Controls & Evidence
Controls mapped to audit objectives, with evidence and current status.
| Audit objective | Control | Where | Evidence | Status |
|---|---|---|---|---|
| Identity propagation | OAuth 2.1 + RFC 8693 Token Exchange | IdP / Auth Studio | Short‑lived token + token‑exchange (TE) assertion | Implemented |
| Pre‑execution validation | MCP Gateway plan & schema pins | Gateway | Blocked call (402) + policy hash | Demo available |
| Runtime guardrails | Budgets, params, egress filters | ARIA Shield | Budget event + route config | In testing |
| Decision consistency | OpenID AuthZEN PDP | PDP | Decision log (constraints/obligations/TTL) | Implemented |
| Proof / non‑repudiation | Hash‑chained receipts | Receipt Vault | Receipt (production format, test data) | Prototype |
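The "Proof / non‑repudiation" row relies on hash‑chained receipts. The following is an added, self‑contained illustration of that technique; it is not the Receipt Vault's production format (which this page does not show), and every field name (`seq`, `prev_hash`, `receipt_hash`, `decision`, `budget_remaining`) plus the use of SHA‑256 over canonical JSON is an assumption made here for the example. It shows what a chain does and does not prove: editing or reordering a receipt breaks verification, but silently dropping the newest receipts does not, so the head hash has to be anchored somewhere the vault cannot rewrite.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed sentinel for the first receipt's prev_hash


def canonical(obj) -> bytes:
    # Stable serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def receipt_hash(receipt: dict) -> str:
    # Hash every field except the hash itself (hypothetical field layout).
    body = {k: v for k, v in receipt.items() if k != "receipt_hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_receipt(chain: list, event: dict) -> dict:
    """Link a new receipt to the previous one and seal it."""
    prev = chain[-1]["receipt_hash"] if chain else GENESIS
    receipt = {"seq": len(chain), "prev_hash": prev, **event}
    receipt["receipt_hash"] = receipt_hash(receipt)
    chain.append(receipt)
    return receipt


def verify_chain(chain: list) -> Optional[int]:
    """Return None if every link checks out, else the index of the first bad receipt."""
    prev = GENESIS
    for i, r in enumerate(chain):
        if r.get("seq") != i or r.get("prev_hash") != prev:
            return i  # gap, reorder, or broken link
        if receipt_hash(r) != r.get("receipt_hash"):
            return i  # body edited after sealing
        prev = r["receipt_hash"]
    return None


def head_hash(chain: list) -> str:
    """The value to anchor externally (e.g. publish or sign) so truncation is detectable."""
    return chain[-1]["receipt_hash"] if chain else GENESIS


def demo_chain() -> list:
    # Constructed test data, not vendor output.
    chain: list = []
    append_receipt(chain, {"decision": "permit", "tool": "crm.lookup",
                           "constraints": {"rows": 50}, "ttl_s": 300})
    append_receipt(chain, {"decision": "deny", "tool": "payments.refund",
                           "reason": "schema_pin_mismatch"})
    append_receipt(chain, {"event": "budget", "budget_remaining": 12.50})
    return chain


def tampered_index() -> Optional[int]:
    # Flip a denial to a permit after the fact: the seal no longer matches.
    chain = demo_chain()
    chain[1]["decision"] = "permit"
    return verify_chain(chain)


def reordered_index() -> Optional[int]:
    # Swap two receipts: seq/prev_hash linkage catches it.
    chain = demo_chain()
    chain[1], chain[2] = chain[2], chain[1]
    return verify_chain(chain)


def truncation_detected_by_chain_alone() -> bool:
    # Dropping the newest receipt leaves a perfectly valid shorter chain.
    chain = demo_chain()[:-1]
    return verify_chain(chain) is not None


def truncation_detected_with_anchor() -> bool:
    # Comparing against an externally anchored head hash does catch it.
    full = demo_chain()
    anchored = head_hash(full)
    return head_hash(full[:-1]) != anchored


if __name__ == "__main__":
    print("intact:", verify_chain(demo_chain()))
    print("tampered at:", tampered_index())
    print("reordered at:", reordered_index())
    print("truncation caught by chain alone:", truncation_detected_by_chain_alone())
    print("truncation caught with anchor:", truncation_detected_with_anchor())
```

When reviewing a receipt vault, ask where the head hash is anchored and how often; without that anchor a hash chain proves integrity of what remains but not completeness of the record.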
No scare stories—just controls and evidence. Want to see this with your API? We can do it live.
Downloadable artifacts
Production-format examples (test data) you can share with Security, Audit, and FinOps.
Label: Test Environment — Production Format