For compliance

Evidence by construction.

You produce proof that controls other teams run. Identity is where that proof goes thin: a policy PDF that says a human approved, a checkbox that says MFA's on, a screenshot that says the access was right. ScrambleID makes identity controls that emit their own evidence. Every authentication, approval, and revocation lands as a signed, tamper-evident record you can hand an auditor.

Agentic oversight

Your audit scope is adding agents.

Oversight regimes are converging on one demand: a human stays accountable for what an AI agent does. The EU AI Act wants human oversight under Article 14, with the records to back it under Article 12. ISO 42001 and the NIST AI RMF want it governed. CoSAI is writing it for agentic identity. A policy PDF and a training log speak to intent. The auditor's question is narrower: who was in the loop for this specific action?

ScrambleID answers it with a signature. Every high-impact agentic action carries signed, action-bound human consent. The highest-impact ones carry two, under dual-control. And a delegation-tracing audit chain shows which human stood behind which agent, action by action. When the auditor says show me the oversight, you have a record, not a narrative.

See the per-action product story on Actions, and the control mapping on the coverage map.

Self-evidencing controls

The evidence exists because the control ran.

The eight controls don't wait for someone to remember to capture proof. They emit it. Every authentication, every approval, every revocation lands as a customer-signed, tamper-evident record. The chain is yours, and it exports to your SIEM by construction. You're not reconstructing what happened from logs after the fact. The control and its evidence are the same event.

Customer-signed chains

Every record is signed with a key you hold. Tamper-evident by construction, verifiable without taking our word for it.

Verifiable records

Authentication, approval, revocation. Each one is a record an auditor can check, not a log line you have to vouch for.

SIEM export

Evidence flows to your SIEM as it's created. Your retention, your queries, your control.

The full control-to-framework map lives on the coverage map. Our own attestations live in the Trust center.

The dividend

What auditors fail you on is what the rail makes structural.

Access controls are where audits break. Not because teams don't try, but because the control depends on people doing the right thing every time and proving it later. The rail removes the human step that fails and the proof step that gets skipped. The control holds because it's cryptographic, and the evidence exists because the control ran.

The numbers say the same thing. In PCI DSS, identity is the second-most-compensated requirement in the standard, and 27.9% of organizations sustained full compliance between audits (Verizon Payment Security Report). In SOX programs, 63% of audit and finance executives name IT access controls as the area with the most deficiencies (Protiviti, 2024). The rail is built for the control these numbers keep failing.

The reframe

Your attestations are underwriting documents now.

A questionnaire answer, a certification in progress, an MFA checkbox. Regulators fine against them. Insurers void coverage against them. The gap that matters has shifted: from attested versus unattested, to claimed versus provable.

| What you attest | What you can prove |
| --- | --- |
| MFA is enabled. | A hardware-bound signature on every authentication. |
| A human approves high-risk actions. | A signed consent record bound to the action. |
| Access was revoked. | A timestamped revocation record in your SIEM. |
| Controls are in place. | A tamper-evident chain you can replay. |

$2,000,000

An August 2025 consent order carried this penalty. A path that skipped MFA was among the cited violations.

NYDFS. Universal MFA enforceable November 2025.

Void from inception

A cyber insurer obtained rescission of a policy when the insured's MFA attestations didn't survive the claim.

U.S. federal court, 2022. Travelers v. ICS.

Coverage

The frameworks an auditor will name.

Each one maps to named controls on the coverage map. These are the deep links a compliance officer scans for.

See all eight families and forty-five rows on the coverage map.

Operate

Made for the day-to-day, not the audit scramble.

Evidence on request

Ask for the chain behind any authentication, approval, or revocation. It's signed and verifiable without taking our word for it.

SIEM export

Records flow to your SIEM as they're created. Your retention, your queries.

Procurement package

Vendor risk, legal, and privacy reviews pull from one package. See the procurement package.

Our own posture

The attestations and evidence behind ScrambleID itself live in the Trust center. Visit the Trust center.

Next step

Bring your hardest control. We'll show you the evidence it emits.

A working session on your actual obligations. Bring the requirement an auditor keeps flagging, and we'll walk the signed record the rail produces for it.