security model

Autonomy, but not a black box.

Every automated IAM tool either runs on rails (dashboards + checklists) or dispatches opaque agents you're asked to trust. We reject the second and improve on the first. Every defense below is code you can read, policy you can edit, and a log line an auditor can verify.

three guarantees

What's between an LLM and your production directory.

01 · POLICY-GATED

Every action passes OPA.

Rego policies are code you own — version-controlled, code-reviewed, deployed alongside the rest of your infrastructure. Allow, deny, require-HITL, block. Every packet the executor receives is signed with a per-tenant HMAC-SHA256 key; unsigned packets fail closed at the doer.

02 · HUMAN-IN-THE-LOOP

The risky 5% routes to an approver.

Privileged accounts, production owners, HRIS disagreement, recent escalations — anything that crosses your risk threshold fires a one-time signed approval link to your security team's Slack. Approve or reject with cryptographic attribution; the actor identity makes it into the audit chain.

03 · WORM AUDIT

Tamper-evident by design.

Every decision, every execution, every credential lease emits a SHA-256-chained event to a write-once ledger. SOC 2, SOX and ISO 27001 auditors verify the chain themselves with a single endpoint — you don't have to trust us.

threat model

What we explicitly defend against.

01 / Prompt injection

Adversarial intake

A deterministic post-filter scans every raw input for known injection markers ("ignore previous instructions", schema-shaped payloads, role-shift attempts). Hits clamp parse confidence below 0.4, scrub the target identity from the packet, and add an prompt_injection_suspected flag that fires HITL.

deterministic post-filter
02 / Stale credentials

JIT vault leases

The doer never holds a long-lived API token. Vault issues a 60-second lease per execution and revokes immediately. A per-tenant Vault path means no cross-tenant blast radius.

vault · approle · 60s ttl
03 / Forged decisions

Signed packets

The gatekeeper signs every decision packet with a per-tenant HMAC-SHA256 key. The doer verifies on both HTTP and Kafka paths. Mismatched signatures emit a doer.signature_rejected audit event and silently drop. Rotation runbook in VAULT_PROD_SETUP.md. Roadmap: migrating to asymmetric Ed25519 signing so a compromised doer cannot forge gatekeeper decisions.

hmac-sha256 · per-tenant keys
04 / Reversibility

Soft / hard phases

Every offboard is a two-phase commit. Soft phase (deactivate + revoke sessions) is instant. Hard phase (delete user, reclaim license) defers 5 minutes. A reinstate inside the window restores the account end-to-end. After 5 minutes, the delete is durable.

two-phase · 5min reinstate window
what we don't do

The boundaries.

design partners · q3 2026

Read the security primitives.

The OPA policies, the packet-signing implementation, and the WORM audit chain — published under a source-available evaluation license. Clone the repo, run opa test policies/ against the production-identical policies, audit the code yourself before you sign anything.

View on GitHub Book a security review