Policy-as-code, not a black-box score
Every Black Cat finding traces to a specific, human-readable OPA/Rego rule that checks one concrete setting — for example, whether an Okta admin has MFA enabled, or whether a GCP bucket allows public access. The evaluation is deterministic: the same configuration always produces the same result, and you can see exactly which rule fired and why.
Why it matters
- Auditable: show an auditor the exact rule behind a control, not a confidence percentage.
- No hallucinations: rules are explicit logic, not a model guess.
- Transparent under the EU AI Act: Article 50 transparency obligations (from 2 Aug 2026) make “explainable vs black-box” a procurement filter.
See the full set of checks in the Policy Catalog and how they map to compliance frameworks.