Operations · Drift

Every change is a decision.
Detect the ones nobody decided.

Environments drift — vendors patch, engineers tweak, exceptions accumulate. Panaptico reconciles the live state against the implementation graph every minute and surfaces the changes that matter, attributed to who or what made them.

DRIFT-FEED · RECONCILING
Finance implementation · scope 418 · last 1h · 142 drifts vs intent · 1,427 anchors · reconcile cadence 48s

when        object                          system       change                              attribution                   class
14s ago     sp · finance-etl-prod           Azure        Contributor → Owner                 human · unattributed          critical
41s ago     sensor policy · EMEA-finance    CrowdStrike  block-high → monitor-only           console · k.ito@              critical
1m 28s ago  group · fin-admins              Okta         12 members → 14 members             scim · bamboohr sync          notable
2m 04s ago  warehouse · REPORTING_WH        Snowflake    size=M → size=L                     terraform · run #2841         notable
3m 17s ago  kms key rotation · 14 CMKs      AWS          pending → rotated                   scheduled · CHG-00591         expected
4m 52s ago  monitor · auth-latency-p99      Datadog      threshold=400ms → threshold=800ms   human · j.tran@ · no CHG      notable
6m 03s ago  policy · pki-intermediate       Vault        v14 → v15                           vendor patch · 1.16.3         expected
7m 49s ago  integration system user         Workday      1 account → 3 accounts              unknown · no source matched   critical

3 critical · 3 notable · 2 expected · every row linked back to intent and attribution

DRIFT-FEED-0491 · live

Why existing monitoring misses it

Monitors fire on symptoms.
Drift happens in silence.

01

Alerts without intent.

Datadog tells you latency jumped. Nobody tells you the warehouse was resized to L an hour ago, and nobody approved it. The alert and the cause live in two different tools.

02

Nobody can triage raw events.

The cloud audit trail logs 40,000 changes a day. Nine in ten are routine, and the one that matters is buried among them. Humans stop reading; the tenth one becomes an incident.

03

Attribution is a dead end.

Who changed the CrowdStrike policy to monitor-only? The console shows a service-principal name that wasn't tied to a human. Two weeks later, nobody admits to it.

Continuous reconciliation

Intent on one side. Reality on the other. A diff every minute.

The implementation graph is the anchor. Every connector syncs the live state on a loop and Panaptico computes the delta per object and per field, attaching the reason of record (CHG ticket, Terraform run, vendor patch, SCIM sync) when one exists.

14 connectors · finance scope
1,427 anchored objects · 92,418 fields
Reconcile loop · every 48s
RECON · finance scope · pass 2,491 · 00:00:41

object                    Intent · graph anchor     Live · observed
finance.sp-etl-prod       role = Contributor        role = Owner
cs.sensor-emea            mode = block-high         mode = monitor-only
okta.fin-admins           members = 12              members = 14
snowflake.reporting_wh    size = M                  size = L
workday.isu               count = 1                 count = 3

Fields checked 92,418 · Drifted 217 · Attributed 203 · Unknown source 14

Smart classification

Not every diff is a drift. Not every drift is a problem.

Raw state transitions get classified against the implementation graph: scoped, explained, and routed by impact. You see the 14 that matter, not the other 18,403.

CLASSIFIER · last 24h · scope 418
Raw state transitions observed            18,417
  Expected · matches intent or routine     8,902
  Non-scope · outside implementation       9,112
  Drift candidates                           403
    Notable · bounded deviation              389
    Critical · breaks intent contract         14

The funnel turns 18k events into a queue of 14 — each one with context, not a ticket template

critical · DRIFT-7741 · finance scope · opened 14s ago

Object: azure · finance-etl-prod · service principal

Change: role = Contributor → role = Owner

Why it's critical

  • Principal is bound to DR-2025-0714 · least-privilege contract
  • Owner role grants write on 4 finance-scope subscriptions
  • No CHG record · no approval · source: portal, unattributed
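The reconcile-and-classify loop the two sections above describe, as an added example that is not Panaptico's code: a minimal intent graph, one live snapshot and an expected-change feed are diffed per object and per field, and each deviation is classified as expected, notable or critical. The graph schema (intent value, policy envelope, contract flag), the object keys and every value are assumptions modelled on the feed rows above; the sandbox VM and the Okta mfa field are hypothetical additions.

```python
"""Intent-vs-live reconciliation with drift classification.

Added example, not Panaptico's code. The graph schema (intent value,
optional policy envelope, contract flag), the object names and the
live snapshot are assumptions modelled on the page's own feed rows;
the expected-change feed is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Any

# Intent side: one anchored object per key. "envelope" bounds how far a
# value may move and still count as a notable (bounded) deviation: a
# (lo, hi) pair for numbers, a set of allowed values otherwise.
# "contract" marks a field bound to a signed decision record; any
# deviation there breaks the intent contract, whatever feed explains it.
INTENT_GRAPH = {
    "finance.sp-etl-prod":      {"role": {"intent": "Contributor", "contract": "DR-2025-0714"}},
    "cs.sensor-emea":           {"mode": {"intent": "block-high", "contract": True}},  # DR id not on the page
    "okta.fin-admins":          {"members": {"intent": 12, "envelope": (10, 15)},
                                 "mfa": {"intent": "required"}},                # hypothetical in-sync field
    "snowflake.reporting_wh":   {"size": {"intent": "M", "envelope": {"S", "M", "L"}}},
    "workday.isu":              {"count": {"intent": 1, "envelope": (1, 1)}},
    "datadog.auth-latency-p99": {"threshold_ms": {"intent": 400, "envelope": (300, 1000)}},
    "vault.pki-intermediate":   {"version": {"intent": "v14"}},
    "aws.kms-rotation":         {"state": {"intent": "pending"}},
}

# Scheduled changes and vendor patch events, keyed by the transition they
# explain. Constructed from the feed's two "expected" rows.
EXPECTED_CHANGES = {
    ("vault.pki-intermediate", "version", "v15"): "vendor patch · 1.16.3",
    ("aws.kms-rotation", "state", "rotated"): "scheduled · CHG-00591",
}

# Live side: one connector sync. Constructed sample snapshot.
LIVE_STATE = {
    "finance.sp-etl-prod":      {"role": "Owner"},
    "cs.sensor-emea":           {"mode": "monitor-only"},
    "okta.fin-admins":          {"members": 14, "mfa": "required"},
    "snowflake.reporting_wh":   {"size": "L"},
    "workday.isu":              {"count": 3},
    "datadog.auth-latency-p99": {"threshold_ms": 800},
    "vault.pki-intermediate":   {"version": "v15"},
    "aws.kms-rotation":         {"state": "rotated"},
    "azure.sandbox-vm-07":      {"size": "B2s"},   # hypothetical, never anchored: non-scope
}


@dataclass(frozen=True)
class Drift:
    obj: str
    fld: str
    intent: Any
    observed: Any
    kind: str      # "expected" | "notable" | "critical"
    reason: str


def within_envelope(envelope, value) -> bool:
    """True when the observed value is a bounded deviation inside policy."""
    if envelope is None or value is None:
        return False
    if isinstance(envelope, tuple):
        lo, hi = envelope
        return isinstance(value, (int, float)) and lo <= value <= hi
    return value in envelope


def classify(obj, fld, spec, observed, expected):
    """Order matters: a contract-bound field is critical even when a feed
    explains the change, because it must be re-approved, not rebaselined."""
    if spec.get("contract"):
        return "critical", "breaks intent contract"
    reason = expected.get((obj, fld, observed))
    if reason is not None:
        return "expected", reason
    if within_envelope(spec.get("envelope"), observed):
        return "notable", "bounded deviation inside policy envelope"
    return "critical", "deviation outside policy envelope"


def reconcile(intent_graph, live_state, expected):
    """One reconcile pass: per object, per field, diff then classify."""
    drifts, funnel = [], Counter()
    for obj, anchor in sorted(intent_graph.items()):
        observed_fields = live_state.get(obj, {})  # missing object: every field reads None
        for fld, spec in anchor.items():
            funnel["checked"] += 1
            observed = observed_fields.get(fld)
            if observed == spec["intent"]:
                funnel["in-sync"] += 1
                continue
            kind, reason = classify(obj, fld, spec, observed, expected)
            funnel[kind] += 1
            drifts.append(Drift(obj, fld, spec["intent"], observed, kind, reason))
    # Objects the live side reports that the implementation graph never anchored.
    for obj in live_state.keys() - intent_graph.keys():
        funnel["non-scope"] += len(live_state[obj])
    return drifts, funnel


if __name__ == "__main__":
    found, counts = reconcile(INTENT_GRAPH, LIVE_STATE, EXPECTED_CHANGES)
    print(dict(counts))
    for d in found:
        print(f"{d.kind:8} {d.obj}.{d.fld}: {d.intent!r} -> {d.observed!r} ({d.reason})")
```

On this snapshot the pass checks 9 fields and reports 1 in sync, 1 non-scope field, 2 expected, 3 notable and 3 critical. The ordering inside classify is the part worth keeping: a contract-bound field is reported critical even when a change feed explains the transition, which is what lets a re-approval rule catch it before an auto-rebaseline rule swallows it.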

Change attribution

Who, what, and when — correlated to the change.

Each drift gets correlated against the graph's source streams — CHG tickets, Terraform runs, vendor patch feeds, SCIM syncs, human console activity. "Unknown source" is a category, not a shrug.

ATTRIBUTION · DRIFT-7713 · snowflake.reporting_wh · size M → L · correlated · 0.3s

source stream                                 evidence                                               result
Terraform Cloud · workspace finance-prod      run #2841 · plan applied 14:21:08Z                     match 98%
Snowflake activity log · user                 session held by svc-dbt-prod · no interactive user     no match
CHG ticket queue                              no ticket matched object · window ±60min               no match
Vendor patch feed                             no Snowflake release event in window                   no match

Attributed to Terraform run #2841 · commit a4f2…e991 · author j.tran@ · auto-linked to CHG-00604
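The correlation step behind the ATTRIBUTION card, as an added example that is not Panaptico's code: one drift is scored against four constructed source streams (Terraform runs, the vendor activity log, the CHG queue, the vendor patch feed) inside a ±60 min window, and the best match above a threshold becomes the attribution; anything below it is filed as unknown rather than dropped. The stream schemas, the scoring weights, the 2026-04-18 sample date and the DRIFT-sample ids are assumptions; the events are constructed to mirror the DRIFT-7713, Workday, KMS, Vault and Datadog rows above.

```python
"""Drift attribution by correlating against source streams.

Added example, not Panaptico's code. The stream schemas, the scoring
weights and the ±60 min window are assumptions; every event below is
constructed sample data shaped like the page's DRIFT-7713 card and the
Workday, KMS, Vault and Datadog feed rows.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any

WINDOW = timedelta(minutes=60)   # ±60 min, the same window the page's CHG lookup uses


def ts(hms: str) -> datetime:
    """Constructed sample date; only the clock time matters for the window check."""
    return datetime.fromisoformat(f"2026-04-18T{hms}+00:00")


@dataclass(frozen=True)
class Drift:
    drift_id: str
    obj: str          # graph anchor id, "<vendor>.<object>"
    fld: str
    before: Any
    after: Any
    observed_at: datetime


@dataclass
class Attribution:
    source: str       # stream name, or "unknown"
    score: float
    detail: str
    hits: list = field(default_factory=list)   # every candidate, kept for the forensic bundle


# --- constructed source streams ---------------------------------------
TERRAFORM_RUNS = [
    {"workspace": "finance-prod", "run": "#2841", "applied_at": ts("14:21:08"),
     "commit": "a4f2…e991", "author": "j.tran@", "chg": "CHG-00604",
     "changes": {"snowflake.reporting_wh": {"size": ("M", "L")}}},
]
ACTIVITY_LOG = [
    # non-interactive session held by the run above: a "what", not a "who"
    {"obj": "snowflake.reporting_wh", "user": "svc-dbt-prod", "interactive": False,
     "at": ts("14:21:09"), "action": "ALTER WAREHOUSE REPORTING_WH SET WAREHOUSE_SIZE = LARGE"},
    {"obj": "datadog.auth-latency-p99", "user": "j.tran@", "interactive": True,
     "at": ts("14:15:37"), "action": "monitor.update threshold=800ms"},
]
CHG_TICKETS = [
    {"chg": "CHG-00591", "obj": "aws.kms-rotation", "start": ts("13:30:00"), "end": ts("15:30:00")},
]
VENDOR_PATCHES = [
    {"vendor": "vault", "version": "1.16.3", "at": ts("14:05:00")},
]


def in_window(t: datetime, observed_at: datetime) -> bool:
    return abs(t - observed_at) <= WINDOW


def correlate(d: Drift) -> list:
    """Return (stream, score, detail) candidates for one drift."""
    hits = []
    for run in TERRAFORM_RUNS:
        change = run["changes"].get(d.obj, {}).get(d.fld)
        if change is None or not in_window(run["applied_at"], d.observed_at):
            continue
        score = 0.98 if change == (d.before, d.after) else 0.70   # exact transition beats address-only
        hits.append(("terraform", score,
                     f"run {run['run']} · commit {run['commit']} · author {run['author']} · {run['chg']}"))
    for ev in ACTIVITY_LOG:
        # only an interactive (human) session is an attribution by itself
        if ev["obj"] == d.obj and ev["interactive"] and in_window(ev["at"], d.observed_at):
            hits.append(("activity-log", 0.90, f"{ev['user']} · {ev['action']}"))
    for t in CHG_TICKETS:
        if t["obj"] == d.obj and t["start"] <= d.observed_at <= t["end"]:
            hits.append(("chg", 0.80, t["chg"]))
    vendor = d.obj.split(".", 1)[0]
    for p in VENDOR_PATCHES:   # patch feeds are vendor-wide, not per object, hence the lowest weight
        if p["vendor"] == vendor and in_window(p["at"], d.observed_at):
            hits.append(("vendor-patch", 0.60, f"{vendor} {p['version']}"))
    return hits


def attribute(d: Drift, threshold: float = 0.5) -> Attribution:
    """Best candidate above the threshold wins; otherwise 'unknown' is the answer, not silence."""
    hits = correlate(d)
    if not hits or max(h[1] for h in hits) < threshold:
        return Attribution("unknown", 0.0, "no source matched", hits)
    stream, score, detail = max(hits, key=lambda h: h[1])
    return Attribution(stream, score, detail, hits)


# Sample drifts (DRIFT-7713 is the page's id; the DRIFT-sample ids are hypothetical).
DRIFT_7713 = Drift("DRIFT-7713", "snowflake.reporting_wh", "size", "M", "L", ts("14:21:40"))
DRIFT_WORKDAY = Drift("DRIFT-sample-2", "workday.isu", "count", 1, 3, ts("14:12:11"))
DRIFT_KMS = Drift("DRIFT-sample-3", "aws.kms-rotation", "state", "pending", "rotated", ts("14:16:48"))
DRIFT_VAULT = Drift("DRIFT-sample-4", "vault.pki-intermediate", "version", "v14", "v15", ts("14:13:51"))
DRIFT_DATADOG = Drift("DRIFT-sample-5", "datadog.auth-latency-p99", "threshold_ms", 400, 800, ts("14:15:37"))

if __name__ == "__main__":
    for d in (DRIFT_7713, DRIFT_WORKDAY, DRIFT_KMS, DRIFT_VAULT, DRIFT_DATADOG):
        a = attribute(d)
        print(f"{d.drift_id}: {a.source} ({a.score:.2f}) · {a.detail}")
```

The activity-log rule is the caveat worth keeping: a non-interactive session (svc-dbt-prod) is deliberately not a match on its own, because a service account answers "what", not "who"; the Terraform run that held the session is what carries the author and the CHG link. Drop that check and a robot session passes as a person.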

Automated response

Detection is the easy part. Routing is the product.

Every classified drift gets routed automatically — re-baselined, turned into work, sent back through approval, or escalated. Humans approve policies, not individual alerts.

ROUTING · finance scope · 4 rules active · last change 2026-04-18

01 · When: drift is expected · matches vendor patch feed or scheduled change
     Action: auto-rebaseline · write to graph · no human in the loop
     Volume: 8,902 in last 24h

02 · When: drift is notable · bounded deviation inside policy envelope
     Action: generate TASK · assign owner · require CHG within 7 days
     Volume: 389 in last 24h

03 · When: drift touches a signed decision record · must re-approve
     Action: open approval · attach DR · route to original approver
     Volume: 11 in last 24h

04 · When: drift breaks an intent contract or has no attributable source
     Action: freeze object · page oncall · capture forensic bundle
     Volume: 3 in last 24h

Rules are reviewed quarterly · every auto-action is written back into the graph as an attributed event

ROUTING-POLICY-v14

Drift, attributed. Response, automatic.

The environment is always changing. Panaptico keeps the graph honest — every change classified, every cause linked, every response written back.