Four auditors, hidden in plain sight.
The bank has 4 internal auditors who conduct secret investigations. Their identities are concealed from the colleagues they oversee.
Risk Manager
What 60 of 64 employees see. Indistinguishable from the four real Risk Managers across the offices. Same role, same chat presence, same org chart.
- Appears in directories as Risk Manager
- Holds Risk Manager permissions
- Cannot be flagged or surfaced
Internal Ombudsman
What only the President and Security Specialist can see. Empowered to read any system in the bank without triggering alerts.
- Read access to every system
- Audit findings logged with concealed authorship
- Visibility limited to 2 senior roles
Zero Trust is not just about blocking access. It is about protecting the privacy and safety of the people who keep the organization honest.
Privacy & Secrecy in Plain English
Three concepts that protect the ombudsmen.
Add noise, protect people
This is differential privacy. When sharing statistics about a group, the system sprinkles a tiny amount of random "noise" into the numbers. The big picture stays accurate, but no single person's data can be pinpointed. Think of a class survey where everyone flips a coin before answering: the totals still make sense, but no individual answer can be traced back to one student.
Hide in the crowd
This is k-anonymity. Every person in the data must blend in with at least k–1 others who share the same key traits. If k = 5, any combination of job title, location, and clearance level matches at least 5 people, never just one. It is like wearing identical team uniforms: even if you know the team number, you cannot single out a specific player.
Groups reveal nothing extra
Knowing which small group someone belongs to should tell you nothing extra about them. T-closeness checks that the spread of sensitive information inside every subgroup looks nearly identical to the whole dataset. If salaries are spread evenly across the whole company, they must look just as evenly spread inside every department — so the group gives nothing away.
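The two checks above can be measured on a directory view. The following is an added example, not the product's code: it computes k (the smallest group sharing the same key traits) and t (the worst gap between a group's sensitive-attribute spread and the whole dataset's), and it shows that the same directory can pass a k-floor of 5 on job title alone yet fail once office is added as a trait. The directory rows, field names, `t_max` threshold and the use of total variation distance as the closeness measure are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict

def classes(rows, quasi):
    """Group rows into equivalence classes keyed by their quasi-identifier values."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[q] for q in quasi)].append(row)
    return groups

def distribution(rows, sensitive):
    """Relative frequency of each sensitive value within rows."""
    counts = Counter(row[sensitive] for row in rows)
    return {value: n / len(rows) for value, n in counts.items()}

def distance(p, q):
    """Total variation distance between two categorical distributions."""
    return sum(abs(p.get(v, 0) - q.get(v, 0)) for v in set(p) | set(q)) / 2

def audit(rows, quasi, sensitive, k_floor, t_max):
    """Return (k, t, violations) for the view defined by the quasi-identifiers."""
    overall = distribution(rows, sensitive)
    k, t, violations = len(rows), 0.0, []
    for key, members in classes(rows, quasi).items():
        d = distance(distribution(members, sensitive), overall)
        k, t = min(k, len(members)), max(t, d)
        if len(members) < k_floor or d > t_max:
            violations.append((key, len(members), round(d, 3)))
    return k, round(t, 3), sorted(violations)

def people(n, title, office, risk):
    """Build n identical constructed directory rows."""
    return [{"title": title, "office": office, "risk": risk} for _ in range(n)]

# Constructed directory as a regular employee would see it (not the product's data).
# Role-substituted auditors are ordinary "Risk Manager" rows in this view.
DIRECTORY = []
for office in ("North", "South"):
    DIRECTORY += people(3, "Risk Manager", office, "medium")
    DIRECTORY += people(1, "Risk Manager", office, "high")
    DIRECTORY += people(4, "Teller", office, "low")
    DIRECTORY += people(2, "Teller", office, "medium")

if __name__ == "__main__":
    for quasi in (("title",), ("title", "office")):
        k, t, bad = audit(DIRECTORY, quasi, "risk", k_floor=5, t_max=0.5)
        print(quasi, "k =", k, "t =", t, "violations:", bad)
```

The k value is only meaningful for the set of traits it was computed over, so an audit should include every attribute a viewer can actually filter on.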
Privacy properties
Three privacy properties protect the ombudsmen. Here is what is implemented today and what is planned.
| Property | What It Means | Today | Roadmap |
|---|---|---|---|
| k-anonymity | Indistinguishable from ≥ k–1 peers in the same group | Implemented — ombudsmen role-substituted to "Risk Manager"; same risk score as real Risk Managers | Increase k-floor to ≥ 5 |
| Access-controlled re-identification | Alias-to-real mapping exists but only privileged callers can resolve it | Implemented — anonymization_registry; only President and Security Specialist receive results | Add tamper-evident logging on every registry read |
| t-closeness | Sensitive attribute distributions close to masking peer group | Partial — attribute distributions match by construction | Formal t-closeness measurement on every aggregate Golden Record query |
| Differential privacy | Aggregate queries return statistically perturbed answers | Roadmap — Laplace-mechanism noise layer | ε ≤ 1.0 on all COUNT/AVG/histogram queries on the Executive Dashboard |