
Compliance Ratings

Compliance ratings are a visibility layer for privileged access health. They help teams quickly see where policy coverage, verification, rotation, account hygiene, drift, and audit evidence need attention.

Rating

Ratings summarize coverage, freshness, drift, hygiene, and review readiness.

Job signal

Verification, rotation, reconcile, and session results shape posture.

Action item

Weak signals point to cleanup work instead of raw export hunting.

Explain

Posture stays attached to resources, accounts, policy, logs, and evidence.

Compliance Ratings are not paperwork scores. They are operational signals drawn from privileged access state:

  • Is the resource covered by the expected policy?
  • Does the effective policy match the intended operating boundary?
  • Are privileged accounts verified, owned, rotated, and reconciled?
  • Are there stale accounts, orphaned identities, unmanaged keys, or excessive standing access?
  • Did recent jobs succeed, fail, or produce unresolved findings?
  • Are Anchor Connect sessions governed, bounded, and reviewable?
  • Do Ledger-backed events support the evidence trail?
  • Do Compass findings explain where risk is concentrated?

Ratings can reflect signals such as:

  • Policy attached to the resource, account, or scope.
  • Recent verification status.
  • Rotation freshness where rotation is applicable.
  • Stale or unmanaged account detection.
  • Ownership clarity for privileged accounts.
  • Failed job or unresolved drift signals.
  • Anchor Connect session activity and termination status.
  • Required audit fields present in logs.
  • Ledger-backed integrity signals for important security-relevant events.
  • Compass findings for drift, hygiene, exposure, and evidence gaps.

The following response is representative, not a schema. It shows the kind of review summary teams can automate against.

{
  "scope_id": "scope_prod",
  "rating": "strong",
  "signals": {
    "policy_coverage": "high",
    "rotation_posture": "healthy",
    "drift_findings": "low",
    "stale_account_risk": "monitored",
    "audit_evidence": "ready"
  },
  "review_items": [
    {
      "type": "verification_failure",
      "resource_id": "res_prod_linux",
      "severity": "medium"
    }
  ]
}
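As an added example of automating against a response like the one above (this is not Anchor's code or API; the healthy-value vocabulary, the treatment of "strong" as the only passing rating, the severity ordering and the signal-to-cleanup mapping are assumptions made for the example), the following Python script turns a rating response into a review plan: it isolates weak signals, maps each to the cleanup work it points at, sorts open review items by severity, and returns a pass/review/fail status that a scheduled job can act on.

```python
import json
from typing import Any

# Constructed sample response, modelled on the representative response above.
# The value vocabularies, the "strong" pass threshold and the cleanup mapping
# are assumptions made for this example, not Anchor's documented behaviour.
SAMPLE_RESPONSE = """
{
  "scope_id": "scope_prod",
  "rating": "strong",
  "signals": {
    "policy_coverage": "high",
    "rotation_posture": "healthy",
    "drift_findings": "low",
    "stale_account_risk": "monitored",
    "audit_evidence": "ready"
  },
  "review_items": [
    {"type": "verification_failure", "resource_id": "res_prod_linux", "severity": "medium"}
  ]
}
"""

# Signal values that need no attention (assumed vocabulary).
HEALTHY_VALUES = {"high", "healthy", "low", "monitored", "ready"}

# What a weak signal points at, following the signal list above.
CLEANUP_FOR_SIGNAL = {
    "policy_coverage": "attach the expected policy to uncovered resources or scopes",
    "rotation_posture": "rotate overdue credentials and fix failed rotation jobs",
    "drift_findings": "reconcile effective policy with the intended operating boundary",
    "stale_account_risk": "claim or remove stale and orphaned privileged accounts",
    "audit_evidence": "restore missing audit fields and Ledger-backed event coverage",
}

# Lower rank = more urgent. Unknown severities sort last instead of failing the run.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
BLOCKING_RANK = SEVERITY_RANK["high"]


def triage(response: dict[str, Any]) -> dict[str, Any]:
    """Turn one rating response into a review plan with a pass/review/fail status."""
    weak_signals = {
        name: value
        for name, value in response.get("signals", {}).items()
        if value not in HEALTHY_VALUES
    }
    actions = [
        CLEANUP_FOR_SIGNAL.get(name, f"investigate unknown signal '{name}'")
        for name in sorted(weak_signals)
    ]
    items = sorted(
        response.get("review_items", []),
        key=lambda item: SEVERITY_RANK.get(item.get("severity"), len(SEVERITY_RANK)),
    )
    blocking = [
        item for item in items
        if SEVERITY_RANK.get(item.get("severity"), len(SEVERITY_RANK)) <= BLOCKING_RANK
    ]

    # fail:   the rating itself is not strong, or a high/critical item is open.
    # review: the rating is strong but a weak signal or an open item remains.
    # pass:   nothing to look at.
    if response.get("rating") != "strong" or blocking:
        status = "fail"
    elif weak_signals or items:
        status = "review"
    else:
        status = "pass"

    return {
        "scope_id": response.get("scope_id"),
        "status": status,
        "weak_signals": weak_signals,
        "actions": actions,
        "review_items": items,
    }


def evaluate(response_json: str) -> dict[str, Any]:
    """Parse a raw JSON response and triage it."""
    return triage(json.loads(response_json))


def main() -> int:
    plan = evaluate(SAMPLE_RESPONSE)
    print(f"{plan['scope_id']}: {plan['status']}")
    for item in plan["review_items"]:
        print(f"  [{item.get('severity')}] {item.get('type')} on {item.get('resource_id')}")
    for action in plan["actions"]:
        print(f"  -> {action}")
    # A non-zero exit lets a scheduled job or pipeline step surface the scope.
    return 0 if plan["status"] == "pass" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

For the sample above the result is "review": the rating is strong and no signal is weak, but the medium verification failure on res_prod_linux is still an open item that someone should look at, which is exactly the "reason a review is needed" the rating should carry.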

Ratings become more useful when they point to the reason a review is needed. Drift is one of the clearest signals: expected policy state and observed operational state no longer match.
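To make the drift signal concrete, here is an added Python example (not Anchor's code; the policy fields, the finding kinds and the mapping from findings to a coarse drift value are assumptions made for the example) that compares the intended operating boundary for a resource with the effective policy observed on it. Every mismatch is drift, but the direction is kept, because a weakened control or standing access granted outside the boundary is a security problem, while an out-of-band tightening still needs reconciling so intended and observed state agree again.

```python
from dataclasses import dataclass


# Intended operating boundary for a resource and the effective policy observed on it.
# Field names are assumptions made for this example, not Anchor's policy schema.
@dataclass(frozen=True)
class Policy:
    resource_id: str
    max_rotation_days: int
    max_session_minutes: int
    session_recording: bool
    approval_required: bool
    allowed_principals: frozenset


@dataclass(frozen=True)
class DriftFinding:
    resource_id: str
    kind: str    # weakened_control, excess_access or tightened_control
    detail: str


def detect_drift(intended: Policy, observed: Policy) -> list:
    """Return one finding per mismatch between intended and observed policy."""
    if intended.resource_id != observed.resource_id:
        raise ValueError("policies describe different resources")
    findings = []

    def add(kind: str, detail: str) -> None:
        findings.append(DriftFinding(intended.resource_id, kind, detail))

    # Numeric limits: a larger observed value is a weaker control.
    for name in ("max_rotation_days", "max_session_minutes"):
        want, got = getattr(intended, name), getattr(observed, name)
        if got > want:
            add("weakened_control", f"{name} is {got}, intended at most {want}")
        elif got < want:
            add("tightened_control", f"{name} is {got}, intended {want}")

    # Required controls: intended on but observed off is a weakened control.
    for name in ("session_recording", "approval_required"):
        want, got = getattr(intended, name), getattr(observed, name)
        if want and not got:
            add("weakened_control", f"{name} is required but disabled")
        elif got and not want:
            add("tightened_control", f"{name} is enabled but not intended")

    # Principals with standing access that the boundary never granted.
    extra = observed.allowed_principals - intended.allowed_principals
    if extra:
        add("excess_access", f"standing access outside the boundary: {sorted(extra)}")
    missing = intended.allowed_principals - observed.allowed_principals
    if missing:
        add("tightened_control", f"intended principals without access: {sorted(missing)}")
    return findings


def drift_signal(findings: list) -> str:
    """Collapse findings into the coarse drift_findings value a rating carries."""
    kinds = {f.kind for f in findings}
    if "excess_access" in kinds:
        return "high"
    if "weakened_control" in kinds:
        return "medium"
    return "low"


# Constructed sample: the boundary an operator intended for res_prod_linux and
# what a reconcile job observed afterwards.
INTENDED = Policy("res_prod_linux", 30, 60, True, True,
                  frozenset({"ops-oncall", "break-glass"}))
OBSERVED = Policy("res_prod_linux", 90, 60, True, False,
                  frozenset({"ops-oncall", "break-glass", "svc-legacy"}))

if __name__ == "__main__":
    found = detect_drift(INTENDED, OBSERVED)
    for f in found:
        print(f"{f.resource_id} {f.kind}: {f.detail}")
    print("drift_findings:", drift_signal(found))
```

On the constructed sample the rotation interval has tripled, approval is no longer required, and svc-legacy holds standing access the boundary never granted, so the scope's drift_findings value would move to "high" and each finding names exactly what to reconcile.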

Anchor Compass helps make ratings explainable. A weak rating should not leave teams guessing. It should point toward the finding that matters: missing policy coverage, failed verification, stale privileged account, overdue rotation, unmanaged key, session evidence gap, or drift between intended and observed state.

Ratings help security and audit teams prioritize the work that affects privileged access health. They are not a certification claim or a guarantee of compliance. They are operational signals that make access review faster to understand and easier to explain.