The detail behind the four layers — grouped by the job each capability does, with an honest read on what's live, in beta, or planned. No green-check theater.
Status reflects current product maturity and is confirmed in writing in any signed customer artifact. We'd rather tell you something is in beta than pretend it ships today.
You can't govern what you can't see. Most teams can't name half their service accounts, let alone their AI agents — so governance starts by making every identity visible in one place.
Human users, service accounts, API keys, and AI agents correlated across legacy and cloud into a single, queryable graph.
Campaigns that end in an auditor-grade evidence pack — reviewers certify against real access, not stale entitlements.
Self-service requests, approvals, and automatic reconciliation against the systems of record you already run.
The access that causes breaches is rarely new — it's the dormant admin rights and quietly over-privileged agents nobody revisited. Protect is about catching those before an attacker does.
Detect and block toxic access combinations before they're granted, with policy you can read and audit.
Surface dormant admin accounts, unused entitlements, and over-privileged agents that quietly accumulate risk.
A pre-LLM guardrail aligned to OWASP ASI — inspect tool-use and prompts before an agent can act on them.
Most tools tell you a revoke was requested. The question an auditor actually asks is whether it happened — across every system, with proof. Revoke isn't done until removal is verified and sealed.
HR or IdP signal triggers revoke across AD, Okta, AWS, and SaaS in seconds — then verifies removal actually happened.
Compromised account? Dry-run, two-person approval, revoke everywhere, verify, and seal — one controlled motion.
A customer-managed gateway dials out over mTLS. No inbound ports to open — built for restricted networks.
This is the gap I spent 26 years watching go unanswered: the decision lived in one system, the proof in spreadsheets and email. Prove makes the evidence math — verifiable on your own, without trusting us.
Every revoke, grant, and approval sealed into a SHA-256 hash-chain, signed with ECDSA — change one record and the chain breaks.
Evidence written to your own S3 with Object Lock and retention boundaries you set. Your keys (BYO-KMS) — we can't read it without you.
Generate a framework-mapped evidence pack (e.g. SOX §404) on demand — verifiable offline, without trusting us.
A scoped proof shows these capabilities working against your real systems — and hands you the evidence pack to keep.