Identity & Account Hygiene
Every action in the system is taken by an identity — a person, a service, or a job. If you cannot say for sure who did something, you cannot secure it, audit it, or defend it to a regulator. Clean identity is the base that every other control rests on.
Account hygiene is simple but important: one identity per actor, the least privilege that works, credentials that rotate, and access that ends as soon as the need ends. Most real attacks are not clever. They get in through a shared login, an over-privileged service account, a leaver who was never removed, or an MFA exception that became permanent.
For an AML platform, identity is also a compliance duty. We must be able to link every regulated decision to one real, named actor. A shared or unclear account does not just widen the attack surface. It removes accountability.
One actor, one identity
- Do: Give every actor (human, AI, or service) its own separate identity, so every action can be traced to exactly one of them.
- Do: Prefer managed, federated identity (Entra ID / SSO) over locally created credentials where you can, so joiners, movers, and leavers flow through one source of truth.
- Always: Require multi-factor authentication on every account that can access systems or data, with no exception.
- Consider: Using service identities (managed identities / workload identity) instead of long-lived API keys for service-to-service auth; see Managed Identity & Least Privilege.
- Never: Share an account, login, or password between people or actors. Every actor (human, AI, or service) must have its own identity.
- Never: Use a personal account or personal device credentials to access, store, or process company or customer data.
- Never: Disable, bypass, or "temporarily" skip MFA on any account with access to systems or data.
Least privilege & lifecycle
- Do: Grant the narrowest role that lets someone do their job. Widen it only on a specific, reviewed request, and prefer time-limited grants.
- Do: Review access regularly. Re-check who has what, and remove anything that is no longer needed.
- Do: Remove access promptly. When a person leaves or a contract ends, their access ends the same day, across every system.
- Consider: Just-in-time elevation for privileged actions instead of standing admin rights, so high access exists only for the minutes it is used.
- Do not: Let privilege build up. Grants made for a one-off task that are never removed are how ordinary accounts become dangerous ones.
- Never: Keep a leaver's, contractor's, or unused account active. Access ends when the need ends.
- Never: Grant standing production access "to be efficient". Access is least-privilege, time-limited, and logged.
Self-review checklist
- Ask: Can every action this account takes be traced to one identifiable actor?
- Ask: Does this identity have any permission it doesn't actually use?
- Ask: If this person left today, would all of their access actually be gone by tonight?
- Ask: Is MFA enforced here, or is there a quiet exception?