For CISOs, Architects, and Assessors

CISO Tools

Three Vendor-Neutral, AI-Scored Evaluations for Any Identity Provider

Affirmed Identity — July 2026

Every identity provider claims to be secure, Zero Trust, and compliance-ready. Marketing pages are not evidence. Below are three published, vendor-neutral rule sets, one for agentic AI session security, one for Zero Trust Architecture under NIST SP 800-207, and one for CMMC Level 2 and Level 3, each paired with a ready-to-use AI prompt. Point either at any identity provider, including ours, and get a scored, evidence-based answer back in minutes rather than a sales deck.

Tool One

The Eleven Commandments of Agentic AI Security

Purpose. Agentic AI processes now act on behalf of human users with little or no step-by-step supervision, opening a session-security surface most identity providers were never designed to handle. This tool evaluates whether a given identity provider correctly establishes, bounds, and supervises both human and agentic sessions against eleven specific commandments covering founding-human identity, inherited and bounded authorization, session lifecycle linkage, and action-level auditability.

Output. A commandment-by-commandment scorecard, Achieved, Partial, or Unachieved, for the identity provider under review, with the AI's reasoning and, where a gap exists, what would need to change to close it. A second prompt produces the same scorecard side by side against Pulse CA + Sentinel for direct comparison.

How it achieves an unbiased review. The commandments are published in full, are vendor-neutral, and were written to describe a property any architecture should exhibit rather than a specific product's feature list. The prompt asks the AI to research the named provider independently and score it against that fixed, public text, evidence and observed behavior, not the vendor's own marketing claims. The same eleven commandments are used whether the subject is a competitor or Pulse CA itself.

Start Now →

Tool Two

Using the Articles of Zero Trust

Purpose. NIST SP 800-207 defines Zero Trust Architecture through seven tenets spanning an entire enterprise. This tool restates those tenets as ten general Rules focused on the slice an identity provider actually owns, per-session access evaluation, dynamic policy, continuous device and identity monitoring, and dynamic authentication and authorization enforcement, so a CISO can evaluate any IdP's real conformance rather than its network team's.

Output. A Rule-by-Rule scorecard, Achieved, Partial, or Unachieved, tagged by whether each Rule is a Core IdP Responsibility or an Enterprise-Wide obligation the IdP only contributes to. A built-in scope filter lets you narrow both the on-page checklist and the copied prompt to the identity-only subset, so an AI evaluator has nothing else to score and nothing else to report back.

How it achieves an unbiased review. The Rules are derived directly from a published federal standard, not proprietary criteria, and every Evaluation Question asks for observable evidence, session lifetimes, enforcement latency, monitoring cadence, rather than a vendor's self-description. Any two identity providers are measured against the identical published text.

Start Now →

Tool Three

Using the Articles of CMMC Compliance

Purpose. CMMC Level 3 spans all 110 NIST SP 800-171 practices plus a subset of NIST SP 800-172 enhanced practices, far more than any single product touches. This tool isolates the eleven Rules most frequently implicated by identity, access, audit, and configuration failures, phishing-resistant MFA, replay resistance, identity-based access control, individually traceable and protected audit logs, and genuinely continuous monitoring, so a CISO can pressure-test an identity provider's contribution to CMMC Level 2 and Level 3 readiness specifically.

Output. A Rule-by-Rule scorecard citing the underlying CMMC practice identifier (for example, IA.L2-3.5.3), tagged Core IdP Responsibility or Enterprise-Wide so you can see at a glance which gaps are the identity provider's to close and which belong elsewhere in the architecture. The same identity-only scope filter is available here as well.

How it achieves an unbiased review. Every Rule traces to a specific, citable NIST SP 800-171 or SP 800-172 practice rather than an internal checklist, and every Evaluation Question demands evidence, logs, configuration, penetration-test results, over assertion. The standard states plainly that satisfying it addresses only the identity and audit layer of CMMC, not the full practice set, so the AI's answer stays honest about what it did and did not evaluate.

Start Now →
← Back to Home

Pulse CA™ — AffirmedID at affirmedid.com — Copyright © June 2026