Summary
Cambia Health Solutions’ developers rely on extensions, code packages, and OS packages to move fast, with emerging AI tooling becoming an increasing part of the workflow. Much of this software is self-provisioned, bypassing traditional intake and review. The result is a persistent blind spot: security often sees risk only after software is already in use.
Cambia adopted Koi to make every install visible and actionable, using continuous inventory, risk scoring, and enforceable policy that fits developer workflows.
Challenge
Developer tooling changes constantly and is often adopted directly by teams, outside standard procurement and review. That introduces real risk, especially when extensions and packages can connect to external services, pull in vulnerable dependencies, or remain installed even after being removed upstream.
Cambia needed to:
- Continuously identify what is installed and where
- Add risk context security teams can act on
- Apply governance without turning every request into a slow bottleneck
Solution
Koi helped Cambia shift from after-the-fact discovery to proactive governance.
1. Unified visibility across install sources
- Koi surfaced the extension and tooling footprint across Cambia’s environment so security could answer, “What is installed, where is it running, and who is using it?”
- Koi also integrated with Cambia’s Artifactory so policies could be enforced on third-party packages before they reached developer environments or build pipelines.
2. Risk context mapped to what matters
Cambia focused on categories that consistently create exposure:
- Extensions with low adoption and limited scrutiny
- Items removed upstream that remain installed internally
- Signals linked to compromised publishers
- Remote code execution exposure in developer tooling
- High-sensitivity categories like password managers, especially when multiple tools proliferate
3. Governance that keeps developers moving
Cambia wanted a closed-loop flow where requests do not disappear into a queue. Koi supports approval workflows where decisions update policy and developers get clear feedback on the reason, not silent failures.
4. Ready for AI-era software intake
As AI-assisted development expands, Cambia emphasized governance for AI-related tooling and policies, including managing which AI vendors and services are permitted.
Outcomes
With Koi, Cambia gained faster visibility into developer-installed software and a practical governance model that reduces risk without disrupting productivity.
About Koi
Koi secures anything with an install button. It provides continuous discovery, risk analysis by Wings™, and enforceable policy controls for both binary and non-binary software, making install risk visible and actionable before it reaches endpoints.
“It quickly became one of those ‘how did we live without it?’ tools. The visibility changed how we manage this risk.”