About this investigation

Stress-tested 4 assumptions: (1) management-board roster currency [HIGH-sens, LOW-conf]; (2) HudsonRock corpus reflects current credentials vs rotated [HIGH-sens, MOD-conf]; (3) Russia self-disclosure indicates good-faith compliance vs material-conduct concern [HIGH-sens, LOW-conf]; (4) NYDFS+class-action Epstein settlements close the matter [MOD-sens, LOW-conf]. The three HIGH-sens findings limit confidence on kj_006, kj_007, kj_008.

Two competing hypotheses tested on enforcement-pattern interpretation. H1 'systemic conduct-and-controls failure' vs H2 'Sewing-era corrective inflection'. H1 leading: 2026-04-30 OFSI penalty landing 7 years into Sewing tenure carries weight-2.0 inconsistency against H2 (ev_049 A-grade primary). H3 'isolated business-unit failures' eliminated by breadth across product silos.

Imagined 12-month failure modes for the leading hypothesis. Most material: (a) the 2026-04-30 OFSI penalty turns out to be the only post-2022 Russia lapse → H2 partially rehabilitated; (b) HudsonRock corpus is dated 2024 and DB rotated credentials at scale → R-01 / R-02 severity reduced. Both are plausible but not currently evidenced; surfaced as confidence-limiting on kj_001 (kept at HIGH given breadth) and kj_002 (kept at HIGH given naming pattern).

Constructed adversary perspective against the recon-surfaced attack surface. Yielded 7 red vectors prioritized by severity × exploitability: Citrix-RAS credential-reuse (SEVERE), executive credential-reuse (SEVERE), third-party-vendor impersonation (SEVERE), CT-log internal-naming reconnaissance (MOD), sanctions-typology probing (MOD), insider-leak (MOD), executive pretexting (LOW). Paired with 7 baseline blue controls + 3 generic baselines.