Immuta Reveal Policies: Precision Access for Modern Data Governance

Matt Carroll, CEO & Co-founder
Published November 19, 2025

Data provisioning, securely delivering the right data to the right people or systems at the right time, has always required balancing protection and access. In data governance, that tension is a constant. Organizations need to secure sensitive data broadly, masking all personally identifiable information (PII), for example, but they also need to enable specific users, roles, or systems to see that masked data in the clear when appropriate. Traditionally, doing both has been a painful experience. Managing thousands of masking policies and exception groups to handle every permutation of access simply doesn’t scale.
Immuta Reveal Policies change that. This new capability separates the act of restricting data from the act of revealing data, making governed, precise data access practical at scale.

The problem: When protection and access collide

Most data platforms and governance tools handle masking through a single, monolithic policy:

“Mask all columns tagged PII for everyone except members of group Central IT.”

This approach tightly couples blocking and revealing. To give a new user access to one specific kind of PII, such as an address, the only options are to:

  • Add them to Central IT: This is not feasible if they aren’t part of Central IT.
  • Create a new group, add them to it, and edit the policy to add that group as an exception: This gives them access to all PII, not just addresses.
  • Create a new masking policy that targets address, with this group as an exception: This causes masking policy explosion, and you must also ensure the new policy does not overlap with your PII policy.

For large enterprises, relying on the built-in access control capabilities that come with their data platforms quickly becomes a scalability problem. One customer, for instance, had to maintain 14,000 masking policies just to account for all the different ways users might need certain masked data revealed. This not only slows down access requests but also makes governance brittle, as small changes can ripple across thousands of policy definitions.

The solution: Decoupling masking from revealing

Reveal Policies fix this by introducing a clean separation between the two actions:

  1. Masking policies define what’s protected, broadly and globally.
  2. Reveal policies define who can have more specific data revealed, and under what conditions.

This separation allows organizations to define a simple rule like:

“Mask all PII for everyone,”

and then add precise, lightweight exceptions such as:

“Reveal address for users in group ‘Finance’ and ‘Marketing’”
“Reveal address for users in group ‘Engineering’”

For a column tagged both PII and address, these resolve to:

“Mask PII for everyone except users in group (‘Finance’ and ‘Marketing’) or group ‘Engineering’”

Instead of managing thousands of overlapping masking rules, teams can apply one global policy and then surgically open access through targeted reveal policies. These exceptions merge automatically with existing masking policies, creating a single unified view of what each user is allowed to see — no duplication, no conflict.

How it works: Simplifying masking and exceptions

Technically, a reveal policy works by merging with the masking policy’s exception logic. For every masked column, Immuta evaluates:

  • The masking policy’s existing exceptions (if any), and
  • Any reveal policies that apply to the same column.

If both apply, Immuta merges them into a single effective exception list. Grant exceptions can be defined in several flexible ways:

  • By group: Reveal columns tagged fruit.banana for members of group banana.
  • By attribute: Reveal columns tagged PII for users with attribute SecurityLevel=High.
  • By tag matching: Reveal columns for everyone whose group matches the column tags.
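To make the merge concrete, here is an added Python model, constructed for this post and not Immuta’s own engine or API, that evaluates each masked column against one global masking policy plus a list of reveal policies and returns what a given user sees in the clear. It reads the “Finance and Marketing” reveal as requiring both groups, as in the resolved policy above, and assumes hypothetical names such as a SecurityLevel attribute and an ssn column.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical policy model (not Immuta's engine or API) showing how one
# global masking policy and several narrow reveal policies merge per column.

@dataclass
class User:
    groups: set
    attributes: dict = field(default_factory=dict)

@dataclass
class RevealPolicy:
    tag: str                                        # column tag this reveal targets
    groups: set = field(default_factory=set)        # user must be in ALL listed groups
    attributes: dict = field(default_factory=dict)  # user must carry every key=value
    group_matches_tag: bool = False                 # a user group must equal a column tag
    def applies(self, user, column_tags):
        if self.tag not in column_tags:
            return False
        if self.groups and not self.groups <= user.groups:
            return False
        if any(user.attributes.get(k) != v for k, v in self.attributes.items()):
            return False
        return not self.group_matches_tag or bool(user.groups & column_tags)

@dataclass
class MaskingPolicy:
    tag: str            # mask every column carrying this tag ...
    except_groups: set  # ... for everyone except members of these groups

def is_masked(user, column_tags, masking, reveals):
    """True if the column stays masked after merging the masking policy's own
    exceptions with every reveal policy that applies (all are OR-ed together)."""
    if masking.tag not in column_tags:
        return False                      # column not in scope of the masking policy
    if user.groups & masking.except_groups:
        return False                      # masking policy's own exception
    return not any(r.applies(user, column_tags) for r in reveals)

MASK_PII = MaskingPolicy(tag="PII", except_groups={"Central IT"})   # constructed sample
REVEALS = [
    RevealPolicy(tag="address", groups={"Finance", "Marketing"}),
    RevealPolicy(tag="address", groups={"Engineering"}),
    RevealPolicy(tag="PII", attributes={"SecurityLevel": "High"}),
    RevealPolicy(tag="PII", group_matches_tag=True),   # group name equals a column tag
]
COLUMNS = {"address": {"PII", "address"}, "ssn": {"PII", "ssn"}}   # constructed columns

def visible_columns(user):
    """Columns this user sees in the clear under MASK_PII plus REVEALS."""
    return sorted(c for c, t in COLUMNS.items() if not is_masked(user, t, MASK_PII, REVEALS))
```

Note that a user in Finance alone sees nothing extra: the first reveal requires both Finance and Marketing, which is what the parenthesised resolution above expresses.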

This model can scale down to a single global policy that handles thousands of unique access scenarios, even across regions, teams, or data domains. It also allows federation of policy ownership, sometimes termed federated governance: users in a domain can author surgical Reveal Policies for their own data without being the same people who wrote the broad global masking policies.

Why It’s Better: Delivering technical and business impact

Reveal Policies deliver both immediate operational benefits and long-term governance value:

  • Scalability: Replace thousands of masking policy permutations with a handful of reusable, composable policies.
  • Flexibility: Empower domains or data product owners to reveal masked columns safely without touching global governance rules.
  • Federation: Exceptions to policies can be managed by users who cannot edit the original masking policies.
  • Speed: Automate and accelerate access provisioning — what once took days of manual review can now be granted instantly and safely.

In Immuta’s Data Access Request Workflow, this capability means users can request and receive masking exceptions without administrators having to prebuild every possible combination of masking and exception rules. It turns governed data access into an efficient, scalable workflow rather than a bureaucratic bottleneck.

The future of data provisioning

Reveal Policies represent a fundamental shift in how data governance scales. By decoupling restriction from access, they pave the way for truly dynamic, federated governance — where global teams can protect everything by default but still grant precise, compliant access exactly where it’s needed.

This is what it means to be The Data Provisioning Company. Immuta’s goal is to make governed access effortless, across domains, across clouds, and eventually, across AI systems that will one day act as data consumers themselves.

With Reveal Policies, governed access becomes not just possible, but practical — delivering security, speed, and trust at enterprise and AI scale.
