AI Usage in Sonrai CPF
© 2026 Sonrai Security. All rights reserved.
Overview
Sonrai Security uses Artificial Intelligence to help customers understand, manage, and reduce cloud permission risk more efficiently. This page explains where AI is used within the Sonrai platform, how it benefits customers, and how we enforce strict data privacy and security standards.
Features & Usage
We use Generative AI primarily to power WALLy, Sonrai’s Cloud Permissions and Privileged Access Management (PAM) AI agent. WALLy helps customers analyze complex identity and access data, surface risk, and propose remediation actions.
Secondarily, AI is used to summarize and interpret complex activity and permissions data, helping security teams move faster without losing context or control.
Read vs. Write Access
While AI within Sonrai CPF is capable of both read and write actions, write access is always customer-controlled and strictly gated through multiple safeguards:
Approval Workflow
Sonrai uses an internal Model Context Protocol (MCP) server as a safety and control layer. The AI is restricted to tools that can only propose cloud control changes by placing them into Sonrai Pending Changes.
No changes are ever executed automatically—each action requires explicit human review and approval before it can be applied.
Least Privilege Enforcement
The AI operates under the principle of least privilege. Its effective permissions are limited to the intersection of:
- the MCP user’s permissions (configurable per tenant), and
- the permissions of the human user invoking the AI.
This ensures the AI can never take actions beyond what the user themselves is authorized to do.
Data Privacy & Security
Sonrai is committed to protecting customer data and minimizing AI data exposure.
Secure Model Hosting
We use AWS Bedrock to host our AI models, enabling strong data isolation and enterprise-grade security controls.
No Training on Customer Data
Customer data is never used to train, retrain, or improve AI models. Data is processed solely to generate responses for the requesting customer and is not retained for model learning.
Stateless Processing
AI interactions are logically isolated and session-based. Customer data is treated as contextual input for a single request only. The model does not retain memory of past sessions and does not use one customer’s data to inform responses for another.
Our Commitment
At Sonrai, we use AI to help customers better understand and secure their cloud environments—not to collect, reuse, or monetize their data. AI processes your data for your benefit, under your control, and with a focus on security.