During an incident you have discovered another incident, now you have two incidents

API keys from your SSO provider have been breached.

In the process of switching banks to avoid a bank run, finance realizes a former employee has the signature authority for bank transfers.

Your production "encryption at rest" keys have been exfiltrated by an adversary.

Malicious access credentials have just been generated during an active production intrusion.

An active SSO session has been stolen from an engineer with production access.

Malware has landed on an engineer's laptop who can grant production access.

You have received notification that a classified document uploaded by an elected politician resides on your servers.

An insider investigation has stumbled upon a whistleblower gathering documents to submit to a regulator.

All secrets in your hosted CI are compromised.