Why Verity?¶
The Problem: Stale Access Is the #1 Identity Attack Vector¶
Every organisation grants access. Few organisations revoke it on time.
The result is access decay — a steady accumulation of permissions that no one uses, no one monitors, and no one revokes until a post-breach forensic report highlights the six-month-old service-account token that an attacker used to move laterally across your cloud estate.
The Numbers
- 60 %+ of cloud breaches involve over-provisioned or orphaned credentials. (Verizon DBIR, 2024)
- The average enterprise has 3.5× more entitlements than are actively used. (Gartner, 2023)
- 83 % of organisations cannot detect unused access within 30 days. (Osterman Research, 2023)
- Annual access reviews catch problems once every 365 days — attackers need hours.
Traditional Identity Governance and Administration (IGA) platforms address this with periodic certification campaigns: once a quarter, managers receive a spreadsheet of entitlements, rubber-stamp "approve all," and move on. The access that should have been revoked survives another 90 days.
timeline
title Traditional Access Review Cycle
section Q1 Review
Jan : Review campaign launched
Feb : Managers approve 95 % unchanged
Mar : Campaign closes — stale access persists
section Gap
Apr : No visibility
May : No visibility
Jun : No visibility — attacker exploits stale SA
section Q2 Review
Jul : Next campaign — breach discovered in forensicsHow Verity Helps¶
Verity is an Access Decay Intelligence Platform. Instead of periodic campaigns it provides:
| Capability | What It Means |
|---|---|
| Continuous Scoring | Every access grant receives a 0–100 decay score, updated as new signals arrive — not once a quarter. |
| Evidence-Based Reviews | Review packets include usage history, peer comparison, and risk context so reviewers make informed decisions in seconds. |
| Intelligent Routing | Reviews reach the person who actually owns the resource, with automatic escalation when SLAs are at risk. |
| Safe Remediation | Revocations execute through the same connectors that ingested the data, with dry-run mode, blast-radius limits, and rollback. |
The result: stale access is detected within hours, reviewed within days, and remediated before it becomes a breach vector.
The Five Processing Planes¶
Verity processes access data through five distinct planes. Each plane scales independently, communicates via Kafka, and can be deployed as one or more microservices.
graph LR
subgraph Ingest["① Ingest Plane"]
direction TB
C1[Entra ID Connector]
C2[AWS IAM Connector]
C3[GitHub Connector]
C4[Custom Connectors]
end
subgraph Normalise["② Normalise Plane"]
direction TB
IR[Identity Resolution]
AC[Asset Classification]
GR[Graph Builder]
end
subgraph Score["③ Score Plane"]
direction TB
DE[Decay Engine]
PM[Peer Model]
SM[Sensitivity Multiplier]
end
subgraph Review["④ Review Plane"]
direction TB
RG[Review Generator]
WF[Workflow Engine]
NF[Notifications]
end
subgraph Remediate["⑤ Remediate Plane"]
direction TB
RA[Remediation Actions]
DR[Dry-Run Validator]
AL[Audit Logger]
end
Ingest -->|Kafka| Normalise -->|Kafka| Score -->|Kafka| Review -->|Kafka| Remediate
style Ingest fill:#7c4dff,color:#fff,stroke:none
style Normalise fill:#651fff,color:#fff,stroke:none
style Score fill:#536dfe,color:#fff,stroke:none
style Review fill:#448aff,color:#fff,stroke:none
style Remediate fill:#40c4ff,color:#000,stroke:none① Ingest Plane¶
Connectors pull audit logs, entitlement snapshots, and identity metadata from upstream systems (Entra ID, AWS IAM, GitHub, Okta, and more). Raw events are published to Kafka with at-least-once delivery guarantees.
② Normalise Plane¶
The Normalise Engine resolves identities across systems (e.g., mapping an AWS IAM role to an Entra ID user), classifies assets by sensitivity, and builds a relationship graph that captures who-has-access-to-what.
③ Score Plane¶
The Decay Engine consumes normalised events and computes a composite decay score (0–100) for every access grant. The scoring model blends six weighted factors — recency, trend, organisational context, peer comparison, review history, and asset sensitivity. Scores are persisted in TimescaleDB as a time-series hypertable.
→ Deep dive: Scoring Model
④ Review Plane¶
When a score crosses a configurable threshold (default: 50), the Review Generator creates a review packet — a self-contained evidence bundle with everything a data owner needs to make an informed keep-or-revoke decision. The Workflow Engine (powered by Temporal) tracks SLAs, sends reminders, and escalates overdue reviews.
→ Deep dive: Review Lifecycle
⑤ Remediate Plane¶
Once a reviewer decides to revoke or reduce access, the Remediation service executes the action through the same connector framework used for ingest. Safety mechanisms include dry-run validation, blast-radius limits, and automatic rollback. Every action is logged immutably to ClickHouse.
→ Deep dive: Remediation Pipeline
Core Components¶
Sources (Connectors)¶
Sources are the adapters that connect Verity to upstream identity and access systems. Each connector implements a standard interface with two capabilities:
- Read — Pull audit events, entitlements, and metadata during the Ingest phase.
- Write — Execute remediation actions (revoke, reduce, suspend) during the Remediate phase.
Built-in connectors ship for:
| Connector | Read | Write | Protocol |
|---|---|---|---|
| Microsoft Entra ID | Microsoft Graph API | ||
| AWS IAM | AWS SDK (STS, IAM) | ||
| GitHub | GitHub REST / GraphQL | ||
| Okta | Okta SCIM / API | ||
| Google Workspace | Google Admin SDK | ||
| PostgreSQL (roles) | SQL / pg_stat | ||
| Generic SCIM | SCIM 2.0 | ||
| Custom (webhook) | HTTP POST |
Scoring (Decay Engine)¶
The Decay Engine is the analytical heart of Verity. It receives normalised access events and computes a continuously updated score using six weighted factors.
→ Full details: Scoring Model
Reviews¶
Reviews are the human decision point. Verity generates evidence-rich review packets and routes them to the right person at the right time, tracked by Temporal workflows with SLA enforcement.
→ Full details: Review Lifecycle
Remediation¶
Remediation is the action layer. When a review decision is made — or when a policy triggers automatic action — the Remediation service executes safely through the connector framework.
→ Full details: Remediation Pipeline
Benefits¶
-
Consumer-Driven Scoring
Scores are computed from actual usage signals — not static rules. The model adapts to your organisation's real access patterns, reducing false positives.
-
Works With Your Existing Stack
Verity does not replace your IdP or PAM. It sits alongside existing identity infrastructure, consuming events and orchestrating reviews through your current tools.
-
Multi-Platform, Multi-Cloud
Score access decay across Entra ID, AWS, GitHub, Okta, Google Workspace, and custom systems — all normalised into a unified identity graph.
-
Less Brittle Than Periodic Reviews
Continuous scoring replaces quarterly certification campaigns. Problems are detected in hours, not months.
-
Graph-Based Relationships
Verity builds a live identity-to-resource graph, enabling queries like "show all access paths from this contractor to PCI-scoped databases."
-
Flexible Deployment
Run on Kubernetes, Docker Compose, or bare metal. Each plane scales independently. Deploy all-in-one for small environments or distributed for enterprise scale.
-
Ready-to-Use Connectors
Ship with 8 built-in connectors and a webhook adapter for everything else. New connectors follow a standard interface — typically a day's work.
-
Compliance-Ready
Immutable audit trail in ClickHouse with 7-year retention. Pre-built reports for SOX, SOC 2, ISO 27001, and NIST 800-53 access review controls.
When Not to Use Verity¶
Verity is opinionated software. It excels at continuous access-decay detection and remediation for organisations at scale. It is not the right tool for every situation:
Consider alternatives if …
You have fewer than ~50 users. Verity's value scales with the number of identities, entitlements, and systems. For very small teams a shared spreadsheet or your IdP's built-in review features may be sufficient.
You already run a mature IGA platform (SailPoint, Saviynt, CyberArk IGA). If your existing platform already provides continuous analytics and you are happy with it, Verity would duplicate functionality. However, Verity can complement an IGA by providing an independent scoring layer — talk to us if this interests you.
You need real-time, inline access blocking. Verity is an asynchronous, evidence-based system. It detects decay, routes reviews, and remediates — but it does not sit in the authentication path. For real-time policy enforcement, pair Verity with a Policy Decision Point (PDP) like OPA or Cedar.
You only need database-level access control. If your sole concern is database roles and row-level security, a dedicated database-access tool (e.g., Teleport, StrongDM) may be more appropriate.
Explore the Documentation¶
-
Access Decay Theory
Understand the concept of access decay, the signals that drive it, and why traditional approaches fail.
-
Scoring Model
Deep dive into the six-factor scoring model, risk levels, SLA matrix, and storage strategy.
-
Review Lifecycle
Follow a review from generation through routing, decision, and execution.
-
Remediation Pipeline
Learn how Verity safely executes revocations with dry-run, blast-radius limits, and rollback.
-
Architecture Overview
Technical deep dive into the 19-service architecture, data flow, and infrastructure.
-
Quick Start
Get Verity running locally in under 10 minutes with Docker Compose.