Cambia Health Solutions brings “secure every install” to life with Koi

Within two weeks of deploying Koi, Cambia's security team had complete visibility into 220,000+ software installations across 14 marketplaces and registries - with continuous risk scoring and governance from day one.

“Koi frees our developers to use the tools they want, with confidence that what they install has been inspected.”

Steve Hawkins
Director of Security Architecture and Engineering, Cambia Health Solutions
14
Software Marketplaces Governed

Browser extensions, IDE plugins, and package registries under continuous enforcement.

220k
Software Installations Discovered

Mapped with risk scoring and ownership across every endpoint.

2
Weeks from Deploy to Full Visibility

From first deployment to full discovery, scoring, and active policy enforcement.

COMPLETE VISIBILITY ACROSS EVERY INSTALL SOURCE

From browser extensions to AI coding tools, Koi brought every developer-installed application under continuous monitoring and policy enforcement.

INDUSTRY
Health Insurance
REGION
United States

PRIMARY USE CASES

Discovery and inventory for installed software across endpoints (binary and non-binary)

Proactive risk analysis and scoring for extensions and packages (Wings™)

Policy management to allow, block, or require approval for installs

Fast approvals and clear end user messaging so governance does not slow teams down

Agentic activity governance for AI coding tools and MCP-connected workflows

KOI CAPABILITIES USED

Discovery and inventory

Proactive risk analysis and scoring by Wings™

Preventive policies (auto approve what’s safe, block what isn’t)

Approval workflows (closed loop)

Agentic activity (AI tool visibility and policy enforcement)

Summary

Cambia Health Solutions adopted Koi to gain full visibility into 220,000+ software installations across 14 marketplaces and registries, apply continuous risk scoring to every item in their developer tooling environment, and enforce governance policies without disrupting developer workflows.


Cambia adopted Koi to make every install visible and actionable, using continuous inventory, risk scoring, and enforceable policy that fits developer workflows.

Challenge

Cambia Health Solutions' developers rely on extensions, code packages, and OS packages to move fast, with emerging AI tooling becoming an increasing part of the workflow. Much of this software is adopted directly by teams - often before security has visibility into what's been installed, where it's running, or what risk it carries. Across 14 marketplaces and registries, the volume of developer-installed software had grown well beyond what traditional intake and review processes were designed to handle.
Cambia's security team needed a way to close that gap without slowing developers down.

Cambia needed to:

  • Continuously identify what is installed and where
  • Add risk context security teams can act on
  • Apply governance without turning every request into a slow bottleneck

Solution

Koi helped Cambia Health Solutions shift from after-the-fact discovery to proactive governance.

1. Unified visibility across install sources

  • Koi surfaced the extension and tooling footprint across Cambia’s environment so security could answer, “What is installed, where is it running, and who is using it?”
  • Koi also integrated with Cambia’s Artifactory so policies could be enforced on third-party packages before they reached developer environments or build pipelines.

2. Risk context mapped to what matters

Cambia Health Solutions focused on categories that consistently create exposure:

  • Extensions with low adoption and limited scrutiny
  • Items removed upstream that remain installed internally
  • Publisher trust signals that inform install decisions
  • Developer tools with broad system-level permissions
  • High sensitivity categories like password managers, especially when multiple tools proliferate

3. Governance that keeps developers moving

Cambia Health Solutions wanted a closed-loop flow where requests do not disappear into a queue. Koi supports approval workflows where decisions update policy and developers get clear feedback on the reason, not silent failures.

4. Ready for AI-era software intake

As AI-assisted development expands, Cambia Health Solutions adopted Koi's Agentic Activity capabilities to govern how AI coding tools and agent-driven workflows interact with internal systems. Role-based policies ensure different teams get the AI access they need, while MCP servers, AI plugins, and agent-driven workflows remain visible and controlled - preventing AI tooling from becoming the next shadow IT blind spot.

Outcomes

1. Immediate risk reduction

Within the first scan, Koi surfaced risk patterns across Cambia's environment that traditional endpoint and procurement tools had no visibility into - spanning developer dependencies, browser extensions, and AI tooling.

Supply-chain dependency monitoring

Known risks in widely-used open source dependencies, continuously tracked across active endpoints.

Developer tool permission analysis

Tools with broad system-level access identified and assessed against security policy.

Marketplace removal detection

Items removed from their source for policy violations, flagged when still running internally.

Publisher trust assessment

Extensions from publishers exhibiting risk indicators, surfaced for security review.

Sensitive category consolidation

Multiple overlapping tools in regulated categories surfaced for consolidation.

Low-scrutiny software detection

Niche tools with minimal install bases and limited community review, flagged for closer inspection.

2. Complete software supply chain visibility

Koi mapped 220,000+ software installations across 14 marketplaces and registries - from browser extensions and IDE plugins to open source packages and AI tooling. For the first time, Cambia Health Solutions' security team could answer: "What is installed, where is it running, and who is using it?"

3. Governance without friction

Cambia Health Solutions deployed automated guardrails - including malware protection, scan-first policies for unreviewed items, version update cooldowns, and automatic remediation of delisted software. Role-based governance profiles ensure policies fit how each team works, rather than applying a single restrictive policy across the organization.

4. Developer velocity preserved

With continuous inspection in place, Cambia Health Solutions was able to replace broad network-level restrictions with targeted, policy-driven controls. Developers can install and update tools through normal workflows, with Koi providing real-time risk visibility rather than blanket blocks.

About Koi

Koi is the pioneer of Agentic Endpoint Security. As AI agents and developer tools gain deep access to sensitive data and systems, Koi provides complete visibility into non-binary software - code packages, browser extensions, IDE plugins, AI agents, MCP servers, and more - that traditional endpoint security wasn't built to see. Koi continuously discovers, risk-scores, and enforces policy across every install, making the agentic endpoint visible and governable for the first time.

“Within one week, we had complete control over all our developer tools.”

Steve Hawkins
Director of Security Architecture and Engineering, Cambia Health Solutions

“It quickly became one of those ‘how did we live without it?’ tools. The visibility changed how we manage this risk.”

Steve Hawkins
Director of Security Architecture and Engineering, Cambia Health Solutions
