RIGHT-SIZE · ACCESS LENS

Least privilege from real usage.

Paste entitlements against observed usage. ACCESS LENS flags standing privilege, drift, and over-permissioned grants — and refuses a least-privilege claim without usage evidence.

Deterministic gate online

ACCESS LENS deterministic workbench

Least privilege from real usage

API manifest

Step 1 · Your packet — edit this sample, or paste your own↑ Upload your own file

Deterministic — the same packet returns the same verdict and hash, every run. Your result appears on the right →

VerdictREFUSE - OVER-PERMISSIONED

Blocked. The runner found release-breaking evidence gaps or unsafe behavior.

🔒 DETERMINISTIC RECEIPT0 runtime LLM callssame input → same verdict, every runcorpus_seal 942c7e0e83ffe400…input_hash 52e6b8c440e83503…engine engineering-suite-runner-v0.1.0

Privilege postureover-permissioned

Standing vs. just-in-time

Driftdetected

Granted-but-unused entitlements

Recertificationmissing

Time-bound + periodic review

SeverityFindingRemediation

high

ACCESS-PRIV-001 · Standing privileged access

Admin / root / wildcard / prod-write entitlements are held on a standing basis.

Privileged-grant signal detected.

Convert standing privilege to time-bound, just-in-time elevation.

high

ACCESS-DRIFT-001 · Entitlement drift (unused access)

Entitlements are granted but show little or no matching usage.

Unused-entitlement signal detected.

Revoke unused entitlements; enforce least privilege from observed usage.

medium

ACCESS-REVIEW-001 · No periodic review / expiry

Access lacks a recertification cadence or expiry (standing / permanent grant).

Standing-grant / no-expiry signal detected.

Add time-bound grants and a recurring access review.

CORPUS_SEALsha256:942c7e0e83f

Engineering suite deterministic rule corpus

PACKET_HASHsha256:52e6b8c440e

Input packet hash

RUNNERengineering-suite-runner-v0.1.0

ACCESS LENS right-size gate

DECISIONREFUSE - OVER-PERMISSIONED

3 finding(s), score 55