Recommendations

Prioritized controls, all implementable with Snowflake's native tooling.

Tier and owner conventions. P0 — must close before any new feature work touches the account; P1 — sequenced within the next quarter; P2 — sustained governance, owned in steady state. Owner labels point to the team most likely to hold the control day-to-day in a typical enterprise org (Identity, Platform, SOC, Data Eng, Governance/Legal); adjust to local org structure.

Immediate — close the UNC5537 gap pattern and the post-patch window

Control	Implementation
P0Enforce MFA on all human users Identity · low effort	Set `AUTHENTICATION POLICY` with `MFA_ENROLLMENT = REQUIRED` at account level. Verify no user bypass exceptions exist in `LOGIN_HISTORY`.
P0Network policy on every service and key-pair user Identity · medium effort	Key-pair users without a network policy are the most realistic 2026 credential-exfil target (Chain F). Apply per-user network policies limiting source IPs to known CI / orchestration ranges. Use Trust Center's "missing network policy" finding to enumerate gaps.
P0Rotate all credentials older than 90 days Data Eng · high effort	Focus first on key-pair private keys in CI runners, dbt profiles, and Airflow connections — the highest-value exfil targets most likely to appear in old infostealer logs. Use the IR-style key-rotation-age query on the detection page to drive the work.
P0Update connectors and the Cortex Code CLI Platform · low effort	Patch CVE-2025-24789 (JDBC), CVE-2025-24791 (Python connector), CVE-2023-30535/34232 (JDBC/Node SSO injection), and CVE-2026-6442 (Cortex Code CLI ≥ 1.0.25).
P0Disable debug logging in production connectors Platform · low effort	Debug-level connector logging writes encryption master keys and cached tokens to log files (CVE-2025-27496 cohort). Set `log_level = INFO` in all production configurations.
P0SIEM-side scanning for secret patterns in connector logs SOC · medium effort	Even after disabling debug logging, historical SIEM indices may still contain key material from the CVE-2025-27496 / -46329 cohort. Add SIEM rules flagging `BEGIN PRIVATE KEY`, JWT prefixes, and Snowflake session-token shapes in connector log streams. Triage and purge as needed.
P0Retrospective hunt for CVE-2026-6442 exposure SOC · medium effort	The Cortex Code CLI patch shipped 2026-02-28. For every host that ran Cortex Code prior to that date, hunt the chain B retrospective steps: EDR egress correlation during Cortex sessions, Snowflake `LOGIN_HISTORY` anomalies across the window, and token rotation for any host that cannot be cleared.

Short-term — reduce blast radius and cross-cloud exposure

Control	Implementation
P1Scope Storage Integration IAM roles Platform · medium effort	Every Storage Integration should bind to an IAM role with access scoped to the minimum necessary bucket prefix. Tag-based access policies on S3 are the recommended enforcement mechanism.
P1Audit External Functions for over-privileged backend roles Platform · medium effort	Review the execution role of every Lambda or Cloud Function backing an External Function. Any role with `iam:*`, `secretsmanager:GetSecretValue`, or broad EC2 permissions is a privilege-escalation path from any Snowflake user with USAGE on that function.
P1Inventory Native Apps and disable auto-update on sensitive accounts Platform · low effort	Query `ACCOUNT_USAGE.APPLICATIONS` and review every app's granted privileges. For sensitive production accounts, disable auto-update and require manual approval for version bumps.
P1Baseline SHARES / REPLICATION_GROUPS and alert on diffs SOC · low effort	Direct Share creation and Replication Group setup (Chain G) bypass query-level audit at data motion. The only chance to catch this path is the DDL event and the `ACCOUNT_USAGE` object inventory diff. Maintain a baseline of documented partner / replication accounts and alert on every additive change.
P1SPCS — review every EXTERNAL ACCESS INTEGRATION Platform · medium effort	Wildcard `ALLOWED_NETWORK_RULES` (Chain H) are the realistic SPCS exfil channel. Enumerate every integration; require explicit hostname allow-listing; remove or scope any wildcard rule (`.amazonaws.com`, `.azurewebsites.net`, generic CDN endpoints).
P1Enable ACCOUNT_USAGE streaming to SIEM SOC · medium effort	The ~45-minute Account Usage latency is too slow for real-time response. Configure Snowflake Trail export or Kafka-based streaming ingest of `INFORMATION_SCHEMA` for sub-minute alerting.
P1PAT inventory and rotation policy Identity · medium effort	Treat Programmatic Access Tokens like any other long-lived bearer token: maximum lifetime ≤ 90 days, mandatory network policy attachment, and an automated review of `ACCOUNT_USAGE.PROGRAMMATIC_ACCESS_TOKENS` for PATs older than policy or with no recent use.
P1SCIM token rotation and IdP-side access review Identity · low effort	The SCIM bearer token sits on the IdP side and grants user / role manipulation on Snowflake. Rotate on the same cadence as the IdP's admin credentials; restrict SCIM administration on the IdP to a minimal admin population.

Ongoing — AI, agentic, and audit-replication governance

Control	Implementation
P2Enable Cortex AI Guardrails in Horizon Catalog SOC · low effort	Configure prompt-injection and jailbreak prevention policies. Treat Guardrails as a detection layer, not a prevention boundary — human review of flagged events is required.
P2Classify data before indexing into Cortex Search Data Eng · high effort	Any document indexed by Cortex Search becomes a potential injection delivery channel for downstream agents (Chain I). Exclude PHI/PII documents from Cortex Search until injection-resistant pipelines are validated.
P2Use ALLOWED_INTERFACES to segregate Snowflake Intelligence access Identity · low effort	Restrict `ai.snowflake.com` to roles that have been approved for AI use. Users with broad data access but no AI use case should not hold the `CORTEX_USER` role.
P2Treat Cortex inference as data leaving the boundary Governance/Legal · medium effort	Cortex final-response generation passes prompts and grounding context through Anthropic or Azure-OpenAI models. Update the data-classification policy to state explicitly which protected data classes may pass through Cortex inference; audit which tables are accessible to Cortex Analyst against that policy.
P2MCP tool descriptor allowlisting and version pinning Platform · medium effort	Maintain an explicit allowlist of MCP servers Cortex Agents may call. Pin each entry to a specific descriptor hash; alert on any new MCP server or descriptor churn (Chain I). Treat MCP tool output as untrusted context.
P2Confirm cross-region audit replication SOC · low effort	An attacker targeting a secondary region can leave forensics in a region the SOC doesn't routinely query. Configure replication of audit databases across all regions the account uses; verify with the audit-replication-health query in the detection page.

Remediation timeline — 30 / 60 / 90 / 180 day phasing

Controls grouped by realistic execution window for a mid-size enterprise (single platform team, single SOC, single identity team). Effort estimates are wall-clock weeks of focused engineering work, not calendar duration — a control listed as “1 week” expects one engineer's focused attention for that week. Parallel execution across teams collapses the calendar; sequential execution within a team extends it. The phasing assumes parallel execution within each window.

Reading the timeline. Each row names the control, its chain (or "cross-cutting"), the team that owns the change, and the estimated effort. The “Why this window” column explains the sequencing: some P0s genuinely cannot wait (mandatory MFA gating the human-credential surface); some P1s sequence after P0s because the detection rules require the controls to be in place first (the enrichment pipeline depends on the watchlists the inventory steps populate).

Days 0–30 — close the highest-velocity gaps

Control	Chain	Owner	Effort	Why this window
Enforce MFA on all human users (`AUTHENTICATION POLICY` with `MFA_ENROLLMENT = REQUIRED`)	A, D	Identity	1–2 days	Single account-level setting; gates the human-credential surface that drove UNC5537. No upstream dependency.
Inventory all service and key-pair users without a bound network policy (Trust Center "missing network policy" scanner)	A, F, J	SOC + Identity	1 week	Inventory must come before the lock-down step so the team knows the population. Trust Center surfaces this directly.
Bind network policy to every service / key-pair user (allow-list of documented CI / orchestration egress)	A, F	Identity	1–2 weeks	The single largest residual-risk reduction post-UNC5537. Per-user policy enables phased rollout (start with the highest-grant users).
Pin Cortex Code CLI ≥ 1.0.25 across all developer endpoints (package-manager rollout + EDR check)	B	Platform + Endpoint	1–2 weeks	Closes CVE-2026-6442. Retrospective hunt across the pre-patch exposure window is a parallel SOC effort, not a blocker.
Enumerate every SPCS `EXTERNAL ACCESS INTEGRATION`; remove any wildcard `ALLOWED_NETWORK_RULES`	H	Platform + Data Eng	1–2 weeks	Chain H residual drops to Low once wildcards are gone. The chain's necessary condition is the wildcard; once removed, the chain no longer applies.
Deploy the 4 production-ready Sigma rules (no enrichment dependency)	A (pair), F, H	SOC	1 week	Day-one detection coverage for the chains whose rules are `production_ready`. No upstream dependency.

Days 31–60 — close blast-radius and inventory gaps

Control	Chain	Owner	Effort	Why this window
Enumerate every Storage Integration; remove wildcard `storage_allowed_locations`; bind IAM role with bucket-policy-side controls	E	Platform + Cloud Sec	2–3 weeks	Configuration-level fix; cross-cloud blast-radius reduction. Sequencing after the day-30 inventory because the customer must know which integrations exist before scoping them.
Disable auto-update on every Native App with grants on PHI-bearing schemas; require manual review per version bump	C	Platform + Governance	1 week	Closes the Chain C auto-upgrade vector. Manual version pinning is the compensating control while the manifest-diff detection rules are wired up.
Deploy the streaming-ingest sidecar (`detection/snowflake/streaming-ingest/`) to bypass ACCOUNT_USAGE 45-min latency	A, F, J	Platform + SOC	2 weeks	The streaming pipeline turns minute-scale latency into seconds-scale for the chains that depend on real-time detection. Terraform + Function App ship as concrete config.
IdP audit ingestion + per-source ingestion watermark pipeline (Sentinel KQL / Splunk SPL recipe in `ENRICHMENT.md` §3)	D, L	SOC + Identity	2–3 weeks	Unblocks `federated_login_anomaly.yml` and `oauth_integration_scope_drift.yml`. The synthetic-event validation step in ENRICHMENT.md is the gate before promoting to alert.
Populate `OPS.SECURITY.APPROVED_SHARE_CONSUMERS` and `OPS.SECURITY.APPROVED_REPLICATION_TARGETS` watchlists; switch the Chain G rules to alert mode	G	Platform + Governance	1–2 weeks	The Chain G rules are watchlist-gated; populating the watchlist is the unblock. Joint Platform + Governance ownership because legitimate consumers come from the BAA inventory.

Days 61–90 — close detection gaps via enrichment

Control	Chain	Owner	Effort	Why this window
Build the SIEM-side enrichment pipeline (role-baseline p90, business-hours, stage watchlist, integration allowlist, manifest-diff)	A, C, E, F, G, J, K, M, H+	SOC + Data Eng	4–6 weeks (parallelizable)	The largest single deployment lift in the program. Unblocks 20 rules across 9 chains. The enrichment-templates directory ships SQL + lookup definitions; the work is per-tenant adaptation.
Deploy the Cortex Agent per-step trace sidecar (Snowpark wrapper or Trail `cortex_agent.*` event family)	I	Platform + SOC	2–3 weeks	Unblocks all 5 Chain I rules. Until deployed, Chain I detection coverage is zero; the policy-layer compensating control (row-access policies on PHI tables) is load-bearing.
Inventory partner integrations; cross-reference against BAA registry; bind network policy where partner publishes stable egress CIDRs	J	Vendor Risk + Identity	2–3 weeks	Chain J residual drops to Medium with this work. Vendors without stable egress CIDRs are themselves a finding — escalate to the architectural move (scoped Direct Share with partner-as-consumer).
Connector-stack SBOM scan + driver-version rollout (JDBC, Python, Node.js, .NET, Go, C/C++ on every CI / orchestration host)	cross-cutting	Platform + Endpoint	2–3 weeks	Closes the secret-leakage cohort (CVE-2025-27496, CVE-2025-46329, etc.) and the transitive-dependency CVEs that surface via SBOM scans.

Days 91–180 — close structural gaps (covered entity-specific)

Control	Chain	Owner	Effort	Why this window
Cortex Guardrails healthcare-tier policy deployment + Sweeney-class re-identification detection	I	Platform + Privacy	2–3 weeks	The default Guardrails policy is not tuned for healthcare-specific abuse. The repository's harness `family=Healthcare` tier characterizes residual delta; the customer-side action is enabling and tuning.
Row-access and masking policies on every PHI-bearing table (per-role minimum-necessary scope)	A, I (and any Cortex agent reading PHI)	Data Eng + Privacy	4–6 weeks	The load-bearing technical control for HIPAA §164.502(b) Minimum Necessary. Sequencing late because it requires the privacy office's per-role classification (an upstream governance prerequisite, not a technical one).
OCR-grade audit retention pipeline (6-year retention sink for ACCOUNT_USAGE projections and Trail events)	cross-cutting	Platform + SOC	3–4 weeks	Snowflake's first-party retention (365 days) is insufficient for the OCR reconstruction window. The streaming-ingest sidecar from Day 31–60 is the producer side; the customer owns the long-retention sink.
Cross-account share acquisition runbook + BAA contractual pre-arrangement for consumer-side `ACCESS_HISTORY`	G	Governance + Legal	2–3 weeks	Chain G's source-side audit blind spot is structural — only the consumer's audit shows the reads. Pre-arranging the acquisition path in the BAA closes the IR gap before it is needed.
Architectural move: scoped Direct Share with partner-as-consumer (replacing partner-held-credentials where feasible)	J	Platform + Data Eng + Vendor Risk	multi-quarter	The complete close for Chain J. Multi-quarter because each partner integration is an independent contract + technical change. Sequence by partner-held credential risk — partners with ACCOUNTADMIN-adjacent users first.

Continuous — sustained governance

Control	Owner	Cadence	Notes
Review `APPROVED_SHARE_CONSUMERS` / `APPROVED_REPLICATION_TARGETS` / `APPROVED_EXFIL_STAGES` / `APPROVED_CONTAINER_REGISTRIES` watchlists	SOC + Governance	Quarterly	Stale watchlists are silent detection gaps. A quarterly cadence balances thoroughness against operational overhead.
SBOM scan of connector stack pinned versions across CI / orchestration hosts	Platform + Endpoint	Quarterly + on CVE disclosure	Driver releases bundle dependency-CVE rollups; quarterly catches the routine cohort, on-disclosure catches the urgent ones.
OCR reconstruction tabletop — can the org produce a full audit trail of who accessed PHI table X between dates Y and Z (Y ≥ 18 months back)?	Privacy + SOC + Legal	Annual	The tabletop surfaces audit-retention gaps before OCR asks. Any gap is a §164.312(b) finding regardless of whether any chain has been exercised.
FP/FN harness rerun on the bulk-exfil baseline (and any rule whose enrichment changes)	SOC	Semi-annual	The `fp_fn_harness/` directory ships the corpus. Re-measure sensitivity / specificity when baselines shift (new pipelines, new approved roles, new business-hours windows).