
Blog · 16 May 2026 · 8 min read

Identity has a new floor

Federation answered "who". The next primitive answers "what was true."

A thesis on why federation — the floor Auth0 built and every enterprise stack now relies on — needs a new floor under it. Federation answers who is acting; the next primitive answers what was true about what they did. Why 2026 is the right moment to build it, and where it lands cleanly across ten regulated verticals.

When Auth0 launched, identity was a mess of bespoke implementations. Every product team rebuilt the same login flow, the same password-hashing logic, the same federation glue against SAML and OIDC. The thesis Auth0 paid out on was simple and correct: identity should be programmable. Federated authentication shouldn't be something you build; it should be something you call.

A decade later, that thesis is so thoroughly completed that it has become invisible. Identity is programmable. SSO is solved. OIDC and OAuth are running in every meaningful enterprise stack on earth. Login, as a product category, is done.

This is the right moment to ask the question that doesn't have an answer yet:

What about everything that happens after the user logs in?

The shift

In 2014, a typical enterprise transaction looked like: a human logs in, navigates a UI, makes a decision, the system records it. The audit trail was a log of who clicked what when. Federation was the right primitive because the trust question was about the door — who can come in, with what credentials, into which scope.

In 2026, a typical enterprise transaction increasingly looks like: an AI agent receives a prompt, queries data, calls tools, writes a record, sends an email, signs a transaction. The human is the supervisor, not the operator. The audit trail is — and this is the part that should worry every CISO — the same log it was in 2014. Who clicked what when, except now "who" is an agent and "clicked" is "decided".

The trust question has shifted. It is no longer "can this principal come in?". It is "was this artefact really produced the way it claims to have been produced?".

Federation does not answer that. Federation was never built to answer that.

Two different trust questions

It is worth being precise, because most of the noise in this space comes from confusing two adjacent things.

Federation answers: which principal is acting? It is a primitive about identity at the door. Inputs: credentials, claims, attribute providers. Output: an authenticated session in which downstream code can trust that the actor is who they say they are.

Attestation answers: what was true about this action when it happened? It is a primitive about integrity at the artefact. Inputs: the actor's state, the data state, the action taken, the output produced. Output: a cryptographic seal that lets a third party — an auditor, a regulator, a counterparty, a court — independently verify that the seal-bearing artefact is structurally identical to what was produced, at the moment it was produced, by the entity that produced it.

You can have federation without attestation. Most enterprises do today. The audit trail is whatever the application happened to log, signed by whatever the application happened to sign it with, retained for as long as the application happened to retain it. We can claim what happened. We cannot prove it.

You cannot have attestation without federation — you have to know who the actor was — but federation alone gives you only half the trust surface.

Why this is a new floor, not a new room

This is the architectural claim, and it is the one I think matters most.

In every modern enterprise stack, federation sits near the top of the trust layer. It is invoked at the user's entry point — once per session, once per token grant. The data plane below the federation layer (the records, the transactions, the agent artefacts) is governed by application logic, not by a cryptographic primitive.

Attestation is not a peer of federation. It is one floor down. It sits in the data plane, sealing artefacts at the moment they are produced, in a way that survives the application, the database, the company, and the auditor.

The metaphor that lands for engineers is this: federation is the lock on the front door of the building. Attestation is the cryptographic seal on every document produced inside it. You need both, and you need them in the right places. You cannot replace one with the other.

The reason I think Auth0 made the right call in 2014 — and the reason their thesis is more relevant in 2026 than ever — is that the floor they built (federation) is exactly the floor on which a new primitive (attestation) now has to land. Programmable identity was the prerequisite. The next call is for provable integrity.

[Figure: Identity has a new floor. Three stacked layers. Top band: Federation (who is acting?), with examples Auth0, Okta, Azure AD, ForgeRock, OIDC, SAML. Middle band, drawn thicker and marked "the new floor": Attestation (what was true?), a structural seal at the moment of the artefact. Bottom band: the data plane (records, transactions, agent decisions, artefacts).]
Federation sits at the top of the trust layer and answers who. Attestation is a new floor below it — at the data plane — answering what was true.

Why now

There are three forces that make this a 2026 question, not a 2030 question.

One. Agentic systems are producing artefacts at industrial scale. Salesforce's Agentic Enterprise Architecture — published this spring — places "Agentforce Customer & Employee Agents" as the system of agency above Customer 360 and Data 360, with a "Trust Layer" at the bottom that today lists model vendors. The trust layer in that architecture is doing important work, but it is naming who provides the model, not what was true about what the agent did. Every Agentforce customer in production will, sooner or later, be asked to prove what their agent decided. Today, that proof reconstructs from logs. It is organisational, not cryptographic.

Two. Regulatory frameworks are codifying the requirement. NIS2 (October 2024) is making structural traceability a critical-infrastructure baseline. The EU AI Act is requiring auditable provenance for high-risk systems. eIDAS-2 is opening the trust-service category to cryptographic primitives beyond signatures-on-PDFs. DORA is requiring transaction-level provability in financial services. GxP audits in pharma have required structural audit trails for decades; the difference is that until now they were process-based, not cryptographically provable. The organisational version of compliance is increasingly insufficient. The cryptographic version is increasingly mandated.

Three. Federation does not extend. You cannot retrofit OIDC to answer the integrity question without effectively building a new protocol next to it. The cleanest path is a new primitive — small, composable, with its own trust model — that coexists with federation rather than replacing it. A floor below the floor.

What this looks like as a primitive

Without saying too much about a patent application that is still in its priority window: the structural attestation primitive needs to be stateless (no central authority is consulted at the time the seal is verified), deterministic (two independent parties can arrive at the same seal from the same inputs), post-quantum-aware (the seal must survive the transition to NIST FIPS 203 / 204 / 205), and structural (the seal binds to the shape and content of the artefact, not just to a hash of its bytes).

It needs to be cheap on the hot path. A federated authentication might happen once per session; attestations have to happen once per artefact, and an artefact can be as small as an agent decision or as large as a transaction batch. The arithmetic argues for nanosecond-class verification. (We benchmarked this part publicly last week — 8.5 ns on a laptop, 25 ms over the public internet, 100% accept rate at 10 000 consecutive requests.)

And it needs to be horizontal. Federation is horizontal — OIDC works the same in healthcare, in banking, in defence, in postal logistics. Attestation has to be horizontal too. The vertical-specific compliance regimes (GxP for pharma, MDR for medical devices, DORA for finance, NIS2 for critical infrastructure, the EU AI Act for high-risk AI) all have their own audit semantics, but they share an underlying structural-evidence requirement that a horizontal primitive can answer with vertical adapters.
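As an added illustration (not EdSSA's patented design, whose details the post deliberately leaves out), here is a minimal Python construction with the stateless, deterministic and structural properties listed above: the seal is a domain-separated Merkle hash over the artefact's shape and typed content, so two parties re-encoding the same record reproduce it, while a byte hash of the serialisation does not. The decision record is constructed; SHA-256 is the only cryptographic component, and the signing step (e.g. a FIPS 204 signature over the seal) is not shown.

```python
import hashlib
import hmac
import json


def _h(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 with length prefixes: leaf, node and scalar
    encodings live in disjoint input spaces and cannot collide with each other."""
    m = hashlib.sha256(tag)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def _merkle_root(tag: bytes, leaves: list) -> bytes:
    """Binary Merkle tree. An odd node is carried up unchanged and the leaf
    count is bound into the root, so [a, b, c] and [a, b, c, c] differ."""
    level = leaves
    while len(level) > 1:
        nxt = [_h(b"node", level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return _h(tag, len(leaves).to_bytes(4, "big"), level[0] if level else b"")


def structural_seal(value) -> bytes:
    """Structural: objects hash their sorted (key, child-seal) pairs, arrays hash
    children in order, scalars hash a type tag plus a canonical rendering."""
    if isinstance(value, dict):
        leaves = [_h(b"field", str(k).encode(), structural_seal(value[k])) for k in sorted(value)]
        return _merkle_root(b"object", leaves)
    if isinstance(value, (list, tuple)):
        return _merkle_root(b"array", [structural_seal(v) for v in value])
    canon = json.dumps(value, separators=(",", ":"), ensure_ascii=False, allow_nan=False)
    return _h(b"scalar", type(value).__name__.encode(), canon.encode())


def verify_seal(artefact, seal: bytes) -> bool:
    """Stateless: no authority or registry is consulted, the seal is recomputed."""
    return hmac.compare_digest(structural_seal(artefact), seal)


# Constructed sample: an agent decision record, and the same record as another
# party's serializer emits it (different key order and whitespace).
DECISION = {"agent": "claims-triage-v3", "decision": "approve", "amount": 1250,
            "inputs": ["policy:P-4471", "claim:C-9082"]}
REENCODED = json.loads('{ "inputs": ["policy:P-4471", "claim:C-9082"], "amount": 1250,\n'
                       '  "decision": "approve", "agent": "claims-triage-v3" }')


def demo() -> dict:
    seal = structural_seal(DECISION)
    byte_hash = lambda a: hashlib.sha256(json.dumps(a).encode()).digest()
    return {"byte_hashes_agree": byte_hash(DECISION) == byte_hash(REENCODED),
            "structural_seals_agree": verify_seal(REENCODED, seal),
            "content_change_detected": not verify_seal({**DECISION, "amount": 12500}, seal),
            "shape_change_detected": not verify_seal({**DECISION, "amount": "1250"}, seal)}
```

The last check is the structural point: changing the amount from the integer 1250 to the string "1250" leaves the digits intact but changes the artefact's shape, and the seal rejects it.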

A short, deliberately incomplete inventory of where the primitive lands cleanly:

  • AI agents and Agentforce-class platforms — proof of agent-produced records, decisions, transactions
  • GxP and FDA-regulated pharma — cryptographically defensible audit trails on top of existing systems like viewLinc
  • MDR-regulated medical devices — post-market surveillance evidence
  • NIS2-regulated critical infrastructure — post-incident forensics, not just real-time detection
  • DORA-regulated financial services — transaction-level settlement and audit primitives
  • eIDAS-2 trust services — qualified structural evidence that is not a PDF signature
  • Sovereign carriers and PubSec — chain-of-custody for parcels, decisions, communications, and dual-use exports
  • OEM automotive and V2X — event reconstruction for liability shift, OTA-update provability
  • Aviation and aerospace — accident-investigation-grade provenance for ADS-B, ATM, and satellite operations

Ten regulated verticals, one primitive. Different audit semantics, the same structural shape.

What I am not saying

I am not saying federation is over. Federation is the prerequisite floor.

I am not saying logging is wrong. Logs remain operationally essential. The point is that logs and attestations answer different questions, and the audit world has been trying to make logs answer the attestation question because there was no attestation primitive available.

I am not saying everything in 2014's identity stack needs to be replaced. The opposite — the cleanest path forward is one in which existing federation infrastructure (Auth0, Okta, Azure AD, ForgeRock, every enterprise IDP) stays exactly where it is, and the new attestation primitive sits one floor below it, sealing what happens after the principal is authenticated.

I am not saying this is novel. The pieces — Merkle structures, post-quantum key agreement, audit trails — have been around. The novel part is the paradigm: a stateless, deterministic, decentralised structural seal usable as a horizontal primitive across the entire data plane.

What I am building

We are building this primitive at EdSSA. We filed the European patent application on 1 May 2026; the Paris Convention priority window runs until 1 May 2027. We are scoping a programme of further filings during that window — broad provisional applications first, narrowed prosecution second. We are running live calibration conversations with a handful of named European industrials and platform partners about pilot architectures.

We are not raising yet. The work this year is to validate the thesis with the people who have seen identity longest, file the IP fortress before the original application publishes, and produce one or two anchor customer pilots that prove the primitive in production. If you've spent two decades thinking about identity and you find the floor-below-federation argument credible — or, more usefully, you find it wrong in a specific way — that is the conversation we are looking for. Thirty minutes. Your read, not our pitch.

The contact is tw@edssa.io. Helsinki time zone, Finnish-direct, no slides.


Pair-read with the Phase 0–1 benchmark post (14 May 2026) for the hot-path verification numbers that sit underneath this thesis.
