Mon. May 18, 2026

When the Policy Exists Only in the Slide Deck

On Tuesday, January 14, 2026, at 8:47 sharp, Monsieur le Vicomte Jean-Baptiste de Vauquelin-Pétainville, Directeur Suprême de la Fabrique Identitaire of the Banque Continentale de Paris SA, reached the forty-second floor of the Tour Continentale at La Défense to present, to the assembled Méga-Conseil Stratégique, the 2026-2030 IAM Strategy of the Group, a deck of two hundred and forty-seven slides on which he had worked, together with the senior consultant Madame Mounia El Hamri of the consulting firm KPMcKinsey International & Partners, for the previous nine months.

The slides had been printed in four languages, bound in three different formats (executive summary, technical annex, board version with extra-large fonts for the elderly members of the Conseil), and pre-circulated by registered post to the seventeen members of the Conseil, the eleven secondary members, the three external observers, and the rapporteur of the Autorité de Contrôle Prudentiel et de Résolution, who would not, in fact, attend but had requested to receive the materials anyway.

Two people who might have been expected in the room were not there. The CISO, Karim Benabdallah, known on the IT corridor as «KB», had not been invited. The DSI, Giuseppe Tessitore, nicknamed «Beppe» by the same corridor, had been invited as observer but had declined, citing a scheduled meeting with the SAP integration team that, in fact, was rescheduled within the hour. KB and Beppe had agreed, in their weekly Wednesday coffee on the eighteenth floor, that there was little they could usefully contribute to a meeting whose conclusion was already in the minutes.

The meeting room at the forty-second floor had been booked since the previous September. The coffee, sourced from the small kiosk in the gallery of the Tour, had been ordered the day before. Monsieur le Vicomte de Vauquelin-Pétainville wore the dark blue suit reserved for occasions of “highest strategic significance”.

Slide 23

On slide 23 there was a diamond. Inside the diamond, in Helvetica Neue 36-point bold, the words “Zero Trust”. Around the diamond, six arrows pointing inward, each one labeled, in 14-point regular, with one of the six pillars of the new IAM architecture: zero-trust, least-privilege, Just-in-Time access, dynamic risk scoring, continuous authentication, and identity-as-the-new-perimeter.

The arrows did not, in any technical sense, do anything. They were decorative. Madame El Hamri had spent, in her own subsequent recollection, three full afternoons aligning their angles, while her client Monsieur le Vicomte de Vauquelin-Pétainville debated, over the same three afternoons, the exact shade of blue of the diamond.

When slide 23 appeared on the projector, the Doyenne du Conseil de Conformité, Maître Anne-Sophie de Beauvilliers, who had been with the Group for thirty-one years and was three months from retirement, wept silently for approximately forty seconds. The Mégadirectrice Financière, Madame la Comtesse Éléonore de Montfaucon-Aubray, leaned over to her colleague the Mégadirecteur des Risques, Monsieur Henri-Charles d’Argenville, and whispered, “It’s even better than slide 23 of the 2024-2028 strategy”. The Mégadirecteur des Risques nodded gravely.

The cyber insurance broker, Monsieur Pierre-Marie du Châtelard-Lefranc, of the Compagnie d’Assurances Continentale et Royale, raised a trembling hand and announced, in a voice slightly cracked by professional emotion, that on the basis of slide 23 he could already commit to a reduction in the cyber policy premium of an amount to be determined in writing within forty-eight hours but in any case “significant”. He sat down.

The Mégadirectrice Financière clapped. Everyone clapped. The 2026-2030 IAM Strategy of the Banque Continentale de Paris SA was passed by acclamation. The minutes recorded a unanimous vote of confidence in Monsieur le Vicomte de Vauquelin-Pétainville and in the strategic vision of slide 23 in particular.

The Sub-Committee of December 18

The sub-committee of December 18, 2025, in which the implementation of slide 23 had been quietly downgraded, had been convened in a small meeting room of the thirty-ninth floor. KB had been present. Beppe had been present. Monsieur le Vicomte had not been present, but had been represented by his chief of staff, Madame Clarisse de Pré-Saint-Gervais.

KB had presented a six-page note explaining, in technical detail, why the Just-in-Time access architecture depicted on slide 23 required, before deployment, a baseline inventory of privileged accounts, an audit of the directory listing, a deprovisioning campaign of approximately fifteen thousand inactive accounts, and a re-architecting of the legacy authentication endpoints that pre-dated the SAP migration of 2004. He had estimated the work at fourteen months and two and a half full-time engineers.

Madame de Pré-Saint-Gervais had thanked KB for the analysis and had observed that, while operationally valuable, the timeline was incompatible with the presentation date of the strategy to the Méga-Conseil Stratégique. The sub-committee had agreed, in the minutes, to “defer the implementation phases of slide 23 to a subsequent strategic cycle, while maintaining the strategic articulation as currently documented”.

Beppe had pointed out that this meant slide 23 would be presented as a strategy that the Bank was not implementing. Madame de Pré-Saint-Gervais had smiled and observed that the Méga-Conseil Stratégique was concerned with strategic articulation, not implementation phases, and that the latter belonged to the operational governance which was the prerogative of the IT department.

KB and Beppe had walked back to the eighteenth floor in silence.

The Inconvenient Survey

That same January, on a Wednesday morning that Monsieur le Vicomte did not become aware of until much later, CyberArk had published the Identity Security Landscape report, in which it asked enterprises whether their Privileged Access Management strategies were ready for hybrid and multi-cloud environments. Seventy-six percent had said yes.

The CyberArk team had then asked, in a more discreet tone in a subsequent section, whether those same enterprises had actually implemented Just-in-Time access. One percent had said yes.

The seventy-five-point gap between claim and reality was, in the case of the Banque Continentale de Paris SA, the deferred implementation phases of slide 23 documented in the sub-committee minutes of December 18, 2025. The Méga-Conseil Stratégique had not read those minutes.

Sources: CyberArk, Identity Security Landscape 2026, cited through miniOrange (IAM Security Risks of 2026) and CyberSec Consulting (The Future of IAM); industry analyses January-April 2026.

Three Floors Below

Three floors below the forty-second floor, in the server room of the Tour Continentale, where the cooling system made a noise that the maintenance contract did not cover and that the maintenance team had, since 2014, classified as “non-actionable”, fifteen thousand authentication accounts continued to exist. None of them had been mentioned in slide 23, although a significant fraction of them had been mentioned in the six-page note KB had presented to the sub-committee of December 18.

The fifteen thousand accounts had been accumulated over twenty-two years of provisioning. Some belonged to employees who had left the bank. Some belonged to employees who had died. Some belonged to test installations of applications that had themselves been decommissioned during the 2017 reorganization. Some, the largest contingent, were service accounts created for specific operational purposes that had, since their creation, either been completed, abandoned, or forgotten.

One of these accounts was svc-lucien-batch. It had been created on March 11, 2003, by Monsieur Lucien Béchard, a contractor engaged on a six-month assignment for a data migration between the legacy core banking system and the SAP-based replacement. The migration had completed on June 4, 2004. Monsieur Béchard had been thanked, paid, and dismissed. Monsieur Béchard had subsequently been employed, in various other banks of the Paris region, until his retirement to Saint-Romain-en-Viennois on July 31, 2019.

The account svc-lucien-batch, having no end-date set in its provisioning record, continued to run. Every night, at 02:17 sharp, the scheduled task associated with it executed a series of operations against six legacy databases, three of which had been decommissioned in 2015. The operations took, on average, eleven minutes. They generated no logs. They had been documented, by Monsieur Béchard in 2003, on a piece of paper that no longer existed.

Forty percent of all accounts at the Banque Continentale de Paris SA, in line with the median enterprise, had no clear owner. Seventy percent of applications granted privileges that exceeded actual usage. Ten thousand non-human identities operated for every human user. The folder for AI agent governance, on the shared drive of the IAM department, contained a single PowerPoint file three slides long. The third slide said “Any questions?”.

Sources: Varonis research; miniOrange; Security Boulevard; IBM Think Insights; Built In; CDW; The Hacker News (Shrinking the IAM Attack Surface, April 2026).

The Audit

In February 2026, the external audit of the IAM environment of the Banque Continentale de Paris SA was conducted by the firm Cabinet Ernst & Lavergne Associés Internationale, in the person of the senior partner Maître Cyprien de Mariange-Falconnier. The audit lasted six weeks. The audit team examined, in total, fourteen documents, including the 2026-2030 IAM Strategy of two hundred and forty-seven slides, the Annex F of forty-three pages, the IAM Policy of one hundred and twelve pages, the Identity Governance Manual of seventy-eight pages, and slide 23 in particular.

The audit team did not examine the directory listing. KB, who had prepared a thirty-eight-page technical briefing for the audit and had been ready to walk the audit team through the directory listing line by line, was informed on the morning of the first audit day that “the audit will be focused on the strategic documentation framework”. Beppe, who had volunteered to demonstrate the legacy authentication endpoints, received an identical email.

Maître de Mariange-Falconnier, in his closing memo, observed that the strategic framework documented in slide 23 represented “a best-in-class articulation of the contemporary principles of identity governance”. The control statement was signed. The auditor was thanked. KB and Beppe filed their unread briefings in a SharePoint folder that, at the time of writing, contains forty-seven similar documents.

The Insurance Broker’s Epiphany

In March 2026, Monsieur du Châtelard-Lefranc, having had the time to draft the formal letter of premium adjustment, communicated to the Banque Continentale de Paris SA a reduction of the cyber policy premium of twelve point seven percent. The letter cited “the demonstrated maturity of the Group’s IAM strategy as attested by the documentation provided”.

The Mégadirectrice Financière, Madame la Comtesse de Montfaucon-Aubray, recorded the saving in the Q1 financial review as “evidence of the ROI of strategic investment in compliance”.

The Breach

In July 2026, a security researcher working on threat intelligence at a third-party firm in Tallinn identified a series of unusual lateral movements within the customer-facing online banking platform of the Banque Continentale de Paris SA. He notified the Group via the responsible disclosure channel. The notification landed in the SOC inbox at 02:53 in the morning.

The SOC analyst on duty, Mademoiselle Fatima Bouazizi, who had joined the Bank eighteen months earlier from a managed security service provider in the nineteenth arrondissement of Paris, opened the notification at 03:02 and, working from the IP addresses listed in the disclosure, traced the lateral movements within forty minutes to a service account whose name, in the directory listing, was svc-lucien-batch.

She paged KB. KB confirmed the trace at 04:11 and authorized the immediate disabling of the account, with a fallback restoration window of twenty-four hours. He paged Beppe. Beppe identified the six legacy databases, the three decommissioned ones, and the open authentication endpoint of 2004 within ninety minutes.

The forensic investigation, formally led from that morning by the Cabinet Mandiant-Boullevardier Forensique Stratégique, confirmed at 14:00 what KB and Fatima had already established by 04:51. An attacker had compromised the credentials of svc-lucien-batch via a credential-stuffing attack against the legacy authentication endpoint of one of the databases the account was, in 2003, configured to access. The endpoint, in 2004, had been documented for decommissioning. The decommissioning had not been completed.
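What Fatima did between 03:02 and 04:51, pivot from the disclosed IP addresses to the account, and then recognise that the account had been hit by a failure burst across many names before a single success, is straightforward to express over an authentication log. The following is an added example, not the bank's tooling or any vendor's: the log format, the endpoint names, the account names and the IP addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication log. The 02:17 entries are the legitimate
# nightly job from the batch host; the 11:40 burst is a failure run across
# several account names from one external address, followed by one success.
SAMPLE_LOG = """
2026-07-17T02:17:03Z auth endpoint=legacy-db1-auth account=svc-lucien-batch src=10.20.30.5 result=success
2026-07-17T09:01:10Z auth endpoint=sso-portal account=f.bouazizi src=10.20.30.9 result=success
2026-07-17T11:40:02Z auth endpoint=legacy-db1-auth account=admin src=203.0.113.7 result=failure
2026-07-17T11:40:03Z auth endpoint=legacy-db1-auth account=root src=203.0.113.7 result=failure
2026-07-17T11:40:03Z auth endpoint=legacy-db1-auth account=svc-backup src=203.0.113.7 result=failure
2026-07-17T11:40:04Z auth endpoint=legacy-db1-auth account=svc-lucien-batch src=203.0.113.7 result=failure
2026-07-17T11:40:05Z auth endpoint=legacy-db1-auth account=oracle src=203.0.113.7 result=failure
2026-07-17T11:40:05Z auth endpoint=legacy-db1-auth account=svc-etl src=203.0.113.7 result=failure
2026-07-17T11:42:31Z auth endpoint=legacy-db1-auth account=svc-lucien-batch src=203.0.113.7 result=success
2026-07-18T02:17:02Z auth endpoint=legacy-db1-auth account=svc-lucien-batch src=10.20.30.5 result=success
"""

# Constructed stand-in for the addresses listed in the researcher's disclosure.
SUSPECT_IPS = {"203.0.113.7", "198.51.100.22"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth endpoint=(?P<endpoint>\S+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def accounts_from_sources(events, suspect_ips):
    """Step 1 of the trace: which accounts successfully authenticated from the
    disclosed addresses?"""
    return sorted({e["account"] for e in events
                   if e["src"] in suspect_ips and e["result"] == "success"})


def stuffing_candidates(events, min_failures=5):
    """Step 2: per (source, endpoint), a burst of failures across distinct
    account names followed by a success is the credential-stuffing shape."""
    stats = defaultdict(lambda: {"failures": 0, "accounts_tried": set(),
                                 "succeeded": set()})
    for e in sorted(events, key=lambda e: e["ts"]):
        s = stats[(e["src"], e["endpoint"])]
        if e["result"] == "failure":
            s["failures"] += 1
            s["accounts_tried"].add(e["account"])
        elif s["failures"] >= min_failures:      # success only after a burst
            s["succeeded"].add(e["account"])
    return {k: v for k, v in stats.items()
            if v["failures"] >= min_failures and v["succeeded"]}


def out_of_profile(events, account, expected_srcs, expected_hour):
    """Step 3: a scheduled service account has a profile (host, hour); any
    success outside it is worth a page to the CISO."""
    return [e for e in events
            if e["account"] == account and e["result"] == "success"
            and (e["src"] not in expected_srcs or e["ts"].hour != expected_hour)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("accounts seen from disclosed IPs:", accounts_from_sources(events, SUSPECT_IPS))
    for (src, ep), s in stuffing_candidates(events).items():
        print(f"{src} -> {ep}: {s['failures']} failures over "
              f"{len(s['accounts_tried'])} names, then success for {sorted(s['succeeded'])}")
    for e in out_of_profile(events, "svc-lucien-batch", {"10.20.30.5"}, 2):
        print("out of profile:", e["ts"].isoformat(), e["src"])
```

The third function is the one that would have fired without any disclosure at all: the job documented on Monsieur Béchard's lost piece of paper ran from one host at one hour for twenty-two years, and a profile that narrow makes every deviation cheap to detect, provided the endpoint logs anything, which, as the text notes, the nightly operations themselves did not.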

The breach affected approximately four hundred and seventy thousand customer records. The fine, eventually imposed by the Commission Nationale de l’Informatique et des Libertés, amounted to fourteen million euros. The notification to the European Banking Authority required an explanation of the IAM control framework. The explanation was, in essence, slide 23.

Eighty percent of breaches in 2026 involve compromised credentials. The vision is upstairs. The breach is downstairs. They were always different documents.

The Promotion

In September 2026, Monsieur le Vicomte Jean-Baptiste de Vauquelin-Pétainville was promoted to Directeur Suprême Émérite de la Fabrique Identitaire et de la Résilience Stratégique of the Banque Continentale de Paris SA. The promotion was justified, in the formal communication of the Président-Directeur Général, Son Excellence Monsieur Henri-Aubert de Pontchartrain, “for the elegance of the strategic vision documented in the IAM Strategy 2026-2030, and in particular in slide 23, which has set a new benchmark for the sector”.

Madame Mounia El Hamri was retained for a follow-on engagement on the 2027-2031 strategy. Maître Anne-Sophie de Beauvilliers retired, as planned, on June 30, 2026, with full honors and the Médaille du Travail Bancaire.

Karim Benabdallah, known on the IT corridor as «KB», was reassigned to “strategic projects within the office of the Chief Mega-Director of Resilience”, a role described in the internal communication as “highly strategic and forward-looking” and described, by KB to Fatima Bouazizi over coffee, as “the place where one is sent to write notes that nobody reads, until one resigns of one’s own accord”. Giuseppe Tessitore, nicknamed «Beppe», took early retirement in November 2026 and is reportedly enjoying considerable success in the consulting market as an independent advisor on legacy authentication infrastructure.

Mademoiselle Fatima Bouazizi was retained in the SOC and recognized in the internal newsletter as “an example of the operational rigor of the second line of defense”. She received, additionally, a one-time bonus of seven hundred and fifty euros gross.

Monsieur Lucien Béchard, in retirement at Saint-Romain-en-Viennois, was made aware of the breach by his grandson, who showed him the article on the bank’s website. Monsieur Béchard remarked that he could not, he was sorry, remember exactly what svc-lucien-batch had been configured to do, but that, in his view, the issue could probably be resolved without escalating it too much.

Why It Persists

Imaginary Access Management persists, at the Banque Continentale de Paris SA and in the median enterprise, for four reasons.

First, the directory listing is the accumulated artifact of twenty-two years of provisioning, and nobody currently employed by the Group at decision level was present for most of it. Cleaning it is high-cost, low-visibility, and has no clear end. Producing a new slide 23 is low-cost, high-visibility, and has a defined deliverable.

Second, the institutions that validate IAM posture, the Méga-Conseil Stratégique, the Cabinet Ernst & Lavergne, the Compagnie d’Assurances Continentale et Royale, the customer security questionnaires of the Group’s largest corporate clients, read documentation. They do not examine the directory listing. The validation infrastructure has been built around the examinable artifact, not the risk-bearing one. The people who could examine the directory listing, KB, Beppe, Fatima, are not invited to the meetings where the validation happens.

Third, the IAM vendors of the period 2015-2025 have sold capabilities that the Group has bought without operationalizing. The capabilities exist in the procurement records. The operational practice does not. The strategy is on slide 23. The configuration is in the legacy access model of 2003.

Fourth, the IAM staffing of the Group is structurally split. The junior and operational layer, multicultural and competent, handles daily provisioning and incident response. The senior architect layer, vieille France and on the forty-second floor, maintains slide 23. The middle layer that would translate slide 23 into the directory listing is, at the Banque Continentale de Paris SA as in the median enterprise, thin or absent, and the rare middle managers who attempt to bridge the two layers (Beppe is the textbook example) tend to take early retirement.

These four conditions are individually rational. Together they produce the equilibrium in which Imaginary Access Management is stable. Not safe. Stable in the sense in which the Méga-Conseil Stratégique continues to applaud.

Slide 23 of the 2026-2030 IAM Strategy of the Banque Continentale de Paris SA was, in October 2026, formally retired and replaced with slide 23 of the 2027-2031 strategy. The new slide 23 contains a diamond. Inside the diamond, in Helvetica Neue 36-point bold, the words “Fabrique Identitaire Augmentée par l’IA”. Around it, eight decorative arrows. The Méga-Conseil Stratégique, in the presentation of November 12, 2026, applauded for eleven seconds. The new Doyenne du Conseil de Conformité, who had taken over the role from the retired Maître de Beauvilliers, wept silently for thirty-eight seconds, two seconds less than her predecessor. Monsieur du Châtelard-Lefranc announced a further reduction of the premium.

The directory listing, three floors below, was not modified.

svc-lucien-batch continues to run every night at 02:17 sharp. Fatima Bouazizi keeps a dashboard widget that shows its execution status, which she checks every morning, in case the next breach also comes through it.
