ENTERPRISE GOVERNANCE

EntropyX Governance

Multi-cloud identity governance and AI-powered vendor risk assessment in a unified, production-ready platform

Platform Overview

A comprehensive governance solution that unifies identity and access management across Google Workspace, AWS IAM, and Azure AD, while providing AI-driven vendor security assessments, all within a single, production-ready platform built with FastAPI, Next.js, and Claude AI.

  • 3 Cloud Platforms
  • 8 Report Types
  • 15,000+ Lines of Code
  • 100% Production Ready

8 Comprehensive Reports

Access Summary

Real-time visibility into users, groups, permissions, and access patterns

Compliance

Identify non-compliant users with remediation recommendations

Risk Assessment

Security posture scoring with factor analysis and prioritization

Privileged Access

Monitor admin accounts, service accounts, and elevated privileges

Access Anomalies

Detect unusual patterns, after-hours access, and privilege escalation

Group Membership

Analyze group structure, empty groups, and cleanup recommendations

Stale Accounts

Identify dormant accounts with license cost savings calculation

Permission Changes

Complete audit trail of grants, revocations, and modifications

Identity Provider Integrations

Native integrations with the three major cloud identity platforms using Google Admin SDK, boto3, and Microsoft Graph API, providing complete visibility into user access, permissions, and security posture across your entire infrastructure

☁️

Google Workspace

Service account authentication utilizing domain-wide delegation to provide comprehensive directory access across organizational units, enabling complete visibility into user identities, group structures, application permissions, and administrative hierarchies through the Google Admin SDK and Directory API

  • ✓ User sync (email, name, department, manager)
  • ✓ Group sync (name, description, members)
  • ✓ Permission sync (group assignments, roles)
  • ✓ Google Admin SDK + Directory API
☁️

AWS IAM

Programmatic access leveraging IAM read-only permissions to deliver complete account visibility, capturing user identities, group memberships, role assignments, managed and inline policies, credential status, and last activity timestamps through the boto3 SDK with IAMReadOnlyAccess policy attachment for secure, non-invasive infrastructure assessment

  • ✓ User sync (username, ARN, last login)
  • ✓ Group sync (group name, policies)
  • ✓ Role & Policy sync (managed & inline)
  • ✓ boto3 + IAMReadOnlyAccess
☁️

Azure AD

App registration configuration with Microsoft Graph API access permissions to enable enterprise directory integration, synchronizing user principal names, display names, department assignments, security group definitions, group memberships, enterprise application registrations, and service principal configurations through httpx-based API communication for comprehensive Azure Active Directory governance

  • ✓ User sync (UPN, display name, department)
  • ✓ Group sync (name, description, mail)
  • ✓ Permission sync (role assignments, memberships)
  • ✓ Microsoft Graph API + httpx

Comprehensive Report Suite

Six purpose-built reports covering access management, compliance, risk assessment, and security monitoring with FastAPI endpoints and source filtering (All/Google/AWS/Azure) for granular analysis across your multi-cloud environment

Access Summary Report

Comprehensive executive dashboard providing real-time visibility and actionable intelligence across your entire identity infrastructure. Monitor user account distribution, security group memberships, application access patterns, and permission assignments with aggregated statistics spanning AWS IAM, Azure Active Directory, and Google Workspace. Gain immediate insight into your organization's identity posture with dynamic metrics that update as your environment evolves, enabling data-driven decisions for access governance and compliance initiatives.

Compliance Report

Advanced compliance intelligence engine that continuously analyzes user access patterns, permission grants, and authentication behaviors to automatically identify accounts deviating from established security policies and regulatory requirements including SOC 2, ISO 27001, HIPAA, and GDPR. The platform flags users with excessive privileges, dormant accounts, missing multi-factor authentication, or unauthorized access to sensitive resources, then provides contextual, prioritized remediation guidance with specific next steps such as revoking unnecessary permissions, initiating access recertification workflows, or enforcing stronger authentication requirements.

Risk Assessment Report

Sophisticated risk scoring algorithm that evaluates your organization's security posture by analyzing privileged access distribution, dormant accounts, permission sprawl, authentication weaknesses, and policy compliance gaps across all connected identity providers. The engine calculates a comprehensive security risk score with granular factor analysis, breaking down contributions from each risk category by severity and impact. This enables security teams to prioritize remediation efforts based on quantifiable risk reduction potential while generating audit ready documentation for compliance reporting.

Privileged Access Report

Comprehensive privileged account monitoring system that maintains continuous visibility into all administrative credentials across your multi-cloud environment, including human administrator accounts, service accounts, API keys, and system identities with elevated permissions. The platform automatically tracks privilege usage patterns, identifies dormant administrative access that hasn't been utilized within defined timeframes, detects excessive permissions granted beyond role requirements, and flags service accounts with overly broad privileges or missing rotation policies. Security teams receive detailed inventories of all privileged identities with usage analytics and risk assessments, enabling proactive management of high-risk accounts.

Access Anomalies Report

Intelligent anomaly detection system that continuously monitors user behavior and access patterns across all identity providers to identify deviations from established baselines including after-hours access, geographic anomalies, unusual resource requests, and privilege escalation attempts. Each detected anomaly receives an automated severity score based on risk factors such as data sensitivity, user role, and behavioral context, enabling security teams to prioritize investigations efficiently. The platform aggregates anomaly statistics by department and business unit, revealing organizational access trends and highlighting teams with elevated risk profiles that may require additional security awareness training or policy enforcement.

Group Membership Report

Advanced group intelligence analysis that evaluates security group compositions, role assignments, and membership hierarchies across all connected identity providers to identify structural inefficiencies and security risks. The system performs size analysis to flag oversized groups with excessive membership, detects nested group complexities that obscure effective permissions, and identifies redundant or obsolete groups lacking active members or purpose. Security teams receive prioritized cleanup recommendations including specific groups to consolidate, memberships to revoke, and organizational structures to optimize, transforming group management from reactive administration into strategic access architecture.

Operational Intelligence & Real-Time Monitoring

Executive dashboards, instant user lookup capabilities, and security alerting to provide visibility into identity posture, enable rapid investigation workflows, and detect potential security issues across your multi-cloud infrastructure

Executive Dashboard

Centralized view aggregating key metrics from multiple report endpoints including total user counts, active versus inactive account ratios, compliance percentage scores, security risk scores, and detected anomaly counts. The dashboard fetches data in parallel from access summary, compliance, risk assessment, stale accounts, permission changes, and access anomalies reports to provide leadership with consolidated visibility. High-priority issues are displayed with severity indicators including critical alerts for stale accounts over 90 days inactive, missing manager assignments, and privileged access grants. Manual refresh button updates all metrics on demand.

User Lookup & Investigation

Cross-platform user search functionality by email address that queries the database to retrieve complete identity profiles from Google Workspace, AWS IAM, and Azure Active Directory. Results display user information including email, display name, department, manager email, source platform, active status, last login timestamp, and account creation date. The system aggregates associated permissions with permission types and levels, security group memberships, and application access grants. One-click JSON export generates downloadable user access reports containing all retrieved data suitable for audits or investigations.

Security Alerts & Monitoring

Alert generation system that queries the database for potential security issues including stale accounts (users inactive for 90+ days), missing manager assignments for active users, and administrative permission grants. Alerts are categorized by severity into critical (administrative permissions), warning (stale accounts), and info (missing managers), with each alert containing user email, source platform, timestamp, and description. Users can acknowledge alerts to dismiss them from the active queue. The alerts view includes filtering by severity level (all, critical, warning, info) and optional display of previously acknowledged alerts. Auto-refresh polling queries the backend every 30 seconds for updated alerts.
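
The alert rules described above, sketched as an added example (not EntropyX's own code). The `User` record shape, the `build_alerts` function, the "admin" permission label, the treatment of never-logged-in accounts as stale, and the sample users are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=90)  # page: "users inactive for 90+ days"
ORDER = {"critical": 0, "warning": 1, "info": 2}

@dataclass
class User:  # hypothetical record shape, not the platform's schema
    email: str
    source: str                     # "google" | "aws" | "azure"
    active: bool
    last_login: Optional[datetime]
    manager_email: Optional[str]
    permission_levels: tuple = ()

def build_alerts(users, now, acknowledged=frozenset(), severity="all"):
    """Return unacknowledged alerts, most severe first."""
    found = []
    for u in users:
        # critical: administrative permission grants ("admin" label is assumed)
        if any(p.lower() == "admin" for p in u.permission_levels):
            found.append(("critical", "admin_permission", u))
        # warning: enabled account idle 90+ days; no login at all counts as stale
        if u.active and (u.last_login is None or now - u.last_login >= STALE_AFTER):
            found.append(("warning", "stale_account", u))
        # info: active user with no manager assigned
        if u.active and not u.manager_email:
            found.append(("info", "missing_manager", u))
    alerts = [
        {"severity": s, "kind": k, "email": u.email, "source": u.source,
         "timestamp": now.isoformat()}
        for s, k, u in found
        if (k, u.email, u.source) not in acknowledged and severity in ("all", s)
    ]
    return sorted(alerts, key=lambda a: (ORDER[a["severity"]], a["email"]))

# Constructed sample data
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
SAMPLE = [
    User("root@example.com", "aws", True, NOW - timedelta(days=2), "cio@example.com", ("admin",)),
    User("old@example.com", "google", True, NOW - timedelta(days=120), "lead@example.com"),
    User("new@example.com", "azure", True, NOW - timedelta(days=1), None),
    User("svc@example.com", "aws", True, None, None, ("Admin", "read")),
]
```

Keying acknowledgements on (kind, email, source) keeps a dismissed stale-account alert from also hiding a later admin-grant alert for the same user.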

AI-Powered Vendor Risk Assessment

Automated security questionnaire analysis using Claude Sonnet 4.5 to extract structured Q&A pairs with PyPDF2, python-docx, and openpyxl parsers, calculate risk scores using a sophisticated algorithm, and generate compliance flags across 11 security domains

Multi-Format Support

PDF questionnaires (PyPDF2), Word documents (python-docx), Excel spreadsheets (openpyxl) with automatic format detection and 10MB file limit

AI Extraction Engine

Claude Sonnet 4.5 integration with structured JSON output, automatic Q&A pair extraction, and category classification across 11 domains

Risk Scoring Algorithm

Base score of 100 points with critical deductions (-15 to -25), high severity (-8 to -12), medium issues (-5), and bonus points for certifications (+2 to +3)

11 Security Categories

Access Control

MFA, password policies, RBAC

Encryption

Data at rest, in transit, key management

Incident Response

IR plans, playbooks, procedures

Data Protection

Backup, retention, DLP

Compliance

SOC 2, ISO 27001, GDPR, HIPAA

Network Security

Firewalls, IDS/IPS, segmentation

Application Security

SAST, DAST, pen testing

Physical Security

Data center controls, access logs

Business Continuity

DR plans, RTO/RPO, testing

Third Party Risk

Vendor management, contracts

Other

General security questions

Technical Architecture

Production-ready full-stack platform built with modern technologies including FastAPI with async SQLAlchemy ORM, Next.js 14 with TypeScript for type safety, and enterprise-grade security practices with AES-256 encryption, CORS protection, and comprehensive input validation

Backend (Python 3.11+)

FastAPI, SQLAlchemy, Pydantic, Anthropic Claude, google-api-python-client, boto3, httpx, PyPDF2, python-docx, openpyxl

Frontend (Next.js 14)

React 18, TypeScript, TailwindCSS, Axios, Lucide React, Next.js App Router with file-based routing

Database & Security

SQLite (dev), PostgreSQL (prod), AES-256 Encryption, CORS Protection, Input Validation, SQL Injection Prevention

Database Schema

access_users

User identities across all platforms

access_groups

Group definitions and metadata

access_applications

Application registrations and risk levels

access_permissions

Permission mappings and assignments

access_campaigns

Access review campaign management

access_reviews

Individual review tracking and status

uploads

Vendor questionnaire file metadata

results

Vendor risk assessment results

  • 25+ Python Files
  • 13 TypeScript Components
  • 30+ API Endpoints
  • 8 Database Tables

Compliance & Standards Support

Built-in support for major compliance frameworks with report mappings, audit-ready documentation, and specific control references for SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR, NIST CSF, FedRAMP, CIS Controls, and CMMC implementations

  • ✓ SOC 2
  • ✓ ISO 27001
  • ✓ PCI-DSS
  • ✓ HIPAA
  • ✓ GDPR
  • ✓ NIST CSF
  • ✓ FedRAMP
  • ✓ CIS Controls
  • ✓ CMMC
  • ✓ CCPA
  • ✓ FISMA
  • ✓ CSA STAR

Framework Mappings

SOC 2 Type II

Quarterly privileged access reviews, access certifications, continuous monitoring, and evidence generation for audit compliance

ISO 27001

Controls A.9 Access Control, A.12.4 Logging with access summary, group membership, and campaign tracking for audit evidence

PCI-DSS

Requirements 7.1, 7.2, 8.1 for access control with privileged access reports and risk assessment documentation

HIPAA

HIPAA Security Rule §164.308(a)(3) and §164.308(a)(4) for workforce access management, access authorization, and minimum necessary access controls

GDPR

Article 32 Technical and Organizational Measures with access transparency, data subject rights, and regular access review documentation

NIST CSF

Functions Identify, Protect, Detect with asset management, anomaly detection, and risk assessment capabilities

FedRAMP

AC-2 Account Management and AC-6 Least Privilege controls for federal cloud authorization with automated access reviews and privilege monitoring

CIS Controls v8

Control 5.1 Establish and Maintain an Inventory of Accounts and Control 6.1 Establish Access Control Policies for privileged account management

CMMC Level 2

AC.L2-3.1.1 through AC.L2-3.1.22 access control practices for Department of Defense contractors with role-based permissions and session management

CCPA

§1798.100(d) Business purpose disclosures and §1798.150 Security procedures with vendor risk assessments, data access controls, and consumer rights management

FISMA

Built on NIST 800-53 controls AC-2, AU-6, CA-7 for federal information security with continuous monitoring, access management, and audit capabilities

☁️

CSA STAR

Cloud Controls Matrix IAM-01 through IAM-11 and GRC-02 for cloud identity governance with multi-cloud access management and risk assessment