CASE 08 · BEACON · 2026
Guardrails that stop drift before HIPAA notices.
A digital health company expanded from one clinical product to three, ran into HIPAA audit findings on configuration drift, and asked for guardrails strict enough to stop drift but loose enough to ship. We built a tiered Service Control Policy framework, tested it against three months of historical CloudTrail, and rolled it to ninety accounts.
Digital health
LANDING ZONE
2026
RESULTS
What changed, by the numbers.
HIPAA FINDINGS: −100%
SCPS DEPLOYED: 34
BLAST-RADIUS TESTS: 184
DEV VELOCITY: 0%
HOW IT WENT
The first conversation was about the SCP graveyard the team had buried. Two years earlier, someone had tried to lock everything down with a single deny-all SCP and got rolled back inside a day. The institutional memory was: SCPs are a bad idea.
We staged it differently. Every proposed SCP was replayed against three months of CloudTrail in a shadow account to identify what would have failed. Engineers got a list of the API calls each SCP would block before it shipped. We rolled the strictest tier (production-clinical) first, then loosened progressively for sandbox tiers. CFN Guard validated infrastructure before deploy.
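One way to do the CloudTrail replay described above, as an added example that is not the engagement's tooling: a minimal Python evaluator for Deny-only SCPs run over CloudTrail records, reporting which historical calls each statement would have blocked. The policy, account id, ARNs and events are constructed samples, and the semantics are simplified (Action/NotAction with an optional StringNotEquals on aws:RequestedRegion, Resource assumed to be "*", and the IAM service prefix taken from eventSource, which is not exact for every service).

```python
import fnmatch

# Constructed sample SCP for a production-clinical tier (not the engagement's policy).
PROPOSED_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyTrailTamper", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Sid": "DenyOutsideRegions", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:*", "organizations:*"],  # global services stay reachable
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, action):  # IAM action match: case-insensitive, '*' and '?' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def scp_denies(scp, action, region):
    """Sid of the first Deny statement that would block the call, else None (simplified
    semantics: Action/NotAction and an optional StringNotEquals on aws:RequestedRegion)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            hit = _matches(stmt["Action"], action)
        else:
            hit = not _matches(stmt["NotAction"], action)
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if hit and (allowed is None or region not in _as_list(allowed)):
            return stmt.get("Sid", "<no Sid>")
    return None

def replay(scp, events):
    """Map each Sid to the (principal, action) pairs it would have blocked in the history."""
    blocked = {}
    for ev in events:
        action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]  # 'ec2.amazonaws.com' -> 'ec2'
        sid = scp_denies(scp, action, ev["awsRegion"])
        if sid:
            blocked.setdefault(sid, []).append((ev["userIdentity"]["arn"], action))
    return blocked

SAMPLE_EVENTS = [  # constructed CloudTrail records standing in for three months of history
    {"eventSource": s, "eventName": n, "awsRegion": r, "userIdentity": {"arn": a}}
    for s, n, r, a in [
        ("cloudtrail.amazonaws.com", "StopLogging", "us-east-1", "arn:aws:iam::111122223333:role/deploy"),
        ("ec2.amazonaws.com", "RunInstances", "eu-west-1", "arn:aws:iam::111122223333:role/deploy"),
        ("s3.amazonaws.com", "PutObject", "us-west-2", "arn:aws:iam::111122223333:role/app"),
        ("iam.amazonaws.com", "CreateRole", "us-east-1", "arn:aws:iam::111122223333:role/deploy"),
    ]]
```

The output of replay() is the per-statement list handed to engineers before the SCP ships; an empty dict for a tier means the policy would not have changed any historical outcome.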
The next HIPAA audit closed with zero configuration findings, the first time in three years. Engineering velocity (measured in PR-to-deploy cycle time) was unchanged. Two engineers can now spin up a new HIPAA-eligible account in ninety minutes.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.