SOC2 CC8.1 · Config Drift · Continuous Compliance · Deep Prototype

PolicyDrift — Written-Policy vs Actual-Config Drift Detection

32 seeded controls comparing what the policy says to what the config actually does. CSP headers, IAM trust policies, S3 public-access blocks, GitHub branch protection, KMS key rotation, MFA enforcement, secret-rotation cadence. Drift age in days.


What it is

The shape behind continuous-compliance tooling. For every control, the written policy on one side, the actual production config on the other, and the gap in days since they diverged. The gap is what auditors actually find — and what most companies discover only at audit time.

What it catches

  • 32 seeded controls (PD-001 → PD-032) spanning the real surface area:
    • Content-Security-Policy missing frame-ancestors
    • IAM roles with wildcard trust (Principal: "*")
    • S3 buckets without BlockPublicAcls
    • GitHub branch protection allowing force-push on main
    • KMS keys with rotation disabled
    • MFA enforcement gaps (5 admin accounts without MFA)
    • Secrets older than the 90-day rotation policy
    • RDS instances without encryption at rest
    • Lambda functions with overly permissive resource policies
    • Untagged production resources
  • Drift age in days — every finding shows how long the gap has existed. The 4-month-old IAM trust drift is the kind of finding that fails audits.
  • Severity classes — OK / warn / bad. Composite shows the program-level posture at the top.
  • Real policy text vs real config text — copy-pasteable, not stylized.
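The evaluator shape described above, as an added example rather than the PolicyDrift page's own code: each control pairs its written policy with a checker over a config snapshot, and the evaluator reports compliance, drift age in days and an ok/warn/bad status before rolling everything up into a composite posture. The control IDs reused here (PD-001, PD-002, PD-003, PD-005, PD-007), the policy text, the config snapshots, the 30-day grace period and the "today" timestamp are all constructed sample data and assumptions, not findings from the tool.

```javascript
// Added example, not the PolicyDrift page's own code: a minimal policy-vs-config
// evaluator in the shape the page describes. All control IDs, policy text, config
// snapshots and thresholds below are constructed sample data / assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const GRACE_DAYS = 30; // assumed: a failing "warn" control older than this escalates to "bad"

// True when any Allow statement trusts the wildcard principal, in either form IAM
// accepts: Principal: "*" or Principal: { "AWS": "*" } / { "AWS": ["*"] }.
function hasWildcardTrust(trustPolicy) {
  return trustPolicy.Statement.some((s) => {
    if (s.Effect !== 'Allow') return false;
    const p = s.Principal;
    if (p === '*') return true;
    return p !== null && typeof p === 'object' && Object.values(p).flat().includes('*');
  });
}

// True when the CSP header declares a frame-ancestors directive. Header names are
// assumed lower-cased in the snapshot, as most HTTP clients present them.
function hasFrameAncestors(headers) {
  const csp = headers['content-security-policy'];
  if (!csp) return false;
  return csp.split(';').some((d) => d.trim().split(/\s+/)[0] === 'frame-ancestors');
}

// Whole days between an ISO-8601 timestamp and `now` (epoch milliseconds).
function ageDays(isoTimestamp, now) {
  return Math.floor((now - Date.parse(isoTimestamp)) / DAY_MS);
}

// Constructed controls. `check` returns true when the config satisfies the policy;
// `severity` is the status a fresh failure gets; `divergedAt` is when the gap first
// appeared (null while compliant). A real tool would derive divergedAt from history.
const controls = [
  { id: 'PD-001', policy: 'All HTML responses set Content-Security-Policy with frame-ancestors.',
    severity: 'warn', check: (c) => hasFrameAncestors(c.headers),
    config: { headers: { 'content-security-policy': "default-src 'self'; script-src 'self'" },
              divergedAt: '2024-05-01T00:00:00Z' } },
  { id: 'PD-002', policy: 'No IAM role trust policy grants sts:AssumeRole to Principal "*".',
    severity: 'bad', check: (c) => !hasWildcardTrust(c.trustPolicy),
    config: { trustPolicy: { Version: '2012-10-17', Statement: [
                { Effect: 'Allow', Principal: { AWS: '*' }, Action: 'sts:AssumeRole' }] },
              divergedAt: '2024-02-15T00:00:00Z' } },
  { id: 'PD-003', policy: 'Every S3 bucket sets BlockPublicAcls=true.',
    severity: 'bad', check: (c) => c.publicAccessBlock.BlockPublicAcls === true,
    config: { publicAccessBlock: { BlockPublicAcls: true }, divergedAt: null } },
  { id: 'PD-005', policy: 'Customer-managed KMS keys have automatic rotation enabled.',
    severity: 'warn', check: (c) => c.keyRotationEnabled === true,
    config: { keyRotationEnabled: false, divergedAt: '2024-06-10T00:00:00Z' } },
  { id: 'PD-007', policy: 'Secrets are rotated at least every 90 days.',
    severity: 'warn', check: (c, now) => ageDays(c.lastRotated, now) <= 90,
    config: { lastRotated: '2024-02-01T00:00:00Z',
              divergedAt: '2024-05-01T00:00:00Z' } }, // = lastRotated + 90 days
];

// One finding per control: compliant?, how long the gap has existed, and its status.
function evaluate(controls, now) {
  return controls.map((ctl) => {
    const compliant = ctl.check(ctl.config, now);
    const driftDays = (compliant || !ctl.config.divergedAt) ? 0 : ageDays(ctl.config.divergedAt, now);
    let status = 'ok';
    if (!compliant) status = (ctl.severity === 'bad' || driftDays > GRACE_DAYS) ? 'bad' : 'warn';
    return { id: ctl.id, compliant, driftDays, status };
  });
}

// Program-level posture: the worst status across all findings.
function composite(findings) {
  const rank = { ok: 0, warn: 1, bad: 2 };
  return findings.reduce((worst, f) => (rank[f.status] > rank[worst] ? f.status : worst), 'ok');
}

const NOW = Date.UTC(2024, 5, 15); // constructed "today": 2024-06-15 UTC
const findings = evaluate(controls, NOW);
console.table(findings);
console.log('composite:', composite(findings));
```

Run with `node`: PD-002 comes out at 121 days of drift, the kind of months-old wildcard trust the page calls out, while the five-day-old KMS rotation gap stays at warn because it is inside the grace period. The point of the grace period is that age, not just presence, drives severity; a control that is only ever pass/fail cannot tell an auditor how long the gap has been open.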

Why this shape

SOC2 CC8.1 (“change management”) and ISO/IEC 27001:2022 A.5.36 (“compliance with policies, rules and standards for information security”) both expect you to show that configuration changes are controlled and that deviations between documented policy and actual configuration are found and corrected, which means knowing where the two have diverged and for how long. Most companies write the policy once, then never check. Drata, Vanta, and Secureframe charge $20-50k/yr to make this visible. PolicyDrift prototypes the shape directly.

How it ships

Single HTML file, ~26KB. Zero dependencies. 32 controls + status logic + filter pills in 240 lines of vanilla JavaScript.
