| RISK-PLTADM-01 | Security | Unauthorized config mutation gives attacker control over platform security settings (MFA defaults, session timeouts) | Low | Critical | High | Security team | SUPER_ADMIN JWT scope required; audit log; alert on config mutation spike | Open |
| RISK-PLTADM-02 | Availability | Redis cache unavailable degrades flag evaluate latency above SLO | Medium | High | High | SRE | Redis HA cluster; fail-open DB fallback; alert | Open |
| RISK-PLTADM-03 | Availability | Health poller crash causes incomplete health picture during incident | Medium | High | High | SRE | Kubernetes CronJob restart policy; alert on poll gap; separate on-call runbook | Open |
| RISK-PLTADM-04 | Operational | Allow-list drift: operators need new config keys but code list is not updated | Medium | Medium | Medium | Platform team | Allow-list managed in code with PR review; request process documented | Open |
| RISK-PLTADM-05 | Data integrity | Stale flag cache after archive — downstream service operates with enabled flag | Low | Medium | Medium | Platform team | Event-driven cache invalidation on archive event; 60 s TTL cap | Open |
| RISK-PLTADM-06 | Security | SMTP credentials stored as plain config value exposed via GET | Low | High | High | Security team | type: secret keys return ***REDACTED***; stored via Secrets Manager | Open |
| RISK-PLTADM-07 | Compliance | Config audit history pruned before 7-year retention requirement | Low | Medium | Medium | Platform team | config_history retention policy set to 7 years; archive to S3 after 2 years | Open |