AWS Verified Permissions Lacks Cross-Cloud Governance Substrate

by Nick Clark | Published April 25, 2026 | PDF

AWS Verified Permissions delivers a managed authorization plane built on the open-source Cedar policy language, allowing SaaS application teams to externalize fine-grained permission decisions from application code into a declarative policy store. The service evaluates principal-action-resource-context requests against Cedar policies and returns a permit or deny decision with low latency inside an AWS region. While the engine is technically excellent for in-cloud authorization, it cannot serve as a governance substrate that admits authority claims, weights evidence, and records lineage across heterogeneous cloud, on-premises, and partner-tenant boundaries. The architectural element it lacks, a five-property governance chain spanning authority-credentialed observation, evidential weighting, composite admissibility, governed actuation, and lineage-recorded provenance, is precisely what the Adaptive Query governance-chain primitive contributes. This article maps the gap and shows the composition pathway through which a Verified Permissions deployment can be lifted into a cross-cloud, evidence-grade authorization fabric.


Vendor and Product Reality

AWS Verified Permissions launched in 2023 as a fully managed authorization service that uses the Cedar policy language to express permissions for customer-built applications. Cedar itself is an open-source domain-specific language designed by AWS for authorization, supporting role-based, attribute-based, and relationship-based access control patterns within a single policy syntax. Customer adoption clusters around B2B SaaS multi-tenant platforms, identity-aware API gateways, and applications migrating off home-grown authorization sprawl into a centralized, auditable policy store.

Architecturally, Verified Permissions exposes a low-latency IsAuthorized API that takes a principal, action, resource, and context (plus any entity data the policies reference) and evaluates them against the Cedar policies held in a policy store, which multi-tenant applications commonly provision one per tenant. A companion IsAuthorizedWithToken call accepts Amazon Cognito (or other OIDC) tokens directly as the principal assertion, and API Gateway and AppSync enforce decisions at the request boundary through Lambda authorizers that call the service. Policies are validated against the store's Cedar schema, can be kept under version control through infrastructure-as-code, and can be tested offline against synthetic principals with the open-source Cedar tooling before deployment, which materially reduces the failure modes that historically afflicted hand-rolled IAM checks scattered across microservices.

Real customers, including SaaS vendors building tenant-isolated B2B platforms, healthcare ISVs, and federal-adjacent contractors, adopt Verified Permissions to satisfy SOC 2 and FedRAMP authorization-control objectives without standing up a self-managed OPA cluster. The service handles policy storage, evaluation, and decision logging within the AWS trust boundary; authorization calls can be recorded as CloudTrail data events when that logging is enabled. Its operational center of gravity, however, remains the AWS account: Verified Permissions does not natively reach across to Azure, GCP, on-premises Kubernetes, or partner SaaS estates as a single governing authority.

The Architectural Gap

The structural property Verified Permissions does not provide is a governance substrate that admits authority claims from heterogeneous credentialing domains and binds those admissions to a tamper-evident lineage record. Cedar evaluates a static policy against an asserted principal; it does not interrogate the chain of custody by which that principal's attributes were observed, weighted, and admitted into the decision context. When a request originates from a partner tenant whose identity provider sits outside Cognito, or when an attribute was synthesized by an upstream ML service whose provenance is opaque, the IsAuthorized call has no architectural slot in which to record evidential weight or to refuse on admissibility grounds. Weights or provenance markers could be passed to Cedar as context attributes, but the engine would treat them as just more asserted values; verifying who produced an attribute, under which credential, and how fresh it is has to happen before policy evaluation, outside the engine.

This becomes acute in cross-cloud deployments. A regulated workload spanning AWS, Azure, and a private datacenter must reconcile authorization decisions made under three distinct credentialing regimes, each with its own logging substrate and its own definition of an authoritative attestor. Verified Permissions can be invoked from any of those domains via API, but it cannot itself act as the authority-credentialed observation layer for events that occurred outside AWS — and it does not natively bind the actuation that follows a permit decision to a lineage record that downstream regulators or counterparties can independently verify. The gap is not the policy engine; it is the absence of a governance chain wrapping it.

What The AQ Governance-Chain Primitive Provides

The Adaptive Query governance-chain primitive is a five-property composition that converts an isolated authorization decision into a governed event admissible across trust boundaries. The first property, authority-credentialed observation, requires that every input attribute carry a cryptographically bound assertion identifying the credentialed observer that produced it, with the credential itself anchored to a recognized issuing authority. The second, evidential weighting, attaches a structured weight to each observation reflecting freshness, observer reputation, and corroboration depth, so that the policy engine consumes not raw attributes but weighted evidence.

The third property, composite admissibility, defines a deterministic rule by which a bundle of weighted observations either clears the admissibility threshold for a given action class or is refused before policy evaluation occurs. This is distinct from the Cedar permit/deny decision: admissibility governs whether the request is even eligible to be evaluated, and it is computed from the evidence package rather than from the policy. The fourth property, governed actuation, binds the downstream effect of a permit decision — the API call, the database mutation, the message emission — to a signed actuation record that names the admitted evidence bundle and the policy version under which it was authorized.

The fifth property, lineage-recorded provenance, persists the entire chain — observations, weights, admissibility verdict, policy decision, actuation record — into an append-only, externally verifiable lineage store. The lineage record is the artifact that makes the decision portable across clouds and across regulatory jurisdictions, because it carries with it the proof of every preceding step. Together these five properties constitute the governance chain: a structural wrapper that any policy engine, including Cedar via Verified Permissions, can be composed into without losing its native semantics.

Composition Pathway

Integration with AWS Verified Permissions proceeds by interposing a governance-chain shim between the calling application and the IsAuthorized endpoint. The shim accepts the application's request, resolves each principal and resource attribute through the authority-credentialed observation layer, attaches evidential weights drawn from the credential metadata and from corroborating observations in the lineage store, and computes the composite admissibility verdict. Only admissible bundles are forwarded to Verified Permissions; inadmissible bundles are refused at the substrate layer with a structured rationale that names the failing property.

When Verified Permissions returns a permit decision, the shim binds the decision to a governed-actuation record before the application is allowed to perform the underlying side effect. The actuation record references the Cedar policy version, the evidence bundle hash, and the admissibility verdict, and it is countersigned by the substrate before being written to the lineage store. Cross-cloud deployments share a single lineage namespace, so an actuation authorized in AWS can be independently verified by a counterparty operating in Azure or on-premises without replaying the original decision.

The shim is implementable as a sidecar proxy in front of API Gateway, as a Lambda authorizer wrapper, or as an SDK middleware in the calling service. None of these approaches requires modification to the Cedar policies themselves: the governance chain operates above the policy layer, and the policy author continues to write Cedar in its native form. This is the property that makes the composition commercially tractable for existing Verified Permissions deployments.
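As an added example, not code from Adaptive Query or AWS, the following Python sketches the shim just described together with the five properties of the previous section, wired around a stub in place of the IsAuthorized call. Everything in it is an assumption chosen for illustration: HMAC with constructed keys stands in for PKI-bound observer credentials and the substrate's signing key, the observer names, reputation figures, thresholds and freshness horizon are invented, and `cedar_stub`, `governed_authorize`, `verify_actuation` and `Lineage` are names made up here. In a real deployment the `decide` callable would wrap the boto3 `verifiedpermissions` client's `is_authorized` call on the admitted attributes.

```python
"""Governance-chain shim around an IsAuthorized-style decision (illustrative only).
HMAC with constructed keys stands in for PKI-bound credentials; cedar_stub stands in for IsAuthorized."""
import hashlib
import hmac
import json
import time

# Constructed material for the example; a real deployment resolves these from credentials.
OBSERVER_KEYS = {"idp.partner.example": b"k-idp", "ml-enricher.example": b"k-ml"}
OBSERVER_REPUTATION = {"idp.partner.example": 1.0, "ml-enricher.example": 0.4}
SUBSTRATE_KEY = b"k-substrate"
THRESHOLD = {"read": 0.5, "write": 1.2}  # admissibility floor per action class (assumed)
MAX_AGE_S = 600.0                         # an observation this old weighs nothing (assumed)
GENESIS = "0" * 64

def canon(obj):
    """Canonical JSON so signatures and hashes are reproducible across clouds."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, obj):
    return hmac.new(key, canon(obj), hashlib.sha256).hexdigest()

def observe(observer, name, value, observed_at):
    """Property 1: an attribute bound to the credentialed observer that produced it."""
    body = {"name": name, "value": value, "observer": observer, "observed_at": observed_at}
    return {**body, "sig": sign(OBSERVER_KEYS[observer], body)}

def verified(obs):
    key = OBSERVER_KEYS.get(obs["observer"])
    body = {k: v for k, v in obs.items() if k != "sig"}
    return key is not None and hmac.compare_digest(obs["sig"], sign(key, body))

def weigh(obs, bundle, now):
    """Property 2: reputation x freshness x corroboration depth (verified observers only)."""
    freshness = max(0.0, 1.0 - max(0.0, now - obs["observed_at"]) / MAX_AGE_S)
    corroborators = {o["observer"] for o in bundle
                     if verified(o) and o["name"] == obs["name"] and o["value"] == obs["value"]}
    return OBSERVER_REPUTATION[obs["observer"]] * freshness * (1.0 + 0.5 * (len(corroborators) - 1))

class Lineage:
    """Property 5: append-only hash chain; each entry commits to its predecessor."""
    def __init__(self):
        self.entries = []

    def append(self, entry):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256(canon({"prev": prev, "entry": entry})).hexdigest()
        self.entries.append({"prev": prev, "entry": entry, "hash": digest})
        return digest

    def verify(self):
        """A counterparty recomputes the chain instead of replaying any decision."""
        prev = GENESIS
        for e in self.entries:
            expect = hashlib.sha256(canon({"prev": prev, "entry": e["entry"]})).hexdigest()
            if e["prev"] != prev or e["hash"] != expect:
                return False
            prev = e["hash"]
        return True

def cedar_stub(request, attrs):
    """Stand-in for IsAuthorized, mirroring this Cedar policy that the real store would hold:
         permit(principal, action, resource) when { principal.tenant == resource.tenant };"""
    return ("ALLOW" if attrs.get("tenant") == request["resource_tenant"] else "DENY"), "tenant-isolation@v3"

def governed_authorize(request, bundle, decide, lineage, now=None):
    """The shim: admit evidence, then evaluate policy, bind actuation and record lineage.
    decide(request, attrs) -> (decision, policy_version); in production it wraps is_authorized()."""
    now = time.time() if now is None else now
    record = {"request": request, "bundle_hash": hashlib.sha256(canon(bundle)).hexdigest(), "at": now}
    commit = lambda: {**record, "lineage_hash": lineage.append(dict(record))}
    unverifiable = sorted({o["observer"] for o in bundle if not verified(o)})
    if unverifiable:  # property 1 failed: refuse before any weighting or policy evaluation
        record.update(admitted=False, failing_property="authority_credentialed_observation",
                      observers=unverifiable)
        return commit()
    best = {}  # per attribute name: (weight, value) of its strongest observation
    for o in bundle:
        w = weigh(o, bundle, now)
        if w > best.get(o["name"], (-1.0, None))[0]:
            best[o["name"]] = (w, o["value"])
    record["weights"] = {n: w for n, (w, _) in best.items()}
    floor = THRESHOLD[request["action_class"]]
    if not best or min(record["weights"].values()) < floor:  # property 3: composite admissibility
        record.update(admitted=False, failing_property="composite_admissibility", threshold=floor)
        return commit()
    decision, policy_version = decide(request, {n: v for n, (_, v) in best.items()})
    record.update(admitted=True, decision=decision, policy_version=policy_version)
    if decision == "ALLOW":  # property 4: the side effect is bound to a countersigned record
        actuation = {"bundle_hash": record["bundle_hash"], "policy_version": policy_version,
                     "weights": record["weights"], "at": now}
        record["actuation"] = {**actuation, "countersig": sign(SUBSTRATE_KEY, actuation)}
    return commit()

def verify_actuation(actuation):
    """What a counterparty checks before trusting an effect: the substrate countersignature."""
    body = {k: v for k, v in actuation.items() if k != "countersig"}
    return hmac.compare_digest(actuation["countersig"], sign(SUBSTRATE_KEY, body))
```

With the constants above, a write backed only by a one-minute-old identity-provider observation scores 0.9 and is refused at the admissibility step with a rationale naming `composite_admissibility`, before Cedar ever sees it; adding a corroborating observation from the lower-reputation enricher lifts the same attribute to 1.35 and the request is admitted, evaluated, and, on permit, bound to a countersigned actuation record. A tampered observation fails at property 1 instead, and a counterparty holding only the lineage entries and the substrate's verification key can check both the chain and any actuation without replaying the decision.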

Commercial and Licensing Implication

The freedom-to-operate consequence is that any deployment of AWS Verified Permissions that needs to span trust boundaries — multi-cloud, partner-tenant, regulated cross-jurisdiction — and that wraps its IsAuthorized calls with authority-credentialed observation, evidential weighting, composite admissibility, governed actuation, and lineage-recorded provenance is operating within the claim scope of the Adaptive Query governance-chain primitive. The Cedar engine itself is not encumbered; the governance substrate that lifts it into a cross-cloud authorization fabric is.

Adaptive Query offers a field-of-use license keyed to the governance-chain primitive, structured to permit Verified Permissions integrators to deploy the five-property wrapper as a documented architectural pattern. Licensing terms scale with the breadth of trust boundaries crossed and the regulated-event volume passing through the substrate, with carve-outs for single-tenant, single-cloud deployments that do not require cross-domain admissibility. AWS-resident integrators retain full Cedar tooling and AWS service-level guarantees while gaining a governance layer that their counterparties and regulators can independently verify.
