Cleared, Compliant, At Risk.
This is Article 4 of the Connected or Exposed series, which examines why public sector organisations struggle to answer compound operational questions.
Access is granted for a reason. The records are supposed to track whether that reason still holds.
They often don't, at least not continuously and not in connection with each other. The clearance file says cleared, the compliance system says training completed, the access log shows permissions granted. Each answers its own question. However, they don't answer the compound question: for this person, right now, are the clearance, the training, and the access still in alignment with the role they actually hold?
That question gets asked reactively, after a departure, or an incident, or an audit.
The formal layer (clearance file, compliance system, access log) leaves a paper trail, however incomplete it may be. The second layer, a person's position in the operational network, leaves almost none. That position changes their risk profile in ways that no clearance file, access log, or HR record captures. Two people can carry identical formal profiles and sit in completely different positions in the network. That distinction doesn't appear in any system.
What the record says
The clearance process captures a snapshot of what was verified at the time of investigation: citizenship, finances, foreign contacts, conduct history. What it does not do, in most implementations, is maintain continuous currency against each of those dimensions as circumstances change.
The result is a class of risks that look compliant on paper.
The first pattern is stale vetting. A role requires citizenship verification for the function it carries: access to PII at scale, involvement in mission-critical infrastructure, clearance eligibility for a programme with a foreign adversary dimension. The verification was completed and recorded. What isn't in the record is whether the verification is current, or whether the role has since expanded to carry functions that the original check wasn't scoped to cover. The record says "cleared." It doesn't say whether the clearance reflects the current role, the current access, or the current risk profile.
The second pattern is compliance disconnected from exposure. Training completion rates are tracked, almost universally. Whether the right people completed the right training for the access they actually hold is a different question, and it's rarely asked in connected form. A personnel record shows required training completed. An access provisioning log shows that the same individual holds elevated permissions across several data sets containing sensitive personal information. The compliance record and the access record live in separate systems. No one has traversed the relationship between them to ask whether the training coverage is proportionate to the exposure. Until something happens, that gap is invisible.
Both patterns share a structure: the record is accurate in isolation. The risk is in the combination: what someone holds versus what's been verified against it, and when.
What the record doesn't show
There is a third pattern, and it's the hardest to see in fragmented data.
Access accumulates. Someone joins a programme at a particular clearance level, for a particular function. Over time the role expands. They move to adjacent programmes and their network grows. Each individual grant of access was legitimate.
The picture looks different when reviewed cumulatively, though: access level against current role, current role against programme involvement, programme involvement against the reach the person now actually has. This isn't because anyone made a bad decision. It's because no decision was ever made about the cumulative picture. It was never visible as a whole.
The pattern recurs across sectors and jurisdictions. Elevated access, accumulated over time, is rarely reviewed against the current reality of what the person does. The investigation happens after the fact and the conclusion is always the same: the elevated access should have been caught earlier, and would have been, had anyone been looking at the full profile rather than the individual components.
The 2025 Insider Risk Report puts the baseline behind this: 93 percent of security leaders say insider threats are as difficult or harder to detect than external cyberattacks. Only 23 percent express strong confidence in stopping them before serious damage occurs. The gap isn't analytical ambition; it's that acting on the full picture requires data that currently lives in systems that don't talk to each other.
The compound question spans multiple dimensions. Answering it requires traversal across HR records, clearance status, access provisioning logs, and employment history. In most agencies, that traversal is not automated. It doesn't happen until something forces it.
The network nobody mapped
Insider risk programmes typically assess individuals in isolation.
Clearance level: high.
Access: broad.
Training: complete.
Risk: elevated.
What that assessment doesn't account for is where the person sits in the operational network.
Network position changes the risk calculation. Two people can hold identical clearance levels and formally equivalent access, but sit in completely different places in the cross-agency network. One is a node. The other is a bridge: a trusted contact across jurisdictions, with awareness of operational context across multiple programmes, and with the informal relationships to move information without triggering formal access records. Their potential impact, if compromised or recruited, is of a different order. So is their value to an adversary.
The issue is not simply whether someone remains authorised. It is whether the organisation still understands the operational reality of who can influence, access, coordinate, or expose critical activity.
The state adversary targeting pattern makes this concrete. A sophisticated recruitment operation doesn't pursue recently departed personnel only for their individual knowledge. It pursues their network: who they can introduce, who trusts them, what relationships they can navigate. That reach doesn't expire with the employment. An organisation that hasn't modelled network influence doesn't know what transferred when the person left.
This is the gap in conventional insider risk programmes: they generate alerts based on individual indicators such as a missed training cycle, an anomalous access event, or a foreign contact disclosed during reinvestigation. Those indicators matter. But without network position as a variable, the prioritisation is incomplete. The person who bridges cross-agency coordination channels, who sits at the intersection of multiple sensitive programmes, who is three informal relationships from operational plans they're not directly cleared for, warrants a different level of scrutiny than their individual record alone would produce.
Seeing it requires modelling who actually works with whom, across which boundaries, with what reach. And then mapping that against clearance level and access to identify where network position creates exposure that the individual record doesn't show.
One data problem
Stale vetting, compliance gaps, accumulated access, and unmapped network influence look like separate problems. They share a root cause: data that is fragmented, not maintained continuously, and not connected in a way that allows compound questions to be answered.
Consider a scenario familiar to anyone working coalition operations. Three personnel, each passing individual checks without issue, are working across different agencies on a joint mission. One holds access scoped to a programme that ended eight months ago and was never reviewed. One has developed a foreign contact since their last check. The third is the informal connector between the two agencies: trusted across both, aware of operational context beyond their formal clearance scope, and far more consequential if compromised than a conventional risk assessment would suggest. No single data source sees all three facts. No single system holds enough of the picture to ask the right question.
A graph model treats relationships as first-class data. Not computed at query time but stored, maintained, and traversable as the network changes. A person connects to their current role, their active access grants, their clearance status, their employment history, and the colleagues they actually collaborate with across agency lines. When a role changes, the relationship changes. When access is revoked, the connection is severed. When someone new becomes the informal bridge between two agencies, that connection appears in the model, not because someone filed a report, but because the interaction pattern is there.
That structure makes the following questions tractable. Which clearance holders carry access that predates their current role by more than twelve months? Which personnel with PII access have missed required training cycles? Which individuals occupy positions in the operational network that amplify their risk profile through the programmes they bridge and the cross-agency trust they carry, beyond what their clearance and access records alone would indicate? These aren't exotic queries but standard traversals across a connected model. The same questions, asked against fragmented records in siloed systems, either can't be answered at all or can only be answered after something has already gone wrong.
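As an added illustration, not code from the article or from any product it describes, here is a small Python model of the connected structure described in the two paragraphs above, with the three questions run against constructed sample data. The people, agencies, programmes, datasets, training names and the twelve-month threshold are all hypothetical; the collaboration edges stand in for the observed interaction pattern the text mentions, and the bridge test is articulation-point detection over the cross-agency collaboration graph, one simple stand-in for "network position".

```python
from collections import deque
from datetime import date

# Constructed sample data (hypothetical people, agencies, programmes and datasets;
# nothing here comes from the article). Each dict or list is one edge type of the
# graph: person->role, person->access grant, person->training, person<->person.
AS_OF = date(2025, 12, 1)  # the "right now" the compound question is asked at
PEOPLE = {
    "alice": {"agency": "AgencyA", "role_since": date(2025, 3, 1), "clearance": "high"},
    "bob":   {"agency": "AgencyB", "role_since": date(2024, 6, 1), "clearance": "high"},
    "carol": {"agency": "AgencyA", "role_since": date(2023, 9, 1), "clearance": "high"},
    "dave":  {"agency": "AgencyB", "role_since": date(2025, 1, 15), "clearance": "medium"},
    "erin":  {"agency": "AgencyA", "role_since": date(2024, 2, 1), "clearance": "medium"},
}
PROGRAMMES = {"P1": None, "P2": date(2025, 4, 30)}  # end date, or None while active
ACCESS = [  # (person, dataset, granted_on, contains_pii, programme)
    ("alice", "ds_cases",   date(2023, 1, 10), True,  "P1"),  # granted long before current role
    ("bob",   "ds_finance", date(2024, 6, 5),  True,  "P1"),
    ("carol", "ds_archive", date(2024, 8, 1),  False, "P2"),  # programme ended, grant kept
    ("dave",  "ds_cases",   date(2025, 2, 1),  True,  "P1"),
    ("erin",  "ds_public",  date(2024, 3, 1),  False, "P1"),
]
REQUIRED_FOR_PII = {"privacy-handling"}  # training a PII grant is supposed to be backed by
TRAINING = {"alice": {"privacy-handling"}, "bob": set(), "carol": {"privacy-handling"},
            "dave": {"privacy-handling"}, "erin": set()}
WORKS_WITH = [("alice", "carol"), ("alice", "erin"), ("carol", "erin"),
              ("carol", "bob"), ("bob", "dave")]  # observed collaboration, undirected


def months_between(earlier, later):
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def stale_access(as_of=AS_OF, months=12):
    """Grants that predate the holder's current role by more than `months`,
    or that are scoped to a programme that ended before `as_of`."""
    findings = []
    for person, dataset, granted, _, programme in ACCESS:
        ended = PROGRAMMES[programme]
        if months_between(granted, PEOPLE[person]["role_since"]) > months:
            findings.append((person, dataset, "predates-role"))
        elif ended is not None and ended < as_of:
            findings.append((person, dataset, "programme-ended"))
    return findings


def pii_training_gaps():
    """People holding a PII grant without the training that grant requires."""
    return sorted({person for person, _, _, pii, _ in ACCESS
                   if pii and not REQUIRED_FOR_PII <= TRAINING.get(person, set())})


def _reachable(adj, start, removed):
    """Nodes reachable from `start` when `removed` is cut out of the graph (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt != removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def cross_agency_bridges():
    """People whose collaborators span more than one agency and whose removal
    disconnects some of those collaborators: articulation points of the
    cross-agency collaboration graph, i.e. the informal bridges."""
    adj = {p: set() for p in PEOPLE}
    for a, b in WORKS_WITH:
        adj[a].add(b)
        adj[b].add(a)
    bridges = []
    for person, neighbours in adj.items():
        if len({PEOPLE[n]["agency"] for n in neighbours}) < 2:
            continue
        first, *rest = sorted(neighbours)
        still_connected = _reachable(adj, first, removed=person)
        if any(n not in still_connected for n in rest):
            bridges.append(person)
    return sorted(bridges)


def compound_risk(as_of=AS_OF):
    """Join the three traversals per person: the compound question, answered once."""
    stale = {p for p, _, _ in stale_access(as_of)}
    gaps = set(pii_training_gaps())
    bridges = set(cross_agency_bridges())
    report = {}
    for person, attrs in PEOPLE.items():
        flags = [name for name, hit in (("cross-agency-bridge", person in bridges),
                                        ("pii-training-gap", person in gaps),
                                        ("stale-access", person in stale)) if hit]
        if flags:
            report[person] = {"clearance": attrs["clearance"], "flags": flags}
    return report


if __name__ == "__main__":
    for person, finding in compound_risk().items():
        print(person, finding)
```

Each of the three questions is one traversal over a single edge type, and the compound answer is a join across all of them per person; with the sample data, carol surfaces only because a stale grant and a bridge position are seen together, which neither the provisioning log nor the collaboration data would flag on its own. A real deployment would replace the literal dicts with a graph store and derive the collaboration edges from interaction data, but the shape of the queries does not change.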
Connected organisations surface the access risk combinations before someone else does. Exposed ones find out after the fact.