ISO/IEC 27001
ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS), including access-control requirements.
Why it matters for AI identity: Non-human identities hold standing access that often escapes ISMS access reviews.
How AIRM helps: AIRM inventories every non-human identity, its permissions and owner, evidence for access-control and review clauses.
DORA
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) sets ICT risk and resilience rules for EU financial entities, applying from 17 January 2025.
Why it matters for AI identity: DORA expects control over ICT assets and third-party/identity risk, including the service principals and AI tools connected to your systems.
How AIRM helps: AIRM surfaces non-human and third-party AI access and its blast radius, supporting ICT-risk visibility.
NIS2
The NIS2 Directive (EU) 2022/2555 raises baseline cybersecurity and incident-reporting duties across essential and important entities, and was due to be transposed into national law by October 2024.
Why it matters for AI identity: Identity is a primary attack surface the NIS2 risk-management measures are expected to cover.
How AIRM helps: AIRM gives continuous visibility of the AI and non-human identity attack surface, and of changes to it.
UK CAF
The NCSC Cyber Assessment Framework (CAF) is the UK's outcome-based framework for assessing the cyber resilience of essential functions.
Why it matters for AI identity: Several CAF objectives concern identity, access management and asset visibility.
How AIRM helps: AIRM provides the identity inventory and monitoring that evidence those objectives.
Cyber Essentials
Cyber Essentials is the UK government-backed, NCSC-run baseline certification built on five technical controls, including user access control.
Why it matters for AI identity: Service-principal and AI-agent access is rarely covered by basic user access controls.
How AIRM helps: AIRM extends access hygiene to non-human identities, flagging excessive or dormant access.
Essential Eight
The Australian Signals Directorate's Essential Eight (delivered via the ACSC) are eight prioritised mitigation strategies, including restricting administrative privileges, with a three-level maturity model.
Why it matters for AI identity: Privileged non-human identities are an under-managed slice of admin privilege.
How AIRM helps: AIRM identifies privileged and high-blast-radius non-human identities so you can restrict them.
MAS TRM
The Monetary Authority of Singapore's Technology Risk Management Guidelines set expectations for technology and cyber risk in financial institutions.
Why it matters for AI identity: Identity and access management is a core TRM expectation, increasingly extending to AI.
How AIRM helps: AIRM provides identity-risk evidence and monitoring aligned to TRM access-management expectations.
CERT-In
India's CERT-In 2022 directions set cyber-security expectations for entities operating in India, including reporting incidents within six hours and retaining logs for 180 days.
Why it matters for AI identity: Logging and monitoring obligations extend to the identities acting in your environment.
How AIRM helps: AIRM contributes continuous identity monitoring and change history toward those obligations.
AIRM supports these frameworks with visibility, evidence and continuous monitoring. It does not by itself constitute certification, audit or legal compliance, framework mapping is indicative, and scope should be confirmed with your assessor.