Question
A behavioral alert flags `svc-ci-deploy`, a service account whose normal job is to deploy to staging on weekdays 09:00–18:00. In the last 6 hours it: authenticated at 03:00 (off-hours for it), enumerated secrets in the **prod** vault path it had latent read access to, and called cloud APIs it has never called before (`s3:ListAllMyBuckets`, `kms:Describe*`) — all technically within its (over-broad) permissions, so nothing was denied. The credential is a long-lived static key stored in CI. CI shows no corresponding pipeline run. How do you triage whether this account is compromised, contain it, and remediate?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
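To make the "form hypotheses from real signals" step concrete, here is an added Python example (not part of the original question or answer, and not any vendor's tooling) that scores the four signals the question describes against a constructed baseline for `svc-ci-deploy`: off-hours activity, API calls the account has never made, reads under the prod secret path, and the absence of a CI run that would explain the activity. The events, the baseline profile, the CI run window and the key id are all constructed sample data; the thresholds and the verdict rule are assumptions a team would tune to its own environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def T(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=UTC)


@dataclass(frozen=True)
class Event:
    """One CloudTrail-style audit record for the service account (constructed)."""
    ts: datetime
    action: str
    resource: str = ""


@dataclass(frozen=True)
class Profile:
    """Behavioural baseline for a principal: working window, historically used APIs, normal secret paths."""
    start_hour: int
    end_hour: int
    weekdays_only: bool
    known_actions: frozenset
    staging_prefixes: tuple


# Assumed baseline for svc-ci-deploy: weekday 09:00-18:00 deploys to staging only.
PROFILE = Profile(
    start_hour=9, end_hour=18, weekdays_only=True,
    known_actions=frozenset({"sts:GetCallerIdentity", "ecs:UpdateService",
                             "secretsmanager:GetSecretValue"}),
    staging_prefixes=("secret/staging/",),
)

# Constructed sample events: one legitimate deploy on Monday, then the 03:00 Tuesday burst.
EVENTS = [
    Event(T("2024-05-13T10:15:00"), "ecs:UpdateService", "service/staging-web"),
    Event(T("2024-05-14T03:00:12"), "sts:GetCallerIdentity"),
    Event(T("2024-05-14T03:02:40"), "secretsmanager:ListSecrets", "secret/prod/"),
    Event(T("2024-05-14T03:03:05"), "secretsmanager:GetSecretValue", "secret/prod/db-admin"),
    Event(T("2024-05-14T03:05:51"), "s3:ListAllMyBuckets"),
    Event(T("2024-05-14T03:06:19"), "kms:DescribeKey", "key/PLACEHOLDER-KEY-ID"),
]

# Constructed CI pipeline runs for this principal: (start, end). Nothing ran overnight.
CI_RUNS = [(T("2024-05-13T10:10:00"), T("2024-05-13T10:25:00"))]


def is_off_hours(ts, p):
    """Outside the baseline working window (weekend or outside start..end hour)."""
    if p.weekdays_only and ts.weekday() >= 5:
        return True
    return not (p.start_hour <= ts.hour < p.end_hour)


def is_novel_action(action, p):
    """API the principal has never been observed calling in the baseline period."""
    return action not in p.known_actions


def touches_prod_secrets(resource, p):
    """Secret path outside the staging prefixes this account normally reads."""
    return resource.startswith("secret/") and not resource.startswith(p.staging_prefixes)


def has_ci_run(ts, ci_runs, slack=timedelta(minutes=15)):
    """True if some pipeline run (with a little slack for queueing) explains activity at ts."""
    return any(start - slack <= ts <= end + slack for start, end in ci_runs)


def triage(events, profile, ci_runs):
    """Annotate each event with the signals it trips and derive a verdict plus the secrets to rotate."""
    findings = []
    for ev in events:
        reasons = []
        if is_off_hours(ev.ts, profile):
            reasons.append("off_hours")
        if is_novel_action(ev.action, profile):
            reasons.append("novel_action")
        if touches_prod_secrets(ev.resource, profile):
            reasons.append("prod_secret_path")
        if not has_ci_run(ev.ts, ci_runs):
            reasons.append("no_ci_run")
        if reasons:
            findings.append((ev, reasons))
    signals = {r for _, rs in findings for r in rs}
    # Assumed decision rule: never-before-seen APIs with no pipeline to explain them is
    # treated as compromise until proven otherwise; anything else anomalous is investigated.
    if {"novel_action", "no_ci_run"} <= signals:
        verdict = "likely_compromised"
    elif signals:
        verdict = "investigate"
    else:
        verdict = "benign"
    # Every prod secret actually read must be rotated regardless of how the investigation ends.
    secrets_to_rotate = {ev.resource for ev, rs in findings
                         if "prod_secret_path" in rs and ev.action == "secretsmanager:GetSecretValue"}
    return {"verdict": verdict, "signals": signals,
            "findings": findings, "secrets_to_rotate": secrets_to_rotate}


if __name__ == "__main__":
    result = triage(EVENTS, PROFILE, CI_RUNS)
    print(result["verdict"], sorted(result["signals"]), sorted(result["secrets_to_rotate"]))
```

The verdict is what drives the order of operations in the answer above: `likely_compromised` means the static key is revoked and the principal gets a deny-all policy before any deeper analysis, audit logs for the window are preserved, and `secrets_to_rotate` becomes the remediation checklist. The per-event `findings` list is the evidence you hand to whoever has to confirm or rule out a legitimate explanation, and the fact that the same scoring found nothing unusual about the Monday deploy is what keeps the rule from paging on every pipeline run.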