Autonomy, but not a black box.
Every automated IAM tool either runs on rails (dashboards + checklists) or dispatches opaque agents you're asked to trust. We reject the second and improve on the first. Every defense below is code you can read, policy you can edit, and a log line an auditor can verify.
What's between an LLM and your production directory.
Every action passes OPA.
Rego policies are code you own — version-controlled, code-reviewed, deployed alongside the rest of your infrastructure. Allow, deny, require-HITL, block. Every packet the executor receives is signed with a per-tenant HMAC-SHA256 key; unsigned packets fail closed at the doer.
The risky 5% routes to an approver.
Privileged accounts, production owners, HRIS disagreement, recent escalations — anything that crosses your risk threshold fires a one-time signed approval link to your security team's Slack. Approve or reject with cryptographic attribution; the actor identity makes it into the audit chain.
Tamper-evident by design.
Every decision, every execution, every credential lease emits a SHA-256-chained event to a write-once ledger. SOC 2, SOX and ISO 27001 auditors verify the chain themselves with a single endpoint — you don't have to trust us.
What we explicitly defend against.
Adversarial intake
A deterministic post-filter scans every raw input for known injection markers ("ignore previous instructions", schema-shaped payloads, role-shift attempts). Hits clamp parse confidence below 0.4, scrub the target identity from the packet, and add a prompt_injection_suspected flag that fires HITL.
JIT vault leases
The doer never holds a long-lived API token. Vault issues a 60-second lease per execution and revokes immediately. A per-tenant Vault path means no cross-tenant blast radius.
Signed packets
The gatekeeper signs every decision packet with a per-tenant HMAC-SHA256 key. The doer verifies on both HTTP and Kafka paths. A packet with a mismatched signature emits a doer.signature_rejected audit event and is silently dropped. Rotation runbook in VAULT_PROD_SETUP.md. Roadmap: migrating to asymmetric Ed25519 signing so a compromised doer cannot forge gatekeeper decisions.
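A sketch of the doer-side, fail-closed check described above, as an added example rather than the product's own code. The packet fields `body`, `sig` and `tenant`, the key values, and the in-memory audit list are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-tenant keys (assumption); the page says real keys are per tenant.
TENANT_KEYS = {"tenant-a": b"a" * 32, "tenant-b": b"b" * 32}
AUDIT_LOG = []  # hypothetical stand-in for the audit ledger


def canonical(body: dict) -> bytes:
    # Deterministic encoding: key order and whitespace cannot change the MAC input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_packet(tenant: str, body: dict) -> dict:
    # Gatekeeper side: the tenant id is part of the signed body, so it cannot
    # be swapped after signing without invalidating the MAC.
    body = dict(body, tenant=tenant)
    sig = hmac.new(TENANT_KEYS[tenant], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_packet(packet) -> bool:
    # Doer side: a missing field, an unknown tenant or a MAC mismatch all
    # end in the same rejection path. Nothing is accepted by default.
    body = packet.get("body") if isinstance(packet, dict) else None
    sig = packet.get("sig") if isinstance(packet, dict) else None
    tenant = body.get("tenant") if isinstance(body, dict) else None
    key = TENANT_KEYS.get(tenant) if isinstance(tenant, str) else None
    ok = False
    if key is not None and isinstance(sig, str):
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(expected.encode(), sig.encode())
    if not ok:
        AUDIT_LOG.append({"event": "doer.signature_rejected", "tenant": tenant})
    return ok
```

Because the key is symmetric, any component that can verify a packet can also sign one, which is the gap the Ed25519 roadmap item addresses.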
Soft / hard phases
Every offboard is a two-phase commit. Soft phase (deactivate + revoke sessions) is instant. Hard phase (delete user, reclaim license) defers 5 minutes. A reinstate inside the window restores the account end-to-end. After 5 minutes, the delete is durable.
The boundaries.
- We don't store customer credentials. The whole stack runs in your own cloud — long-lived tokens live in a Vault deployed into your infrastructure, with rotation tooling and JIT leases only. On Done-for-You we operate that Vault for you; you can revoke our access at any time.
- We don't ship a UI for editing OPA policy. Policy is git-versioned alongside the rest of your infrastructure. The admin UI shows policy read-only.
- We don't run a "general agent" loop. Every pipeline — offboard, provision, role-change, access-review — is a finite state machine with named stages and a deny-by-default OPA gate. There's no open-ended autonomy and nothing executes outside the identity-lifecycle domain.
- We don't dial home. No telemetry beacons, no usage analytics. The only outbound traffic from a tenant deployment is the portals it's configured to call.
Read the security primitives.
The OPA policies, the packet-signing implementation, and the WORM audit chain — published under a source-available evaluation license. Clone the repo, run opa test policies/ against the production-identical policies, audit the code yourself before you sign anything.