Add guest and shared account evidence gates

[malb200710-dev]

Bounty type

Skill Improvement bounty

Modified skill

skills/identity/access-review/SKILL.md

Issue

Fixes #1521

What was missing

The access-review skill mentioned guest/external and shared accounts, but it did not require sponsor state, business/access-package expiry, recent guest activity evidence, or individual-use attribution for shared/emergency accounts.

What changed

• Bumped �ccess-review to v1.0.1.
• Added AR-EXT-01 through AR-EXT-06 for external guest sponsorship, inactive sponsors, expired business relationship/package, activity evidence, nested group blind spots, and stale delegated/API access.
• Added required external access evidence fields for sponsor status, business expiry, recent activity, review source, and revalidation triggers.
• Added AR-SHARED-01 through AR-SHARED-04 for shared-account ownership without attribution, missing PAM/session/command evidence, unknown last user, and missing post-use review/rotation.
• Added output tables for External Access Evidence and Shared Account Attribution Evidence.
• Added summary category counts, pitfalls, and version history entry.

Validation

• Confirmed v1.0.1 version bump.
• Confirmed AR-EXT and AR-SHARED gates are present.
• Confirmed external access and shared attribution output sections are present.
• Confirmed version history was updated.
• Confirmed Markdown fence balance.

Bounty request

Requesting consideration for the SecuritySkills improver bounty if accepted/merged. Payment details can be provided privately after acceptance.