Organizational policies are a key part of every organization’s cloud IAM strategy. They supplement least-privilege best practices by establishing guardrails that protect the organization from unknown threats and limit the damage that compromised identities, workloads or credentials can cause. In this session, we will explore how to build, test, and deploy effective organizational policies. We will do so while staying mindful of the real threats and TTPs we are trying to protect ourselves from, the crown jewels we need to protect, the vulnerable points in our environment, and the data perimeter. We will also dive into the implementation of organizational IAM policies in each cloud provider’s authorization engine, their different behaviors in edge cases, and how we should adjust our strategy to accommodate these differences. Lastly, we will discuss strategies for building, testing, and deploying organizational policies, and recommend a process for creating and evaluating them, including how to build detection mechanisms for policy violations.