Skip to content

Home / Learn

How Black Cat scoring works: policy-as-code, not a black-box AI score

By Black Cat Security Team · Published May 29, 2026

Policy-as-code, not a black-box score

Every Black Cat finding traces to a specific, human-readable OPA/Rego rule that checks one concrete setting — for example, whether an Okta admin has MFA enabled, or whether a GCP bucket allows public access. The evaluation is deterministic: the same configuration always produces the same result, and you can see exactly which rule fired and why.

Why it matters

  • Auditable: show an auditor the exact rule behind a control, not a confidence percentage.
  • No hallucinations: rules are explicit logic, not a model guess.
  • Transparent under the EU AI Act: Article 50 transparency obligations (from 2 Aug 2026) make “explainable vs black-box” a procurement filter.

See the full set of checks in the Policy Catalog and how they map to compliance frameworks.

Ready to secure your SaaS stack?

Start your free trial. No credit card required. First scan in 5 minutes.

Start Free Trial