Enforce what policy says in every downstream system.

Enforcement

Grants and revokes happen in real systems.

Zoth does not stop at policy decisions. Connectors execute grants and revokes in downstream platforms, read state back, and surface drift when observed access diverges from expected state.

  • Native integrations for GitHub, Azure, Notion, and more
  • Grant and revoke execution in downstream platforms
  • Drift detection from expected vs actual access state
  • Alerting via email, webhooks, and in-app notifications
  • Audit records for grants, revokes, drift events, and decisions
94%state match rate
<5mdrift detection
6native connectors
Connectors

Native integrations for the systems you use.

Each connector speaks the native API of its target system. GitHub team memberships, Azure role assignments, Notion workspace permissions—real operations, not generic SCIM.

GitHub
Azure
Notion
AWS
Okta
Google Cloud
DRIFT EVENTS
GitHuborg/prod-adminno_accessmember
Azuresubscription/readermembermember
Notionworkspace/editormemberadmin
Last sync: 2 minutes ago
1 critical
1 warning
Capabilities

The enforcement loop closes automatically.

Execute, verify, detect, remediate. Each step happens without manual intervention. Policy-aligned access stays clean; drift surfaces before it becomes standing privilege.

Downstream Execution

Grants and revokes execute in real systems. Not a recommendation—actual role assignments, group memberships, and permission changes.

State Readback

Connectors read access state from downstream systems. The control plane compares expected grants against actual assignments continuously.

Drift Detection

When observed access diverges from expected state, drift events surface immediately. Standing privilege doesn't have time to settle.

Remediation Actions

Drift triggers remediation workflows. Auto-revoke, alert owner, or escalate to security—policy decides the response.

Reconciliation

Compare expected state against observed state.

The reconciliation service runs continuously. It compares what the control plane expects against what connectors observe in downstream systems. Mismatches become drift events with full context for remediation.

Expected State

Control plane records active grants and their expiry

Connector Readback

Connectors query downstream systems for current state

State Comparison

Reconciler compares expected vs observed for each resource

Drift Event

Mismatch triggers drift event with severity and context

Remediation

Auto-revoke, alert, or escalate based on policy response

FIG. 3.1 / Connector Actionsgrant, readback, revoke

Enforcement is shown as three concrete connector operations, not a generic dashboard: Azure review settings, GitHub provisioning, and Notion workspace access.

Access review
User groups
Role assignments
Subscriptions
Review
View more
Azure

Enforce directory roles, group access, and subscription-level approvals.

$ zoth provision-user

Adding user to org/engineering
Team access: write permissions
GitHub

Apply repository access, team memberships, and org permissions.

+ Request workspace access...
New user
Pending review
Approved
View all
Notion

Provision workspace access and page-level permission changes.