Symmetry Systems DataGuard is the only DSPM platform built around an identity-first rather than data-first architecture. Where most DSPM platforms start with a data inventory and add access context as enrichment, DataGuard starts with the identity layer and builds a graph of what each identity can access, at what level of permission, on which data objects. The result is a different kind of risk picture: not "this data store contains PII" but "these 47 identities can access this PII store, 31 of them have not accessed it in 90 days, and 4 of them have permissions inconsistent with their role." For Zero Trust programs and data sovereignty requirements, this framing is more operationally useful.
Architecture
DataGuard connects to cloud environments via API and builds a graph database that maps the relationships between identities (human users, service accounts, roles) and data objects (S3 objects, database tables, storage blobs). The graph is built at the object level, not the bucket or table level, so its permission and access visibility is more granular than most DSPM platforms provide.
The graph model allows DataGuard to answer queries that flat-table inventory systems cannot: which identities have access to data classified as PHI across all cloud environments, which of those accesses are legitimate based on job function, and what the blast radius would be if a specific identity were compromised. These queries run against a continuously updated graph rather than requiring a new scan.
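The queries described above can be sketched over a small identity-to-object graph. This is an added illustration, not DataGuard's code or data model; the identities, objects, labels and access dates are constructed, and the function names are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample graph; identity and object names are hypothetical.
TODAY = date(2024, 6, 1)
# identity -> roles it can assume (identity-to-identity edges)
ASSUMES = {
    "alice": ["analyst-role"],
    "ci-bot": ["deploy-role"],
    "deploy-role": ["analyst-role"],
}
# identity -> {object: permission} (identity-to-data edges, per object)
GRANTS = {
    "alice": {"s3://hr/payroll.csv": "read"},
    "analyst-role": {"s3://clinic/visits.parquet": "read", "db.patients.notes": "read"},
    "deploy-role": {"s3://build/artifacts.tar": "write"},
}
LABELS = {"s3://clinic/visits.parquet": "PHI", "db.patients.notes": "PHI",
          "s3://hr/payroll.csv": "PII"}
# (identity, object) -> last observed access
LAST_ACCESS = {
    ("alice", "s3://hr/payroll.csv"): date(2024, 5, 20),
    ("alice", "s3://clinic/visits.parquet"): date(2024, 1, 5),
    ("ci-bot", "s3://build/artifacts.tar"): date(2024, 5, 31),
}

def effective_access(identity):
    """All objects reachable from an identity, following role-assumption edges."""
    seen, stack, access = set(), [identity], {}
    while stack:
        node = stack.pop()
        if node in seen:  # guards against cycles in role chains
            continue
        seen.add(node)
        access.update(GRANTS.get(node, {}))
        stack.extend(ASSUMES.get(node, []))
    return access

def blast_radius(identity, label=None):
    """Objects exposed if this identity's credentials were compromised."""
    return sorted(o for o in effective_access(identity)
                  if label is None or LABELS.get(o) == label)

def unused_grants(identity, days=90):
    """Reachable objects the identity has not accessed within the window."""
    cutoff = TODAY - timedelta(days=days)
    return sorted(o for o in effective_access(identity)
                  if LAST_ACCESS.get((identity, o), date.min) < cutoff)

def identities_with(label):
    """Every principal whose effective access includes an object with this label."""
    return sorted(i for i in set(ASSUMES) | set(GRANTS) if blast_radius(i, label))
```

Note that `ci-bot` holds no direct grant on PHI but reaches it through two role-assumption hops, which is the kind of path a flat per-store inventory does not surface.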
Classification is integrated but secondary to the identity mapping. DataGuard classifies data to provide context to the identity graph, not as a primary workflow. Organizations that need deep classification accuracy as a standalone output will find DataGuard less purpose-built for that use case than Cyera or Concentric AI.
Key capabilities
Object-level identity-to-data graph. The core architecture. A continuously maintained graph of which identities can access which data objects, at what permission level, and what operations they can perform. This is the most granular identity-data mapping available in the DSPM market.
Blast radius analysis. Given a specific identity or set of credentials, DataGuard can compute what data would be exposed in a compromise scenario. This is a direct input to incident response planning and Zero Trust architecture reviews.
Least-privilege gap analysis. Identifies where identities hold permissions they do not use, measured against the data they actually need to access. Produces actionable recommendations for scope reduction that are grounded in observed behavior rather than policy assumptions.
Data sovereignty and residency mapping. Tracks where specific data objects reside across cloud regions and which identities in which locations have access. For organizations subject to data residency requirements (GDPR Article 46, APRA, and similar), this is the most direct tool for demonstrating compliance.
Zero Trust alignment. DataGuard's output maps directly onto Zero Trust architecture principles: verify explicitly (know exactly who has access), use least privilege (find and close access gaps), assume breach (compute blast radius before incidents happen). Organizations actively implementing Zero Trust data access controls find DataGuard's framing more useful than classification-centric alternatives.
Strengths
- Object-level identity-to-data mapping is more granular than any other DSPM platform
- Blast radius analysis is a direct input to Zero Trust and incident response programs
- Data sovereignty and residency tracking is purpose-built for compliance with cross-border data transfer requirements
- Graph-based architecture enables queries that flat inventory systems cannot answer
- Agentless deployment is fast; no endpoint management required
Limitations
- Classification depth is not the platform's primary design goal; buyers needing deep classification accuracy should evaluate Cyera or Concentric AI
- Shadow data discovery is less developed than purpose-built shadow data platforms
- On-premises coverage is limited; the architecture is cloud-native
- Smaller installed base than Cyera, Varonis, or BigID; fewer publicly available case studies
- As a smaller pure-play, acquisition risk is a consideration
Symmetry DataGuard is the right platform for organizations actively implementing Zero Trust data access controls, for security architects who need object-level identity-to-data mapping rather than bucket-level inventory, and for organizations subject to data sovereignty and residency requirements that need to demonstrate compliance at the identity and object level.
It is not the right fit for buyers whose primary need is classification accuracy and coverage breadth, for compliance teams whose workflows are DSAR and audit reporting, or for organizations with significant on-premises data estates. For those buyers, Cyera, BigID, or Varonis are more appropriate starting points.