
Machine identity trust graph

See every machine identity path before it becomes risk.

Identrail connects cloud, cluster, repository, and OIDC identity signals into one live risk graph so teams can prioritize exposure and ship safer access changes.

Collection: Read-only by default
Coverage: AWS, K8s, GitHub, OIDC
Output: Prioritized risk graph
  • Open-core under Apache-2.0
  • Read-only onboarding model
  • Self-hosted and hosted paths
  • Public docs and release history
AWS IAM live / Evidence ready

Production workspace / AWS IAM

AssumeRole path detected
Critical path
Source identity: GitHub Actions OIDC (payments-api / deploy-production.yml)
Privilege boundary: AWS IAM role billing-prod (boundary allows shared namespace assumption)
Target resource: PostgreSQL billing ledger (prod-billing / read-write eligible path)
Owner-ready fix: Restrict `sub` and namespace tags (simulation reports no workload breakage)
GitHub Actions OIDC → AWS IAM IdP → billing-prod role → PostgreSQL ledger
  1. GitHub Actions OIDC token verified (repo: payments-api / deploy-production.yml). Status: Verified
  2. AssumeRole path detected (sts:AssumeRole reaches billing-prod in 4 hops). Status: Active
  3. Privilege boundary inherited (aws:PrincipalTag condition allows broad namespace reuse). Status: Review
  4. Evidence packet assembled (JWT claims, trust policy, and API call proof attached). Status: Ready

Reviewed across your identity stack

  • AWS IAM
  • Kubernetes
  • GitHub
  • OpenID
  • Terraform
  • Docker
  • PostgreSQL
  • Prometheus

Why teams miss machine identity risk

Signals only matter when they reveal the path.

IAM policies, Kubernetes RBAC, repository exposure, and OIDC workflow identities are reviewed in separate tools. Identrail connects them into one operating view, then shows blast radius, ownership, and the next action.

AWS IAM: role assumptions and policy edges
Kubernetes: service accounts, RBAC, namespaces
GitHub/OIDC: workflow identity and token claims

Identrail trust graph

One connected machine identity path
Source evidence / Blast radius / First safe fix
01 / Before

Isolated alerts

Each control plane looks acceptable until the machine identity path crosses boundaries.

02 / During

Evidence stitching

Identity collection joins IAM, Kubernetes, repository, and OIDC signals into one chain.

03 / After

Safe remediation

Owners get the affected workload, blast-radius context, and a recommended next step.

Trust operations layer

One operating view for machine identity risk.

Identrail gives security and platform teams the same operating picture: live trust paths, policy evidence, blast-radius context, and a practical next step for each owner.

Exposure triage

Turn scattered identity signals into one owner-ready queue.

High confidence
Primary risk path: Production database reachable
Signal match: AWS role + K8s service account + OIDC claim drift

Evidence

  • Trust policy allows broad workflow subject claims
  • ClusterRoleBinding grants namespace-spanning workload access
  • Reachable resource is tagged production and regulated

Operator playbook

  1. Confirm owner
  2. Review evidence bundle
  3. Prioritize first fix

Product tour

Connect sources, trace risk, and ship the first safe fix.

Validate IAM, Kubernetes, GitHub, and OIDC signals, preview the impact, and give teams a clear remediation plan.

01
Connector scope

Connect source systems

Validate AWS IAM, Kubernetes, GitHub Actions, and OIDC signals with scoped collection.

02
Exposure path

Trace real exposure

Show the identity, workload, role, and resource chain with severity context.

03
Policy simulation

Simulate the safest change

Preview trust-policy and RBAC edits before anything touches production.

04
Review bundle

Export the review bundle

Package source proof, owner notes, policy diffs, and residual risk for review.

Production workspace

Owner-ready risk path

Evidence ready

Reachable path

GitHub workflow can reach billing data through AWS role trust.

High
Identity: GitHub Actions OIDC
Privilege: AWS IAM role billing-prod
Workload: payments-api namespace
Resource: PostgreSQL billing ledger

Safe fix simulation

Restrict subject claim and namespace tags
  - sub = "*"
  + sub = "repo:payments-api:prod"
  + namespace = "payments-api"
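The broad-subject trust policy that this fix panel and the AWS IAM evidence above describe, checked in code. This is an added Python example, not Identrail's own code: the account id, the org name "acme" and the use of GitHub's `repo:<owner>/<repo>:environment:<name>` subject format are assumptions. It evaluates which GitHub OIDC subjects an IAM role trust policy admits and flags subject conditions that do not pin a single repository.

```python
import re
SUB_KEY = "token.actions.githubusercontent.com:sub"
ASSUME = "sts:AssumeRoleWithWebIdentity"
PROVIDER = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"  # constructed

def _policy(sub_op, sub_value):
    # Constructed single-statement trust policy; only the subject condition varies.
    cond = {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}
    cond.setdefault(sub_op, {})[SUB_KEY] = sub_value
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ASSUME,
            "Principal": {"Federated": PROVIDER}, "Condition": cond}]}

# "Before": any workflow token issued by the provider may assume the role (sub = "*").
WEAK_TRUST_POLICY = _policy("StringLike", "*")
# "After": only the payments-api repository's prod environment (org name "acme" is assumed).
HARDENED_TRUST_POLICY = _policy("StringEquals", "repo:acme/payments-api:environment:prod")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(op, pattern, sub):
    # IAM semantics: StringEquals is exact; StringLike treats * and ? as wildcards.
    return pattern == sub if op == "StringEquals" else re.fullmatch(
        re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."), sub) is not None

def _subject_rules(policy):
    # Per Allow statement granting web-identity assumption: [(operator, sub values), ...]
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or ASSUME not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        yield [(op, _as_list(cond[op][SUB_KEY])) for op in ("StringEquals", "StringLike")
               if SUB_KEY in cond.get(op, {})]

def allows_subject(policy, sub):
    # Operators in a statement are ANDed, values under one operator ORed; no sub condition = any token.
    for rules in _subject_rules(policy):
        if not rules or all(any(_matches(op, p, sub) for p in pats) for op, pats in rules):
            return True
    return False

def broad_subject_findings(policy):
    """Flag statements whose sub condition does not pin a single owner/repository."""
    findings = []
    for i, rules in enumerate(_subject_rules(policy)):
        for op, p in [(op, p) for op, pats in rules for p in pats] or [("no sub condition", "*")]:
            repo = p.split(":")[1] if p.startswith("repo:") else "*"
            if "*" in repo or "?" in repo:
                findings.append(f"statement {i}: {op} {p!r} does not pin one repository")
    return findings
```

Run `broad_subject_findings` over each role's trust policy to get the "trust policy allows broad workflow subject claims" evidence line, and `allows_subject` with a token's actual `sub` to confirm a proposed change keeps the intended workflow working.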

Review bundle

Ready for owner review
  • Source proof
  • Policy diff
  • Affected workload
  • Owner timeline

Operational Workflow

From read-only discovery to safe enforcement

Each stage produces a concrete artifact security and platform teams can review before taking action.

  1. 01 / Discover

    Build the trust graph

    Collect AWS IAM, Kubernetes, GitHub, and OIDC identity metadata in read-only mode.

    Output: identity graph snapshot with source evidence links

  2. 02 / Prioritize

    Rank reachable risk paths

    Score findings by severity, privilege depth, and production blast-radius potential.

    Output: ranked findings queue with owner-ready context

  3. 03 / Simulate

    Preview hardening safely

    Preview trust-policy changes and estimate affected workloads before enforcement.

    Output: remediation plan with expected impact summary

  4. 04 / Operate

    Roll out with controls

    Deploy in stages with rollback options and track resolution outcomes.

    Output: audit-ready remediation timeline and status history

Adoption Paths

Choose the deployment model that fits your operating constraints.

01 / Maximum control

Open Source

Best for: self-hosted evaluation and internal control.

Time to value: Same day with Docker/Kubernetes setup
Control level: Full infrastructure and data ownership
Support model: Community and docs-led
View open-source setup →
03 / Private control

Enterprise

Best for: private tenancy, procurement, and compliance control.

Time to value: Planned onboarding with architecture review
Control level: Private deployment and regional controls
Support model: Enterprise SLA and named partner team
Contact enterprise team →

Comparison

Why teams choose Identrail over closed black-box workflows

| Category | Identrail | Typical closed alternatives |
| --- | --- | --- |
| Trust-path explainability | Shows full identity chain with policy evidence and affected resources | Often returns abstract risk findings without chain-level context |
| Rollout safety | Read-only collection, simulation-first remediation, staged enforcement | Policy hardening usually relies on external tooling and manual checks |
| Open-core transparency | Public repository, documentation, and release history | Limited implementation visibility and slower verification by engineers |
| Developer and platform fit | Built for security + platform collaboration with inspectable outputs | Security-only workflows can be harder for platform teams to operationalize |

Ready to evaluate

Map your first production trust path in minutes

Start with a read-only scan, review evidence, then decide whether to self-host, use hosted SaaS, or move to enterprise deployment.