ConductorOne · mstanbCO · Apr 6, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/product/admin/expressions-examples.mdx b/product/admin/expressions-examples.mdx
@@ -80,7 +80,7 @@
 ```

 <Warning>
 **Manager lookups can return empty results.** When `GetManagers` returns `[]` in an approver expression, the approval step is silently skipped. Always add fallback approvers - see [Approver selection patterns](#approver-selection-patterns) below.
 </Warning>

 ### Access conflict detection
@@ -462,7 +462,7 @@

 **Business problem:** Regular managers may not be available on weekends to approve urgent access requests.

 **Expected outcome:** Weekend requests are routed to on-call approvers.

 **Condition expression:**

@@ -523,7 +523,7 @@

 **Customer scenario:** A company stores hire dates in custom profile fields and wants to validate they're not in the future.

 **Business problem:** Invalid hire dates can cause issues with onboarding automations.

 **Expected outcome:** Only users with valid past hire dates are processed.

@@ -537,7 +537,7 @@

 ## Approver selection patterns

 These patterns are for **policy step approvers** - expressions that return one or more users. The critical rule: always include fallback approvers to prevent steps from being silently skipped.

 ### Why fallbacks matter

@@ -616,5 +616,6 @@
 - **[CEL expressions reference](/product/admin/expressions-reference)** - Complete reference for all available objects, functions, and time functions
 - **[Workflow expressions](/product/admin/expressions-workflows)** - Pass data between automation steps using the ctx object
 - **[Troubleshooting expressions](/product/admin/expressions-troubleshooting)** - Debug common errors and understand failure modes
+- **[Use external insights in CEL policy conditions](/product/admin/external-insights#use-external-insights-in-cel-policy-conditions)** - Reference security findings and risk scores from Wiz and CrowdStrike in access decisions
 
 
diff --git a/product/admin/expressions-reference.mdx b/product/admin/expressions-reference.mdx
@@ -57,7 +57,7 @@

 ### Enum types

 Enums are predefined constants. Always use the full enum name (e.g., `UserStatus.ENABLED`, not just `ENABLED`).

 #### UserStatus

@@ -83,7 +83,7 @@
 | `TaskOrigin.WEBAPP` | Created in ConductorOne web interface |
 | `TaskOrigin.SLACK` | Created via Slack integration |
 | `TaskOrigin.API` | Created via API |
 | `TaskOrigin.JIRA` | Created via Jira integration |
 | `TaskOrigin.COPILOT` | Created via Copilot |
 | `TaskOrigin.PROFILE_MEMBERSHIP_AUTOMATION` | Created by automation |
 | `TaskOrigin.TIME_REVOKE` | Created by time-based revocation |
@@ -120,7 +120,7 @@
 These are complex types returned by functions or available as variables.

 <Info>
 **User vs AppUser:** These are different types. A `User` is a person in the ConductorOne directory (your identity provider sync). An `AppUser` is that person's account within a specific application (their GitHub account, Okta account, etc.). One User can have many AppUsers across different apps.
 </Info>

 #### User
@@ -227,13 +227,13 @@

 | Variable | Type | Available in | Description |
 |:---------|:-----|:-------------|:------------|
 | `subject` | User | Policies, Groups, Automations, Campaigns, Account provisioning | The current user being evaluated |
 | `account` | AppUser | Policies only | The application user (account) associated with the access request |
 | `task` | Task | Policies only | The current access request |
 | `entitlement` | Entitlement | Policies only | The entitlement being requested |
 | `appOwners` | list&lt;User&gt; | Policy step approvers only | Owners of the application |
 | `ctx` | Context | Automations only | Workflow context and trigger data |
 | `ip` | IP | Policies, Automations | Requestor's IP address (when available) |

 ---

@@ -245,11 +245,11 @@

 | Function | Accepts | Returns | Availability |
 |:----------|:---------|:---------|:--------------|
 | `c1.user.v1.HasApp` | user, app ID | Boolean | Policies, Groups, Automations, Account provisioning |
 | `c1.user.v1.HasEntitlement` | user, app ID, entitlement ID | Boolean | Policies, Groups, Automations, Account provisioning |
 | `c1.user.v1.GrantedFromEnrollment` | user, app ID, entitlement ID | Boolean | Policy conditions only |
 | `c1.user.v1.AutomaticallyGrantedFromEnrollment` | user, app ID, entitlement ID | Boolean | Policy conditions only |
 | `c1.user.v1.ListAppUsersForUser` | user, app ID | List of AppUser | Automations, Account provisioning |

 **What can go wrong:**
 - Invalid app ID or entitlement ID returns `false` for boolean functions (no error thrown)
@@ -259,13 +259,13 @@

 | Function | Accepts | Returns | Availability |
 |:----------|:---------|:---------|:--------------|
 | `c1.directory.users.v1.FindByEmail` | email | user | Policies, Groups, Automations, Account provisioning |
 | `c1.directory.users.v1.FindByName` | display name | user | Policies, Groups, Automations, Account provisioning |
 | `c1.directory.users.v1.GetByID` | user ID | user | Policies, Groups, Automations, Account provisioning |
 | `c1.directory.users.v1.GetManagers` | user | list of users | Policies, Groups, Automations, Account provisioning |
 | `c1.directory.users.v1.DirectReports` | user or list of users | list of users | Policies, Groups, Automations, Account provisioning |
 | `c1.directory.groups.v1.FindByName` | group name | group | Policies, Groups, Automations, Account provisioning |
 | `c1.directory.apps.v1.GetEntitlementMembers` | app ID, entitlement ID | list of users | Policies, Groups, Automations, Account provisioning |

 **What can go wrong:**
 - `FindByEmail` fails if email doesn't exist in directory - verify emails before deploying
@@ -289,19 +289,19 @@
 ```
 </Warning>

 <Tip>
 Go to an application or entitlement's details page to look up its ID, or use [Cone](/product/cli/install/).
 </Tip>

 <Info>
 **Function availability varies by context.** 

 Note that automation triggers do NOT have access to directory or user library functions - they can only access the `ctx.trigger` object and basic enums.
 </Info>

 ### Time functions

 ConductorOne provides comprehensive time functions for working with dates and times in CEL expressions. These functions are available in **all CEL contexts** (Policies, Groups, Automations, Account provisioning).

 #### Core time functions

@@ -389,6 +389,35 @@
 The `now()` function returns the same value throughout a single expression evaluation. All timestamps are stored in UTC internally; timezone parameters only affect parsing and formatting.
 </Warning>
 
+### External insights functions
+
+These functions are available in policy conditions when [external insights](/product/admin/external-insights) are configured. They let you reference security findings and risk scores from connected tools directly in access decisions.
+
+#### Issue insights
+
+Issue insights are discrete security findings (for example, critical CVEs or misconfigurations) synced from Wiz Insights.
+
+| Function | Accepts | Returns | Availability |
+|:----------|:---------|:---------|:--------------|
+| `c1.app_user.v1.HasSecurityInsight(account)` | account | `bool` | Policy conditions |
+| `c1.app_user.v1.GetSecurityInsights(account, source)` | account, source name | `list` | Policy conditions |
+| `c1.app_user.v1.HasSecurityInsightWithSeverity(account, source, severity)` | account, source name, severity | `bool` | Policy conditions |
+
+Severity values: `"CRITICAL"`, `"HIGH"`, `"MEDIUM"`, `"LOW"`, `"INFORMATIONAL"`. The `HasSecurityInsightWithSeverity` comparison is case-insensitive; direct field comparisons are not.
+
+#### Risk scores
+
+Risk scores are normalized values (0–100, higher = more risk) synced from CrowdStrike.
+
+| Function | Accepts | Returns | Availability |
+|:----------|:---------|:---------|:--------------|
+| `c1.app_user.v1.HasRiskScore(account)` | account | `bool` | Policy conditions |
+| `c1.app_user.v1.GetRiskScore(account, source)` | account, source name | `c1.risk_score.v1` | Policy conditions |
+
+The source name must exactly match the connector app's display name in your tenant (for example, `"Wiz Insights"` or `"CrowdStrike"`). The match is case-sensitive.
+
+For full examples and best practices, see [Use external insights in CEL policy conditions](/product/admin/external-insights#use-external-insights-in-cel-policy-conditions).
+
 ## Objects
 
 ### Subject object
@@ -417,7 +446,7 @@
 | `subject.manager_id` | string | User's manager ID | `subject.manager_id != ""` | Check if user has manager |

 <Info>
 Both `subject.manager` (email) and `subject.manager_id` (ID) are available. Use `manager` for email-based comparisons and `manager_id` to check existence or for ID-based lookups with `GetByID`.
 </Info>

 #### Organizational fields
@@ -508,11 +537,11 @@
 | `ip.is4` | Boolean | Whether IP is IPv4 | `ip.is4` | IPv4-specific logic |
 | `ip.is6` | Boolean | Whether IP is IPv6 | `ip.is6` | IPv6-specific logic |
 | `ip.isPrivate` | Boolean | Whether IP is private | `ip.isPrivate` | Internal network access |
 | `ip.isLoopback` | Boolean | Whether IP is loopback | `ip.isLoopback` | Localhost detection |
 | `ip.isGlobalUnicast` | Boolean | Whether IP is global unicast | `ip.isGlobalUnicast` | Public IP detection |
 | `ip.isMulticast` | Boolean | Whether IP is multicast | `ip.isMulticast` | Multicast traffic detection |
 | `ip.isInterfaceLocalMulticast` | Boolean | Whether IP is interface local multicast | `ip.isInterfaceLocalMulticast` | Local multicast detection |
 | `ip.isLinkLocalMulticast` | Boolean | Whether IP is link local multicast | `ip.isLinkLocalMulticast` | Link local multicast detection |
 | `ip.isUnspecified` | Boolean | Whether IP is unspecified | `ip.isUnspecified` | Invalid IP detection | 

 ### IP CIDR object
@@ -531,7 +560,7 @@

 ### Quick object reference table

 | Object | Policies | Groups | Automations | Campaigns | Account provisioning |
 | :--- | :--- | :--- | :--- | :--- | :--- |
 | subject | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="square-check" iconType="solid"  color="#65DE23"/>* | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> |
 | user | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="square-check" iconType="solid"  color="#65DE23"/>* | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ |
@@ -540,9 +569,9 @@
 | entitlement | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ |
 | ctx | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ |
 | ip | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ |
 | ip CIDR | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="square-check" iconType="solid"  color="#65DE23"/> | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ | <Icon icon="circle-minus" iconType="solid"  color="red"/>️ |

 \* In Automations, user data is accessed through the `ctx` object (e.g., `ctx.trigger.newUser`, `ctx.trigger.oldUser`)

 ### Subject object
 **Available in:** <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Policies <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Groups <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Automations <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Campaigns <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Account provisioning  
@@ -566,7 +595,7 @@
 subject.department == "Engineering" && subject.status == UserStatus.ENABLED
 ```

 *In Automations:*
 ```go
 // Automation trigger - when user status changes
 subject.status == UserStatus.DISABLED
@@ -603,7 +632,7 @@
 user.department == "Engineering"
 ```

 *In Automations:*
 ```go
 // Automation step - modify specific user
 user.status == UserStatus.DISABLED
@@ -686,7 +715,7 @@
 ### IP address object
 **Available in:** <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Policies <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Groups <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Automations <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Campaigns <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Account provisioning  
 **Description:** Used for network-based access control and filtering  
 **Usage:** Available in policies and automations for network-based logic

 **Context-specific examples:**

@@ -699,7 +728,7 @@
 ip.is4
 ```

 *In Automations:*
 ```go
 // Automation trigger - when IP is from private network
 ip.isPrivate
@@ -708,7 +737,7 @@
 ### IP CIDR object
 **Available in:** <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Policies <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Groups <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Automations <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Campaigns <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Account provisioning  
 **Description:** Used for network range-based access control and filtering  
 **Usage:** Available in policies and automations for network range checking

 **Context-specific examples:**

@@ -718,7 +747,7 @@
 cidr('10.1.2.0/24').contains(ip('10.1.2.5'))
 ```

 *In Automations:*
 ```go
 // Automation trigger - when IP is in specific range
 ip('10.1.2.5').within(cidr('10.1.2.0/24'))
@@ -727,7 +756,7 @@
 ### Context object (ctx)
 **Available in:** <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Policies <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Groups <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Automation Triggers <Icon icon="square-check" iconType="solid"  color="#65DE23"/> Workflow Steps <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Campaigns <Icon icon="circle-minus" iconType="solid"  color="red"/>️ Account provisioning  
 **Description:** Provides access to workflow execution context and trigger data  
 **Usage:** Used in automations to access trigger data and previous step outputs

 **Available fields:**

@@ -767,13 +796,13 @@
 <Warning>
 **Important:** 

 Automation triggers have limited function access. They do NOT have access to directory functions (`c1.directory.*`) or user entitlement checking functions (`c1.user.v1.HasApp`, etc.). Only basic user/account field access and status enums are available.
 </Warning>

 ## Important notes

 ### Use camelCase 
 CEL expressions should be written in camelCase. ConductorOne is moving away from snake_case for consistency and readability. Existing expressions in snake_case will still work, but new ones should follow the camelCase convention. 

 ### Null safety with has()
 Use the `has()` macro to check for existence of optional fields, especially in profile maps:
@@ -791,8 +820,8 @@
 c1.directory.users.v1.FindByEmail(subject.email) && subject.department == "Engineering"
 ```

 ### Function memoization
 Directory function calls are automatically memoized within a single expression evaluation, so calling the same function multiple times is safe and efficient.

 ### Template syntax
 Only Workflow Steps support `{{ expression }}` template syntax for embedding CEL expressions in strings.

diff --git a/product/admin/external-insights.mdx b/product/admin/external-insights.mdx
@@ -59,14 +59,130 @@
 
 Approvers can see an identity's current risk score and risk factors in a request task before submitting their decision.
 
+## Use external insights in CEL policy conditions
+
+Beyond surfacing risk data in the UI, you can reference external insights directly in [CEL policy conditions](/product/admin/expressions-reference#external-insights-functions) to automate access decisions based on a user's security posture.
+
+External insights expose two data types through CEL, each from a different connector:
+
+| Data type | Connector | CEL path | Description |
+|-----------|-----------|----------|-------------|
+| Issue insights | Wiz Insights | `account.security_insights` | Discrete security findings such as critical CVEs, misconfigurations, and exposed secrets |
+| Risk scores | CrowdStrike | `account.risk_score` / `account.risk_scores` | Normalized identity risk scores (0–100, higher = more risk) |
+
+<Note>
+All CEL functions that accept a source app name use the **display name** of the connector app in your tenant. The defaults are `"Wiz Insights"` and `"CrowdStrike"`. If you've renamed a connector app, use the renamed name instead. The match is **exact and case-sensitive**.
+</Note>
+
+### Issue insights (Wiz)
+
+Issue insights represent discrete security findings synced from Wiz. Each insight has three fields: `source` (the connector app name), `value` (a description like `"3 Critical CVEs"`), and `severity` (`"CRITICAL"`, `"HIGH"`, `"MEDIUM"`, `"LOW"`, or `"INFORMATIONAL"`).
+
+**Helper functions**
+
+| Function | Returns | Description |
+|----------|---------|-------------|
+| `c1.app_user.v1.HasSecurityInsight(account)` | `bool` | `true` if the account has any issue insights from any source |
+| `c1.app_user.v1.GetSecurityInsights(account, source)` | `list` | All issue insights from the named source |
+| `c1.app_user.v1.HasSecurityInsightWithSeverity(account, source, severity)` | `bool` | `true` if the account has at least one issue from the named source at the given severity (case-insensitive) |
+
+**Examples**
+
+Deny access when critical Wiz findings exist:
+
+```go
+c1.app_user.v1.HasSecurityInsightWithSeverity(account, "Wiz Insights", "CRITICAL")
+```
+
+Block privileged access on HIGH or CRITICAL Wiz issues:
+
+```go
+c1.app_user.v1.HasSecurityInsightWithSeverity(account, "Wiz Insights", "CRITICAL")
+  || c1.app_user.v1.HasSecurityInsightWithSeverity(account, "Wiz Insights", "HIGH")
+```
+
+Auto-approve when no Wiz issues exist:
+
+```go
+c1.app_user.v1.GetSecurityInsights(account, "Wiz Insights").size() == 0
+```
+
+### Risk scores (CrowdStrike)
+
+Risk scores are normalized values from 0 (no risk) to 100 (highest risk). Each score has two fields: `source` (the connector app name) and `normalized_score` (the integer score).
+
+You can access scores in two ways:
+- **Map** — `account.risk_score` is keyed by source display name and returns the score as an integer.
+- **List** — `account.risk_scores` returns a list of score objects, useful for cross-source queries.
+
+**Helper functions**
+
+| Function | Returns | Description |
+|----------|---------|-------------|
+| `c1.app_user.v1.HasRiskScore(account)` | `bool` | `true` if the account has risk scores from any source |
+| `c1.app_user.v1.GetRiskScore(account, source)` | `c1.risk_score.v1` | The risk score object for the named source (returns `normalized_score` of `0` if missing) |
+
+**Examples**
+
+Block access when the CrowdStrike score exceeds a threshold:
+
+```go
+c1.app_user.v1.GetRiskScore(account, "CrowdStrike").normalized_score > 70
+```
+
+Require extra approval for elevated risk:
+
+```go
+c1.app_user.v1.HasRiskScore(account)
+  && c1.app_user.v1.GetRiskScore(account, "CrowdStrike").normalized_score > 50
+```
+
+Auto-approve when CrowdStrike reports low risk:
+
+```go
+"CrowdStrike" in account.risk_score && account.risk_score["CrowdStrike"] <= 20
+```
+
+Deny access if no CrowdStrike score exists (device may be unmanaged):
+
+```go
+!("CrowdStrike" in account.risk_score)
+```
+
+### Combining sources
+
+You can combine Wiz issue insights and CrowdStrike risk scores in a single condition.
+
+Escalate when CrowdStrike risk is elevated and Wiz has critical findings:
+
+```go
+("CrowdStrike" in account.risk_score && account.risk_score["CrowdStrike"] > 50)
+  && c1.app_user.v1.HasSecurityInsightWithSeverity(account, "Wiz Insights", "CRITICAL")
+```
+
+Require a clean posture from both sources for sensitive access:
+
+```go
+("CrowdStrike" in account.risk_score && account.risk_score["CrowdStrike"] <= 30)
+  && !c1.app_user.v1.HasSecurityInsightWithSeverity(account, "Wiz Insights", "HIGH")
+  && !c1.app_user.v1.HasSecurityInsightWithSeverity(account, "Wiz Insights", "CRITICAL")
+```
+
+### CEL best practices for external insights
+
+- **Put cheap checks first.** Place simple attribute comparisons (like `subject.department`) before insight or risk-score lookups, which trigger lazy data loads.
+- **Guard with existence checks.** Use `HasRiskScore` or `"CrowdStrike" in account.risk_score` before reading scores to avoid zero-default edge cases. Use `HasSecurityInsight` before iterating insights.
+- **Use the correct source name.** The source name must exactly match the app display name in your tenant.
+- **Prefer helper functions for severity checks.** `HasSecurityInsightWithSeverity` compares severity case-insensitively, but direct field comparisons like `i.severity == "CRITICAL"` are case-sensitive.
+
 ## Supported external insights sources
 
 <Columns cols={2}>
   <Card title="CrowdStrike Falcon Identity Protection" icon="shield-check" href="/baton/crowdstrike">
-    Ingest Falcon identity risk scores into ConductorOne. 
+    Ingest Falcon identity risk scores into C1. 
   </Card>
   <Card title="Wiz Insights" icon="shield-check" href="/baton/wiz-insights">
-    Ingest Wiz identity risk scores into ConductorOne. 
+    Ingest Wiz identity risk scores into C1. 
   </Card>
 </Columns>