
At $LastCompany, someone gave them Contributor (Create/Read/Update/Delete) access to Azure because it was easier than scoping to the 5 roles they required. I wouldn't be shocked if we were not the only ones.

Edit: Their software should really check and refuse to work if someone does that, but obviously Vanta doesn't care. They can begin scanning and billing.



It's what's annoying about NIST and DFARS: you can be fully compliant despite having made stupid decisions as long as you have documented that you are in fact making this stupid decision.


Vanta cofounder/CEO here.

Thanks for the feedback. What we should probably do is take the credential, start scanning, and then nag them with a failing test about overly-permissive roles. Our own role is an easy check because we know what to expect, but there are other best practices here we can check for (and in some cases do, though not 100% comprehensively across all clouds).
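Here is what the "check our own role" test described above could look like, as an added example in Python (not Vanta's code, and not anything the page shows). It assumes the input is the JSON printed by `az role assignment list --assignee <principal> --all -o json` with the field names `roleDefinitionName`, `scope`, `principalName` and `principalType`; the sample records are constructed, and the allowlist of roles a read-only scanner needs is an assumption for the example, not a documented requirement of any product.

```python
"""Check a scanner service principal's Azure role assignments against the roles it
actually needs, and fail the test when it holds broad roles such as Contributor."""
import json

# Constructed sample input. The records mimic the JSON that
# `az role assignment list --assignee <principal> --all -o json` prints
# (assumed field names: roleDefinitionName, scope, principalName, principalType),
# trimmed to the fields this check reads.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "compliance-scanner", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "compliance-scanner", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
  {"principalName": "compliance-scanner", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Storage Blob Data Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/logs"}
]
"""

# Roles a read-only compliance scanner plausibly needs. This allowlist is an
# assumption for the example, not any vendor's documented requirement.
EXPECTED_ROLES = frozenset({"Reader", "Security Reader", "Log Analytics Reader"})

# Built-in roles that grant write/delete, or the ability to grant roles to others.
HIGH_RISK_ROLES = frozenset({"Owner", "Contributor", "User Access Administrator"})


def scope_level(scope):
    """Classify an ARM scope string as managementGroup, subscription,
    resourceGroup or resource level, so a finding says how wide the grant is."""
    parts = [p for p in scope.split("/") if p]
    if parts[:1] == ["providers"] and "managementGroups" in parts:
        return "managementGroup"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def find_excess_assignments(assignments, expected_roles=EXPECTED_ROLES):
    """Return one finding per assignment whose role is outside expected_roles.
    Each finding records the role, the scope, the scope level and a severity."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if role in expected_roles:
            continue
        scope = a.get("scope", "")
        findings.append({
            "role": role,
            "scope": scope,
            "scope_level": scope_level(scope),
            "severity": "high" if role in HIGH_RISK_ROLES else "medium",
        })
    return findings


def own_role_test(assignments_json, expected_roles=EXPECTED_ROLES):
    """The 'nag with a failing test' check: parse the assignment list, flag
    anything beyond the expected roles and return a pass/fail verdict. Because
    the subject is the scanner's own principal, the expected set is known up front."""
    assignments = json.loads(assignments_json)
    if not assignments:
        # No assignments at all is a different failure: the scanner cannot read anything.
        return {"status": "fail", "reason": "no role assignments found", "findings": []}
    findings = find_excess_assignments(assignments, expected_roles)
    return {"status": "fail" if findings else "pass", "findings": findings}


if __name__ == "__main__":
    result = own_role_test(SAMPLE_ASSIGNMENTS_JSON)
    print(result["status"])
    for f in result["findings"]:
        print(f"  [{f['severity']}] {f['role']} at {f['scope_level']} scope {f['scope']}")
```

On the constructed sample the test fails with two findings: Contributor at subscription scope (high) and Storage Blob Data Contributor on one resource group (medium). The scope level matters for remediation: a Contributor grant on a whole subscription is what the original comment describes, while the same role on a single resource group is a narrower problem.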


Glad one of many things is getting fixed.



