Every framework. One mapping.
Regulators are starting to ask exactly which non-human identity controls you have in place. This page maps the controls auditors cite — DORA, NIS2, ISO 27001:2022, SEC, NIST, PCI, EU AI Act — to the specific Arkion capability that satisfies each one.
This page is informational. For audit-grade attestation language, contact compliance@arkion.ai.
Frameworks in scope.
DORA
EU · Financial entities · Live since 2025
Continuous identity oversight of all ICT systems, including third-party and machine-to-machine connections.
Continuous discovery + cryptographically attested audit trail. Every non-human identity in scope is enumerated, owned, and logged in real time.
NIS2
EU member states · In enforcement
Documented access management policies for non-human entities, including service accounts and machine credentials.
Lifecycle authority + ownership mapping. Every machine identity has a named human owner, a rotation policy, and a revocation path.
ISO 27001:2022
Global · Standard reference
Establishment, maintenance, and removal of identities — explicitly including non-human identities.
Cryptographic identity for every NHI, issued at provision time, governed across the full lifecycle, archived on revocation.
SEC Cyber-Disclosure
US · Public companies · Active
Material cybersecurity incident reporting within four business days, including identity-related breaches.
Real-time event logging. Every lifecycle event is signed, timestamped, and queryable — incident scope answerable on demand, not after a forensic pass.
NIST CSF 2.0
US federal alignment · Voluntary global
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, services, and software.
End-to-end NHI lifecycle: issue, manage, verify, revoke, audit. The five Arkion stages map directly to PR.AA-1 through PR.AA-5.
PCI DSS 4.0
Global · Card-handling environments
Application and system account passwords are not used as the primary authentication method; service-account credentials are managed under access control.
Certificate-based identity replaces shared service-account secrets, using cryptographic primitives that PCI DSS requirement 8.6 considers compliant by construction.
EU AI Act
EU · Phased enforcement 2025–2027
High-risk AI systems must allow human operators to monitor, interpret, and intervene in their behaviour — including identifying which system performed which action.
Every AI agent carries a verifiable cryptographic identity. Every action is attributable. Oversight is enforced at the identity layer, not retrofitted at the audit layer.
The artifact every Arkion estate produces.
At the close of every reporting period, Arkion produces a cryptographically signed attestation that maps the lifecycle evidence in the underlying ledger to the controls in the crosswalk above. Board-presentable. Audit-grade. Accepted by cyber insurance carriers as renewal evidence.
Illustrative · not a customer record
Forwarded to the board, the auditor, and the cyber insurance carrier. One artifact, three audiences, no edits.
- Every lifecycle event for the period — issued, rotated, revoked, archived
- Cryptographic signature against the underlying immutable ledger
- Direct mapping to the framework crosswalk above
- Estate-level metrics: ownership coverage, rotation cadence, exception count
- Verifiable at arkion.ai/proof/<reference> — no API key needed
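As an added illustration of the shape of such an artifact (not Arkion's code, and not a description of its ledger or attestation format): a hash-chained lifecycle ledger, the estate metrics listed above computed from it, and an attestation that binds those metrics to the ledger head so that neither can be altered without detection. The events and key are constructed; an HMAC tag stands in for the public-key signature a production attestation would carry.

```python
import hashlib
import hmac
import json
# Constructed sample lifecycle events for one reporting period (not real data).
EVENTS = [
    {"nhi": "svc-payments", "event": "issued",  "owner": "alice", "ts": 1},
    {"nhi": "svc-payments", "event": "rotated", "owner": "alice", "ts": 2},
    {"nhi": "agent-triage", "event": "issued",  "owner": None,    "ts": 3},  # no owner
    {"nhi": "ci-deployer",  "event": "issued",  "owner": "bob",   "ts": 4},
    {"nhi": "ci-deployer",  "event": "revoked", "owner": "bob",   "ts": 5},
]
ATTEST_KEY = b"demo-attestation-key"  # stand-in for a real signing key (assumption)
GENESIS = "0" * 64

def canonical(obj) -> bytes:
    # Deterministic encoding so hashes and tags are reproducible by any verifier.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_ledger(events):
    # Each entry commits to the previous hash, so editing any event breaks the chain.
    prev, ledger = GENESIS, []
    for ev in events:
        h = hashlib.sha256(prev.encode() + canonical(ev)).hexdigest()
        ledger.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return ledger

def verify_ledger(ledger) -> bool:
    prev = GENESIS
    for entry in ledger:
        h = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != h:
            return False
        prev = h
    return True

def estate_metrics(events):
    # Ownership coverage, rotation cadence and exception count over the period.
    ids = {e["nhi"] for e in events}
    owned = {e["nhi"] for e in events if e["owner"]}
    rotated = {e["nhi"] for e in events if e["event"] == "rotated"}
    return {"identities": len(ids), "ownership_coverage": len(owned) / len(ids),
            "rotation_cadence": len(rotated) / len(ids),
            "exception_count": len(ids - owned)}  # identities with no named owner

def attest(ledger, key=ATTEST_KEY):
    # Bind the metrics to the ledger head so neither can change without the other.
    body = {"ledger_head": ledger[-1]["hash"],
            "metrics": estate_metrics([e["event"] for e in ledger])}
    return {"body": body, "tag": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def verify_attestation(att, ledger, key=ATTEST_KEY) -> bool:
    tag = hmac.new(key, canonical(att["body"]), hashlib.sha256).hexdigest()
    return (verify_ledger(ledger) and att["body"]["ledger_head"] == ledger[-1]["hash"]
            and hmac.compare_digest(tag, att["tag"]))
```

Changing any recorded event (for example, back-filling an owner on the orphaned identity) invalidates the chain and therefore the attestation that references its head.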
Screenshot decks. Quarterly spreadsheet exports. The week-of-audit scramble. The phrase “we’ll have to ask the team that owns it.”
Carriers are asking too.
Cyber insurance carriers increasingly require non-human identity governance for policy renewal — and refuse to cover breaches caused by orphaned credentials. Arkion produces the evidence carriers ask for: ownership for every identity, rotation cadence on every credential, signed event logs for every lifecycle change.
If your renewal questionnaire asks “how do you control machine identity?” — we wrote the answer for you.
Need this in an attestation document?
We provide framework-specific control mappings, evidence packages, and pre-answered questionnaires under NDA for active procurement evaluations.