PASSED | security / soc2_access_control_violation

SOC 2 Access Control Violation — Terminated Employee Still Active

An automated SOC 2 compliance scan discovers 14 terminated employee accounts that are still active across production systems. The offboarding automation failed silently for 3 months, and these accounts retain full production access including database admin and cloud console roles.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 85%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | UNKNOWN | UNKNOWN |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 18 linked |
Cascade Escalation | N/A | No |
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

HR system shows 14 employees terminated in last 3 months. All 14 accounts still active in AD, cloud IAM, and VPN. Offboarding automation script broken since January. No manual review process. SOC 2 audit in 1 month.

Injected Error Messages (2)

SailPoint identity governance CRITICAL — 14 terminated employee accounts still active across production systems, HR termination dates range from 2026-01-05 to 2026-03-15, automated deprovisioning workflow 'employee-offboard-v3' has been failing silently since 2026-01-02 due to broken API connector to HR system, active privileges include: 3 accounts with database admin rights, 5 accounts with cloud console admin, 8 accounts with VPN access, 14 accounts with production application access, SOC 2 CC6.1 access control violation
cloud IAM audit finding — terminated user accounts detected with active roles: 'jdoe@company.com' (terminated 2026-01-05) has Owner role on production project, 'msmith@company.com' (terminated 2026-02-12) has BigQuery Admin and Storage Admin, login activity detected on 3 of 14 terminated accounts in last 30 days, SOC 2 Type II access control finding requiring immediate remediation and root cause analysis

Neural Engine Root Cause Analysis

The SailPoint identity governance system has a broken API connector to the HR system that has been failing silently since January 2nd, 2026. This has caused the automated employee deprovisioning workflow 'employee-offboard-v3' to fail, leaving 14 terminated employee accounts active with critical privileges including database admin, cloud console admin, and production access. The root cause is likely a configuration issue, authentication failure, or network connectivity problem between SailPoint and the HR API endpoint.

Remediation Plan

1. Immediately disable all 14 terminated employee accounts manually to mitigate security risk.
2. Investigate the HR API connector configuration and test connectivity to the HR system.
3. Check authentication credentials and certificates for the API connection.
4. Review logs for the 'employee-offboard-v3' workflow to identify specific failure points.
5. Fix the API connector configuration or credentials.
6. Test the automated deprovisioning workflow with a test account.
7. Re-run the workflow for all affected terminated employees.
8. Implement alerting for workflow failures to prevent silent failures in the future.

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmnckefh208wnobqe91o23q6d