| RISK-IDENT-01 | Security | JWT signing key compromise enables platform-wide impersonation | Low | Critical | High | Security team | AWS KMS with hardware-backed keys; key rotation 90 days; KMS access restricted to identity-service IAM role only; audit all key usage | Open |
| RISK-IDENT-02 | Security | Argon2id parameter tuning insufficient; credential database breach leads to mass password recovery | Low | High | High | Platform team | 64 MiB / 3 iterations / 1 thread; breach-list check on new passwords; account lock on failed attempts | Open |
| RISK-IDENT-03 | Availability | KMS availability dependency — full login outage if KMS unreachable | Medium | Critical | High | SRE | KMS multi-region; circuit breaker 5 failures; signed JWT cache in memory (15 min TTL); runbook | Open |
| RISK-IDENT-04 | Compliance | GDPR erasure not propagated to all downstream services | Medium | High | High | DPO + platform team | identity.user.deactivated.v1 event consumed by all services; erasure checklist enforced in DEFINITION_OF_DONE.md; audit trail | Open |
| RISK-IDENT-05 | Data integrity | Legacy credential migration introduces bcrypt hashes incompatible with argon2id verifier | Medium | Medium | Medium | Migration team | Re-hash on first login; fallback verifier for legacy hashes during migration window; monitor re-hash progress metric | Open |
| RISK-IDENT-06 | Security | OIDC JIT provisioning creates shadow accounts outside tenant admin visibility | Medium | Medium | Medium | Identity team | Emit identity.external_identity.linked.v1; surfaced in admin user list with backend=oidc; JIT audit log | Open |
| RISK-IDENT-07 | Performance | Effective license resolver ancestor walk adds latency under deep hierarchy | Low | Medium | Medium | Platform team | 5-min Redis cache; event-driven invalidation < 30 s; alert on resolver p99 > 200 ms | Open |
| RISK-IDENT-08 | Availability | Keycloak outage disables all realm-per-tenant broker-mode tenants | Medium | High | High | SRE + Keycloak team | Circuit breaker per provider; in-house fallback for tenants with both backends; Keycloak HA cluster | Open |
| RISK-IDENT-09 | Compliance | Session not invalidated within token TTL after tenant suspension | Low | High | High | Identity team | Proactive Redis revocation set on tenant.suspended event; maximum 15-min window; alert if event lag > 30 s | Open |
| RISK-IDENT-10 | Operational | Dual-publish legacy event aliases create confusion and double-processing | Medium | Medium | Medium | Platform team | Inbox deduplication prevents double processing; aliases removed at M2; migration cut-over tracked in MIGRATION_PLAN.md | Open |
| RISK-IDENT-11 | Scalability | Session table grows to 50 M+ rows; slow queries on revocation checks | Medium | Medium | Medium | DBA | Covering index on (user_id) WHERE revoked_at IS NULL; cron purge; partition by month in M1 | Open |
| RISK-IDENT-12 | Security | WebAuthn RP ID misconfiguration enables cross-origin credential theft | Low | High | High | Security team | RP ID pinned to platform domain; tested in contract suite; reviewed in security audit | Open |
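
The RISK-IDENT-09 mitigation (a revocation set fed by the tenant.suspended event, bounded by the 15-min token window, with an alert when event lag exceeds 30 s) as an added Python example; this is illustrative code written for this register, not the identity service's own, and the in-memory dict standing in for Redis, the claim names and the function names are assumptions.

```python
"""Added example for RISK-IDENT-09: reject a suspended tenant's sessions
before their JWTs expire. An in-memory dict stands in for the Redis
revocation set (assumption); the 15-min TTL and 30 s lag threshold come
from the register row."""

TOKEN_TTL_S = 15 * 60       # maximum access-token lifetime (15-min window)
EVENT_LAG_ALERT_S = 30      # alert if the event arrives later than this


class RevocationSet:
    """Tenant IDs whose sessions are revoked, each kept for one token TTL.

    A revocation entry must outlive every token issued before the
    suspension, so its TTL is at least the maximum token TTL. Once that
    window has passed, all pre-suspension tokens are expired on their
    own and the entry may lapse, which keeps the set bounded.
    """

    def __init__(self):
        self._revoked = {}  # tenant_id -> timestamp when the entry lapses

    def on_tenant_suspended(self, tenant_id, event_ts, now):
        """Consume a tenant.suspended event; return its lag in seconds."""
        self._revoked[tenant_id] = now + TOKEN_TTL_S
        return now - event_ts

    def is_revoked(self, tenant_id, now):
        expiry = self._revoked.get(tenant_id)
        if expiry is None:
            return False
        if expiry <= now:   # older than any surviving token: let it lapse
            del self._revoked[tenant_id]
            return False
        return True


def event_lag_exceeded(lag_s):
    """True when the consumer lag breaches the alert threshold."""
    return lag_s > EVENT_LAG_ALERT_S


def validate_session(claims, revocation, now):
    """Return (accepted, reason) for signature-verified JWT claims (assumed
    to carry `exp` and `tenant_id`)."""
    if claims["exp"] <= now:
        return False, "expired"
    if revocation.is_revoked(claims["tenant_id"], now):
        return False, "tenant_suspended"
    return True, "ok"
```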