Report: Assessment 2026 v0.10 - IAM Security Assessment

Maturity Report

Assessment 2026 v0.10 - 26/02/2026

Export PDF

3.16

Overall Score (0-5)

25

Assessed Controls

15

Identified Gaps

0

Critical Gaps

Maturity by Domain

Compliance by Framework

Compliance = Level ≥ 3

Maturity Distribution

Maturity Gaps (Current Level < 4)

Control	Domain	Current	Target	Gap	Priority
JML-002 Review trigger on transfers: a change of role in H...	Identity Lifecycle (JML)	2	4	2 levels	High
JML-004 Quarterly Access Certification campaigns with auto...	Identity Lifecycle (JML)	2	4	2 levels	High
JML-005 Detection of orphan accounts (Reconciliation): Com...	Identity Lifecycle (JML)	2	4	2 levels	High
PAM-002 Separate accounts: adm-user (no email/web) for man...	Privileged Access (PAM)	2	4	2 levels	High
MON-001 Centralize Audit/Sign-in Logs in a SIEM. Retention...	Monitoring (MON)	2	4	2 levels	High
MON-002 Automatic blocking based on Risk (User/Sign-in Ris...	Monitoring (MON)	2	4	2 levels	High
MON-003 Alert on unverified illicit or high-privilege OAut...	Monitoring (MON)	2	4	2 levels	High
MON-005 Monitor anomalies in Service Principals (read volu...	Monitoring (MON)	2	4	2 levels	High
JML-001 Automate 'Birthright' provisioning via HR, creatin...	Identity Lifecycle (JML)	3	4	1 levels	Medium
JML-003 Automate exit 'Kill Switch': Blocking and revocati...	Identity Lifecycle (JML)	3	4	1 levels	Medium
PAM-004 Implement a Tiered Model (Tiering/Red Forest): Tie...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-005 2 monitored Emergency (Break Glass) accounts, clou...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-006 Require dedicated Privileged Access Workstations (...	Privileged Access (PAM)	3	4	1 levels	Medium
MON-004 P1 alerts for changes to Tier 0 groups (Global/Dom...	Monitoring (MON)	3	4	1 levels	Medium
MON-006 User feedback ('Not me') in MFA generates an immed...	Monitoring (MON)	3	4	1 levels	Medium

Recommendations Roadmap

JML-002 High

Review trigger on transfers: a change of role in HR initiates access recertifica...

2 3

Action: Revisão manual obrigatória via Ticket.

JML-004 High

Quarterly Access Certification campaigns with automatic revocation if there is n...

2 3

Action: Anual (Todos) via Planilha Excel.

JML-005 High

Detection of orphan accounts (Reconciliation): Compare AD vs HR weekly to find o...

2 3

Action: Comparação manual mensal (Vlookup).

PAM-002 High

Separate accounts: adm-user (no email/web) for management and user for daily use...

2 3

Action: Contas separadas, acessadas do mesmo PC.

MON-001 High

Centralize Audit/Sign-in Logs in a SIEM. Retention: 90 days (hot) / 365 days (co...

2 3

Action: Backup manual esporádico para Storage.

MON-002 High

Automatic blocking based on Risk (User/Sign-in Risk) for high-risk events....

2 3

Action: Alerta por e-mail (Investigação humana).

MON-003 High

Alert on unverified illicit or high-privilege OAuth app consents....

2 3

Action: Aprovação manual pelo Admin (Workflow).

MON-005 High

Monitor anomalies in Service Principals (read volume, new IPs, atypical hours)....

2 3

Action: Baseline manual de comportamento.

JML-001 Medium

Automate 'Birthright' provisioning via HR, creating accounts disabled until the ...

3 4

Action: Scriptado (Powershell) disparado por ticket.

JML-003 Medium

Automate exit 'Kill Switch': Blocking and revocation of tokens in <15 min after ...

3 4

Action: Scriptado (Batch noturno).

PAM-004 Medium

Implement a Tiered Model (Tiering/Red Forest): Tier 0 admins never log on to Tie...

3 4

Action: Bloqueio Técnico (GPO) parcial/learning.

PAM-005 Medium

2 monitored Emergency (Break Glass) accounts, cloud-only, excluded from MFA and ...

3 4

Action: 2 contas cloud-only, alertas configurados.

Maturity Report

3.16

25

15

0

Confirm

Warning

Import Data