Use case

Access change

Grant, reduce, or expire access only after requester, owner, scope, and expiry are reviewed.

The Kernel is live. Company OS is preview. Enterprise is coming soon.

Map access flow Try the local Policy Compiler
Receipt shape
effect
Change a user or service-account permission.
policy
Role, owner, expiry, risk class, and least-privilege boundary must match.
approval
ESCALATE when scope is sensitive, owner is missing, or expiry is absent.
Systems touched

Identity provider, SaaS admin, Ticket or chat request, Policy registry

Side effect

Change a user or service-account permission.

Policy

Role, owner, expiry, risk class, and least-privilege boundary must match.

Approval

ESCALATE when scope is sensitive, owner is missing, or expiry is absent.

Receipt

Access receipt with actor, target, policy hash, approver, and expiry.

Evidence export

EvidencePack export for access review and rollback trace.

Turn this action into a reviewed HELM path.

Map access flow Verify a signed receipt