Shieldly vs PMapper: AI Policy Review and Fixes vs Account IAM Graphs
PMapper (Principal Mapper) is an open-source tool that pulls the IAM data from an AWS account, builds a directed graph of every principal, and computes which identities can reach administrator access through privilege-escalation edges. It answers a question other tools rarely do: across the whole account, who can become admin and by what chain. Shieldly approaches escalation from the other direction — it is an AI-Powered analyzer that reads a single IAM policy or CloudFormation template, explains the risky pattern in plain English, and returns the tightened version, free and with no account access. These two are the closest in intent of any tools on this list, and they work well together.
What PMapper Is Great At
Account-wide reachability analysis. Because PMapper builds a graph of every principal and their permissions, it can show that user A can assume role B, which can modify policy C, which leads to admin — a multi-hop path that spans separate identities. That cross-principal view is its real strength, and it is the right tool when you want to understand escalation across an entire deployed account.
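The multi-hop reachability idea above, as an added example that is not PMapper's code or data format: a simplified principal graph with constructed edges, searched breadth-first for the shortest chain from each principal to an admin. All principal names other than user A, role B and policy C, and the function and constant names, are assumptions for illustration.

```python
from collections import deque

# Constructed sample graph (not PMapper output). An edge (src, dst, reason)
# means principal src can obtain the access of principal dst.
EDGES = [
    ("user/A", "role/B", "can assume role B"),
    ("role/B", "role/Admin", "can modify policy C, which grants admin"),
    ("user/D", "role/E", "can assume role E"),
    ("role/E", "role/B", "can assume role B"),
    ("role/B", "role/E", "can assume role E"),  # cycle between B and E
    ("user/F", "role/ReadOnly", "can assume role ReadOnly"),
]
ADMINS = {"role/Admin"}

def build_graph(edges):
    """Adjacency list that also contains principals with no outgoing edges."""
    graph = {}
    for src, dst, reason in edges:
        graph.setdefault(src, []).append((dst, reason))
        graph.setdefault(dst, [])
    return graph

def path_to_admin(graph, admins, start):
    """Shortest list of (src, dst, reason) hops from start to an admin, else None."""
    if start in admins:
        return []  # already admin, no escalation needed
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, reason in graph.get(node, []):
            if dst in parent:
                continue  # already visited; this also terminates cycles
            parent[dst] = (node, reason)
            if dst in admins:
                hops = []
                while parent[dst] is not None:  # walk back to the start
                    src, why = parent[dst]
                    hops.append((src, dst, why))
                    dst = src
                return hops[::-1]
            queue.append(dst)
    return None

def escalation_report(edges, admins):
    """Map every principal in the graph to its shortest admin chain (or None)."""
    graph = build_graph(edges)
    return {p: path_to_admin(graph, admins, p) for p in sorted(graph)}
```

Calling `escalation_report(EDGES, ADMINS)` returns the chain per principal; a value of `None` means no path to admin exists in the modelled edges.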
Where Shieldly Fits
PMapper analyzes what is already in the account; it needs IAM read access and the full set of principals to build its graph. Shieldly analyzes a policy as text, before it is deployed. If an engineer is writing or reviewing a single policy in a pull request, Shieldly explains the escalation risk in that document and hands back a corrected version — without pulling account data or building a graph.
It is also lower-friction for the authoring loop: paste a policy into the web app for AI-Powered findings in around ten seconds, or run the @shieldly/cli, the VS Code extension, the GitHub Action, or the @shieldly/cdk-guard construct. No credentials, no graph build.
Side by Side
Use Both
PMapper and Shieldly cover the same threat — privilege escalation — at two different scopes. PMapper sees the account graph; Shieldly catches the risky policy before it becomes a node in that graph.
- Use PMapper periodically to map account-wide escalation paths across all principals.
- Use Shieldly at PR time so a policy that would add a new escalation edge is explained and fixed before it ships.
- When PMapper flags a principal as risky, drop the offending policy into Shieldly to get the plain-English reason and a tightened version.
For a breakdown of individual escalation techniques, see the AWS IAM privilege escalation reference.
AWS is a trademark of Amazon.com, Inc. PMapper / Principal Mapper is a trademark of its respective owner. Shieldly is not affiliated with or endorsed by any of them. Comparisons reflect public information as of 2026 and general product categories.