Compliance built in, not bolted on
IDProva's three primitives — identity, delegation, and receipts — map directly to security controls across major frameworks.

NIST SP 800-207 — Zero Trust Architecture

| ZTA Tenet | IDProva Control | Implementation |
|---|---|---|
| All resources are distinct identities | AIDs | Every agent gets a W3C DID with Ed25519 keys |
| All communication secured | DAT verification | All actions require a valid, signed DAT |
| Per-session access | Short-lived DATs | Expiry, rate limits, depth limits, geofencing |
| Dynamic policy | Constraint engine | Runtime evaluation of IP, trust level, action count |
| Continuous monitoring | Receipt log | Hash-chained, independently verifiable audit trail |
| Dynamic auth | Real-time verification | Revocation + constraint checks on every request |
| Asset information | AID registry | Full inventory: identities, delegations, audit trails |

Australian ISM

| ISM Control | Description | IDProva Mapping |
|---|---|---|
| ISM-0432 | Validate before granting access | DAT verification: signature → timing → scope → constraints |
| ISM-1503 | No privileged access to standard users | Scoped DATs — agents only get explicitly granted permissions |
| ISM-1507 | Limit privileged access | 4-part scope grammar enforces least privilege |
| ISM-0580 | Log all user actions | Receipt log: signed, timestamped receipt per action |
| ISM-0585 | Immediate access removal | DAT revocation is immediate; checked before crypto |
| ISM-0457 | Approved crypto algorithms | Ed25519 only; hard-reject non-EdDSA tokens |

SOC 2

| Control | Description | IDProva Component |
|---|---|---|
| CC6.1 | Logical access security | DAT-based access control with cryptographic verification |
| CC6.3 | Role-based access | Scoped delegation tokens with constraint engine |
| CC7.2 | System monitoring | Hash-chained receipt log with tamper detection |

NIST SP 800-53

IDProva maps to the following 800-53 control families:

| Controls | Family | IDProva Mapping |
|---|---|---|
| AU-2, AU-3, AU-8, AU-9, AU-10, AU-12 | Audit and accountability | Receipt log with hash-chain integrity |
| IA-2, IA-5, IA-8 | Identification and authentication | AID with Ed25519 cryptographic binding |
| AC-2, AC-3, AC-6 | Access control | Scoped DATs with least-privilege enforcement |
| SC-8, SC-12, SC-13 | System and communications protection | Ed25519/BLAKE3 cryptography |

Need compliance documentation for your assessment?
Enterprise and Government tiers include automated compliance reports. Or book a consulting session for hands-on assessment support.