user-engine/docs/evidence-gap-examples.md

# Evidence Gap Examples

Status: candidate
Updated: 2026-06-05

`user-engine` should not pretend missing review or governance material exists.
When identity-domain context lacks evidence, policy, control, review, or task
references, the gap must be explicit and handoff-ready.

## Gap Shape

```yaml
gap_id: evidence:no-audit-records
subject:
  concept: Account
  identifier: acct_example
  scope: tenant:acme
reason: No local audit or external evidence reference supports this identity-domain claim.
proposed_disposition: create_or_link_lifecycle_task
owner: user-engine adapter boundary
```

## Privileged Membership Without External Review

```yaml
gap_id: review:tenant-admin-membership
subject:
  concept: Access Grant
  identifier: mem_example
  scope: tenant:acme
reason: Tenant admin membership has local audit evidence but no external access review reference.
proposed_disposition: link AccessReview through EvidenceReferenceExporter or create review task through LifecycleTaskSink.
```

## Policy Or Control Reference Missing

```yaml
gap_id: control:tenant-isolation-reference
subject:
  concept: Membership Relationship
  identifier: mem_example
  scope: tenant:acme
reason: Membership is tenant-scoped, but no external policy/control reference was supplied.
proposed_disposition: resolve policy and control through PolicyControlReferenceResolver.
```

## Lifecycle Task Handoff

```yaml
task_reference:
  concept: Task
  identifier: task_from_lifecycle_sink
  source_gap: review:tenant-admin-membership
  summary: Review tenant-admin membership for tenant:acme.
  evidence:
    - concept: Evidence Source
      identifier: aud_example
```

These examples are intentionally adapter-neutral. The task, review, policy, and
control source of truth belongs to the surrounding NetKingdom systems unless a
future workplan assigns one of those responsibilities to `user-engine`.
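
The sketch below is an added example, not `user-engine` code: it shows one way an adapter could turn missing references into explicit gap records and refuse to hand off an incomplete one. The input field names (`audit_refs`, `review_refs`, `policy_control_refs`, `privileged`), the function names, and the nesting of `scope` under `subject` are assumptions; gap ids, reasons, and dispositions are taken from the examples above.

```python
# Added illustration, not user-engine code. Input field names (audit_refs,
# review_refs, policy_control_refs, privileged) are assumptions.
SUBJECT_KEYS = ("concept", "identifier", "scope")
GAP_KEYS = ("gap_id", "subject", "reason", "proposed_disposition")

def _gap(gap_id, claim, reason, disposition):
    return {"gap_id": gap_id,
            "subject": {k: claim[k] for k in SUBJECT_KEYS},
            "reason": reason,
            "proposed_disposition": disposition}

def find_gaps(claim):
    """Emit one explicit gap per missing reference; never assume it exists."""
    gaps = []
    if not claim.get("audit_refs"):
        gaps.append(_gap("evidence:no-audit-records", claim,
                         "No local audit or external evidence reference supports this identity-domain claim.",
                         "create_or_link_lifecycle_task"))
    elif claim.get("privileged") and not claim.get("review_refs"):
        gaps.append(_gap("review:tenant-admin-membership", claim,
                         "Tenant admin membership has local audit evidence but no external access review reference.",
                         "link AccessReview through EvidenceReferenceExporter or create review task through LifecycleTaskSink."))
    if claim["scope"].startswith("tenant:") and not claim.get("policy_control_refs"):
        gaps.append(_gap("control:tenant-isolation-reference", claim,
                         "Membership is tenant-scoped, but no external policy/control reference was supplied.",
                         "resolve policy and control through PolicyControlReferenceResolver."))
    return gaps

def is_handoff_ready(gap):
    """A gap can be handed off only if every field a receiver needs is non-empty."""
    subject = gap.get("subject") or {}
    return all(gap.get(k) for k in GAP_KEYS) and all(subject.get(k) for k in SUBJECT_KEYS)

def to_task_reference(gap, task_id, evidence_ids):
    """Build the handoff record; task_id comes from the external task system."""
    if not is_handoff_ready(gap):
        raise ValueError("gap is not handoff-ready: " + str(gap.get("gap_id")))
    return {"task_reference": {
        "concept": "Task", "identifier": task_id, "source_gap": gap["gap_id"],
        "summary": f"Resolve {gap['gap_id']} for {gap['subject']['scope']}.",
        "evidence": [{"concept": "Evidence Source", "identifier": e} for e in evidence_ids]}}

# Constructed sample claim: privileged membership with audit evidence only.
SAMPLE = {"concept": "Access Grant", "identifier": "mem_example", "scope": "tenant:acme",
          "privileged": True, "audit_refs": ["aud_example"]}

if __name__ == "__main__":
    for g in find_gaps(SAMPLE):
        print(to_task_reference(g, "task_from_lifecycle_sink", SAMPLE["audit_refs"]))
```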