Privileged work produces resource, account, policy, job, and actor context.
Audit Evidence
Anchor makes privileged activity easier to review by recording the context around important operations. Logs are strongest when they are tied to users, resources, accounts, policies, outcomes, and the operational workflow that produced them.
Evidence Philosophy
Legacy PAM evidence often begins as a search problem: find the right export, match it to the right ticket, explain which policy was supposed to apply, and reconstruct the account state later.
Anchor starts from the opposite direction. Evidence is produced by the operating workflow. A policy decision, secret reveal, machine retrieval, verification job, rotation job, reconcile action, session launch, component trust change, or setting update should already carry the context a reviewer needs.
Evidence Dimensions
Anchor’s public evidence model is built around reviewable dimensions:
- Actor: who requested, performed, denied, or approved the action.
- Actor type: user, system, component, or API client.
- Target: which resource, account, scope, component, or policy was involved.
- Policy: what control logic governed the action.
- Operation: what was requested or changed.
- Result: whether the action succeeded, failed, was blocked, was denied, or requires review.
- Reason: why privileged access was requested when a reason is required.
- Time: when the event occurred.
- Correlation: how related events connect across jobs, sessions, and review workflows.
Event Classes
Useful audit evidence includes:
- Authentication success and failure.
- Secret creation, reveal, checkout, retrieval, injection, verification, rotation, and reconciliation.
- Account creation, update, deletion, verification, rotation, and reconcile outcomes.
- Policy creation, update, assignment, and override.
- Scope creation, update, deletion, and delegated access changes.
- Session launch, redemption, status report, termination request, end, recording creation, recording view, and recording deletion.
- Component registration, heartbeat, trust, untrust, disable, enable, drain, credential rotation, and credential revocation.
- Security setting, license, backup, health, and system administration events.
Example Evidence Timeline
The value is not just that events exist. The value is that reviewers can follow the operational story.
Review Value
Auditors, security reviewers, IAM/PAM teams, and leadership should not need to reconstruct privileged activity from unrelated systems. Anchor organizes evidence around the operational object being reviewed, so questions like “who had access,” “which policy applied,” “what changed,” and “what failed” are easier to answer.
Sensitive Data Handling
Audit records should preserve useful context without exposing secrets. Anchor’s public model emphasizes evidence, redaction, and operational metadata rather than secret material.
That distinction matters in real reviews. Evidence should show the actor, target, policy, result, request context, and reason without exposing passwords, private keys, raw tokens, signatures, recording bytes, or plaintext secret material.
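
The evidence dimensions and the redaction rule above can be combined in one record builder that rejects incomplete events, strips secret material from the request context, and groups events by correlation for review. The following Python sketch is an added example, not Anchor's code or schema: the field names, the sensitive-key list, the operations that require a reason, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed field names mirroring the page's evidence dimensions (not Anchor's schema).
DIMENSIONS = ("actor", "actor_type", "target", "policy", "operation",
              "result", "reason", "time", "correlation")
# Assumed key fragments for material that must never reach an audit record.
SENSITIVE = ("password", "private_key", "token", "signature",
             "recording_bytes", "secret_value")

def redact(value, key=""):
    """Recursively replace anything stored under a sensitive-looking key."""
    if any(s in key.lower() for s in SENSITIVE):
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, key) for v in value]
    return value

def to_evidence(raw, reason_required=("secret.reveal", "session.launch")):
    """Check a raw event against the dimensions and return a redacted record."""
    missing = [d for d in DIMENSIONS if d != "reason" and not raw.get(d)]
    if raw.get("operation") in reason_required and not raw.get("reason"):
        missing.append("reason")  # a reason is mandatory only where policy requires one
    if missing:
        raise ValueError(f"event lacks evidence dimensions: {missing}")
    record = {d: raw.get(d) for d in DIMENSIONS}
    record["context"] = redact(raw.get("context", {}))
    return record

def timeline(records):
    """Group records by correlation id, ordered by time, so a reviewer can follow one story."""
    grouped = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        grouped[r["correlation"]].append(f'{r["time"]} {r["operation"]} {r["result"]}')
    return dict(grouped)

# Constructed sample events (not real Anchor output).
RAW_EVENTS = [
    {"actor": "alice", "actor_type": "user", "target": "account:db-admin",
     "policy": "reveal-with-reason", "operation": "secret.reveal", "result": "succeeded",
     "reason": "constructed ticket CHG-0000", "time": "2024-01-01T10:00:05Z",
     "correlation": "corr-1", "context": {"source_ip": "192.0.2.10", "password": "hunter2"}},
    {"actor": "rotation-worker", "actor_type": "system", "target": "account:db-admin",
     "policy": "rotate-after-reveal", "operation": "account.rotate", "result": "succeeded",
     "time": "2024-01-01T10:30:00Z", "correlation": "corr-1",
     "context": {"job": {"api_token": "abc", "attempt": 1}}},
]
EVIDENCE = [to_evidence(e) for e in RAW_EVENTS]
```

Key-name matching only catches secrets stored under recognizable keys; free-text fields such as the reason still need review before they are written.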