Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure

• URL: http://arxiv.org/abs/2504.17759v1
• Date: Thu, 24 Apr 2025 17:21:00 GMT
• Title: Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure
• Authors: Surya Teja Avirneni,
• Abstract summary: Identity Control Plane (ICP) is an architectural framework for enforcing identity-aware Zero Trust access.<n>ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: This paper introduces the Identity Control Plane (ICP), an architectural framework for enforcing identity-aware Zero Trust access across human users, workloads, and automation systems. The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens. We propose a composable enforcement layer using ABAC policy engines (e.g., OPA, Cedar), aligned with IETF WIMSE drafts and OAuth transaction tokens. The paper includes architectural components, integration patterns, use cases, a comparative analysis with current models, and theorized performance metrics. A FedRAMP and SLSA compliance mapping is also presented. This is a theoretical infrastructure architecture paper intended for security researchers and platform architects. No prior version of this work has been published.

Related papers

• A Survey of AI Agent Registry Solutions [10.500986125166454]
  As autonomous AI agents scale across cloud, enterprise, and decentralized environments, the need for standardized registry systems has become essential.<n>This paper surveys three prominent registry approaches each defined by a unique verifiable metadata model: MCP's mcp., A2A's Agent Card, and NANDA's AgentFacts.<n>The paper concludes with suggestions and recommendations to guide future design and adoption of registry systems for the Internet of AI Agents.
  arXiv  Detail & Related papers  (2025-08-05T05:17:18Z)
• RouteMark: A Fingerprint for Intellectual Property Attribution in Routing-based Model Merging [69.2230254959204]
  We propose RouteMark, a framework for IP protection in merged MoE models.<n>Our key insight is that task-specific experts exhibit stable and distinctive routing behaviors under probing inputs.<n>For attribution and tampering detection, we introduce a similarity-based matching algorithm.
  arXiv  Detail & Related papers  (2025-08-03T14:51:58Z)
• ProxAnn: Use-Oriented Evaluations of Topic Models and Document Clustering [52.19512723549318]
  We design a scalable human evaluation protocol that reflects practitioners' real-world usage of models.<n>We use this protocol to collect extensive crowdworker annotations of outputs from a diverse set of topic models.<n>We then use these annotations to validate automated proxies, finding that the best LLM proxies are statistically indistinguishable from a human annotator.
  arXiv  Detail & Related papers  (2025-07-01T15:00:55Z)
• A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control [7.228060525494563]
  This paper posits the imperative for a novel Agentic AI IAM framework.<n>We propose a comprehensive framework built upon rich, verifiable Agent Identities (IDs)<n>We also explore how Zero-Knowledge Proofs (ZKPs) enable privacy-preserving attribute disclosure and verifiable policy compliance.
  arXiv  Detail & Related papers  (2025-05-25T20:21:55Z)
• Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD [0.0]
  Credential brokers offer a way to separate identity from access in CI/CD systems.<n>This paper shows how verifiable identities issued at runtime, such as those from SPE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads.
  arXiv  Detail & Related papers  (2025-04-20T23:08:17Z)
• Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication [0.0]
  CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems.<n>This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE as a platform-neutral identity model for non-human actors.
  arXiv  Detail & Related papers  (2025-04-20T23:06:03Z)
• Trusted Identities for AI Agents: Leveraging Telco-Hosted eSIM Infrastructure [0.0]
  We propose a conceptual architecture that leverages telecom-grade eSIM infrastructure.<n>Rather than embedding SIM credentials in hardware devices, we envision a model where telcos host secure, certified hardware modules.<n>This paper is intended as a conceptual framework to open discussion around standardization, security architecture, and the role of telecom infrastructure in the evolving agent economy.
  arXiv  Detail & Related papers  (2025-04-17T15:36:26Z)
• DocMIA: Document-Level Membership Inference Attacks against DocVQA Models [52.13818827581981]
  We introduce two novel membership inference attacks tailored specifically to DocVQA models.<n>Our methods outperform existing state-of-the-art membership inference attacks across a variety of DocVQA models and datasets.
  arXiv  Detail & Related papers  (2025-02-06T00:58:21Z)
• HDT: Hierarchical Document Transformer [70.2271469410557]
  HDT exploits document structure by introducing auxiliary anchor tokens and redesigning the attention mechanism into a sparse multi-level hierarchy. We develop a novel sparse attention kernel that considers the hierarchical structure of documents.
  arXiv  Detail & Related papers  (2024-07-11T09:28:04Z)
• Towards Responsible Generative AI: A Reference Architecture for Designing Foundation Model based Agents [28.406492378232695]
  Foundation model based agents derive their autonomy from the capabilities of foundation models. This paper presents a pattern-oriented reference architecture that serves as guidance when designing foundation model based agents.
  arXiv  Detail & Related papers  (2023-11-22T04:21:47Z)
• Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks [44.99833362998488]
  The paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set.
  arXiv  Detail & Related papers  (2023-10-12T09:33:50Z)
• Enhancing Architecture Frameworks by Including Modern Stakeholders and their Views/Viewpoints [48.87872564630711]
  The stakeholders with data science and Machine Learning related concerns, such as data scientists and data engineers, are yet to be included in existing architecture frameworks.<n>We surveyed 61 subject matter experts from over 25 organizations in 10 countries.
  arXiv  Detail & Related papers  (2023-08-09T21:54:34Z)
• Camera-Incremental Object Re-Identification with Identity Knowledge Evolution [82.64836424135886]
  Object Re-identification (ReID) aims to retrieve the probe object from many gallery images by associating and collecting the identities across all camera views. When deploying the ReID algorithm in real-world scenarios, the aspect of storage, privacy constraints, and dynamic changes of cameras would degrade its generalizability and applicability. Treating each camera's data independently, we introduce a novel ReID task named Camera-Incremental Object Re-identification (CIOR) by continually optimizing the ReID mode from the incoming stream of the camera dataset.
  arXiv  Detail & Related papers  (2023-05-25T10:15:29Z)
• FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature [60.99054146321459]
  Federated learning allows multiple parties to collaborate in learning a global model without revealing private data. We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
  arXiv  Detail & Related papers  (2023-05-10T12:10:02Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.