Wiz Integration Strategy Analysis — SecurityV0 Competitive Intelligence
Date: 2026-04-03
Source material: Wiz Cloud Demo video (166 frames), Wiz public documentation, web research, SV0 internal architecture docs, RSAC 2026 competitor analysis, AWS competitive analysis
Executive Summary
Wiz has built the most comprehensive cloud security platform in the market, with 240+ integrations, agentless scanning across all major clouds, and an expanding footprint into code scanning, AI security, and runtime detection. Their NHI capabilities are real but shallow — a dashboard that discovers cloud-native service accounts and maps them into attack paths, but not a purpose-built NHI governance platform.
SecurityV0's opportunity is not to out-Wiz Wiz on breadth. It is to own the NHI problem with a depth and cross-system intelligence that Wiz's current architecture does not prioritize, then expand outward from that position. The key strategic question — whether to pursue code access — has a nuanced answer: yes, but not for SAST. SV0 should scan code for NHI-relevant artifacts (hardcoded secrets, service account references, automation configurations) rather than general vulnerability detection.
1. Wiz's Integration Architecture
1.1 Agentless Scanning — How It Actually Works
Wiz's core architecture has two data collection mechanisms:
Read-Only API Scanning (Configuration Layer)
Wiz connects to cloud provider control planes via standard APIs. For each cloud:
- AWS: Cross-account IAM role with the `SecurityAudit` managed policy + custom read-only extensions. Deployed via CloudFormation StackSets targeting the root OU. Optional "Outpost" mode places scanning infrastructure in a customer-designated account for regulated environments.
- Azure: Service principal with Reader role at management group level.
- GCP: Service account with viewer permissions at organization level.
This API-based scanning inventories all resources, analyzes configurations, network settings, IAM policies, and identity assignments. No agents touch customer workloads.
Snapshot Analysis (Deep Workload Scanning)
For vulnerability and malware detection, Wiz creates temporary encrypted snapshots of virtual machine storage volumes (EBS in AWS, managed disks in Azure, persistent disks in GCP). These snapshots are analyzed in an isolated environment — either Wiz's own SaaS infrastructure or a customer-designated scanner account. After analysis, snapshots are deleted. This requires additional write permissions: ec2:CreateSnapshot, ec2:CreateVolume, kms:Decrypt (scoped).
Runtime Sensors (Wiz Defend)
In 2025-2026, Wiz added an optional lightweight eBPF-based runtime sensor that captures process execution, network connections, and file activity. This represents a strategic pivot — Wiz was purely agentless but recognized that runtime behavioral detection requires on-host telemetry. The sensor correlates with the Security Graph's static posture data.
Agentless Workload Detection
Additionally, Wiz ingests local machine logs into their "Signals" data lake, correlating suspicious workload activity with cloud control plane events without requiring the runtime sensor.
1.2 The Configuration Layer (from Demo Frame 0035)

Wiz's data ingestion is organized into four pillars shown in their architecture diagram:
- CSP APIs — Cloud service provider control planes (AWS, Azure, GCP, OCI, Alibaba, etc.)
- Kubernetes APIs — K8s cluster metadata and workload configurations
- Container Registries — Image scanning for vulnerabilities and secrets
- Code Repositories — Source code scanning via VCS integrations (GitHub, GitLab, Azure Repos)
This four-pillar model feeds the Security Graph, which is the single data model underpinning all Wiz capabilities.
1.3 The Security Graph
The Security Graph (demo frames 0020, 0070) is Wiz's core differentiator — a unified graph database correlating identities, workloads, data, network configurations, vulnerabilities, and attack paths. Every Wiz feature is a query or visualization on this graph.

Key graph node types observed in the demo:
- Kubernetes Service Accounts (purple)
- AWS IAM Roles (orange/gold)
- AWS S3 Buckets (green)
- Amazon ECR Images
- GitHub Repository Branches / Repositories
- Kubernetes Pods
- Findings/Alerts (red)
Edge labels show API action types ("1 x Get", "2 x List", "1 x Create") — this is observed execution evidence from CloudTrail/audit logs, not just static permission analysis.
1.4 Technology Detection
Wiz auto-discovers technologies running in the environment (demo frame 0050 shows 631 technologies detected). Categories include:
- Code (39 technologies)
- Compute Platforms (5)
- Applications (36)
- Security (8)
- Cloud Entitlements (10)
- Data Assets (14)
- AI & Machine Learning (13)
- Networking (12)
Each technology has an approval workflow (Approved / Unreviewed) — essentially a shadow IT discovery and governance feature.

2. Wiz's Connector Breadth
2.1 Full Integration Catalog (as of early 2026)
Total: 240+ integrations across the Wiz Integration Network (WIN).
Native Cloud Connectors (from demo frame 0030):
| Provider | Status | Notes |
|---|---|---|
| Amazon Web Services (AWS) | GA | Most mature. StackSets, Outpost mode, Organizations integration |
| Microsoft Azure | GA | Service principal, management group scoping |
| Google Cloud Platform (GCP) | GA | Service account, org-level |
| Oracle Cloud Infrastructure (OCI) | GA | IAM added to identity graph (2025) |
| Alibaba Cloud | Preview | China market coverage |
| VMware vSphere | GA | On-premises/hybrid |
| Linode | GA | Akamai cloud |
| Cloudflare | Preview | Edge/CDN security |
Data & AI:
| Provider | Status |
|---|---|
| OpenAI Platform | GA |
| Snowflake | Preview |
Security & Identity:
| Provider | Status |
|---|---|
| CrowdStrike | Preview |
| Okta | GA |
Integration Categories by Count:
| Category | Count | Key Vendors |
|---|---|---|
| Cloud Service Providers | 8+ | AWS, Azure, GCP, OCI, Alibaba, VMware, Linode, Cloudflare |
| Kubernetes Clusters | 32 (in demo) | EKS, AKS, GKE, self-managed |
| Container Registries | 4+ | ECR, ACR, GCR, Docker Hub |
| Version Control | 5 | GitHub, GitLab, Azure Repos, Bitbucket, others |
| CI/CD Platforms | 19 | Jenkins, GitHub Actions, GitLab CI, Azure Pipelines, Terraform, others |
| SIEM | 14 | Splunk, Sentinel, QRadar, Google SecOps, Sumo Logic |
| SOAR & Automation | 15+ | Torq, PagerDuty, Tines, others |
| Vulnerability Management | 22 | Qualys VMDR, Tenable VM, Rapid7 |
| Compliance Management | 16 | RegScale, Brinqa, JupiterOne |
| Identity & Security | 10 | Okta, CyberArk, CrowdStrike, Saviynt |
| Ticketing & Messaging | 6+ | Jira, ServiceNow ITSM, Slack, Teams, Zendesk, Azure DevOps |
| IDEs & Git Hooks | — | VS Code extension, CLI scanner |
| Runtime Sensors | — | eBPF-based Wiz Defend sensor |
| Outposts | — | Customer-hosted scanning infrastructure |
2.2 What the Breadth Means Competitively
Wiz's 240+ integrations serve multiple strategic purposes:
- Sales tool — the sheer logo count on the Connect page creates enterprise confidence
- Platform lock-in — once data flows from 8+ tools into Wiz's Security Graph, switching costs are enormous
- Data enrichment — each integration adds nodes/edges to the graph, making attack path analysis richer
- Partner ecosystem — the WIN program turns ISVs into co-sellers
For SV0, the lesson is clear: integration breadth is a necessary condition for enterprise sales, but SV0 should not try to match Wiz's 240+ integrations across all security categories. Instead, SV0 should aim for depth in the NHI-relevant integration space (identity providers, SaaS platforms with automation capabilities, cloud IAM).
3. Code Access Analysis
3.1 What Wiz Scans in Code Repos
Wiz Code performs four types of code scanning:
- SCA (Software Composition Analysis) — third-party library vulnerabilities in dependency manifests
- IaC scanning — 1,400+ rules for misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles
- Secrets detection — 150+ rules for API tokens, database credentials, private keys in source code
- SAST (Static Application Security Testing) — static analysis of application source code for security vulnerabilities (announced 2025)

The key innovation is code-to-cloud tracing (demo frame 0025): Wiz maps source code commit -> CI/CD build -> container registry -> cloud deployment -> runtime workload.
Gap 1: Cloud-only NHI visibility
Wiz discovers service accounts in AWS, Azure, GCP, OCI, and Kubernetes. It does NOT discover NHIs in:
- SaaS automation platforms: ServiceNow Business Rules, Flows, Scheduled Jobs; Power Automate flows; Zapier zaps; MuleSoft integrations
- Identity providers beyond cloud IAM: Entra ID app registrations and service principals that are NOT cloud-deployed (e.g., an Entra SP used by an on-prem application to call an external API)
- SaaS-to-SaaS OAuth connections: The OAuth app that connects Jira to Salesforce, the GitHub App that posts to Slack, the ServiceNow integration user that calls Azure APIs
- AI agent identities in non-cloud contexts: Custom GPTs, MCP servers, RAG pipelines running outside major cloud providers
This appears to be a structural limitation of Wiz's current data collection model (CSP APIs, K8s APIs, container registries, code repos), which does not extend to NHIs in SaaS platform configuration layers. This could change if Wiz builds or acquires SaaS connectors.
Gap 2: No cross-system execution chain tracing
Wiz can show: "This K8s Service Account -> assumes this IAM Role -> accesses this S3 Bucket" (from demo frame 0020). This is powerful but cloud-contained.
We found no evidence that Wiz currently shows: "This ServiceNow Business Rule -> executes under this Integration User -> calls this REST endpoint -> authenticates as this Entra SP -> which has this role assignment -> reaching this Azure resource -> containing this sensitive data."
This cross-system, cross-boundary execution chain is SV0's core innovation. Wiz would need to build SaaS platform connectors to replicate it — possible but a significant investment outside their current focus.
Gap 3: No ownership lifecycle governance
Wiz identifies that a service account exists and whether it has risky permissions. It does NOT track:
- Who created this NHI and when?
- Is the creator still at the company?
- Has ownership been formally transferred?
- When was the last ownership review?
- Is there an approval chain for the permissions this NHI holds?
Wiz partners with Saviynt to fill this gap — which validates it as a real market need but also means Wiz's NHI story requires a separate product purchase.
Gap 4: No SaaS automation surface analysis
We found no evidence of Wiz visibility into:
- ServiceNow: Business Rules, Script Includes, Flows, Scheduled Jobs, REST Messages, OAuth configurations
- Power Platform: Power Automate flows, custom connectors, Power Apps connections
- Salesforce: Apex triggers, Process Builder flows, named credentials, connected apps
- Atlassian: Jira automation rules, Confluence app connections, Forge apps
These platforms have massive autonomous execution surfaces with NHIs that no cloud-focused security tool can see.
Gap 5: No deterministic evidence model
Wiz uses probabilistic scoring and ML-based risk prioritization. SV0's deterministic, evidence-backed approach (every finding has a walkable proof chain) is a differentiator for compliance-driven buyers who need auditable findings. Note: Wiz also performs deterministic graph correlation — their ML usage is primarily in risk prioritization, not finding generation.
Gap 6: Limited temporal drift analysis
Wiz shows current state. SV0's temporal model shows how NHI configurations have changed over time — when a service account gained new permissions, when ownership decayed, when an execution pattern changed.
4.3 Wiz's NHI Strategy
Wiz is clearly aware of the NHI gap and is pursuing a partnership strategy rather than building NHI-native capabilities:
- Saviynt partnership: NHI governance and lifecycle management
- Entro partnership: NHI secret discovery and DSPM
- Token Security integration: Token lists Wiz as an integration partner
This tells us: Wiz views NHI as an adjacent market that enhances their graph but is not their core focus. They will provide cloud-level NHI discovery and partner for the rest. SV0's opportunity is to be the definitive NHI platform that either replaces or complements Wiz in this specific domain.
5. SV0 Integration Roadmap Recommendations
5.1 Prioritized Integration List
Tier 1 — NHI-Native Integrations (Build First)
These are unique to SV0's NHI focus and have no Wiz equivalent:
| Priority | Integration | Rationale | Effort |
|---|---|---|---|
| 1 | Entra ID (identity plane) | Already built. Foundation for all cross-system tracing | Done |
| 2 | ServiceNow | Already in progress. Massive SaaS automation surface. W1 wedge | In progress |
| 3 | Azure Foundry | Already in progress. Agentic AI execution surface | In progress |
| 4 | AWS IAM + workload identity | Planned (Phase 0-1). Largest cloud market. Multi-account NHI | Planned |
| 5 | GitHub/GitLab (NHI-scoped) | OAuth apps, GitHub Apps, deploy keys, service accounts, automation bots. NOT general code scanning | Medium |
| 6 | Power Platform | Power Automate flows, custom connectors, Power Apps connections. Massive shadow automation surface | Medium |
| 7 | Okta / Auth0 | OAuth app registrations, service account tokens, API integrations. Identity provider NHI surface | Medium |
| 8 | Salesforce | Connected apps, named credentials, Apex automation, integration users | Medium-High |
| 9 | Jira/Confluence | Automation rules, app connections, Forge apps, OAuth app permissions | Medium |
Tier 2 — Cloud Provider Depth (Strategic Overlap with Wiz)
| Priority | Integration | Rationale | Decision |
|---|---|---|---|
| 10 | AWS Bedrock / AI services | Agentic AI identity chains. Differentiated use case | Build — NHI-focused, not CSPM |
| 11 | GCP IAM + workload identity | Third cloud provider. Wiz covers this broadly; SV0 covers NHI depth | Build — Phase 2+ |
| 12 | Kubernetes (workload identity) | K8s service accounts, pod identities, RBAC. Wiz is strong here | Build — NHI-specific view only |
Tier 3 — Ecosystem Integrations (Partner or Buy)
| Priority | Integration | Rationale | Decision |
|---|---|---|---|
| 13 | Slack / Teams (outbound) | Finding notifications, workflow integrations | Partner / lightweight build |
| 14 | HashiCorp Vault / CyberArk | Secrets management NHI correlation | Partner integration |
| 15 | SIEM (Splunk, Sentinel) | Export findings for SOC teams | Lightweight export integration |
| 16 | Jira (outbound ticketing) | Issue creation from findings | Lightweight build |
Tier 4 — Defer
| Integration | Why Defer |
|---|---|
| General SAST/SCA code scanning | Crowded market, not NHI-specific, massive investment |
| Container registry scanning | Wiz's strength, not NHI-relevant |
| Vulnerability management tools | Not SV0's value proposition |
| Network security tools | Not NHI-relevant |
| MDR/EDR integrations | Not NHI-relevant |
5.2 Build vs. Buy vs. Partner Framework
| Approach | When to Use | Examples |
|---|---|---|
| Build | Core NHI connectors where the data model and extraction logic ARE the product | Entra ID, ServiceNow, AWS IAM, Power Platform, Salesforce |
| Partner | Ecosystem integrations where SV0 consumes or exports data in standard formats | SIEM export, ticketing, secrets management correlation |
| Buy/Embed | Capabilities where open-source engines exist and building from scratch adds no value | IaC scanning engine (Checkov/tfsec), secrets detection (GitLeaks/TruffleHog) |
5.3 The Code Access Question — Specific Recommendation
Phase 1 (now): IaC scanning for NHI origin tracing
- Scan Terraform, CloudFormation, Bicep, and Kubernetes manifests for service account definitions, role bindings, trust policies
- Use open-source engines (Checkov, tfsec) for the scanning runtime
- Map IaC-defined identities to the SV0 graph: "This IAM role was defined in `infra/terraform/iam.tf`, committed by `jdoe@company.com` on 2025-11-15"
- Requires: GitHub App with `contents: read` on infrastructure repositories only (not all repos)
- Position: "NHI origin tracing" — know where your machine identities were born
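As an added illustration of the Phase 1 idea (not SV0's connector code, and not Wiz's), the following Python parses a constructed Terraform snippet for IAM role definitions and their trust policies, attaches a constructed commit record as each identity's origin, and flags roles whose defining author has left the company. The `SAMPLE_TF` content, the commit metadata and the departed-user set are all constructed; the resource parser is a minimal regex plus brace matcher, not a full HCL parser.

```python
"""NHI origin tracing over IaC: map Terraform-defined identities to file, author and date.

Added illustration only; uses a constructed Terraform snippet and a constructed
commit record instead of a live repository and git history.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an IAM role trusting an EKS OIDC provider (IRSA-style),
# plus a managed-policy attachment. A real run reads this from the repo.
SAMPLE_TF = '''
resource "aws_iam_role" "ingest_worker" {
  name = "ingest-worker"
  assume_role_policy = jsonencode({
    Statement = [{
      Principal = { Federated = "arn:aws:iam::111122223333:oidc-provider/oidc.eks.example" }
      Action    = "sts:AssumeRoleWithWebIdentity"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ingest_worker_s3" {
  role       = aws_iam_role.ingest_worker.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
'''
# Constructed git metadata for the file (the commit sha is a placeholder).
SAMPLE_COMMIT = {"path": "infra/terraform/iam.tf", "author": "jdoe@company.com",
                 "date": "2025-11-15", "sha": "0000000"}

RESOURCE_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')


def _block_body(text, start):
    """Return the text between the brace at `start` and its matching close brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def parse_resources(text):
    """Yield (type, name, body) for every top-level resource block."""
    for m in RESOURCE_RE.finditer(text):
        yield m.group(1), m.group(2), _block_body(text, m.end() - 1)


@dataclass
class OriginGraph:
    nodes: dict = field(default_factory=dict)   # node id -> attributes
    edges: list = field(default_factory=list)   # (source, relation, target)

    def add_node(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)


def trace_identities(tf_text, commit):
    """Build Workload -> Identity -> Permission edges, stamping identities with origin."""
    g = OriginGraph()
    origin = {k: commit[k] for k in ("path", "author", "date", "sha")}
    for rtype, name, body in parse_resources(tf_text):
        ref = f"{rtype}.{name}"
        if rtype == "aws_iam_role":
            g.add_node(ref, kind="Identity", **origin)
            # Trust-policy principals are the workloads allowed to assume the role.
            for principal in re.findall(r'(?:Federated|Service|AWS)\s*=\s*"([^"]+)"', body):
                g.add_node(principal, kind="Workload")
                g.edges.append((principal, "can_assume", ref))
            g.nodes[ref]["assume_actions"] = re.findall(r'Action\s*=\s*"([^"]+)"', body)
        elif rtype == "aws_iam_role_policy_attachment":
            role = re.search(r'role\s*=\s*aws_iam_role\.([\w-]+)\.name', body)
            policy = re.search(r'policy_arn\s*=\s*"([^"]+)"', body)
            if role and policy:
                g.add_node(policy.group(1), kind="Permission")
                g.edges.append((f"aws_iam_role.{role.group(1)}", "has_policy", policy.group(1)))
    return g


def orphan_risk(graph, departed_users):
    """Identities whose defining commit author is no longer at the company."""
    return sorted(n for n, a in graph.nodes.items()
                  if a.get("kind") == "Identity" and a.get("author") in departed_users)
```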
Phase 2 (6-12 months): Secrets scanning in infrastructure repos
- Extend scanning to detect hardcoded credentials, API keys, service account passwords
- Use open-source engines (GitLeaks, TruffleHog) embedded in SV0
- Cross-reference discovered secrets with SV0's credential entity graph
- Position: "Credential exposure surface" — find secrets that map to known NHIs
Phase 3 (12-18 months): Evaluate full code access
- Based on Phase 1-2 adoption data, evaluate whether scanning application code (not just IaC) adds sufficient NHI-relevant value
- Likely finding: application code contains service account references, API endpoint URLs, and authentication patterns that enrich the NHI graph
- If pursued, offer on-premises scanning option for regulated customers
6. How to Beat Wiz
6.1 Where Wiz Is Structurally Weak on NHI
Wiz's strengths — cloud breadth, agentless scanning, infrastructure security graph — are the wrong tool for NHI governance. Here is where SV0 can be categorically better:
1. Cross-system execution chain visibility
Wiz sees NHIs within cloud boundaries. SV0 sees NHIs across system boundaries. The enterprise NHI problem is not "what IAM roles exist in AWS" — it is "what autonomous systems are operating across our entire technology stack, under what identities, accessing what data, and who is accountable."
A CISO's nightmare is not an overprivileged IAM role. It is a ServiceNow automation that calls an Azure API using a service principal created by an employee who left 2 years ago, with permissions that have drifted to include access to production customer data. Wiz's current architecture does not surface this. SV0's cross-system graph can.
2. SaaS automation surface coverage
Based on our research, Wiz does not currently offer visibility into ServiceNow, Power Platform, Salesforce, or Jira automation. These platforms have thousands of NHIs per enterprise — automation rules, flows, scheduled jobs, integration users, OAuth apps — all operating with standing authority that nobody reviews. SV0 appears well-positioned to lead here.
3. Deterministic, auditable findings
Wiz uses ML-based risk prioritization. Every SV0 finding has a walkable, deterministic proof chain — auditors can verify every step. For compliance-driven buyers (financial services, healthcare, government), this is not a nice-to-have. It is a requirement.
4. Ownership lifecycle tracking
Wiz shows what exists now. SV0 tracks the full ownership lifecycle — creation, transfers, reviews, orphaning, decay. The finding is not "this service account has admin access" but "this service account has admin access, was created by Jane Smith who left the company 18 months ago, ownership was never transferred, and no review has occurred."
5. Temporal drift detection
SV0 detects when configurations change — when a service account gains new permissions, when an automation's egress boundary expands, when an identity's execution pattern shifts. Wiz provides snapshot-based analysis; SV0 provides longitudinal change detection.
6.2 The Positioning Play
Do not position SV0 as a Wiz competitor. Position SV0 as the platform that answers the questions Wiz does not currently address:
| Wiz answers | SV0 answers |
|---|---|
| "What cloud resources are misconfigured?" | "What autonomous systems are operating across your stack?" |
| "What IAM roles have excessive permissions?" | "What execution chains cross system boundaries under orphaned identities?" |
| "What vulnerabilities are exploitable?" | "What NHIs have drifted from their approved configuration?" |
| "What attack paths exist to sensitive data?" | "Who owns this automation, and is that ownership still valid?" |
Complementary positioning for deals where Wiz is already installed: "Wiz secures your cloud infrastructure. SV0 secures the identities that operate it — especially in ServiceNow, Power Platform, and cross-system automation chains."
Head-to-head positioning for NHI-focused deals: "Wiz's NHI dashboard shows you cloud service accounts. SV0 shows you every non-human identity across your entire technology stack — cloud, SaaS, and on-premises — with deterministic evidence, ownership tracking, and cross-system execution chain visibility."
6.3 What Would Make a CISO Choose SV0
Scenario 1: Alongside Wiz
A CISO already has Wiz for cloud security. They need SV0 because:
- Their auditors are asking about ServiceNow automation governance
- An incident involved a forgotten integration user with access to production data
- They are deploying AI agents (Bedrock, Foundry) and need execution-chain visibility
- The board is asking "how many machine identities do we have and who owns them" — Wiz can answer for cloud, SV0 answers for everything
Scenario 2: Instead of Wiz (NHI budget)
A CISO has budget specifically for NHI/machine identity security. They are evaluating Token Security, Astrix, Oasis, and SV0. SV0 wins because:
- Cross-system execution chains (Token and Astrix do per-system identity graphs but not cross-system execution tracing at SV0's granularity)
- Deterministic evidence model (competitors use ML — SV0's proof chains are auditable)
- Evidence packs with SHA256 integrity hashing (we found no comparable offering in competitor products reviewed)
- Read-only connector model (zero blast radius vs. Token's automated remediation)
Scenario 3: Regulatory-driven NHI audit
A financial services firm has a regulatory requirement to inventory and govern all non-human identities. Wiz shows them cloud NHIs. Token/Astrix show them per-platform NHIs. SV0 shows them the full picture with deterministic, auditable evidence packs that satisfy regulatory requirements.
6.4 Strategic Moves to Accelerate
1. Integration velocity
The single biggest competitive gap vs. Token Security (50+ integrations) is connector count. SV0 must ship connectors aggressively. The Connector SDK approach (Extract -> Transform -> Diff -> Load with NormalizedGraph) enables parallel development. Target: 10+ production connectors within 12 months.
2. NHI-scoped GitHub/GitLab integration
Do not build a code scanner. Build an "NHI origin tracer" — scan IaC repos for service account definitions, OAuth app configurations, and trust policies. Map these to the SV0 identity graph. This gives SV0 a code-to-identity story without competing with Wiz Code on AppSec.
3. Wiz integration (inbound)
Build a Wiz integration that ingests Wiz's cloud NHI data into SV0's graph. This turns Wiz from competitor to data source — SV0 enriches Wiz findings with cross-system context, ownership tracking, and temporal drift. From a sales perspective, this makes SV0 complementary rather than competitive.
4. Open-source NHI discovery tool
Ship a free, open-source tool that discovers NHIs across common platforms (Entra, AWS, GitHub). Token Security's free tools (AI Privilege Guardian, GCI) are effective lead-generation assets. SV0 needs equivalent developer community presence.
5. MCP Server for NHI queries
Token Security built an MCP server that lets CISOs query their NHI environment via Claude, ChatGPT, or Cursor. SV0 should build the same — "show me all orphaned execution paths with external egress" as a natural language query. This is a low-effort, high-visibility feature.
6. Named customer logos and evidence
Wiz has BMW, Snowflake, Morgan Stanley. Token has HPE, Elastic, Udemy. SV0 needs design partner logos on the website, even if they are smaller companies. Social proof is table stakes for enterprise sales.
6.5 The 10x Question: Where Can SV0 Be 10x Better?
- Cross-system NHI chain visibility: No competitor traces ServiceNow -> Azure -> AWS execution chains with deterministic evidence. This is genuinely unique.
- Temporal NHI drift detection: Showing exactly when and how NHI configurations changed, with evidence pack history. Nobody else does this.
- SaaS automation surface: We found no evidence of deep visibility into ServiceNow Business Rules, Power Automate flows, or Salesforce automation as NHI surfaces in reviewed competitors (Wiz, Token, Astrix, Oasis). Potential first-mover advantage.
- Evidence pack auditability: SHA256-hashed, version-chained, timestamped evidence bundles. Auditors can independently verify findings. No competitor offers this level of forensic rigor.
- Authority path model: Full Workload -> Identity -> Credential -> Role -> Permission -> Resource -> Data Domain chains with execution evidence and temporal trends. Wiz has attack paths focused on infrastructure vulnerabilities. SV0 has authority paths focused on NHI execution.
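An added example (not SV0's actual evidence-pack format) of what a SHA256-hashed, version-chained, timestamped evidence bundle for the ServiceNow -> Entra SP -> Azure chain described under Gap 2 can look like, together with an independent verifier that catches an edited or reordered hop. The hop records, finding id and timestamps are constructed.

```python
"""Hash-chained evidence pack for a cross-system NHI execution chain.

Added illustration of the evidence-pack idea (SHA256-hashed, version-chained,
timestamped); not SV0's real format. All hops and timestamps are constructed.
"""
import hashlib
import json

# Constructed execution chain, one record per hop, in the order the chain executes.
SAMPLE_HOPS = [
    {"system": "ServiceNow", "entity": "Business Rule: sync_incidents", "evidence": "sys_script record"},
    {"system": "ServiceNow", "entity": "Integration User: svc.azure.sync", "evidence": "sys_user record"},
    {"system": "ServiceNow", "entity": "REST Message: azure-mgmt", "evidence": "sys_rest_message record"},
    {"system": "Entra ID", "entity": "Service Principal: app-azure-sync", "evidence": "servicePrincipal object"},
    {"system": "Azure", "entity": "Role Assignment: Reader @ prod-rg", "evidence": "roleAssignment"},
    {"system": "Azure", "entity": "Storage Account: prodcustomerdata", "evidence": "resource manifest"},
]

GENESIS = "0" * 64  # chain anchor when a pack has no previous version


def _digest(obj):
    """Canonical JSON -> SHA256 hex, so the same evidence always hashes the same."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def build_evidence_pack(hops, finding_id, observed_at, previous_pack_hash=None):
    """Chain every hop to the one before it; the first hop chains to the prior pack version."""
    entries, prev = [], previous_pack_hash or GENESIS
    for i, hop in enumerate(hops):
        entry = {"step": i, "prev": prev, "observed_at": observed_at, **hop}
        entry["hash"] = _digest(entry)       # hash covers step, prev, timestamp and hop data
        entries.append(entry)
        prev = entry["hash"]
    return {"finding_id": finding_id, "version_parent": previous_pack_hash,
            "entries": entries, "pack_hash": prev}


def verify_evidence_pack(pack):
    """Recompute the chain from the parent hash; any edited, reordered or dropped hop breaks it."""
    prev = pack["version_parent"] or GENESIS
    for i, entry in enumerate(pack["entries"]):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["step"] != i or body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return prev == pack["pack_hash"]


def tamper_detected(pack, step, key, value):
    """True if changing one field of one hop in a copy of the pack is caught by verification."""
    forged = json.loads(json.dumps(pack))
    forged["entries"][step][key] = value
    return not verify_evidence_pack(forged)
```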
Sources
Wiz Documentation and Blog Posts
- Wiz Integrations Catalog
- Wiz Non-Human Identities Dashboard
- Wiz Code: Security Across GitHub, GitLab, and Azure Repos
- Wiz Code ASPM with Code-to-Cloud Context
- Introducing Wiz SAST
- The Wiz Approach to Agentless Scanning
- Wiz Defend: Agentless Workload Detection
- Wiz Defend Platform
- Wiz CIEM
- Wiz Runtime Sensor
- WIN 2026: Building the AI Security Ecosystem
- Wiz GitHub Security Posture Management
Market Research
- Wiz Statistics 2026 — ElectroIQ
- Oasis Security $120M Raise — SiliconANGLE
- NHI Access Management Market — Meticulous Research
- Top 10 NHI Security Tools 2026 — GitGuardian
- CSA State of Non-Human Identity Security
- 2026 NHI Reality Report — Cyber Strategy Institute
Partner Announcements
SV0 Internal Documents Referenced
- `sv0-documentation/docs/architecture/05-connectors.md` — Connector framework interface contract
- `sv0-documentation/docs/integrations/azure/index.md` — Azure identity-plane integration spec
- `sv0-documentation/docs/integrations/servicenow/index.md` — ServiceNow integration for W1
- `sv0-documentation/docs/product/market-research/2026-03-31-aws-integration-competitive-analysis.md` — AWS competitive analysis (Veza, Wiz, CrowdStrike, Prisma, Orca, SailPoint, Saviynt)
- `sv0-documentation/docs/product/market-research/2026-03-19-rsac-2026-competitor-analysis.md` — RSAC 2026 competitor analysis (Token Security, Geordie AI, Realm Labs, Fig Security)
- `sv0-documentation/docs/architecture/research/2026-03-30-aws-integration-strategy.md` — AWS integration strategy
- `sv0-documentation/docs/architecture/research/2026-03-30-aws-nhi-workload-identity-surface.md` — AWS NHI entity catalog