Platform

The control mapping engine.

Native Security's AI reads your cloud org structure, identifies every attached and unattached policy, and builds a policy graph — then sits in your deploy pipeline to enforce it.

AI Control Inventory

Read-only access. Complete picture.

Native Security connects to your cloud organization APIs using read-only credentials. No data plane access. No agents installed. We read what already exists.

  • AWS Organizations API — every SCP, every OU, every account
  • Azure Policy REST API — assignments at subscription and management group scope
  • GCP Organization Policy API — all constraint bindings across resource hierarchy
  • Token scopes are documented and minimal. We publish exactly what we read.

AWS Organizations API — read-only

ListPolicies(Filter: SERVICE_CONTROL_POLICY)
ListTargetsForPolicy(PolicyId: p-xxx)
DescribeOrganization()
ListOrganizationalUnitsForParent()
ListAccountsForParent()

# Read-only IAM actions required (one per call above, plus ListRoots to locate the tree root and DescribePolicy to read SCP content):
organizations:ListPolicies
organizations:DescribePolicy
organizations:ListTargetsForPolicy
organizations:DescribeOrganization
organizations:ListRoots
organizations:ListOrganizationalUnitsForParent
organizations:ListAccountsForParent

Guardrail Enforcement Pipeline

One CI step. Every deploy checked.

Add a single step to your pipeline. Before any Terraform plan applies, before any CloudFormation stack deploys, Native Security evaluates the proposed resource changes against your org's policy graph.

  • GitHub Actions native action — drop-in YAML step
  • GitLab CI include — job definition with SCP evaluation
  • Terraform Cloud Run Task — evaluate before plan apply
  • Policy gate result: PASS / FAIL with violation detail

GitHub Actions CI log

Run native-security/enforce-action@v1
  with:
    api-key: ${{ secrets.NS_API_KEY }}
    plan-file: tfplan.json

Evaluating 23 resource changes...
Checking against policy graph (847 policies)

PASS  aws_s3_bucket           SCP-DenyPublicAccess
PASS  aws_iam_role             SCP-RequirePermBoundary
FAIL  aws_iam_role_policy      SCP-DenyAdminWithoutBoundary

Policy gate: FAIL
Violations: 1  Warnings: 0
Deploy halted. Fix: add PermissionsBoundary to role.
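
What a gate step like this does with the plan file, as an added example that is not Native Security's action code: it reads the resource_changes array of a Terraform plan in JSON form (the `terraform show -json tfplan` format that the plan-file input names) and applies three hypothetical rules named after the SCPs in the log above. The sample plan, the rule logic and the attributes each rule inspects are assumptions made here about what those SCPs enforce, not the product's definitions.

```python
"""Policy gate over a Terraform plan: PASS/FAIL per resource change.

Added example, not Native Security's action code. Reads the resource_changes
array of `terraform show -json tfplan` output and applies three hypothetical
rules named after the SCPs in the CI log; what those SCPs actually enforce is
assumed here, not taken from the product.
"""
import json

# Constructed sample plan (same shape as `terraform show -json`, trimmed).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs", "acl": "private"}}},
    {"address": "aws_iam_role.deploy", "type": "aws_iam_role",
     "change": {"actions": ["create"], "after": {
         "name": "deploy", "permissions_boundary": "arn:aws:iam::111122223333:policy/Boundary"}}},
    {"address": "aws_iam_role.admin", "type": "aws_iam_role",
     "change": {"actions": ["create"], "after": {"name": "admin", "permissions_boundary": None}}},
    {"address": "aws_iam_role_policy.admin_inline", "type": "aws_iam_role_policy",
     "change": {"actions": ["create"], "after": {"role": "admin", "policy": json.dumps(
         {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    # A deletion carries no "after" state and is never checked.
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "before": {"acl": "public-read"}, "after": None}},
]}

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def grants_admin(policy_json):
    """True if any Allow statement grants Action "*" on Resource "*".
    Unparseable or unknown-at-plan-time documents count as admin (worst case)."""
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError):
        return True
    return any(st.get("Effect") == "Allow"
               and "*" in _as_list(st.get("Action", []))
               and "*" in _as_list(st.get("Resource", []))
               for st in _as_list(doc.get("Statement", [])))


def evaluate_plan(plan):
    """Return (verdict, findings); each finding is (result, type, rule, detail)."""
    changes = [c for c in plan.get("resource_changes", [])
               if c["change"].get("after") is not None]
    # Roles defined in this same plan, by name, so a policy attachment can be
    # checked against the boundary of the role it targets.
    roles = {c["change"]["after"].get("name"): c["change"]["after"]
             for c in changes if c["type"] == "aws_iam_role"}
    findings = []
    for c in changes:
        after, t, addr = c["change"]["after"], c["type"], c["address"]
        if t == "aws_s3_bucket":
            acl = after.get("acl") or "private"
            ok = acl not in PUBLIC_ACLS
            findings.append(("PASS" if ok else "FAIL", t, "SCP-DenyPublicAccess",
                             addr if ok else f"{addr}: acl={acl}"))
        elif t == "aws_iam_role":
            ok = bool(after.get("permissions_boundary"))
            findings.append(("PASS" if ok else "FAIL", t, "SCP-RequirePermBoundary",
                             addr if ok else f"{addr}: no permissions_boundary"))
        elif t == "aws_iam_role_policy":
            role = roles.get(after.get("role"), {})  # unknown role => no boundary
            bad = grants_admin(after.get("policy")) and not role.get("permissions_boundary")
            findings.append(("FAIL" if bad else "PASS", t, "SCP-DenyAdminWithoutBoundary",
                             f"{addr}: Action * on Resource * for role {after.get('role')!r} "
                             "with no permissions boundary" if bad else addr))
    verdict = "FAIL" if any(f[0] == "FAIL" for f in findings) else "PASS"
    return verdict, findings


def render(verdict, findings):
    """Format findings in the style of the CI log excerpt."""
    lines = [f"{r:<5} {t:<24} {rule}" for r, t, rule, _ in findings]
    fails = [d for r, _, _, d in findings if r == "FAIL"]
    lines += [f"Policy gate: {verdict}", f"Violations: {len(fails)}"] + [f"  {d}" for d in fails]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*evaluate_plan(SAMPLE_PLAN)))
```

The cross-resource rule is the one worth copying: an inline policy is judged together with the role it attaches to, and a role the plan does not define is treated as having no boundary, so the gate fails closed rather than passing a change it cannot resolve.
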

AI Gap Analysis

Coverage gaps found automatically.

After building the policy graph, Native Security's AI identifies structural gaps: policies defined at the organization root but not inherited by every OU, conditions missing from SCP statements, and control families with no native coverage at all.

  • Identifies unattached policies with no OU scope
  • Detects SCPs with missing NotAction or StringEquals conditions
  • Maps coverage to NIST CSF PR.AC, PR.DS, and CIS L1 controls
  • Simulation mode: preview what would have blocked in last 30 days

gap-analysis: AI scan complete, 6 gaps found

Control Family Coverage Status

Control family     Coverage   Status
IAM Boundary       94%        COVERED
S3 Public Access   100%       COVERED
EC2 IMDSv1         66%        PARTIAL
KMS Encryption     0%         GAP

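
How the read-only inventory described under AI Control Inventory turns into a policy graph, and how structural gaps of the kind listed above fall out of that graph, as one added example that is not Native Security's engine. SAMPLE_SNAPSHOT is a constructed stand-in for the responses of ListRoots, ListOrganizationalUnitsForParent, ListAccountsForParent, ListPolicies, DescribePolicy and ListTargetsForPolicy, trimmed to the fields used; fetch_snapshot() shows the same read-only calls made against a live organization through a boto3 Organizations client passed in by the caller. The three gap checks (unattached policy, account with only FullAWSAccess in effect, Deny statement with no Condition) are my simplifications of the page's bullet list, not the product's rules.

```python
"""SCP policy graph from AWS Organizations read-only calls, plus gap checks.
Added example, not Native Security's engine. SAMPLE_SNAPSHOT is a constructed
stand-in for the API responses, trimmed to the fields used; fetch_snapshot()
makes the real calls through a boto3 "organizations" client you pass in."""
import json


def _scp(statement):
    return json.dumps({"Statement": [statement]})


SAMPLE_SNAPSHOT = {  # constructed, not a real organization
    "roots": [{"Id": "r-exam", "Name": "Root"}],
    "children": {  # ParentId -> [(type, Id, Name)], as the List*ForParent calls return
        "r-exam": [("OU", "ou-exam-prod", "Prod"), ("OU", "ou-exam-sbx", "Sandbox")],
        "ou-exam-prod": [("ACCOUNT", "111122223333", "payments")],
        "ou-exam-sbx": [("ACCOUNT", "444455556666", "dev")],
    },
    "policies": {  # PolicyId -> Name and Content (ListPolicies + DescribePolicy)
        "p-FullAWSAccess": {"Name": "FullAWSAccess", "Content": _scp(
            {"Effect": "Allow", "Action": "*", "Resource": "*"})},
        "p-denyroot": {"Name": "DenyRootUser", "Content": _scp(
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}})},
        "p-denyregion": {"Name": "DenyOtherRegions", "Content": _scp(
            {"Effect": "Deny", "NotAction": ["iam:*", "sts:*"], "Resource": "*"})},
        "p-imdsv2": {"Name": "RequireIMDSv2", "Content": _scp(
            {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
             "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}})},
    },
    "targets": {  # PolicyId -> TargetIds (ListTargetsForPolicy)
        "p-FullAWSAccess": ["r-exam", "ou-exam-prod", "ou-exam-sbx", "111122223333", "444455556666"],
        "p-denyroot": ["ou-exam-prod"],
        "p-denyregion": ["ou-exam-prod"],
        "p-imdsv2": [],
    },
}


def build_graph(snap):
    """Return (parent, kind, attached): tree edges, node types, SCPs attached per node."""
    parent = {r["Id"]: None for r in snap["roots"]}
    kind = {r["Id"]: "ROOT" for r in snap["roots"]}
    stack = list(parent)
    while stack:
        p = stack.pop()
        for ctype, cid, _name in snap["children"].get(p, []):
            parent[cid], kind[cid] = p, ctype
            if ctype == "OU":
                stack.append(cid)
    attached = {n: [] for n in parent}
    for pid, tgts in snap["targets"].items():
        for t in tgts:
            attached.setdefault(t, []).append(pid)
    return parent, kind, attached


def effective_policies(node, parent, attached):
    """SCPs in effect for a node: its own attachments plus every ancestor's."""
    out, cur = [], node
    while cur is not None:
        out.extend(attached.get(cur, []))
        cur = parent[cur]
    return out


def find_gaps(snap):
    """Three structural checks over the graph; each gap is (kind, subject, detail)."""
    parent, kind, attached = build_graph(snap)
    names = {pid: p["Name"] for pid, p in snap["policies"].items()}
    gaps = [("UNATTACHED", names[pid], "no root, OU or account target")
            for pid, tgts in snap["targets"].items() if not tgts]
    for node, k in kind.items():  # accounts with nothing but FullAWSAccess in their path
        if k == "ACCOUNT" and all(names[p] == "FullAWSAccess"
                                  for p in effective_policies(node, parent, attached)):
            gaps.append(("NO_GUARDRAIL", node, "only FullAWSAccess in effect"))
    for pid, pol in snap["policies"].items():  # Deny statements that carry no Condition
        for i, st in enumerate(json.loads(pol["Content"])["Statement"]):
            if st.get("Effect") == "Deny" and "Condition" not in st:
                gaps.append(("UNCONDITIONAL_DENY", names[pid],
                             f"statement {i} denies unconditionally; confirm intent"))
    return gaps


def fetch_snapshot(org):
    """Same shape from a live org via the read-only calls above (pass
    boto3.client("organizations")); NextToken pagination omitted for brevity."""
    snap = {"roots": org.list_roots()["Roots"], "children": {}, "policies": {}, "targets": {}}
    stack = [r["Id"] for r in snap["roots"]]
    while stack:
        p = stack.pop()
        ous = org.list_organizational_units_for_parent(ParentId=p)["OrganizationalUnits"]
        accts = org.list_accounts_for_parent(ParentId=p)["Accounts"]
        snap["children"][p] = [("OU", o["Id"], o["Name"]) for o in ous] + [
            ("ACCOUNT", a["Id"], a["Name"]) for a in accts]
        stack.extend(o["Id"] for o in ous)
    for pol in org.list_policies(Filter="SERVICE_CONTROL_POLICY")["Policies"]:
        pid = pol["Id"]
        snap["policies"][pid] = {"Name": pol["Name"], "Content":
                                 org.describe_policy(PolicyId=pid)["Policy"]["Content"]}
        snap["targets"][pid] = [t["TargetId"]
                                for t in org.list_targets_for_policy(PolicyId=pid)["Targets"]]
    return snap
```

Running find_gaps(SAMPLE_SNAPSHOT) reports RequireIMDSv2 as unattached, the sandbox account as reachable only through FullAWSAccess, and DenyOtherRegions as an unconditional Deny; nothing in the module needs network access unless fetch_snapshot() is called with a real client.
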
Integrations

Connect the control planes you already have.

Cloud org APIs and CI/CD integrations. No proprietary agent or collector to run.

  • AWS Organizations: Available
  • Azure Mgmt Groups: Available
  • GCP Org Policy: Available
  • GitHub Actions: Available
  • GitLab CI: Available
  • Terraform Cloud: Available
  • CloudFormation: Available
  • Pulumi: Coming Soon

Read the docs or request access.

Full API reference, integration guides, and quickstart walkthroughs in the docs. Request early access to start mapping your controls today.