Skip to main content
IIOS — The platform for organizational reasoning
Operate

Security

Security in IIOS is architectural, not bolted on. Every request — from a person, a service, or an agent — passes through one policy engine, is encrypted in transit and at rest, and is recorded to an immutable ledger.

ForSecurity & complianceIT organizationsRisk & audit

Defense in depth

The platform layers independent controls so no single failure is catastrophic: federated identity, a central policy engine, encryption everywhere, network isolation per sovereignty boundary, and continuous audit. The control plane is the spine that ties them together.

One enforcement path
IdentitySSO · SCIMPolicy engineRBAC · ABACAudit ledgerimmutableSovereigntytenant boundaryEvery call
Identity, policy, and audit wrap every layer uniformly.

Core controls

ControlMechanismScope
Encryption in transitTLS 1.3 / mTLSAll service + client traffic
Encryption at restAES-256, BYOK / HSMGraph, events, evidence, backups
AuthorizationCentral RBAC + ABAC policy engineEvery request, no bypass
AuditAppend-only immutable ledgerReads, writes, agent actions
IsolationPer-boundary network + tenancyDeployment sovereignty domain

Policy as code

Access rules are declarative, versioned, and reviewed like any other code. The engine evaluates role and attribute conditions together, and the default is always deny.

policies/north-plant.hcl
# Policy is declarative and versioned. Deny is the default.
policy "north-plant-operators" {
  effect = "allow"
  actions = ["graph:read", "reason:invoke"]
  resources = ["plant:north/*"]
  condition {
    principal.classification >= resource.classification
    request.topology in ["dedicated", "on-prem"]
  }
}
No implicit trust
Nothing is trusted by network location alone. An in-cluster service still presents a scoped token and is evaluated by the same policy engine as an external caller.

Assurance & compliance

The platform is built to map cleanly onto the controls enterprise programs already require:

  • SSO/SCIM against your IdP — no parallel identity store
  • Customer-managed keys (BYOK/HSM) in dedicated and on-prem topologies
  • Immutable, exportable audit evidence for every access decision
  • Data residency and isolation enforced by the sovereignty boundary
  • Least-privilege, short-lived tokens for humans, services, and agents

Security patterns

Single enforcement point

One policy engine for all principals means one place to reason about, test, and audit access.

Encrypt everything, own the keys

Data is encrypted end to end, and regulated customers hold their own key material.

Prove it later

The immutable ledger turns "who saw what, when" into a query, not an investigation.

Assume breach

Short-lived tokens, deny-by-default, and isolation limit blast radius when something does go wrong.