03Best practices
Axiom works the day you connect it. It works well the week you tune it. These nine practices are how teams running Axiom in production avoid the mistakes the early adopters made — without paying for that experience themselves.
When to read this
Axiom supports three autonomy tiers: Scan-only, Recommend, and Execute-with-approval. For the first week, stay on Scan-only. You're learning what Axiom catches and how its priorities map to your actual operational pain.
Recommendation: Stay on Scan-only for 7 days. Move to Recommend in week 2. Only enable Execute-with-approval once you've reviewed ~10 recommendations and trust the agent's judgment.
Blast radius caps how many resources a single approved plan can touch. The default is 5, which works for most teams. For high-stakes accounts (production payment APIs, etc.), set it to 1 or 2.
Recommendation: Production accounts: blast radius ≤ 2. Staging: ≤ 5. Dev: unlimited. Override per environment in your charter config.
The External ID is the second factor that authorizes Axiom to assume your read-only role. Rotating it every 90 days limits the window any leaked role ARN could be exploited (in the unlikely event the ARN leaks; we never log it).
Recommendation: Set a calendar reminder. Rotate in your AWS console + paste the new External ID into Axiom. Old ID auto-expires.
By default, any workspace admin can approve any plan. For regulated environments, configure two-step approval: one engineer drafts, one (different) approves. Both must be in the org's RBAC role allowlist.
Recommendation: SOC 2 / compliance environments: enable two-step approval for plans tagged 'high-risk'. Configure in /dashboard/approvals.
Axiom emits alerts via Slack, PagerDuty, Opsgenie, and webhooks. When a finding crosses your severity threshold, you want it in the same surface your team already monitors — not an Axiom inbox they have to remember to check.
Recommendation: Connect at least one alert sink before the first scan. /dashboard/notifications.
Ad-hoc scans are fine for exploring. Scheduled daily scans are what catch drift before it becomes a Friday-evening incident. Pick a time outside your peak load.
Recommendation: Schedule: 02:00 UTC daily. Coverage: all regions. Run takes <2 min for typical accounts.
Every approval, execution, and rollback writes a sha-256-signed audit row. Default retention is 1 year. Don't lower this — incident postmortems often need to look back 6 months.
Recommendation: Retention: 365 days (default). Export to your SIEM weekly if you have one.
Some finding categories are unambiguously safe — orphaned EBS volumes, unused Elastic IPs, expired access keys. As trust builds, mark those categories as auto-approvable so Axiom handles them while you focus on the harder ones.
Recommendation: Start with orphaned-resource cleanup. Never auto-approve IAM changes or anything touching production routing.
Even with daily scans, take 30 min once a month to flip through the trend graphs in /dashboard/analytics. Look for: which categories keep recurring (process gap), which fixes get rejected (Axiom's reasoning has a blind spot), which accounts produce 80% of the findings (concentration risk).
Recommendation: Recurring calendar invite. Platform lead + one ops engineer. 30 min max.
Don't
Security model
What's stored, what's not.
Audit logs
Retention + export.
Troubleshooting
When things go sideways.
Need a human?
Most flows are documented — but we'll help if anything is unclear.