Policy Layers in System Initiative
System Initiative is an AI Native Infrastructure Automation Platform that builds digital twins of your infrastructure. It enables you to define and enforce policy across three distinct layers, each serving different governance needs.
Overview
System Initiative allows you to write policy in three complementary ways, from preventive controls to detective controls to compliance verification:
1. Native Cloud Provider Policy
Description: Model and enforce the native policy mechanisms available in your cloud provider.
Examples:
- AWS Resource Control Policies (RCP)
- AWS Service Control Policies (SCP)
- Azure Policy
Characteristics:
- Preventive: Blocks non-compliant resources from being created
- Hard enforcement: Resources cannot be deployed if they violate policy
- Provider-native: Uses the cloud provider's built-in policy engine
- Centralized control: Typically applied at organization or account level
Use case: When you need to prevent specific actions or resource configurations from ever being created (e.g., "no S3 buckets in eu-west-1" or "all EC2 instances must use approved AMIs"). SCPs bound what principals inside your accounts may do; RCPs bound who may access your resources, including principals outside your organization. Neither applies to the management account, so keep workloads out of it.
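The two use cases above expressed as a single deny-only SCP, with a deliberately small evaluator that shows how the condition keys decide the outcome. This is an added example, not System Initiative's or AWS's code; the AMI IDs are placeholders, the evaluator models only the two operators the policy uses, and a deny-only SCP assumes the default FullAWSAccess policy stays attached.

```typescript
// Added example (not System Initiative's or AWS's code). The AMI IDs are
// placeholders and the evaluator is a minimal model of IAM condition logic.

type Operator = "StringEquals" | "StringNotEquals";

interface Statement {
  Sid: string;
  Effect: "Deny";
  Action: string;
  Resource: string;
  Condition: Partial<Record<Operator, Record<string, string | string[]>>>;
}

// Valid SCP content: quote the keys and it pastes into AWS Organizations unchanged.
const scp: { Version: string; Statement: Statement[] } = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "DenyS3BucketsInEuWest1",
      Effect: "Deny",
      Action: "s3:CreateBucket",
      Resource: "*",
      Condition: { StringEquals: { "s3:LocationConstraint": "eu-west-1" } },
    },
    {
      Sid: "DenyUnapprovedAmis",
      Effect: "Deny",
      Action: "ec2:RunInstances",
      Resource: "arn:aws:ec2:*::image/*",
      Condition: {
        StringNotEquals: { "ec2:ImageID": ["ami-0000000000000001", "ami-0000000000000002"] },
      },
    },
  ],
};

interface Request {
  action: string;
  resource: string;
  // Condition keys present in the request context, e.g. s3:LocationConstraint.
  context: Record<string, string>;
}

// IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
function globMatch(pattern: string, value: string): boolean {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(value);
}

function conditionHolds(cond: Statement["Condition"], context: Record<string, string>): boolean {
  for (const [op, keys] of Object.entries(cond) as [Operator, Record<string, string | string[]>][]) {
    for (const [key, allowed] of Object.entries(keys)) {
      const values = Array.isArray(allowed) ? allowed : [allowed];
      const actual = context[key];
      if (op === "StringEquals") {
        // A positive operator is false when the key is missing from the request.
        if (actual === undefined || !values.includes(actual)) return false;
      } else {
        // A negated operator is true when the key is missing, so the Deny applies.
        if (actual !== undefined && values.includes(actual)) return false;
      }
    }
  }
  return true;
}

// Returns the Sid of the first Deny statement that matches, or null when the SCP
// does not deny. An SCP never grants anything on its own: null only means the
// request still has to pass the caller's IAM policies.
function scpDenies(req: Request): string | null {
  for (const s of scp.Statement) {
    if (!globMatch(s.Action, req.action)) continue;
    if (!globMatch(s.Resource, req.resource)) continue;
    if (!conditionHolds(s.Condition, req.context)) continue;
    return s.Sid;
  }
  return null;
}

// Constructed sample requests (not captured from a real account).
const scpSamples = {
  bucketInEuWest1: scpDenies({ action: "s3:CreateBucket", resource: "*", context: { "s3:LocationConstraint": "eu-west-1" } }),
  bucketInUsEast2: scpDenies({ action: "s3:CreateBucket", resource: "*", context: { "s3:LocationConstraint": "us-east-2" } }),
  approvedAmi: scpDenies({ action: "ec2:RunInstances", resource: "arn:aws:ec2:us-east-1::image/ami-0000000000000001", context: { "ec2:ImageID": "ami-0000000000000001" } }),
  unapprovedAmi: scpDenies({ action: "ec2:RunInstances", resource: "arn:aws:ec2:us-east-1::image/ami-0bad0bad0bad0bad0", context: { "ec2:ImageID": "ami-0bad0bad0bad0bad0" } }),
};
```

The second statement scopes the Deny to image resources, so `ec2:ImageID` is always present when it is evaluated; if you move the condition onto a statement with `Resource: "*"`, the negated operator fires on every RunInstances resource that lacks the key and blocks all launches.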
2. Component-Level Qualifications
Description: Define requirements and best practices for individual component types within System Initiative.
Examples:
- Ensure all `AWS::S3::Bucket` resources have encryption enabled
- Verify all `AWS::EC2::Instance` resources use specific instance types
- Check that `AWS::RDS::DBInstance` has backup retention configured
Characteristics:
- Detective: Flags non-compliant configurations in the model before you apply them, but does not block the apply
- Soft enforcement: Allows operators to make informed decisions about remediation
- Component-specific: Applied to specific resource types
- Operator-driven resolution: You decide when and how to reconcile flagged issues
Use case: When you want to maintain best practices and standards but need flexibility for operators to handle exceptions or special cases. The system alerts you to potential issues, but you maintain control over the response.
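The three qualifications listed above, written as an added example rather than System Initiative's own code. The result/message return shape is modelled on what a System Initiative qualification function returns, and the property paths follow the CloudFormation resource schemas the AWS assets are generated from; both are assumptions to check against the asset you are qualifying. The approved instance types, the minimum retention and the warning tier for non-KMS encryption are policy choices made for this example.

```typescript
// Added example, not System Initiative's code. Function shape and property
// paths are assumptions (see the lead-in); thresholds are illustrative.

type QualificationResult = "success" | "failure" | "warning";

interface Qualification {
  result: QualificationResult;
  message: string;
}

interface Component {
  kind: string;                 // e.g. "AWS::S3::Bucket"
  domain: Record<string, any>;  // modelled properties of the component (not yet deployed)
}

const APPROVED_INSTANCE_TYPES = ["t3.micro", "t3.small", "m6i.large"]; // assumption
const MIN_BACKUP_RETENTION_DAYS = 7;                                      // assumption

function s3EncryptionQualification(c: Component): Qualification {
  const rules = c.domain.BucketEncryption?.ServerSideEncryptionConfiguration ?? [];
  const algorithms: string[] = rules
    .map((r: any) => r?.ServerSideEncryptionByDefault?.SSEAlgorithm)
    .filter((a: unknown): a is string => typeof a === "string");
  if (algorithms.length === 0) {
    return { result: "failure", message: "No default server-side encryption configured" };
  }
  // A warning, not a failure: the bucket is encrypted, but KMS gives key-policy control.
  return algorithms.includes("aws:kms")
    ? { result: "success", message: `Encrypted with ${algorithms.join(", ")}` }
    : { result: "warning", message: `Encrypted with ${algorithms.join(", ")}; consider aws:kms for key-level control` };
}

function ec2InstanceTypeQualification(c: Component): Qualification {
  const t = c.domain.InstanceType;
  if (typeof t !== "string" || t.length === 0) {
    return { result: "failure", message: "InstanceType is not set" };
  }
  return APPROVED_INSTANCE_TYPES.includes(t)
    ? { result: "success", message: `${t} is an approved instance type` }
    : { result: "failure", message: `${t} is not in the approved list: ${APPROVED_INSTANCE_TYPES.join(", ")}` };
}

function rdsBackupRetentionQualification(c: Component): Qualification {
  const raw = c.domain.BackupRetentionPeriod;
  if (raw === undefined || raw === null || raw === "") {
    return { result: "failure", message: "BackupRetentionPeriod is not set" };
  }
  const days = Number(raw);
  if (!Number.isInteger(days) || days < 0) {
    return { result: "failure", message: `BackupRetentionPeriod is not a whole number of days: ${raw}` };
  }
  if (days === 0) {
    return { result: "failure", message: "Automated backups are disabled (retention 0)" };
  }
  return days >= MIN_BACKUP_RETENTION_DAYS
    ? { result: "success", message: `Backups retained for ${days} days` }
    : { result: "warning", message: `Backups retained for only ${days} days; policy asks for ${MIN_BACKUP_RETENTION_DAYS}` };
}

const QUALIFICATIONS: Record<string, (c: Component) => Qualification> = {
  "AWS::S3::Bucket": s3EncryptionQualification,
  "AWS::EC2::Instance": ec2InstanceTypeQualification,
  "AWS::RDS::DBInstance": rdsBackupRetentionQualification,
};

// Runs the qualification for a component's type. Nothing is blocked here: the
// operator sees the result on the component and decides when and how to remediate.
function qualify(c: Component): Qualification {
  const fn = QUALIFICATIONS[c.kind];
  return fn ? fn(c) : { result: "success", message: `No qualification defined for ${c.kind}` };
}

// Constructed sample components (not taken from a real workspace).
const qualificationSamples: Record<string, Qualification> = {
  plainBucket: qualify({ kind: "AWS::S3::Bucket", domain: { BucketName: "logs" } }),
  kmsBucket: qualify({
    kind: "AWS::S3::Bucket",
    domain: {
      BucketEncryption: {
        ServerSideEncryptionConfiguration: [
          { ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms", KMSMasterKeyID: "alias/logs" } },
        ],
      },
    },
  }),
  bigInstance: qualify({ kind: "AWS::EC2::Instance", domain: { InstanceType: "p4d.24xlarge" } }),
  shortRetention: qualify({ kind: "AWS::RDS::DBInstance", domain: { BackupRetentionPeriod: 1 } }),
};
```

Each function returns a result instead of throwing, which is what makes the layer detective: a failing qualification stays visible on the component while the operator decides whether to fix the model, accept the exception, or escalate it to a preventive control in the layer above.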
3. Control Document Evaluation with AI Agents
Description: Write high-level control documents that describe your compliance requirements, then use AI agents to evaluate your infrastructure against those controls.
Examples:
- "All data at rest must be encrypted"
- "No public internet access to databases"
- "Logging must be enabled for all audit-relevant services"
- "Multi-factor authentication required for privileged access"
Characteristics:
- Compliance-focused: Maps to regulatory frameworks (SOC 2, HIPAA, PCI-DSS, etc.)
- AI-powered evaluation: Agents interpret control language and assess infrastructure
- Detailed reporting: Provides comprehensive reports on control adherence
- Natural language: Write controls in plain English rather than code
Use case: When you need to demonstrate compliance with regulatory requirements or internal security standards. The AI agent evaluates your actual deployed infrastructure and generates reports showing which controls are met and which require attention. Treat those reports as evidence for a reviewer to confirm rather than as proof of compliance: the agent is interpreting natural-language controls, so check its findings before they reach an auditor.
How the Layers Work Together
These three policy layers complement each other to provide defense in depth:
- Native cloud policies prevent the worst violations from ever occurring
- Component qualifications catch configuration drift and suboptimal patterns during design
- Control document evaluation provides ongoing compliance verification and audit reporting
By combining all three layers, System Initiative enables you to build secure, compliant infrastructure while maintaining the flexibility needed for operational efficiency.