The control mapping engine.
Native Security's AI reads your cloud org structure, identifies every attached and unattached policy, and builds a policy graph — then sits in your deploy pipeline to enforce it.
Read-only access. Complete picture.
Native Security connects to your cloud organization APIs using read-only credentials. No data plane access. No agents installed. We read what already exists.
- AWS Organizations API — every SCP, every OU, every account
- Azure Policy REST API — assignments at subscription and management group scope
- GCP Organization Policy API — all constraint bindings across resource hierarchy
- Token scopes are documented and minimal. We publish exactly what we read.
Organizations API calls made during discovery (p-xxx is a placeholder policy ID):

```text
ListPolicies(Filter: SERVICE_CONTROL_POLICY)
ListTargetsForPolicy(PolicyId: p-xxx)
DescribeOrganization()
ListOrganizationalUnitsForParent()
ListAccountsForParent()
```

Read-only IAM actions required (one action per API call above; there is no `organizations:ListOUs` action, the OU listing call is `ListOrganizationalUnitsForParent`):

```text
organizations:DescribeOrganization
organizations:ListRoots
organizations:ListOrganizationalUnitsForParent
organizations:ListAccountsForParent
organizations:ListPolicies
organizations:DescribePolicy
organizations:ListTargetsForPolicy
```
One CI step. Every deploy checked.
Add a single step to your pipeline. Before any Terraform plan applies, before any CloudFormation stack deploys, Native Security evaluates the proposed resource changes against your org's policy graph.
- GitHub Actions native action — drop-in YAML step
- GitLab CI include — job definition with SCP evaluation
- Terraform Cloud Run Task — evaluate before plan apply
- Policy gate result: PASS / FAIL with violation detail
GitHub Actions step (the action is referenced with `uses:`, not `run:`):

```yaml
- uses: native-security/enforce-action@v1
  with:
    api-key: ${{ secrets.NS_API_KEY }}
    plan-file: tfplan.json
```
Example gate output:

```text
Evaluating 23 resource changes...
Checking against policy graph (847 policies)
PASS aws_s3_bucket        SCP-DenyPublicAccess
PASS aws_iam_role         SCP-RequirePermBoundary
FAIL aws_iam_role_policy  SCP-DenyAdminWithoutBoundary
Policy gate: FAIL
Violations: 1  Warnings: 0
Deploy halted. Fix: add PermissionsBoundary to role.
```
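The gate step above is a closed service, so here is an added, self-contained illustration of what such a plan check does; it is not Native Security's action or its rule set. It reads a Terraform JSON plan (the `resource_changes` shape that `terraform show -json tfplan` emits), applies two hand-written checks standing in for the `SCP-DenyPublicAccess` and `SCP-RequirePermBoundary` controls named on the page, and returns a PASS/FAIL verdict with one line per evaluated resource. The plan fragment is constructed; the rule names and the account ID in the boundary ARN are sample values.

```python
"""Policy gate over a Terraform JSON plan.

Added example (not Native Security's code). Rules are keyed by the
resource type they govern, so only applicable controls are evaluated
and the PASS/FAIL listing mirrors the shape of the gate output above.
"""
import json
import sys

# Constructed plan fragment in the `terraform show -json` shape.
# aws_iam_role.admin is updated without a permissions boundary and
# should trip the boundary rule; the deleted role is skipped.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"],
                "after": {"bucket": "example-logs", "acl": "private"}}},
    {"address": "aws_iam_role.app", "type": "aws_iam_role",
     "change": {"actions": ["create"],
                "after": {"name": "app",
                          "permissions_boundary": "arn:aws:iam::123456789012:policy/Boundary"}}},
    {"address": "aws_iam_role.admin", "type": "aws_iam_role",
     "change": {"actions": ["update"],
                "after": {"name": "admin", "permissions_boundary": None}}},
    {"address": "aws_iam_role.old", "type": "aws_iam_role",
     "change": {"actions": ["delete"], "after": None}},
]})


def deny_public_acl(after):
    """Stand-in for SCP-DenyPublicAccess: reject public canned ACLs."""
    if after.get("acl") in ("public-read", "public-read-write"):
        return f"bucket acl {after['acl']!r} is public"
    return None


def require_permissions_boundary(after):
    """Stand-in for SCP-RequirePermBoundary: every role needs a boundary."""
    if not after.get("permissions_boundary"):
        return "role has no PermissionsBoundary"
    return None


# (policy name, resource type it governs, check returning a reason or None)
RULES = [
    ("SCP-DenyPublicAccess", "aws_s3_bucket", deny_public_acl),
    ("SCP-RequirePermBoundary", "aws_iam_role", require_permissions_boundary),
]


def evaluate_plan(plan_json, rules=RULES):
    """Return ("PASS"|"FAIL", [per-resource result dicts])."""
    plan = json.loads(plan_json)
    results = []
    for res in plan.get("resource_changes", []):
        actions = res["change"]["actions"]
        # Deletions and no-ops create nothing a create/update control can catch.
        if actions in (["delete"], ["no-op"]):
            continue
        after = res["change"]["after"] or {}
        for policy, rtype, check in rules:
            if res["type"] != rtype:
                continue
            reason = check(after)
            results.append({"address": res["address"], "type": res["type"],
                            "policy": policy,
                            "status": "FAIL" if reason else "PASS",
                            "reason": reason})
    verdict = "FAIL" if any(r["status"] == "FAIL" for r in results) else "PASS"
    return verdict, results


def render(verdict, results):
    """Format results like a gate log: one line per check, then the verdict."""
    lines = [f"{r['status']} {r['address']} {r['policy']}"
             + (f"  ({r['reason']})" if r["reason"] else "") for r in results]
    failures = sum(r["status"] == "FAIL" for r in results)
    lines.append(f"Policy gate: {verdict}")
    lines.append(f"Violations: {failures}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real plan file as argv[1], otherwise run on the constructed sample.
    plan_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    verdict, results = evaluate_plan(plan_text)
    print(render(verdict, results))
    sys.exit(1 if verdict == "FAIL" else 0)  # non-zero exit halts the pipeline
```

The non-zero exit code is what actually stops the deploy in a CI job; the verdict line is for humans. A production gate would derive the checks from the org's real SCP documents rather than hand-written functions, but the evaluation shape (filter changes, match type, record PASS/FAIL per control) is the same.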
Coverage gaps found automatically.
After building the policy graph, Native Security's AI identifies structural gaps: policies defined at the organization root but not inherited by every OU, conditions missing from SCP statements, and control families with no native coverage at all.
- Identifies unattached policies with no OU scope
- Detects SCP statements missing NotAction elements or StringEquals conditions
- Maps coverage to NIST CSF PR.AC, PR.DS, and CIS L1 controls
- Simulation mode: preview what would have blocked in last 30 days
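The read-only discovery walk described earlier and the unattached-policy and inheritance checks in this list come together in the following added example. It is not Native Security's code: it uses the Organizations calls named above (`ListRoots`, `ListOrganizationalUnitsForParent`, `ListAccountsForParent`, `ListPolicies`, `ListTargetsForPolicy`) against a constructed in-memory client so it runs offline, builds the parent/attachment graph, resolves the effective SCP set per account, and reports policies attached nowhere and policies that do not reach every account. The org layout, IDs and policy names are sample values.

```python
"""Build an SCP policy graph from read-only Organizations calls and find gaps.

Added example (not Native Security's code). FakeOrganizationsClient exposes
the same method names and response keys as boto3.client("organizations"),
so build_policy_graph() can be pointed at a real client unchanged, except
that real list_* calls page with NextToken (use boto3 paginators).
"""
from collections import defaultdict

# Constructed sample org: one root, two OUs, three accounts, three SCPs.
# p-root is attached at the root (inherited everywhere), p-ws only to the
# Workloads OU, and p-orphan is attached to nothing.
FAKE_ORG = {
    "roots": [{"Id": "r-0001", "Name": "Root"}],
    "ous": {"r-0001": [{"Id": "ou-core", "Name": "Core"},
                       {"Id": "ou-ws", "Name": "Workloads"}],
            "ou-core": [], "ou-ws": []},
    "accounts": {"r-0001": [],
                 "ou-core": [{"Id": "111111111111"}],
                 "ou-ws": [{"Id": "222222222222"}, {"Id": "333333333333"}]},
    "policies": [{"Id": "p-root", "Name": "SCP-DenyPublicAccess"},
                 {"Id": "p-ws", "Name": "SCP-RequirePermBoundary"},
                 {"Id": "p-orphan", "Name": "SCP-DenyRegionUse"}],
    "targets": {"p-root": [{"TargetId": "r-0001", "Type": "ROOT"}],
                "p-ws": [{"TargetId": "ou-ws", "Type": "ORGANIZATIONAL_UNIT"}],
                "p-orphan": []},
}


class FakeOrganizationsClient:
    """Constructed stand-in for the boto3 Organizations client (read-only calls)."""
    def __init__(self, org):
        self.org = org
    def list_roots(self):
        return {"Roots": self.org["roots"]}
    def list_organizational_units_for_parent(self, ParentId):
        return {"OrganizationalUnits": self.org["ous"][ParentId]}
    def list_accounts_for_parent(self, ParentId):
        return {"Accounts": self.org["accounts"][ParentId]}
    def list_policies(self, Filter):
        return {"Policies": self.org["policies"]}
    def list_targets_for_policy(self, PolicyId):
        return {"Targets": self.org["targets"][PolicyId]}


def build_policy_graph(client):
    """Walk the hierarchy from each root.

    Returns (parent_of, policies_at, accounts):
      parent_of   container id -> parent container id (root -> None)
      policies_at target id (root, OU or account) -> set of SCP ids attached there
      accounts    account id -> the root/OU that contains it
    """
    parent_of, accounts = {}, {}
    stack = [(r["Id"], None) for r in client.list_roots()["Roots"]]
    while stack:
        node, parent = stack.pop()
        parent_of[node] = parent
        for ou in client.list_organizational_units_for_parent(ParentId=node)["OrganizationalUnits"]:
            stack.append((ou["Id"], node))
        for acct in client.list_accounts_for_parent(ParentId=node)["Accounts"]:
            accounts[acct["Id"]] = node
    policies_at = defaultdict(set)
    for pol in client.list_policies(Filter="SERVICE_CONTROL_POLICY")["Policies"]:
        for target in client.list_targets_for_policy(PolicyId=pol["Id"])["Targets"]:
            policies_at[target["TargetId"]].add(pol["Id"])
    return parent_of, dict(policies_at), accounts


def effective_policies(parent_of, policies_at, container):
    """SCPs reaching a container: its own attachments plus every ancestor's."""
    out = set()
    while container is not None:
        out |= policies_at.get(container, set())
        container = parent_of[container]
    return out


def find_gaps(client):
    """Report SCPs attached nowhere and SCPs that miss at least one account."""
    parent_of, policies_at, accounts = build_policy_graph(client)
    all_ids = {p["Id"] for p in client.list_policies(Filter="SERVICE_CONTROL_POLICY")["Policies"]}
    attached = set().union(*policies_at.values()) if policies_at else set()
    per_account = {acct: policies_at.get(acct, set())
                   | effective_policies(parent_of, policies_at, container)
                   for acct, container in accounts.items()}
    partial = sorted(p for p in attached
                     if any(p not in scps for scps in per_account.values()))
    return {"unattached": sorted(all_ids - attached),
            "partial": partial, "per_account": per_account}


if __name__ == "__main__":
    gaps = find_gaps(FakeOrganizationsClient(FAKE_ORG))
    print("unattached:", gaps["unattached"])
    print("not inherited by every account:", gaps["partial"])
```

Whether a "partial" policy is a gap or intentional scoping is a judgement call for the org owner; the graph only makes the difference visible. On a real org, replace the fake client with `boto3.client("organizations")` and page through each list call.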
| Control Family | Coverage | Status |
|---|---|---|
| IAM Boundary | 94% | COVERED |
| S3 Public Access | 100% | COVERED |
| EC2 IMDSv1 | 66% | PARTIAL |
| KMS Encryption | 0% | GAP |
Connect the control planes you already have.
Cloud org APIs and CI/CD integrations. No proprietary agent or collector to run.
Read the docs or request access.
Full API reference, integration guides, and quickstart walkthroughs in the docs. Request early access to start mapping your controls today.