Our comprehensive identity governance methodology aligns with industry standards including NIST CSF 2.0, ISO 27001:2022, SOC 2 Type II, COBIT 2019, and Zero Trust Architecture — with control-level mapping you can hand straight to your auditors.
Our framework is built on five core pillars that cover the complete identity lifecycle
Continuous assessment of identity hygiene, credential strength, and account lifecycle
Least privilege enforcement, access reviews, and privilege management
AI-powered anomaly detection and risk scoring for identities and access patterns
Automated compliance mapping and audit-ready reporting for regulatory frameworks
Peer group analysis, trend identification, and predictive insights
Joiner/Mover/Leaver workflows and automated provisioning/deprovisioning
Multi-dimensional risk assessment combining technical controls, behavioral patterns, and business context
Risk scores are recalculated in real-time as conditions change:
Precise capability-to-control mapping across the three frameworks your auditors ask about most
AICPA Trust Services Criteria — Common Criteria
| Control | Category | IdentityFirst Capability |
|---|---|---|
| CC6.1 | Logical Access | Identity Assessment — maps all access to canonical identities across every connected system |
| CC6.2 | Access Provisioning | Drift Detection — flags accounts that deviate from provisioning policy in real time |
| CC6.3 | Access Removal | Stale account detection + deprovisioning alerts with evidence-grade audit trail |
| CC7.1 | System Monitoring | Continuous assessment scheduling — configurable cadence down to 5-minute intervals |
| CC7.2 | Anomaly Detection | AnomalyDetection engine — behavioural baseline per identity with ML-calibrated thresholds |
| CC9.2 | Vendor Risk | Connector tier transparency — each integration carries a validated reliability weight visible in reports |
Annex A — Information Security Controls
| Control | Description | IdentityFirst Capability |
|---|---|---|
| A.5.15 | Access Control | Identity graph maps all access relationships across cloud, SaaS, PAM, and directory sources |
| A.5.16 | Identity Management | Canonical identity + temporal graph — single source of truth across joiner/mover/leaver lifecycle |
| A.5.18 | Access Rights | Entitlement Valuation — quantifies the business value and risk of every entitlement held |
| A.8.2 | Privileged Access | Tier-0/1 identity classification + JIT elevation with zero-standing-privilege enforcement |
| A.8.5 | Secure Authentication | MFA coverage gap detection — surfaces every identity missing strong authentication |
Cybersecurity Framework — Five Core Functions
| Function | Category | IdentityFirst Capability |
|---|---|---|
| Identify | Asset Management | Identity Coverage Ratio — composite score weighting discovery, monitoring, governance, and protection |
| Protect | IAM | Access review campaigns + SoD policy engine with 5 built-in conflict rules and custom rule support |
| Detect | Anomalies | Drift findings + anomaly detection engine — continuous delta against known-good snapshots |
| Respond | Incidents | FortifyX containment + blast radius analysis — scopes the impact of any compromised identity instantly |
| Recover | Recovery | Rollback service + write journal — full reversibility of every automated remediation action |
IdentityFirst maps to all major security and governance frameworks
Request our compliance evidence pack — pre-filled questionnaire responses, architecture diagram, and a sample assessment report, ready for your auditors.
Request Evidence Pack: compliance@identityfirst.net — typically fulfilled within one business day
Experience comprehensive identity governance aligned with industry best practices