The platform

The governance runtime, not a governance suite.

A runtime for composing the exact access flows your business runs on. Every flow travels one pipeline — automated, manual, or hybrid.

Intent-based. Versioned. Audit-ready by default.

The building blocks

Six primitives. One runtime.

These are the pieces your governance is made of. Every primitive is first-class in the model; Functions are version-managed. The cards below show each one with a concrete peek — a real schema fragment, a real Function signature, a real Form preview.

Resources

Anything your business grants access to.

any system, not just appscustom formsper-resource policy

Functions

Sandboxed TypeScript as an approval step, a fulfillment path, an admin action, an endpoint, a provisioning hook, a reviewer resolver, and more.

many modesper-version secretsallowlisted outbound

Forms

Custom request intake per Resource.

any shapeper-resourcevalidated

Hooks

Pre and post steps on connector-fulfilled provisioning operations, conditional and Function-backed.

conditionalfunction-backedpre + post

Expressions (OEL)

A lightweight DSL for value transforms across attributes, policies, and mappings.

DSLzero-configsafe evaluation

Custom Actions

Admin quick-action buttons on identity and request screens, defined by you.

identity + requestfunction-backeddefined by you

Every primitive has its own deeper dive in Extensibility.

Request to reality

One pipeline. Every flow.

Every access change — an approved request, a direct assignment, a timed-access extension, a revocation — travels the same pipeline. Operations are intent-based and versioned: you describe the desired state, and Owlie generates a plan to get there. Retries are idempotent. Overlapping changes converge by version, not by timing luck. Connector automation, manual ticket fulfillment, and custom Function logic all land through the same contract, with the same audit trail.

Intent-based.
You describe desired state; Owlie plans and executes.
Versioned.
desired_version and applied_version per assignment; concurrent changes converge instead of racing.
Unified.
Connector automation, manual work, and Functions all travel the same lane.

Verification

Sync doesn't just watch. It checks.

Owlie watches the systems you've connected and compares observed state against intended state. Configurable policies decide what to do when they differ — adopt the remote change, flag it for review, preserve intent and reconcile, or quietly ignore. When a provisioned account stops being observed (source feed hiccup, sync run filtered), Owlie marks it stale rather than blindly deleting it. Drift becomes a signal, not a surprise.

Policy-driven drift handling.
Adopt, flag, preserve, or ignore — per source.
Stale-not-delete.
Provisioned records survive sync gaps.

Proof

Evidence runs with the work.

Every operation carries a target version. Every reconciliation attempt writes a step-by-step journal with status, timing, and structured error capture. Every successful apply persists the observed state in the same transaction that advances the version counter — so "what we think we applied" cannot drift from "what we recorded as applied." Audit answers come from the system itself, not from screenshots and Slack threads reconstructed at audit time.

Per-step execution journal.
Every step recorded: status, timing, error context.
Actual-state snapshots.
Persisted alongside the applied version.
Atomic apply and projection.
Evidence is the commit, not a side effect.

Connectivity

Connectors where you can. Builder where you can't.

Owlie ships native connectors across identity, HR, ticketing, and collaboration. The identity core — Google Workspace, Microsoft Entra ID, Auth0, Okta, and Active Directory — gets full provisioning: create, update, disable, revoke, and entitlement grants. Systems of record like BambooHR and Workday are read as sources of truth, not written to. For everything else, an in-app connector builder covers the long tail — configuration-driven, with AI assistance where useful, and Functions filling in whatever the built-in primitives can't express. Your internal systems don't need a six-figure integration project.

Google Workspace · Microsoft Entra ID · Auth0 · Okta · Active Directory

See all integrations →

Built for security-sensitive access work.

  • Tenant-scoped encryption for every secret.

    Bound to declared usage context; cross-tenant replay fails closed.

  • Tenant-scoped sessions, one auth surface to audit.

    Every internal service authenticates through the same place.

  • Trust Center and SOC 2 program in progress.

    Formal review materials at trust.owlie.com.

Compose the governance your business actually runs on.

Early access is open. Start with your real access flows, not a vendor's template.