ICAM, Privileged Access, MFA, and Non-Claims

Identity, credential, and access management

Latticra records identity and access-management requirements before hosted services, remote access, privileged operator access, SSO/federation, MFA, or identity-security claims can promote. It does not implement an identity provider, credential store, account database, remote login, or authorization enforcement.

Current Rule

Identity metadata is not access authority.

The baseline records ICAM vocabulary and required evidence for human, service, and machine identities. It keeps all hosted administration, remote access, privileged session, SSO, MFA, and identity-security language blocked until inventories, role mappings, lifecycle rules, credential handling, logging, monitoring, and exception ownership exist.

01

Identity inventory

Human, local, service, machine, and privileged-role inventories must be visible before access-management claims can change.

02

Privileged MFA

Privileged and remote access need phishing-resistant MFA planning, exception records, session lifetime, and reauthentication rules.

03

Credential lifecycle

Account lifecycle, credential storage, rotation, recovery, reuse prevention, default-credential denial, and help-desk verification must be recorded.

04

Logging and exceptions

Identity event logging, privileged behavior review, authorization trust relationships, exception owners, and expiration dates are required.

Current Snapshot

The baseline record is present, but every access-authority field is still 0.

These fields are requirements and non-claims. They do not indicate a live identity provider, remote login path, privileged session, hosted administration surface, or credential store.

identity_credential_access_management_baseline 1
phishing_resistant_mfa_required 1
privileged_access_inventory_required 1
service_account_inventory_required 1
credential_reuse_forbidden 1
identity_provider_added 0
remote_access_enabled 0
privileged_access_granted 0

Promotion Gate

No hosted or privileged access wording can promote without the ICAM gate.

Identity and access claims touch high-risk account, credential, and authority boundaries. Future work must show who the identities are, what they can do, how they authenticate, how credentials are handled, and how exceptions expire before access wording can change.

Present now

Baseline record, status record, guard script, high-assurance allocation, zero-trust context, supply-chain context, security policy alignment, and metadata-only Latticra identity/access posture.

Required before promotion

Operator identity source, human/local/service/machine identity inventory, privileged role inventory, role-to-effect mapping, least-privilege review, phishing-resistant MFA path, MFA exceptions, break-glass account and monitoring, session lifetime and reauth, credential storage and rotation, credential recovery, help-desk verification, joiner/mover/leaver process, identity event logging, privileged behavior review, trust-relationship review, exception owner, exception expiration, and operator-visible non-claims.

Denied now

Production identity provider, remote access, privileged operator access, service-account runtime authority, hosted admin console, password-only privileged access, default credentials, shared admin accounts, production credential storage, identity-security claims, SSO claims, MFA claims, and hosted service claims.

Latticra Boundary

Current identity and access records are metadata-only.

Latticra can name future identity and access requirements, but the current system does not authenticate users, authorize effects, store credentials, create accounts, or open remote sessions.

Metadata

Operator identity

Operator identity source and context can be recorded as requirements, not as login or proofing behavior.

Metadata

Access policy

Access policy and role-to-effect mapping remain planning records without enforcement authority.

Closed

Authorization enforcement

No account database, credential store, authorization engine, SSO provider, or MFA provider is added.

Closed

Remote or privileged sessions

No remote login, hosted administration surface, privileged session, or identity runtime authority is granted.

Local Commands

Validate the ICAM records without enabling access behavior.

These guards check records and public alignment. They do not provision accounts, store credentials, authenticate users, federate SSO, grant privileged access, or enable hosted services.

ICAM baseline

sh scripts/test-identity-credential-access-management-baseline.sh

High-assurance rollup

sh scripts/test-high-assurance-security-baseline.sh

Authority context

sh scripts/test-zero-trust-runtime-authority-baseline.sh
sh scripts/test-supply-chain-security-baseline.sh
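The snapshot fields above and the guard scripts listed here are the same kind of check: a record of `key value` lines in which requirement flags must be 1 and non-claim (authority) flags must be 0. The following POSIX sh guard is an added example in that spirit, not one of Latticra's own `scripts/test-*.sh` files; the record contents, the function names, and the file layout are assumptions for illustration. It reads such a record, reports every mismatch, exits nonzero if any flag contradicts the posture on this page, and provisions, stores, or authenticates nothing.

```shell
#!/bin/sh
# Added example, not one of Latticra's scripts/test-*.sh guards. Checks a
# "key value" status record against the posture this page states: every
# requirement flag must be 1, every access-authority flag must be 0.

# Requirement flags: these record that a rule exists, so they must be 1.
ICAM_REQUIRED="identity_credential_access_management_baseline
phishing_resistant_mfa_required
privileged_access_inventory_required
service_account_inventory_required
credential_reuse_forbidden"

# Non-claim flags: a 1 here would assert live access authority, so they must be 0.
ICAM_DENIED="identity_provider_added
remote_access_enabled
privileged_access_granted"

# field_value FILE KEY: print KEY's value; fail if KEY is absent or duplicated.
field_value() {
    awk -v k="$2" '
        $1 == k { print $2; n++ }
        END { if (n == 1) exit 0; exit 1 }
    ' "$1"
}

# check_icam_status FILE: return 0 when the record is consistent with the
# stated posture, 1 otherwise. Every problem is reported on stderr.
check_icam_status() {
    rc=0
    for k in $ICAM_REQUIRED; do
        if v=$(field_value "$1" "$k"); then
            [ "$v" = "1" ] || { echo "requirement not recorded: $k=$v" >&2; rc=1; }
        else
            echo "missing or duplicated field: $k" >&2; rc=1
        fi
    done
    for k in $ICAM_DENIED; do
        if v=$(field_value "$1" "$k"); then
            [ "$v" = "0" ] || { echo "access authority claimed: $k=$v" >&2; rc=1; }
        else
            echo "missing or duplicated field: $k" >&2; rc=1
        fi
    done
    return "$rc"
}

# write_sample_record FILE: constructed copy of the snapshot on this page so
# the script runs stand-alone. It is not a real Latticra status file.
write_sample_record() {
    cat > "$1" <<'EOF'
identity_credential_access_management_baseline 1
phishing_resistant_mfa_required 1
privileged_access_inventory_required 1
service_account_inventory_required 1
credential_reuse_forbidden 1
identity_provider_added 0
remote_access_enabled 0
privileged_access_granted 0
EOF
}

sample=$(mktemp)
write_sample_record "$sample"
if check_icam_status "$sample"; then
    echo "ICAM record consistent: requirements recorded, no access authority claimed"
fi
rm -f "$sample"
```

A flag flipped to claim authority (for example `remote_access_enabled 1`), a missing requirement line, or a duplicated key all make `check_icam_status` return 1, which is what lets a CI step fail closed on the record alone, without any access behavior being exercised.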

Source Records

Use exact records before repeating identity or access wording.

Identity, credential, and access management baseline: Privileged access, phishing-resistant MFA planning, account lifecycle, service identity, logging, and hosted-access non-claims.

ICAM status: Status fields and expected guard output for the identity, credential, and access-management baseline.

High-assurance baseline: Source-tracked security posture and future ICAM control allocation.

Zero-trust runtime authority baseline: Caller identity, workload identity, resource visibility, and per-request authority context.

Network exposure and remote access: Remote-access inventory, MFA/device posture, RMM allowlisting, and no hosted remote-access claims.

Data classification and protection: Credential/secret storage review, data classification, PII review, and no customer-data handling claims.

Supply-chain baseline: Workflow permissions, dependency review, checkout credentials, and release authority blockers.

Security logging and monitoring: Identity/access events, privileged action logging, retention, redaction, and no monitoring-service claims.

Security overview: Safe testing, effect gates, runtime boundary, and security non-claims.

Supply-chain gates: CI, dependency, SBOM, updater, runtime-authority, release, and production security non-claims.

Runtime boundary: Default-deny runtime classification, policy matrix, and no-effect report surfaces.

Evidence model: Promotion levels, public claim boundaries, and exact source records.

Non-claims: Unsupported security, hosted service, access-management, and production-readiness claims.

Status index: Detailed status records and current public status navigation.

Security policy: Private reporting expectations, safe testing, scope, and project security non-claims.