Positioning

CIEM measures the gap between the permissions an identity holds and the permissions it actually exercises. SIEM collects and correlates security events over time. Permafrost is built for the first job, on Microsoft Cloud only, and treats every signal that does not answer a permission-posture question as out of scope.

Permission posture

The two disciplines are adjacent and complementary. They are not interchangeable.

Every Permafrost signal answers a permission-posture question: who can do what they should not be able to do. A SIEM tells you what already happened. A CIEM tells you what could happen if a credential were abused. Permafrost does not try to do the SIEM job, and a SIEM does not do the CIEM job well.

What makes a CIEM purpose-built for Azure

A multi-cloud CIEM has to settle for a lowest-common-denominator model that fits AWS IAM, GCP IAM, and Azure RBAC at the same time. That costs fidelity: Azure-specific signals get discarded because they have no equivalent in the other clouds.

A single-cloud Azure CIEM has no such constraint. The seven capabilities below are signals a single-cloud tool models end-to-end without flattening.

  • PIM-aware analysis. Eligible-versus-active assignments treated as separate signals, not collapsed into one.
  • Entra directory role coverage. Directory-side admin roles modelled with the same rigor as ARM RBAC, not as a footnote.
  • Administrative unit scoping. Scope-aware queries respect AU boundaries so findings match the customer's delegation model.
  • Conditional Access context. Risk signals folded into the per-identity picture, not hidden behind a separate console.
  • ARM activity-log integration. Every permission-gap finding can point to the control-plane log row that shows an assignment being exercised, or to the absence of any such row over the retained log window. The activity log records ARM (control-plane) operations only, so a finding says nothing about data-plane use.
  • Agent identity discovery. AI agents and copilot identities discovered alongside users and service principals, because modern Azure tenants have both.
  • Custom role generation. Least-privilege custom Azure roles exported as ARM, Bicep, or Terraform, ready for change-managed deployment.
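The computation the capabilities above describe, granted permissions joined against control-plane activity with PIM-eligible assignments kept apart and a least-privilege custom role drafted from the observed operations, as an added example. This is not Permafrost code; the record shapes, principals, scopes and log rows are constructed for the example, and the role-definition JSON shape follows the Azure CLI custom-role format.

```python
import json
import re
from collections import defaultdict

# Constructed sample data (assumption): simplified records carrying only the
# fields a CIEM needs from the role-definition, role-assignment and activity-log APIs.
ROLE_DEFINITIONS = {
    "reader": {"actions": ["*/read"], "notActions": []},
    "vm-contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/read"],
        "notActions": [],
    },
    "contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"],
    },
}

# eligible=True marks a PIM-eligible assignment: it must be activated before use,
# so it is never standing access and is reported separately from active assignments.
ROLE_ASSIGNMENTS = [
    {"id": "ra-1", "principal": "alice@contoso.example", "role": "contributor",
     "scope": "/subscriptions/sub1/resourceGroups/rg-app", "eligible": False},
    {"id": "ra-2", "principal": "alice@contoso.example", "role": "reader",
     "scope": "/subscriptions/sub1", "eligible": False},
    {"id": "ra-3", "principal": "bob@contoso.example", "role": "vm-contributor",
     "scope": "/subscriptions/sub1/resourceGroups/rg-app", "eligible": False},
    {"id": "ra-4", "principal": "sp-deploy", "role": "contributor",
     "scope": "/subscriptions/sub1", "eligible": True},
]

# Constructed control-plane (ARM) activity-log rows. Only a Succeeded row proves an
# action was exercised; data-plane operations never appear here at all.
ACTIVITY_LOG = [
    {"caller": "alice@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"caller": "alice@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/read",
     "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/st1"},
    {"caller": "alice@contoso.example", "status": "Failed",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/x"},
]


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters, '/' included; case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role_id: str, operation: str) -> bool:
    """An operation is granted when some action matches and no notAction matches."""
    role = ROLE_DEFINITIONS[role_id]
    allowed = any(action_matches(p, operation) for p in role["actions"])
    denied = any(action_matches(p, operation) for p in role["notActions"])
    return allowed and not denied


def in_scope(scope: str, resource_id: str) -> bool:
    """Assignments inherit downward: a subscription-scope assignment covers every resource under it."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def permission_gap(assignments, log):
    """Map each assignment id to 'used' (with the rows that prove it), 'unused', or 'eligible'."""
    used = defaultdict(list)  # caller -> successful (operationName, resourceId) pairs
    for row in log:
        if row["status"] == "Succeeded":
            used[row["caller"]].append((row["operationName"], row["resourceId"]))
    report = {}
    for a in assignments:
        if a["eligible"]:
            report[a["id"]] = {"status": "eligible", "evidence": []}
            continue
        # A row counts as evidence for every active assignment that could have authorised it.
        evidence = [(op, rid) for op, rid in used[a["principal"]]
                    if in_scope(a["scope"], rid) and role_permits(a["role"], op)]
        report[a["id"]] = {"status": "used" if evidence else "unused", "evidence": evidence}
    return report


def least_privilege_role(name: str, assignment, report):
    """Draft a custom role whose Actions are exactly the control-plane operations observed for the assignment."""
    actions = sorted({op for op, _ in report[assignment["id"]]["evidence"]})
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"Observed operations for {assignment['principal']} ({assignment['id']})",
        "Actions": actions,
        "NotActions": [],
        "DataActions": [],  # data-plane use is invisible in the activity log; never infer it from absence
        "NotDataActions": [],
        "AssignableScopes": [assignment["scope"]],
    }


if __name__ == "__main__":
    gap = permission_gap(ROLE_ASSIGNMENTS, ACTIVITY_LOG)
    for ra_id, entry in gap.items():
        print(ra_id, entry["status"], len(entry["evidence"]), "evidence rows")
    print(json.dumps(least_privilege_role("rg-app-operator", ROLE_ASSIGNMENTS[0], gap), indent=2))
```

On the constructed data, alice's Contributor assignment at rg-app and her Reader assignment at the subscription both explain the storage read, so the same row is evidence for both; bob's Virtual Machine Contributor assignment has no supporting rows and is reported unused; the PIM-eligible assignment is neither used nor unused, which is exactly the distinction that keeps a just-in-time elevation from being mistaken for standing access. The failed role-assignment write is discarded as evidence, which is also why Contributor's notActions on Microsoft.Authorization never show up in the drafted role.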

What Permafrost does not try to be

Honest scoping is part of the product. None of the items below are future-roadmap promises.

  • Not a SIEM. For event detection, log retention, and incident-investigation log analytics, use a dedicated SIEM platform.
  • Not a CSPM. For resource-configuration drift, network exposure, and compliance benchmarks against the resource plane, use a dedicated CSPM platform.
  • Not an IGA. For joiner-mover-leaver lifecycle, attestation campaigns, and HR-system integration, use a dedicated identity-governance platform.
  • Not a PAM. For session brokering, credential vaulting, and just-in-time elevation gates, use a dedicated privileged-access management platform.
  • Not multi-cloud. Permafrost covers Microsoft Cloud only. AWS, GCP, and on-prem are out of scope. This is a deliberate focus, not a roadmap gap.

Where Permafrost wins on merit

Positioning is not a comparison scorecard. It is the set of things Permafrost does because it is built for Microsoft Cloud and nothing else.

  • Microsoft-Cloud-deep. Azure RBAC, Entra directory roles, and the Microsoft 365 control planes modelled with their real semantics, not flattened into a lowest-common-denominator multi-cloud schema.
  • Evidence-first. Every permission-gap finding points to the ARM activity-log rows that show an assignment being exercised, or to the measured absence of any such row over the retained log window. That is a finding a security team can defend to a change board.
  • PIM-aware. Eligible and active assignments treated as separate signals, so a just-in-time elevation is not mistaken for standing access.
  • NHI-inclusive. Non-human identities (service principals, managed identities, and the agent-identity class) discovered and classified by origin alongside users.
  • Zero standing write. Permafrost holds no write-capable token to any customer tenant. Remediation runs through one of three customer-chosen modes, never a persisted credential.