By NHI Mgmt Group Editorial TeamPublished 2026-06-16Domain: Governance & RiskSource: Soffid

TL;DR: Common Criteria and ENS Alto are presented as certification gates for IAM platforms, with the article arguing that third-party validation helps organisations satisfy audits while reducing exposure to security failures, according to Soffid. The real issue is not branding but whether identity platforms can prove control effectiveness under regulated scrutiny.


At a glance

What this is: This is an IAM-focused commentary on how Common Criteria and ENS Alto certifications provide third-party validation of platform security, auditability, and operational assurance.

Why it matters: It matters because IAM teams increasingly have to prove that identity controls are validated, not merely claimed, especially where regulated suppliers, audit pressure, and resilience expectations converge.

By the numbers:

👉 Read Soffid's article on Common Criteria and high ENS in IAM


Context

Common Criteria and ENS Alto matter in IAM because identity platforms are often trusted on vendor claims alone until audit season or an incident forces proof. Certifications change that equation by making security, development, and operational claims subject to external validation rather than internal assertion.

For practitioners, the real question is whether the IAM control plane can demonstrate evidence of secure design, auditable operation, and resilience under regulated conditions. That is especially relevant when supplier risk is rising and organisations need identity controls that stand up to both compliance review and adversarial pressure.


Key questions

Q: How should IAM teams use certifications like Common Criteria and ENS Alto?

A: Use them as assurance evidence, not as proof that the IAM environment is fully secure. Certifications can help validate product design, development discipline, and audit readiness, but teams still need operational controls for access reviews, privileged access, logging, and supplier oversight. The certification is the starting point for trust, not the end of governance.

Q: Why do certifications matter when evaluating IAM platforms?

A: They matter because they give buyers an external basis for trusting security claims instead of relying only on vendor statements. In regulated environments, that can shorten audit friction and improve procurement confidence, but only if the certified scope matches the real deployment and the organisation continues to govern access lifecycle and privilege change.

Q: What should organisations verify beyond a certified IAM product?

A: They should verify how the product is configured, who administers it, how secrets and privileged access are handled, and whether audit logs are retained and reviewable. A secure certificate does not prevent operational drift. The strongest programmes combine certification evidence with ongoing access governance and supplier risk monitoring.

Q: Who is accountable when a certified IAM platform is misused or misconfigured?

A: The buying organisation remains accountable for how the platform is deployed, governed, and monitored. Certification may support due diligence, but it does not transfer operational responsibility. Teams should assign clear ownership for configuration, privileged access, audit evidence, and third-party risk so that certification does not become a false substitute for control.


Technical breakdown

What Common Criteria validates in an IAM platform

Common Criteria is an evaluation framework for IT security products, not a product feature. In IAM, it checks whether the platform’s security claims are backed by defined requirements, independent testing, and evidence that the architecture behaves as intended. That matters because identity tooling sits in the control path for authentication, authorisation, and administrative change. A certified platform gives buyers a structured basis for comparing assurance, but it does not remove the need to understand deployment scope, configuration, and operating model.

Practical implication: assess whether the certification scope matches the exact IAM functions and deployment model you plan to use.

Why ENS Alto changes procurement for regulated identity systems

ENS Alto is a Spanish security framework used in public administration and by suppliers to those environments. In practice, it turns procurement into an evidence exercise, where the IAM platform must show validated security measures rather than depend on marketing claims. For identity teams, this is less about labels and more about whether the control set is auditable, defensible, and fit for regulated environments where sovereignty and resilience are explicit concerns.

Practical implication: verify that supplier assurance evidence maps to the regulatory environment you must satisfy, not just the product brochure.

How certification affects auditability and supplier risk

Certification can reduce the time and uncertainty involved in audits because it shifts part of the burden from internal verification to recognised third-party assessment. That is useful in IAM, where access governance failures often surface only when controls are tested during review or after an incident. But certification is not a substitute for runtime governance, because operational drift, misconfiguration, and supplier dependency can still erode the assurance gained at procurement time.

Practical implication: treat certification as assurance input, then continue verifying live access, configuration, and supplier lifecycle controls.


Threat narrative

Attacker objective: The objective is to exploit weak assurance discipline so that unvalidated identity controls are accepted as compliant and secure.

  1. Entry begins when organisations rely on unverified IAM claims and outsource trust to supplier branding instead of external assurance. Escalation follows when the platform is deployed into regulated identity workflows without matching the certification scope to the actual control environment. Impact arrives when audit findings, compliance gaps, or supplier exposure reveal that assurance was assumed rather than demonstrated.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certification is an assurance layer, not an identity control. Common Criteria and ENS Alto matter because they reduce ambiguity in procurement and audit, but they do not govern runtime privilege, session behaviour, or access lifecycle. IAM teams should treat certification as one input into trust decisions, not as evidence that operational identity governance is complete.

Validated identity platforms are becoming a procurement baseline in regulated environments. The article reflects a market where compliance pressure and third-party incident exposure are converging, and that shifts buyer expectations from feature claims to proof. For practitioners, the implication is that platform selection now has to include assurance evidence, not just functional fit.

Supplier risk management is now part of identity governance. When 61% of organisations report exposure to third-party incidents, the question is no longer whether the vendor has security language, but whether the identity control plane is defensible under external scrutiny. That means procurement, audit, and IAM operations have to be aligned as one governance process.

Common Criteria and ENS Alto do not reduce the need for lifecycle governance. A platform can be certified and still fail if privileged accounts, integration secrets, or delegated access are not continuously reviewed. The practitioner conclusion is straightforward: certified software still needs certified processes around it.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding shows that only 1.5 out of 10 organisations are highly confident in securing NHIs, which helps explain why assurance signals matter so much in procurement.
  • For a broader governance lens, see Ultimate Guide to NHIs , Key Challenges and Risks for the visibility and over-privilege problems that certifications do not solve.

What this signals

Identity certification will become a stronger buying filter, but only where teams can separate assurance from operations. The procurement conversation is moving toward external evidence, yet the control failures that matter most still happen after deployment, inside lifecycle, privilege, and logging processes.

Certification pressure will not reduce the need for lifecycle discipline. If anything, it raises the expectation that teams can prove who can do what, where, and for how long. The governance gap is in assuming that validated product security is equivalent to validated identity operations.


For practitioners

  • Map certification scope to actual IAM use cases Check whether the certified boundary covers the identity functions you intend to rely on, including administration, federation, and audit logging. A certification that does not include your deployment model should not be treated as blanket assurance.
  • Use supplier assurance as a procurement gate Require independent evidence for security claims before signing or renewing contracts, especially where the IAM platform supports regulated access workflows or public-sector obligations.
  • Separate platform assurance from operational governance Keep access reviews, privilege monitoring, and secret lifecycle controls active even when the platform is certified. Certification reduces uncertainty, but it does not monitor live privilege drift or misconfiguration.
  • Align audit evidence with identity operations Prepare evidence for configuration, logging, and control ownership before the audit request arrives. The faster a team can show who controls what, the less likely a certified platform is to become an audit exception.

Key takeaways

  • Common Criteria and ENS Alto strengthen assurance, but they do not replace live IAM governance.
  • Third-party incident exposure is already high enough that suppliers must be evaluated with evidence, not slogans.
  • Identity teams should treat certification as one control input and continue monitoring privilege, configuration, and lifecycle risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4The article focuses on identity access governance and assurance in regulated environments.
NIST SP 800-53 Rev 5AC-6Least-privilege access is central to the audit and resilience claims discussed here.
ISO/IEC 27001:2022A.5.15Access control policy is directly relevant to IAM platform assurance and procurement.
DORARegulated-sector resilience and supplier assurance are part of the article's context.

Map certified IAM capabilities to access-control enforcement and keep reviewing live privilege assignments.


Key terms

  • Common Criteria: Common Criteria is an international framework for evaluating the security properties of IT products. In IAM, it matters because it tests whether a platform’s security claims are supported by defined requirements, independent assessment, and evidence rather than marketing language alone.
  • ENS Alto: ENS Alto is the highest security level of Spain’s National Security Scheme for systems and suppliers serving public administration. In identity programmes, it signals that the platform must support strong, auditable security measures suitable for regulated and sovereignty-sensitive environments.
  • Supplier assurance: Supplier assurance is the practice of verifying that a third party can support the security and compliance claims it makes. For identity systems, that means checking certification scope, control evidence, and operational responsibility before trusting the platform in production.

What's in the full article

Soffid's full article covers the operational detail this post intentionally leaves for the source:

  • The certification distinctions between Common Criteria and ENS Alto in more implementation detail
  • The article's explanation of how regulated organisations can use certification evidence in procurement and audit discussions
  • The specific claims Soffid makes about its own IAM platform certification status
  • The sector framing for public administration and regulated supplier environments

👉 The full Soffid article expands on certification scope, auditability, and regulated-sector implications.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org