform Connectors
19 Microservices
0–100 Decay Score Range
425+ Automated Tests
5 Processing Planes
48h Critical SLA

Quick Install

Docker Compose (development):

# Clone and start
git clone https://github.com/mjtpena/verity.git
cd verity
cp .env.example .env
docker compose up -d

# Verify services
docker compose ps

# Open the dashboard
open http://localhost:3000

Kubernetes (Helm):

# Add Bitnami repo for dependencies
helm repo add bitnami https://charts.bitnami.com/bitnami

# Install Verity
helm install verity infra/helm/verity/ \
  --namespace verity \
  --create-namespace \
  --values infra/helm/verity/values.yaml

First time?

Head to the Quick Start guide for a detailed walkthrough including prerequisites and verification steps.


Explore the Documentation

  • Concepts
    Understand access decay theory, the scoring model, review lifecycle, and remediation pipeline.
    Why Verity?

  • Getting Started
    Prerequisites, installation, configuration, and building your first custom connector.
    Get Started

  • Architecture
    System overview, data-flow diagrams, database schema, and security model.
    Architecture

  • Services
    Deep-dive into each of the 19 microservices — configuration, APIs, and internals.
    Services

  • API Reference
    Complete REST API documentation for principals, assets, grants, scores, reviews, and audit.
    API Docs

  • Use Cases
    Enterprise IAM governance, cloud data platform security, and regulatory compliance.
    Use Cases

  • Deployment
    Docker Compose, Kubernetes/Helm, CI/CD pipelines, and production readiness checklist.
    Deploy

  • Operations
    Monitoring, alerting, runbooks, and troubleshooting guides for production environments.
    Operations