The five axes
- Observation — what fraction of tool calls flow through Inviolet’s intent extractor
- Identity — how rich is the user/role context attached to each intent
- Policy — how much of your access policy is declared vs. inferred from history
- Enforcement — how many denials translate to actual blocks vs. shadow-mode warnings
- Credential standing — how many database credentials are short-lived (intent-bound) vs. long-lived (standing)
The five levels
| Level | Theme | What changes |
|---|---|---|
| L1 — Observe | ”What’s happening?” | Gateway installed; query patterns learned |
| L2 — Test | ”Would the policy hold up?” | Shadow-mode policy evaluations |
| L3 — Enforce | ”Live denials” | Policy decisions block real queries |
| L4 — Surround | ”Tokens + credentials follow purpose” | Vault binding, Okta hooks, DB proxy |
| L5 — Scale | ”It just works” | Multi-org, automation, anomaly response |
Composite scoring
The dashboard shows your floor across all five axes, plus per-axis detail. Climbing one axis without the others moves your composite zero. For example: if you’ve reached L4 on Observation but L1 on Credential Standing, your composite is L1. The lesson: most orgs benefit more from moving the floor up one level than from over-investing in one axis.Where to start
Most teams enter at L1 across all five axes (gateway installed, no policy, no Vault, no DB proxy). The right next step is usually:- Connect your IdP — moves Identity from L1 → L2
- Declare your first purpose — moves Policy from L1 → L2
- Run shadow mode for two weeks — proves the policy holds without breaking anything
- Flip enforcement on for that one purpose — moves Enforcement L1 → L3
- Repeat for the next purpose
Read next
- Generalize from observation — the workflow for graduating purposes from L1 to L3
- Tier comparison — which Inviolet tier unlocks which axis