Trust and compliance

Eight controls.
Every framework you answer to.

Compliance is structural, not paperwork. The same eight cryptographic controls that stop credential attacks are the controls your auditors keep asking you to evidence. This page maps them, framework by framework: what we hold, what we align with, and where we support your obligations.

Status taxonomy

HELD
A credential we hold today. Evidence available on request.
ALIGNED
Our architecture meets the standard's technical requirements by construction.
SUPPORTS
The regulation binds you. We give you controls that implement named requirements.
IN PROCESS
Authorization underway.

Control reference

C1
Hardware-bound keys. Generated in the secure enclave, never exported.
C2
Origin-bound signatures. Phishing-resistant by construction.
C3
One rail, eight surfaces. Voice, web, people, frontline, agent, machine, bot, workload.
C4
Per-action consent. Signed human approval for high-impact agentic actions.
C5
Customer-signed audit chains. Tamper-evident, verifiable, yours.
C6
Instant revocation. Kill any credential, agent, or workload identity rail-wide.
C7
Help-desk verification. Cryptographic proofing where social engineering actually wins.
C8
No shared secrets. Machine, bot, and workload credentials are asymmetric keys, with nothing to rotate or leak.

And the part that isn't a control: the rail layers on the IdP you already run. Okta, Entra, Ping, ForgeRock, anything OIDC or SAML. Nothing to rip out.

Financial services and payments

These bind you, not us. Our controls implement the requirements your auditors name.

PCI DSS 4.x · Requirements 8 and 10
SUPPORTS: C1 · C2 · C5 · C6 · C8

Phishing-resistant authentication into the CDE, system accounts on keys instead of shared secrets, and the trail Requirement 10 expects.

SOX · Section 404 ITGC
SUPPORTS: C1 · C5 · C6 · C8

Access to financial systems under IT general controls, service and system accounts included, with a signed, tamper-evident trail.

GLBA · Safeguards Rule
SUPPORTS: C1 · C2 · C7

MFA for any individual accessing any information system. 16 CFR 314.4(c)(5), implemented in hardware.

FFIEC · Authentication guidance
SUPPORTS: C1 · C2 · C7

Phishing-resistant, layered authentication for the institutions the guidance covers.

NYDFS · 23 NYCRR 500.12
SUPPORTS: C1 · C2 · C6 · C7

MFA everywhere Part 500 now demands it: every user, every system, including the help-desk reset path attackers actually use.

DORA · Article 9 ICT risk controls
SUPPORTS: C1 · C2 · C5 · C6 · C7 · C8

Strong authentication, named in the regulation and live since January 2025. The rail is how financial entities evidence it.

PSD2 SCA · RTS dynamic linking
SUPPORTS: C1 · C2 · C4

Every payment authenticated against its amount and payee. Dynamic linking is per-action consent under another name.

SWIFT CSP · CSCF Control 4.2
SUPPORTS: C1 · C2 · C6

Mandatory MFA, attested every year, with a floor that keeps rising. The rail clears it by construction.

RBI Directions 2025 · Authentication mechanisms
SUPPORTS: C1 · C2 · C4

A transaction-unique factor on every digital payment, with issuer liability when it's missing.

US government and defense

FedRAMP · Authorization
IN PROCESS

Authorization in process.

CMMC · IA.L2-3.5.3
SUPPORTS: C1 · C2

Multifactor for privileged and network access, derived from NIST SP 800-171.

NIST SP 800-171 r3 · 03.05.03
SUPPORTS: C1 · C2 · C8

MFA for controlled unclassified information, binding every federal contractor through DFARS, not just the CMMC-assessed.

OMB M-22-09 · Federal Zero Trust strategy
SUPPORTS: C1 · C2

The memo that defined phishing-resistant for the whole market. WebAuthn is in; codes are out.

CISA ZTMM v2 · Identity pillar, Optimal
ALIGNED: C1 · C2 · C3 · C6

Optimal-stage identity: phishing-resistant MFA with continuous validation. The rubric's top box, by construction.

CJIS v6.0 · Identification and authentication
SUPPORTS: C1 · C2 · C3 · C7

MFA on every touch of criminal justice information, auditable since late 2024. Frontline-ready for the shared terminals police actually use.

IRS Pub 1075 · IA controls for FTI
SUPPORTS: C1 · C2

MFA for every account that can reach federal tax information.

Healthcare and life sciences

HIPAA · Security Rule technical safeguards
SUPPORTS: C1 · C2 · C5 · C7

Implements the access-control, authentication, and audit-control technical safeguards your covered entity has to evidence.

DEA EPCS · 21 CFR 1311
SUPPORTS: C1 · C2 · C4

Two-factor and a signing ceremony on every controlled-substance prescription. Per-action signing is the named requirement, not an inference.

FDA 21 CFR Part 11 · Electronic records and signatures
SUPPORTS: C4 · C5

Signatures linked to records, audit trails that hold up. Part 11's ask is the ledger's design.

HITRUST CSF v11 · Access control category
SUPPORTS: C1 · C2 · C3 · C5

The assurance vehicle healthcare buys with. Identity controls map straight into its access-control category.

Critical infrastructure and national baselines

NERC CIP · CIP-005 interactive remote access
SUPPORTS: C1 · C2 · C8

MFA on every interactive remote path into the bulk electric system.

NIS2 · Article 21(2)(j)
SUPPORTS: C1 · C2 · C3 · C6

MFA, written into EU law and live in most member states, arriving in the rest.

Essential Eight · Phishing-resistant MFA, ML2 and ML3
SUPPORTS: C1 · C2 · C7

Phishing-resistant MFA at the maturity levels Canberra audits against.

Cyber Essentials · User access control
SUPPORTS: C1 · C2

MFA on every internet-facing service, with passkeys formally in. Without it, certification is a hard fail.

CERT-In Directions · Logging mandate
SUPPORTS: C5

180 days of ICT logs, producible on demand. Customer-held chains answer it without a scramble.

Privacy and digital identity

Our own posture as a processor lives in the Trust center. These cells are about your obligations.

GDPR · Article 32
SUPPORTS: C1 · C5 · C7

Security of processing: state-of-the-art authentication and tamper-evident logs.

CCPA · Reasonable security
SUPPORTS: C1 · C7

Reasonable security procedures, the kind the private right of action tests.

LGPD · Articles 46 to 49
SUPPORTS: C1 · C3

Security measures from conception. Brazil's Article 32.

PIPEDA · Principle 7 safeguards
SUPPORTS: C1 · C3

Safeguards proportional to sensitivity, with the technology named.

DPDP Rules 2025 · Rule 6 safeguards
SUPPORTS: C1 · C5 · C6

Named minimums: access control and logs that can catch an intruder. Penalties that reach Rs 250 crore.

ISO 27701:2025 · Privacy information management
SUPPORTS: C1 · C5

Standalone certifiable since 2025. Identity controls feed the privacy management system.

eIDAS 2.0 · EUDI Wallet readiness
SUPPORTS: C2 · C3

Wallet acceptance is coming for regulated relying parties. The rail speaks the same primitives.

The hard part

The controls the market fails
are the eight we build in.

Every figure here is a control somebody couldn't hold, paid to compensate around, or got fined for missing. Each ties back to one of the eight.

27.9%

That's how many organizations sustain full PCI compliance between audits. Requirement 8, authentication, is the second-most-compensated control in the standard; "compensated" is the assessor's term for a control you couldn't meet on your own.

C1 · C2 · C8 · Source: Verizon Payment Security Report, 2020 and 2022

63%

Of audit and finance executives, that many name IT access controls as the control area with the most deficiencies. The ledger's weakest link is who can reach it.

C5 · C6 · C8 · Source: Protiviti SOX Compliance Survey, 2024

AAL2 ceiling

Synced passkeys cap at AAL2. AAL3 wants a hardware-bound, non-exportable, phishing-resistant key, so the mass-market passkey form stops one tier short. The rail's floor is what AAL3 asks for.

C1 · C2 · Source: NIST SP 800-63B Supplement 1, 2024

Intent, by design

NIST wrote authentication intent into AAL3 to stop software from using your authenticator without you. Agents are that problem at scale. Per-action signed consent is intent, industrialized.

C4 · Source: NIST SP 800-63B-4, Section 3.2.8

$2,000,000

Universal MFA became enforceable in November 2025. A consent order that August carried a $2,000,000 penalty against a firm whose cited violations included a path with no MFA. Posture is a named enforcement priority now.

C1 · C2 · C7 · Source: NYDFS, 2025

82 to 1

Machine identities outnumber humans 82 to 1, and half of organizations report an incident tied to a compromised machine identity. The fastest-growing identity population is the one still holding shared secrets.

C8 · Source: CyberArk, 2025

$100M

CISA documents the technique plainly: phone the service desk, talk your way to a reset, own the account. One hospitality operator disclosed roughly $100 million in quarterly losses after exactly that. The help desk is the control everyone has and few can prove.

C7 · Source: CISA AA23-320a, 2023

Framework by framework

What each one requires.
What the rail delivers.

NIST · SP 800-63-4

AAL3 cryptographic authenticator

Requires

Hardware-bound multi-factor cryptographic authenticator with a non-exportable private key and phishing resistance. Syncable passkeys excluded.

Delivers

Private keys are generated in the secure enclave and never leave it. Origin-bound signatures are phishing-resistant by construction, not by user training. Intent is an AAL3 requirement: proof the human meant to authenticate, not just that their authenticator was reachable. The rail meets it at every ceremony. Actions extends it to the transaction: the approval is signed and bound to what was approved.

FIDO ALLIANCE · FIDO2

WebAuthn and CTAP conformance

Requires

Origin-bound public-key credentials with user presence and verification, attestable authenticators, no shared secrets on the wire.

Delivers

The rail's authenticators implement FIDO2 and WebAuthn ceremonies on every surface that supports them, with the same key custody on the surfaces that don't. ScrambleID is a FIDO Alliance member.

OPENID FOUNDATION · FAPI 2.0

Financial-grade API security profile

Requires

Sender-constrained tokens. Every access token bound to the client that requested it via DPoP or mTLS. Bearer tokens are out.

Delivers

Tokens are key-bound, not bearer. The same proof-of-possession discipline the rail applies to humans applies to every API credential.
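To show what "key-bound, not bearer" means at the resource server, here is an added Go example written for this page; it is not ScrambleID's API or code. It is a stripped-down DPoP-style exchange (RFC 9449 defines the real JWT/JWK wire format; this keeps the binding logic and drops the encoding). The authorization-server, client and third-party keys, the subject name and the endpoint URLs are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// Signed is a payload plus a detached signature over it.
type Signed struct {
	Body []byte
	Sig  []byte
}

// Token names the subject and the thumbprint (jkt) of the client key it is
// bound to. Simplified in the spirit of DPoP, not its JWT/JWK wire format:
// constructed illustration, not the vendor's API.
type Token struct {
	Sub string `json:"sub"`
	Jkt string `json:"jkt"`
}

// Proof is signed by the client on every request: HTTP method, URL and a
// hash of the token it accompanies (ath), so one proof fits one request.
type Proof struct {
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Ath string `json:"ath"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func thumbprint(pub ed25519.PublicKey) string {
	s := sha256.Sum256(pub)
	return b64(s[:])
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue: the authorization server binds the token to the client's public key.
func Issue(asPriv ed25519.PrivateKey, sub string, clientPub ed25519.PublicKey) Signed {
	body, _ := json.Marshal(Token{Sub: sub, Jkt: thumbprint(clientPub)})
	return Signed{Body: body, Sig: ed25519.Sign(asPriv, body)}
}

// Prove: the client signs the exact request it is about to send.
func Prove(clientPriv ed25519.PrivateKey, method, url string, tok Signed) Signed {
	ath := sha256.Sum256(tok.Body)
	body, _ := json.Marshal(Proof{Htm: method, Htu: url, Ath: b64(ath[:])})
	return Signed{Body: body, Sig: ed25519.Sign(clientPriv, body)}
}

// Accept is the resource server's check: token signed by the AS, proof signed
// by the key the token names, proof bound to this request and this token.
func Accept(asPub ed25519.PublicKey, tok Signed, clientPub ed25519.PublicKey, proof Signed, method, url string) bool {
	if !ed25519.Verify(asPub, tok.Body, tok.Sig) {
		return false
	}
	var t Token
	if json.Unmarshal(tok.Body, &t) != nil || t.Jkt != thumbprint(clientPub) {
		return false
	}
	if !ed25519.Verify(clientPub, proof.Body, proof.Sig) {
		return false
	}
	var p Proof
	ath := sha256.Sum256(tok.Body)
	return json.Unmarshal(proof.Body, &p) == nil && p.Htm == method && p.Htu == url && p.Ath == b64(ath[:])
}

// Demo returns the outcome of a legitimate call, of the same token presented
// with a different key, and of a captured proof reused on another endpoint.
func Demo() (legit, otherKey, reused bool) {
	asPub, asPriv := mustKey()
	clientPub, clientPriv := mustKey()
	otherPub, otherPriv := mustKey()
	url := "https://api.example/accounts" // constructed endpoint

	tok := Issue(asPriv, "client-42", clientPub) // constructed subject
	proof := Prove(clientPriv, "GET", url, tok)
	legit = Accept(asPub, tok, clientPub, proof, "GET", url)

	// A bearer token would be accepted here; a key-bound one is not, because
	// the holder of the token does not hold the key it is bound to.
	otherKey = Accept(asPub, tok, otherPub, Prove(otherPriv, "GET", url, tok), "GET", url)

	// The proof from the legitimate call, reused against a different request.
	reused = Accept(asPub, tok, clientPub, proof, "POST", "https://api.example/transfers")
	return
}
```

Real DPoP proofs also carry a unique id and issue time, and optionally a server-supplied nonce, so that an identical request cannot be replayed inside the proof's validity window; that freshness check is omitted here to keep the binding logic visible.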

NIST · FIPS 140-3

Cryptographic module validation

Requires

Cryptographic operations inside CMVP-validated modules.

Delivers

Server-side key operations run in AWS KMS, in HSMs validated to FIPS 140-3 Security Level 3. Device-side keys are generated in the platform secure enclave and never leave it.

NIST · SP 800-207

Zero Trust architecture

Requires

Verify explicitly. Per-request authentication for every resource access.

Delivers

Cryptographic verification on every request. The rail is Zero Trust's verification layer at the identity tier.

NIST · CSF 2.0

Identify and Protect functions

Requires

Asset and identity inventory; access control; data security; protective technology.

Delivers

Identity inventory at the rail layer. Cryptographic access control. Protective controls are structural, not detective.

ISO · 27001:2022

Information security controls

Requires

Organizational controls (A.5) and technological controls (A.8). Risk-based information security management.

Delivers

SOC 2 Type II controls cover most of the overlap. Identity controls map directly to A.5 and A.8.

COSAI · WORKSTREAM 4

Agentic Identity and Access Management

Requires

Agents as first-class identities. Delegation chains with revocation. Human-in-the-loop or step-up controls for high-impact or irreversible actions.

Delivers

Every agent carries its own cryptographic identity. High-impact actions execute only against signed, action-bound human consent. Dual-control approval (Lockstep) gates the highest-impact actions behind two humans. The audit chain is customer-signed and traces the delegation lineage.

NIST · AI RMF

Govern and Manage functions

Requires

Govern and manage AI risk: accountable access for AI systems, controls on autonomous behavior, traceability of outcomes.

Delivers

Agent identity plus per-action authority is the govern substrate. The signed audit chain is the traceability feed.

ISO · 42001

AI management systems

Requires

An AI management system with human oversight controls and event logging for AI system traceability.

Delivers

Human-in-the-loop consent is enforced cryptographically, not procedurally. The audit chain gives the management system its evidence layer.
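For the customer-signed audit chain that the COSAI, AI RMF and ISO 42001 cells above rely on, here is an added Go example written for this page, not the vendor's format or code. It shows the two properties that make such a chain usable as evidence: each record carries the hash of the record before it, and each record is signed by a key the customer holds, so an edit made without that key is detectable. The actors, actions and delegation records are constructed; the delegation lineage is recovered from the records themselves rather than stored separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Entry is one audit record. Prev carries the hash of the previous entry, so
// editing any record breaks every link after it; Sig is the customer's own
// signature over the entry hash. Constructed format, not the vendor's.
type Entry struct {
	Seq         int    `json:"seq"`
	Actor       string `json:"actor"`                  // human or agent identity
	DelegatedBy string `json:"delegated_by,omitempty"` // who authorised this actor
	Action      string `json:"action"`
	Prev        string `json:"prev"`
	Sig         []byte `json:"sig,omitempty"`
}

func (e Entry) hash() string {
	e.Sig = nil // the hash covers every field except the signature itself
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Chain is held and signed by the customer; the signing key stays with them.
type Chain struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewChain() *Chain {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Chain{priv: priv, Pub: pub}
}

func (c *Chain) Append(actor, delegatedBy, action string) {
	prev := "genesis"
	if n := len(c.Entries); n > 0 {
		prev = c.Entries[n-1].hash()
	}
	e := Entry{Seq: len(c.Entries), Actor: actor, DelegatedBy: delegatedBy, Action: action, Prev: prev}
	e.Sig = ed25519.Sign(c.priv, []byte(e.hash()))
	c.Entries = append(c.Entries, e)
}

// VerifyChain returns the index of the first entry that fails (bad sequence,
// broken link or bad signature), or -1 when the whole chain is intact.
func VerifyChain(pub ed25519.PublicKey, entries []Entry) int {
	prev := "genesis"
	for i, e := range entries {
		h := e.hash()
		if e.Seq != i || e.Prev != prev || !ed25519.Verify(pub, []byte(h), e.Sig) {
			return i
		}
		prev = h
	}
	return -1
}

// Lineage follows delegated_by records back to the human at the root.
func Lineage(entries []Entry, actor string) []string {
	delegator := map[string]string{}
	for _, e := range entries {
		if e.DelegatedBy != "" {
			delegator[e.Actor] = e.DelegatedBy
		}
	}
	path, seen := []string{actor}, map[string]bool{actor: true}
	for next := delegator[actor]; next != "" && !seen[next]; next = delegator[next] {
		seen[next] = true
		path = append(path, next)
	}
	return path
}

// Demo verifies an intact chain, then the same chain after one record is
// edited in place without the signing key, and returns the agent's lineage.
func Demo() (intact, tampered int, lineage []string) {
	c := NewChain()
	c.Append("alice@example.test", "", "delegate: agent-7 may issue refunds up to 100") // constructed
	c.Append("agent-7", "alice@example.test", "refund order-123 amount 40")
	c.Append("agent-7", "alice@example.test", "refund order-456 amount 95")
	intact = VerifyChain(c.Pub, c.Entries)

	edited := append([]Entry(nil), c.Entries...)
	edited[1].Action = "refund order-123 amount 4000"
	tampered = VerifyChain(c.Pub, edited)
	lineage = Lineage(c.Entries, "agent-7")
	return
}
```

Truncation, that is dropping the newest records, is the one edit this verifier cannot see on its own, because the chain stays consistent up to the cut; a practitioner anchors the latest entry hash somewhere the storage operator cannot reach, such as a periodically signed checkpoint, and compares against it.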

EU · DORA

Article 9 ICT risk controls

Requires

Strong authentication for access to ICT systems, with the regulatory technical standards extending it to privileged and remote access.

Delivers

Phishing-resistant, hardware-bound authentication across every access path, customer-held audit chains, and rail-wide revocation. In force since January 2025; the rail is how a financial entity evidences it.

EU · NIS2

Article 21(2)(j)

Requires

MFA or continuous authentication as a named risk-management measure for essential and important entities.

Delivers

Phishing-resistant MFA on one rail across web, voice, and machine access, live in the member states that have transposed and ready for the rest.

EU · PSD2 SCA

RTS dynamic linking

Requires

An authentication code dynamically linked to the specific amount and the specific payee of each payment (RTS Articles 4 and 5).

Delivers

Per-action signed consent binds the approval to what was approved. Dynamic linking is the same primitive the rail already runs for high-impact actions.
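The origin binding described under SP 800-63-4 and FIDO2 above and the dynamic linking described here rest on the same verification rule: the relying party rebuilds the signed message from facts it holds itself (its own origin, the challenge it issued, the amount and payee it is about to execute) and checks the signature against that, never against client-supplied copies. The following Go program is an added example written for this page, not ScrambleID's code or protocol; it uses Ed25519 from the Go standard library as a stand-in for the authenticator's hardware-bound key, and the origins, challenge and payee values in it are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion is the message the authenticator signs. Origin is what the
// browser reports, not what the page claims; Amount and Payee are the
// dynamic-linking fields a payment ceremony adds. Constructed illustration,
// not the page's own protocol.
type Assertion struct {
	Origin    string `json:"origin"`
	Challenge []byte `json:"challenge"`
	Amount    string `json:"amount,omitempty"`
	Payee     string `json:"payee,omitempty"`
}

func (a Assertion) bytes() []byte {
	b, err := json.Marshal(a)
	if err != nil {
		panic(err)
	}
	return b
}

// Authenticator holds a private key that never leaves it; only Pub is shared.
type Authenticator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAuthenticator() Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authenticator{priv: priv, Pub: pub}
}

// Sign covers the origin the user is actually on, so a signature produced on
// a look-alike origin cannot be presented to the genuine relying party.
func (au Authenticator) Sign(a Assertion) []byte {
	return ed25519.Sign(au.priv, a.bytes())
}

// Verify is the relying party's check. It rebuilds the assertion from what it
// knows on its own and never trusts client-supplied copies of those fields.
func Verify(pub ed25519.PublicKey, expected Assertion, sig []byte) bool {
	return ed25519.Verify(pub, expected.bytes(), sig)
}

// Demo runs four ceremonies and returns whether each was accepted.
func Demo() (login, wrongOrigin, payment, altered bool) {
	au := NewAuthenticator()
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	rp := "https://bank.example" // constructed origin

	// 1. Login on the genuine origin: accepted.
	good := Assertion{Origin: rp, Challenge: challenge}
	login = Verify(au.Pub, good, au.Sign(good))

	// 2. The same challenge signed on a look-alike origin and presented to
	//    the genuine RP: rejected, because the RP verifies against its own origin.
	sig := au.Sign(Assertion{Origin: "https://bank-example.com", Challenge: challenge})
	wrongOrigin = Verify(au.Pub, good, sig)

	// 3. Payment consent signed over amount and payee: accepted.
	pay := Assertion{Origin: rp, Challenge: challenge, Amount: "100.00 EUR", Payee: "CONSTRUCTED-PAYEE-1"}
	paySig := au.Sign(pay)
	payment = Verify(au.Pub, pay, paySig)

	// 4. The RP is asked to execute a different amount under the same consent:
	//    rejected, because the signature no longer matches what would execute.
	changed := pay
	changed.Amount = "9100.00 EUR"
	altered = Verify(au.Pub, changed, paySig)
	return
}

func main() {
	login, wrongOrigin, payment, altered := Demo()
	fmt.Printf("login=%v wrongOrigin=%v payment=%v altered=%v\n", login, wrongOrigin, payment, altered)
}
```

The design point is in Verify: the relying party never parses the origin, amount or payee out of the assertion it receives; it signs-checks against the values it will act on, so a mismatch anywhere fails closed.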

DEA · EPCS

Controlled-substance e-prescribing

Requires

Two-factor authentication for the prescriber (21 CFR 1311.115) and a signing function applied to every controlled-substance prescription.

Delivers

Two-factor by construction, and a per-action signing ceremony bound to the specific order, captured in a tamper-evident record. The EPCS-grade signing prescribers already use.

Next step

Bring your framework list.
We'll bring the map.

A 30-minute technical review against your specific control set. Your auditors' language, our architecture, no slideware.