Math. Each component contributes min(count × per_unit, max) points; the final score is the sum of all contributions, clamped to 100. Tiers: 0-25 low · 26-50 medium · 51-75 high · 76-100 critical. The defaults below come straight from DEFAULT_WEIGHTS in backend/app/domain/risk_score/service.py.

Components — per_unit · max · count

Interactive table, one row per component, with columns Component · per_unit · max · count · Contribution for the currently loaded weight config.

Computed risk-score

Interactive panel showing the score out of 100 and its tier (0/100 = low when no inputs are loaded). Score tier = low. This identity would show with a RiskBadge in the drawer.

Demo scenarios

Click to load Charlotte (the over-permissioned admin) or other prepared scenarios.

Tier distribution preview

If this weight-config were applied to a tenant with 1000 identities of the shape below, the distribution would be shown in an interactive table with columns Tier · Identities · Share.
Reading the components
  • warning_critical / warning / info — IdentityWarning rows (SOL-calc derived). Critical-class rows are typically misconfigured admin accounts.
  • advisor_critical / warning / info — PlatformRecommendation rows from the advisor framework. Filters OUT sod_violation, which is counted separately.
  • nhi_unowned — a non-human identity (service account, AI agent, application, system, IoT) without an owner. Single-shot weight (max = per_unit) because each unowned NHI is critical regardless of count.
  • privileged_no_recent_cert — has HIGH/CRITICAL grants but no cert in the last 90 days. Suppressed when dormant_privileged_grant fires, so the same overdue review is not double-counted.
  • terminated_active_grants — identity status = TERMINATED but still has active grants. A JML-flow failure signal.
  • stale_no_reconciled — identity never reconciled, or last recon more than 30 days ago. A visibility gap.
  • open_smart_cert — pending SmartCertification tasks (mover-trigger / new-grant 30d).
  • dormant_grant / dormant_privileged_grant — entitlement grants whose last_used_at is more than 90 days ago. The privileged variant counts double.
  • sod_violation_warning / critical — toxic-combo matches. Per-rule severity drives the bucket.
  • shadow_access — entitlements held only via transitive group membership (hop_count ≥ 2). Per-unit weight is low (informative) but the max is meaningful: 20+ means group-soup cleanup is needed.
  • peer_outlier — excess grants beyond the peer median. From the PeerGroupOutlierDetector cached payload (12h interval).
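The scoring rule from the "Math" line and the component semantics above, worked through as an added example (not the service's own code). The weights in ASSUMED_WEIGHTS are invented for illustration, since the page does not reproduce the numbers from DEFAULT_WEIGHTS; the identity counts are constructed. It shows the per-component min(count × per_unit, max) cap, the single-shot nhi_unowned weight, the privileged_no_recent_cert suppression, the clamp to 100 and the tier mapping:

```python
# Assumed weights for illustration only. The real values are in
# DEFAULT_WEIGHTS (backend/app/domain/risk_score/service.py) and are not on this page.
ASSUMED_WEIGHTS = {
    # component: (per_unit, max)
    "warning_critical": (10, 30),
    "warning": (3, 12),
    "info": (1, 4),
    "advisor_critical": (8, 24),
    "advisor_warning": (3, 9),
    "advisor_info": (1, 3),
    "nhi_unowned": (15, 15),             # single-shot: max == per_unit
    "privileged_no_recent_cert": (10, 10),
    "terminated_active_grants": (20, 40),
    "stale_no_reconciled": (5, 5),
    "open_smart_cert": (2, 10),
    "dormant_grant": (2, 10),
    "dormant_privileged_grant": (4, 20),  # privileged variant counts double
    "sod_violation_warning": (5, 15),
    "sod_violation_critical": (10, 30),
    "shadow_access": (1, 20),             # low per-unit, meaningful max
    "peer_outlier": (2, 10),
}

# Upper bound of each tier, inclusive: 0-25 low, 26-50 medium, 51-75 high, 76-100 critical.
TIERS = ((25, "low"), (50, "medium"), (75, "high"), (100, "critical"))


def contribution(count, per_unit, maximum):
    """Points one component adds: min(count * per_unit, max)."""
    return min(count * per_unit, maximum)


def tier_for(score):
    """Map a clamped 0-100 score to its tier name."""
    for upper, name in TIERS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def score_identity(counts, weights=ASSUMED_WEIGHTS):
    """Return (total, tier, breakdown) for a mapping of component -> count."""
    counts = dict(counts)
    # Suppression rule: when dormant_privileged_grant fires, the overdue
    # review is already counted, so privileged_no_recent_cert drops to 0.
    if counts.get("dormant_privileged_grant", 0) > 0:
        counts["privileged_no_recent_cert"] = 0
    breakdown = {}
    for component, (per_unit, maximum) in weights.items():
        n = counts.get(component, 0)
        if n > 0:
            breakdown[component] = contribution(n, per_unit, maximum)
    total = min(sum(breakdown.values()), 100)  # final clamp
    return total, tier_for(total), breakdown


# Constructed identity shaped like the "over-permissioned admin" scenario.
CHARLOTTE = {
    "warning_critical": 2,            # 20
    "dormant_privileged_grant": 3,    # 12
    "privileged_no_recent_cert": 1,   # suppressed -> 0
    "shadow_access": 25,              # capped at 20
    "sod_violation_critical": 1,      # 10
    "peer_outlier": 6,                # capped at 10
}

# Constructed NHI with several missing-owner rows: single-shot weight caps at 15.
UNOWNED_SERVICE_ACCOUNT = {"nhi_unowned": 4}

# Constructed identity whose raw sum exceeds 100 and is clamped.
TERMINATED_BUT_ACTIVE = {
    "terminated_active_grants": 2,    # 40
    "warning_critical": 3,            # 30
    "sod_violation_critical": 3,      # 30
    "dormant_grant": 5,               # 10 -> raw 110, clamped to 100
}

if __name__ == "__main__":
    for name, counts in (("charlotte", CHARLOTTE),
                         ("unowned NHI", UNOWNED_SERVICE_ACCOUNT),
                         ("terminated", TERMINATED_BUT_ACTIVE)):
        total, tier, breakdown = score_identity(counts)
        print(f"{name}: {total}/100 {tier} {breakdown}")
```

With these assumed weights Charlotte lands at 72/100 (high) even though shadow_access alone would have added 25 uncapped; swapping in the real DEFAULT_WEIGHTS changes the numbers but not the shape of the calculation.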