Cloud isn't SaaS, but governance tools keep pretending it is
In a SaaS app, access is simple. There's a finite list of entitlements. "Salesforce Admin." "Jira Reporter on Project X." They sync into your governance platform once, and when someone needs access, they're pointed to the right row.
Cloud infrastructure works nothing like that. In cloud platforms like Azure, role-based access control (RBAC) is expressed as a pairing of a role and a scope: Contributor on a subscription, Reader on a management group, Key Vault Secrets User on a single vault. A role granted at a parent scope flows down to every resource beneath it. The set of valid combinations is the product of every role times every scope, and in an enterprise tenant that number can be enormous. Customers may sync over 1 million Azure entitlements covering only subscriptions and management groups. Full coverage of their environment would produce roughly 50 million combinations.
Most identity tools were built on the SaaS assumption. This is where traditional identity governance and administration (IGA) patterns and many Cloud Infrastructure Entitlement Management (CIEM) approaches face a challenge. When they meet a cloud tenant, they take one of two approaches: flatten the hierarchy into rows, or simplify it by limiting what gets synced. Both create problems, and those problems compound as enterprises deploy AI agents that need governed access to the same hierarchy.
Current approaches have a cost
The first cost is precision. Tools that flatten the hierarchy pre-materialize every role-scope combination into a row, stripping the parent-child relationships that define what a grant actually means. A requester scrolling a flat list of thousands of identical-looking entitlements can't tell the difference between Contributor at a subscription and Contributor at a resource group three levels down. They request more than they need because the tool can't express anything narrower.
Tools that simplify take the opposite approach: they cap how many subscriptions they read or filter scopes before sync. The hierarchy becomes manageable but only because parts have been carved out. What you don't sync, you can't grant or govern precisely. Either way, the result is overpermissioned access and visibility gaps.
Now add AI agents. An agent that needs read access to one storage account in one resource group shouldn't end up with Contributor on the entire subscription. But when your governance tool can't represent the hierarchy, broad grants become the path of least resistance for agents and humans alike. And the blast radius of a compromised AI agent identity depends entirely on how precisely its permissions were scoped.
Reviews are another cost. Picture a quarterly access review at an enterprise with one subscription, 80 resource groups, around 3,500 resources, and a dozen role bindings spanning the hierarchy. Flattened, that's roughly 42,000 line items. No reviewer evaluates 42,000 items. They bulk-approve to get through it.
The third cost is sync. Pre-materializing millions of role-and-scope combinations is slow, and at the top end can fail outright. Filtered approaches avoid this by ingesting less data, but that circles back to the first cost: you've traded sync performance for blind spots.
Store the hierarchy. Compute access on demand.
The fix is to stop pretending cloud access is flat.
C1 stores access as a binding: a principal, human or agent, tied to a role at a scope, with inheritance and conditions intact. Instead of enumerating every combination upfront, C1 keeps the resource hierarchy (management groups, subscriptions, resource groups, resources) and the roles available at each level, then computes effective access on demand. The entitlement is constructed when it's actually requested or granted, not pre-built and stored millions of times over.
This mirrors how cloud infrastructure grants access natively, so the model in your governance platform matches the model in the console your engineers already administer. Understanding what a grant at a parent scope means three levels down is no longer a puzzle. It's a model precise enough to scope an agent's access to exactly the resources it needs rather than the subscription its owner happens to have. This eliminates the blind spots without sacrificing precision.
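As an added illustration (not C1's code or data model), the following Python sketch models the approach described above: bindings are stored as (principal, role, scope), the scope tree is kept as a parent map, and effective access is computed on demand by walking a scope's ancestor chain. The hierarchy, principal names and bindings are constructed; it also counts the rows a flattening tool would have to materialize for the same bindings, and the blast radius of each identity.

```python
# Added example, not ConductorOne code. Minimal Azure-style RBAC model:
# a role granted at a parent scope is inherited by every descendant scope,
# so effective access is derived from the stored hierarchy, not pre-built rows.

# Constructed sample hierarchy: scope -> parent scope (None for the root).
# Paths are simplified stand-ins for Azure resource IDs.
PARENT = {
    "/mg/corp": None,
    "/mg/corp/sub/prod": "/mg/corp",
    "/mg/corp/sub/prod/rg/web": "/mg/corp/sub/prod",
    "/mg/corp/sub/prod/rg/web/st/logs": "/mg/corp/sub/prod/rg/web",
    "/mg/corp/sub/prod/rg/data": "/mg/corp/sub/prod",
    "/mg/corp/sub/prod/rg/data/kv/secrets": "/mg/corp/sub/prod/rg/data",
}

# Constructed bindings: (principal, role, scope). The human engineer is a
# Contributor on the whole subscription; the agent reads one Key Vault only.
BINDINGS = [
    ("alice", "Contributor", "/mg/corp/sub/prod"),
    ("auditor", "Reader", "/mg/corp"),
    ("deploy-agent", "Key Vault Secrets User",
     "/mg/corp/sub/prod/rg/data/kv/secrets"),
]

def ancestors(scope):
    """Yield the scope itself, then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def effective_roles(principal, scope, bindings=BINDINGS):
    """Roles a principal holds at `scope`, including ones inherited from above."""
    chain = set(ancestors(scope))
    return sorted({r for p, r, s in bindings if p == principal and s in chain})

def descendants(scope):
    """All scopes at or below `scope` (a grant there flows down to each)."""
    return [s for s in PARENT if scope in ancestors(s)]

def blast_radius(principal, bindings=BINDINGS):
    """Every scope the principal can touch if its credential is compromised."""
    return sorted({d for p, _, s in bindings if p == principal
                   for d in descendants(s)})

def flattened_rows(bindings=BINDINGS):
    """Rows a flattening tool materializes: one per (binding, descendant scope)."""
    return sum(len(descendants(s)) for _, _, s in bindings)
```

With three stored bindings, the flattened view already needs twelve rows, and the agent's blast radius is the single vault it was scoped to.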
The work becomes manageable even as requests grow
Requesters ask for the right thing. Instead of scrolling a flat list of identical-looking entitlements, end users navigate the resource tree, pick a scope, and pick a role, with breadcrumbs showing the way. An AI agent's access is scoped to a specific resource group with a specific role via C1 MCP, with permissions that can be tighter than the human running it.
Just-in-time access is scoped precisely. A developer requests JIT access to a production resource group for a four-hour deploy window. An agent gets read access to a single Key Vault for the duration of a pipeline run. Both go through the same approval workflow, the same policy engine and audit trail, and expire automatically.
Reviewers make real decisions. That quarterly review with 42,000 flattened rows becomes a manageable handful of bindings, each showing its scope and what it grants downstream. A meaningful review that covers both human and agent access finishes in under an hour.
Lifecycle automation follows the tree. When someone joins, changes roles, or leaves, their cloud access provisions, updates, or revokes across the hierarchy based on policy. When an agent is redeployed to a different scope or decommissioned, the same automation applies.
All of it runs on one platform: cloud IaaS and SaaS, humans and agents, same requests, same reviews, same lifecycle rules.
Building infrastructure for the future
Every company navigating the AI transition is also a company where cloud entitlement governance is foundational infrastructure. Agents reach into cloud resources, and every resource they touch is a permission that needs to be precisely scoped, time-bound, and revocable. The companies that get this right will deploy AI faster, with less risk, because access isn't the bottleneck or the liability. The companies that don't will either slow down AI adoption to stay safe, or speed it up and accumulate risk they can't see.
A data model that stores the hierarchy and computes access on demand is what makes it possible to govern both sides of this transition. This means human access at enterprise scale and agent access at the precision that least privilege actually demands.
Want to learn more? Book a demo to see it in action.