Features
What the ledger records.
Guardrail Ledger tracks Azure guardrail drift — policy assignments, exemptions, RBAC, and tags — against a stored baseline. Each deviation can be accepted with an owner, approver, and expiry on file so auditors see who signed off, not just what changed.
- Azure Policy drift: Daily diff of policy assignments and exemptions against the last baseline, per subscription and scope.
- RBAC drift: Role assignment changes are compared daily so access drift surfaces with the scope where it landed.
- Tag drift: Resource-tag changes are tracked against the baseline so tagging drift is visible alongside policy and RBAC.
- Defender for Cloud mapping: Recommendations arrive with the control name they affect, not a raw recommendation ID, plus landing-zone deviation flags.
- Exposure pattern detection: Public IPs, internet-facing storage accounts, and widened Key Vault access are flagged against ISO 27001:2022 A.8.20.
- Exception ledger: Every accepted deviation gets an owner, approver, expiry date, and reason of record — mapped to CIS Azure Foundations and ISO 27001:2022 A.8.9.
- ITSM drift digest: New deviations from the daily scan open tickets in your ITSM so routing and ownership start at detection.
- Monthly audit packs: Signed exports are written to Cloudflare R2 with time-limited download URLs — drift history and sign-off records in one file.
- Read-only collectors: Assisted collectors read Azure Policy, exemptions, RBAC, and tags. Nothing is written back to your Azure estate.
How it works.
- Connect your subscriptions: Assisted collector setup grants read access to Azure Policy, exemptions, RBAC, and tags. Nothing is written back to your estate.
- Drift is detected and routed: Each scan compares current state to the last baseline. New deviations and Defender findings map to controls, and the drift digest opens ITSM tickets.
- Exceptions and audit records land: Accepted deviations enter the exception ledger with owner, approver, and expiry. At month end, a signed audit pack is ready for your auditor.
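As an added illustration of the detect-and-route step above (this is not Guardrail Ledger's own code), the snippet below diffs a constructed set of Azure role assignments against a stored baseline, then checks each deviation against an exception ledger so that only deviations with a current owner/approver/expiry on file are treated as accepted; everything else, including deviations whose exception has expired, is left open for a ticket. The assignments, scopes and ledger entries are constructed sample data; the same pattern applies to policy assignments and tags.

```python
"""Baseline diff of Azure role assignments plus exception-ledger routing (added example)."""
from datetime import date

# Constructed sample: role assignments keyed by (principal, role, scope).
BASELINE = {
    ("alice@example.com", "Reader", "/subscriptions/sub-1"),
    ("ci-sp", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-app"),
}
CURRENT = {
    ("alice@example.com", "Reader", "/subscriptions/sub-1"),
    ("ci-sp", "Owner", "/subscriptions/sub-1/resourceGroups/rg-app"),   # privilege widened
    ("bob@example.com", "Contributor", "/subscriptions/sub-1"),          # new assignment
}
# Constructed exception ledger: one accepted deviation with owner, approver, expiry and reason.
EXCEPTIONS = [
    {"key": ("bob@example.com", "Contributor", "/subscriptions/sub-1"),
     "owner": "platform-team", "approver": "ciso",
     "expiry": date(2025, 1, 31), "reason": "tenant migration"},
]


def diff_role_assignments(baseline, current):
    """Return assignments that appeared or disappeared since the baseline."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


def route_drift(drift, exceptions, today):
    """Split deviations into accepted (unexpired exception on file) and open (needs a ticket)."""
    by_key = {e["key"]: e for e in exceptions}
    accepted, open_items = [], []
    for change in ("added", "removed"):
        for key in drift[change]:
            exc = by_key.get(key)
            if exc is not None and exc["expiry"] >= today:
                accepted.append((change, key, exc["owner"], exc["approver"], exc["expiry"]))
            else:
                status = "exception expired" if exc else "no exception on file"
                open_items.append((change, key, status))
    return {"accepted": accepted, "open": open_items}


if __name__ == "__main__":
    result = route_drift(diff_role_assignments(BASELINE, CURRENT), EXCEPTIONS, date(2025, 1, 15))
    for item in result["open"]:
        print("TICKET:", item)
    for item in result["accepted"]:
        print("ACCEPTED:", item)
```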
Start tracking guardrail drift.
Connect your Azure subscriptions, record exceptions with approvers on file, and hand auditors a signed monthly pack.