01
Cryptographic floor for the IAM stack
One substrate beneath IdP, IGA, PAM, and CIAM. Every event signed at the same primitive, not stitched across four log streams.
Cryptographic floor
under your IAM stack.
ScrambleID adds the cryptographic proof your IdP, IGA, PAM, and CIAM can't deliver alone. One substrate. Every event signed. Production-ready in 14 days.
02
Evidence, not narrative
Cryptographic proof per authentication event. Which key signed, when, on which device, against which verifier. Audit becomes math.
03
JIT cryptographic provisioning
Standing privilege becomes scoped, signed, time-bound proof per action. No long-lived API keys. No shared service accounts.
04
Layered on. Not a replacement.
Your IdP, IGA, PAM, and CIAM stay in place. ScrambleID is the cryptographic layer underneath, not another tool above.
Four claims · 01-04
Four IAM components.
One substrate underneath.
Your IAM stack is four functional categories. Each does its job. Each issues authentication events. ScrambleID is the cryptographic layer underneath all four that signs every event with hardware-bound proof. The stack stays intact. The math becomes uniform.
Authentication events
IdP
Identity provider
- Okta
- Microsoft Entra
- Ping Identity
- ForgeRock
Authenticates users to apps. Issues sessions.
IGA
Identity governance
- SailPoint
- Saviynt
- Entra ID Governance
- Oracle IGA
Provisions, certifies, audits access.
PAM
Privileged access
- CyberArk
- BeyondTrust
- Delinea
- HashiCorp Vault
Controls and records privileged sessions.
CIAM
Customer identity
- Auth0
- Okta CIC
- Entra External
- Ping CIAM
Authenticates customers and partners.
ScrambleID
Cryptographic substrate
Hardware-bound private keys. Per-event cryptographic signatures. One primitive every layer above reads from.
Stack stays intact
Okta, SailPoint, CyberArk, Auth0, whatever you run. Unchanged. ScrambleID layers underneath, not on top.
Cryptographic substrate
The new layer. Hardware-bound keys, per-event signatures. One primitive serving every layer above.
Every event signed
Provisioning, login, JIT request, privileged session, attestation, recovery. All cryptographic. All auditable.
Eight dimensions of structural shift.
Each row pairs how IAM operations work today across IdP, IGA, PAM, and CIAM with what they become when cryptographic proof rides underneath. Not features bolted on. Consequences of the foundation changing.
With today's IAM stack
With ScrambleID substrate
01
Provisioning (JML)
Manual workflows. Hours-to-days for new hires. Stale entitlements for movers. Orphan accounts after leavers. SCIM connectors that drift.
Cryptographic key issuance at provisioning. Identity exists when the key is enrolled, gone when the key is revoked. No drift between IdP and downstream apps.
02
Standing privileged access
80%+ of privileged access is standing. JIT is a goal that rarely happens because the friction is too high to gate every request.
JIT cryptographic provisioning. Privileged proof issued per action, scoped, time-bound. Standing privilege stops being the default.
03
Access recertification
Quarterly campaigns. Managers rubber-stamp because the data is stale, the UI is bad, and the consequence of revoking is breakage. Audit accepts because there's no better evidence.
Cryptographic event-based attestation. Every access decision is signed. Recertification reviews cryptographic evidence of usage, not a manager's recollection.
04
Privileged session audit
Session recording plus log scraping. Attribution inferred from caller ID and session ID. Evidence is narrative, subject to dispute.
Cryptographic session signatures. Every privileged action carries a proof of which hardware-bound key authorized it. Audit becomes math.
05
Service account credentials
Rotating shared secrets. API keys in vaults. Service accounts that "cannot be revoked without breaking production." Non-human identity outnumbers human 82-to-1.
Scoped cryptographic identity per agent. No shared secrets. Each service action carries a per-request signature. Revocation is one API call.
06
Third-party identity
Federation plus shared passwords. Vendor accounts that persist beyond engagement. Partner access reviewed annually if at all. Customer SSO that depends on the partner's IdP not getting breached.
Cryptographic proof on every third-party interaction. Vendor access expires with the vendor's cryptographic credential. Partner trust doesn't depend on transitive IdP security.
07
Recovery
Password reset is the weakest path. Account takeover starts with help-desk social engineering. SMS-based recovery is the residual attack surface.
Hardware-backed enrollment, no password fallback. Recovery uses the same cryptographic primitives as primary auth. The weakest path is closed.
08
Cross-IAM audit trail
Stitched logs from IdP plus IGA plus PAM plus CIAM. Reconciliation is manual, slow, and incomplete. SIEM ingests but can't prove integrity.
Cryptographic chain of custody. Every authentication event signed at the substrate. One log stream of cryptographic proofs, queryable across the stack.
Each IAM layer,
with the substrate underneath.
Your IdP, IGA, PAM, and CIAM each do their job. What changes when cryptographic proof rides underneath is specific to each layer. Four panels, four transformations.
IdP layer
Okta · Entra · Ping · ForgeRock
Cryptographic verification on every IdP event
Login, SSO, federation, MFA. Each event carries a hardware-bound signature. Your IdP's session tokens get cryptographic backing. Phishing resistance by construction. Compatible with SAML 2.0, OIDC, SCIM.
- +Hardware-bound key signs every authentication event
- +Per-event proof attaches to SSO, MFA, federation flows
- +Token theft stops being a viable attack path
IGA layer
SailPoint · Saviynt · Entra ID Gov · Oracle
Cryptographic evidence for every governance event
Provisioning, recertification, role assignment, separation-of-duties checks. Each event carries a signature, not a log entry. Audit campaigns review cryptographic evidence of actual usage, not narrative reconstructed from session IDs. Compatible with SailPoint, Saviynt, Entra ID Governance, Oracle IGA.
- +Per-event cryptographic signature on every governance action
- +Recertification reviews cryptographic evidence, not narrative
- +Provisioning issues cryptographic keys, not credentials
PAM layer
CyberArk · BeyondTrust · Delinea · HashiCorp Vault
JIT cryptographic provisioning + session signatures
Standing privilege gives way to per-action signed proof. Every privileged session carries a cryptographic signature: which key, which session, which action, against which verifier. Service accounts get scoped cryptographic identity per agent. Compatible with CyberArk, BeyondTrust, Delinea, HashiCorp Vault.
- +JIT cryptographic proof per privileged action
- +Per-session cryptographic signatures
- +Service accounts get scoped cryptographic identity
CIAM layer
Auth0 · Okta CIC · Entra External · Ping CIAM
Recovery without a fallback path to phish
Customers enroll once with hardware-backed proof. Login is a tap. Account takeover (the largest CIAM fraud vector) loses its entry point because there's no password to steal and no SMS code to intercept. Workforce and customer identity share the same cryptographic primitive. Compatible with Auth0, Okta CIC, Entra External, Ping CIAM.
- +Hardware-backed customer enrollment, no password to phish
- +Recovery uses the same primitive as primary auth
- +Shared substrate across workforce + customer identity
Concrete IAM workflows.
Operational change, end to end.
Six scenarios IAM leaders carry as KPIs. Today's flow plus ScrambleID's flow, side by side.
Scenario 01
Joiner / mover / leaver
Today
Manual provisioning workflow. New hire waits hours-to-days for full access. Movers carry stale entitlements until quarterly review. Leavers leave orphan accounts in 3-5 SaaS apps that nobody catches for weeks.
With ScrambleID
Cryptographic key issuance at hire. Access exists when the key is enrolled, scoped to role. Movers' old keys revoke instantly when role changes. Leaver's keys revoke at termination. Every downstream app stops accepting the key in the same API call.
Scenario 02
Just-in-time privileged access
Today
Standing privilege because JIT friction is too high. Quarterly access reviews catch unused permissions, sometimes. Audit findings about over-provisioning are routine.
With ScrambleID
Request comes in. Cryptographic proof issued for the specific action. Proof expires at action completion. Standing privilege stops being the default because JIT is now seamless. Audit findings about over-provisioning drop because over-provisioning doesn't happen.
Scenario 03
Account recovery (lost device)
Today
User calls helpdesk. Helpdesk asks knowledge-based questions. Attacker who reads LinkedIn plus breach data passes. Account takeover. Average detection lag: weeks.
With ScrambleID
User enrolls new device through verified channel (in-person, cryptographic peer recovery, or hardware-backed escrow). Old device's keys revoke instantly across every system. No password to reset, no KBA to defeat.
Scenario 04
Third-party / partner identity
Today
Federation handshake (SAML/OIDC). Trust the partner's IdP not to be breached. Partner offboarding requires manual coordination, frequently missed.
With ScrambleID
Cryptographic proof on every third-party interaction. Partner credentials carry expiry plus revocation per the substrate. Offboarding the partner revokes their cryptographic identity in one API call.Every downstream system stops accepting their proof.
Scenario 05
Privileged session control
Today
PAM gates the privileged session. Session recording captures activity. Attribution is inferred from session ID plus caller IP. Forensics relies on narrative reconstruction.
With ScrambleID
Each privileged action within the session carries its own cryptographic signature. Attribution is mathematical: which key signed which action at which moment. Forensics reads cryptographic proof, not log fragments.
Scenario 06
Access certification campaign
Today
Quarterly campaign sends manager 50+ access decisions. Manager rubber-stamps because the data is stale and consequences of revoking are unclear. Audit accepts because there's no better evidence.
With ScrambleID
Campaign surfaces cryptographic evidence of actual usage per access. Manager sees what was used vs what was granted. Decisions get evidence-backed, not memory-backed. Audit gets cryptographic proof of the review itself.
Each IAM layer is strong at what it does.
ScrambleID adds the cryptographic floor every layer needs.
ScrambleID isn't a peer to your IdP, IGA, PAM, or CIAM. It's the substrate underneath. The honest side-by-side: what each layer covers today, and what it gains with cryptographic proof riding underneath.
Layer
Today's capability
With ScrambleID substrate
IdP
Okta, Entra, Ping, ForgeRock
SSO. MFA. Federation. Session management.
Cryptographic proof on every authentication event. Token theft stops working. Phishing resistance by construction.
IGA
SailPoint, Saviynt, Entra ID Gov, Oracle
Provisioning workflows. Access certification. Role mining. Separation of duties enforcement.
Cryptographic evidence per governance event. Recertification reviews cryptographic usage, not narrative. Audit becomes math.
PAM
CyberArk, BeyondTrust, Delinea, Vault
Privileged credential vaulting. Session recording. Privileged session control.
JIT cryptographic provisioning. Per-action cryptographic signatures. Service accounts get scoped cryptographic identity.
CIAM
Auth0, Okta CIC, Entra External, Ping CIAM
Customer authentication. Social login. Account recovery. Federated identity.
Hardware-backed customer enrollment. Recovery without fallback to phish. Shared cryptographic primitive with workforce identity.
ScrambleID stays in place. The four IAM tools stay in place. The substrate is additive; no rip-and-replace, no migration of users, policies, or workflows.
Cryptographic evidence makes IAM compliance structural.
Your IGA platform keeps its lane.
Standards-aligned at the cryptographic layer. ScrambleID provides cryptographic proof for every authentication event. IGA controls (separation of duties enforcement, role mining, certification workflows) remain your IGA platform's responsibility.
Cryptographic attestations
0x7a2f9c1d…e8c41b02
SOC 2 Type II
AICPA TSC 2017
Audited by Schellman
2025-07 to 2026-06 . Unqualified
0xb19e4f76…3d8ca47f
ISO 27001:2022
Information Security Management System
Certified by [auditor]
2024-09 . Valid through 2027-09
0x3d8c2a4f…9e6b1f02
FIDO2 / WebAuthn compliant
Hardware-bound authenticator
FIDO Alliance aligned
2024-11 . AAL3 aligned
Hash prefix is the first/last bytes of the SHA-256 over the signed attestation document. Full manifest at /trust/manifest.json
What we align with
NIST · SP 800-63-4
IAL + AAL framework
Requires
Hardware-bound multi-factor cryptographic authenticator with a non-exportable private key and phishing resistance. Identity assurance levels (IAL) for identity proofing; authenticator assurance levels (AAL) for authentication.
Delivers
AAL3 aligned: hardware-bound private keys, origin-bound signatures, phishing-resistant. IAL: identity proofing stays with your IdP.
NIST · 800-53
Access Control family (AC-3, AC-6, AU-2, IA-2)
Requires
Access enforcement, least privilege, audit events, identification and authentication. Federal control framework.
Delivers
Cryptographic enforcement of access policy at the authentication event. Per-event audit signatures. AC and IA controls strengthened by cryptographic primitives.
ISO · 27001:2022
A.5 (policies) + A.8 (asset management)
Requires
Organizational controls (A.5): identity management, access control. Technological controls (A.8): cryptography, authentication mechanisms.
Delivers
SOC 2 Type II controls map directly to A.5 and A.8. Cryptographic authentication primitives satisfy A.8 cryptography requirements.
SOX · Section 404
Separation of duties + privileged access controls
Requires
Internal controls over financial reporting. Privileged access to financial systems requires documented review. Separation of duties enforced.
Delivers
Cryptographic evidence of every privileged access event to financial systems. SoD enforcement remains your IGA's responsibility; we provide the cryptographic audit trail.
Operational commitments
99.95%
Monthly uptime SLA
24h
Breach notification window
24×7
P1 incident response
What IAM leaders actually ask.
How does this work with my existing IGA platform?
ScrambleID is the cryptographic verification layer underneath your IAM stack. Your IGA platform (SailPoint, Saviynt, Microsoft Entra ID Governance) keeps owning provisioning workflows, access certification, role mining, separation-of-duties enforcement. ScrambleID adds cryptographic proof per governance event: every provisioning action, every recertification decision, every role grant carries a signature. Recertification reviews then see cryptographic evidence of actual usage, not narrative reconstructed from session IDs. Audit becomes math.
Does this replace my PAM platform?
No. CyberArk, BeyondTrust, Delinea, HashiCorp Vault: your PAM keeps owning credential vaulting, session recording, privileged session control.ScrambleID is additive, not replacement. What changes: JIT cryptographic provisioning replaces standing privilege as the default. Every privileged action within a session carries a per-action cryptographic signature. Service accounts get scoped, revocable, audited identity per agent. The PAM's existing session-control workflows continue; the substrate strengthens them.
What about CIAM customer journeys? Won't customers reject downloading another app?
They don't have to. The cryptographic ceremony embeds natively in your existing customer-facing mobile app via SDK. Your wordmark, your colors, your typography. They never download anything called "ScrambleID." Fallback path for users without your app: cryptographic verification through a browser flow. The "my customers won't install another app" objection is structural, not real. They already have yours.
How does this fit into joiner/mover/leaver provisioning?
At joiner: cryptographic key enrollment at hire. Access exists when the key is enrolled, scoped to role. At mover: old keys revoke instantly when role changes; new keys issue for the new role. At leaver: cryptographic identity revokes at termination. The revocation is one API call; every downstream app stops accepting the key in the same moment. No orphan accounts. No stale entitlements. No drift between IdP and downstream apps.
What's the audit trail story for governance events?
Every authentication event carries a cryptographic signature: which hardware-bound key signed, when, on which device, against which verifier. Audit becomes evidence, not narrative. The signatures are tamper-evident; a missing or modified record fails cryptographic verification. SIEM ingestion is supported (CEF, JSON streams). For governance-specific events (provisioning, role grants, attestations), the signatures attach at the IGA event boundary too. Your existing IGA logs gain cryptographic backing.
How does recovery work without weakening security?
Recovery is designed in. The user enrolls a new device through a verified channel: in-person, cryptographic peer recovery (trusted contacts), or hardware-backed escrow. The lost device's keys revoke instantly across every system. No password to fall back to, so no fallback attack. Recovery uses the same cryptographic primitives as primary auth, not a weaker shadow path.
How does this handle third-party / partner identity?
Cryptographic proof on every third-party interaction. Partner identities carry expiry plus revocation at the substrate layer. Offboarding the partner revokes their cryptographic identity in one API call. Every downstream system stops accepting their proof in the same moment.Partner trust stops depending on transitive IdP security. If the partner's IdP gets breached, the attacker still can't forge a cryptographic proof your substrate accepts.
AAL3 alignment. What does that mean? What about IAL?
ScrambleID is AAL3 aligned per NIST SP 800-63-4: hardware-bound multi-factor cryptographic authenticator with phishing resistance. Formal AAL3 certification applies to end-to-end systems and depends on your full configuration; the rail gives you the authenticator that clears the bar. On IAL: identity proofing (verifying the person is who they say they are at enrollment) stays with your IdP or proofing provider. ScrambleID adds cryptographic AAL on top of the IAL workflows you already run.
How does this map to SOX separation-of-duties requirements?
ScrambleID provides cryptographic evidence of every privileged access event to systems in SOX scope. SoD enforcement remains your IGA platform's responsibility (the policies, the role definitions, the conflict detection). What ScrambleID adds: cryptographic audit trail for every privileged action; the SoD-relevant evidence (who accessed what, when, with what authorization) is signed at the cryptographic substrate. Auditors get cryptographic proof, not log reconstruction. For SOX-relevant procurement reviews, SOC 2 Type II is the standard third-party evidence; full report in the procurement package.
Customer references in IAM specifically?
Yes. Named customer references with reviewer permission, matched to industry segment and IAM use case, available on request. References are provided after a mutual NDA. Contact procurement@scrambleid.com.
Your stack governs who. The rail proves it and gates what acts: a human in the loop, a supervisory agent on it, an independent agent outside the lineage, one signed chain from intent to execution.
See how the rail gates an actionAI agents are identities your IdP was never built to see.
Give them one that's native, not a service-account hack.
45-minute IAM architecture review. Bring your stack topology (IdP, IGA, PAM, CIAM), your hardest provisioning, privileged-access, or agent-identity scenario, and your audit ask. We'll walk the substrate in your context.