Certification becoming trust signal for procurement and market positioning

Kantara says marketing isn’t compliance – but compliance might be best marketing

One consequence of the explosion of synthetic media and AI-generated identities is that trusted identity infrastructure has become strategically valuable again. As regulated industries demand stronger evidence of compliance, certification is increasingly becoming both a procurement requirement and market differentiator.

Compliance, long treated as a back-office exercise, is increasingly emerging as a visible trust and sales signal. What’s concrete is cool again.

A workshop from the conformity assessment body (CAB) Kantara Initiative looks at how a trust mark can put you ahead of competitors, as organizations demand more than compliance-as-optics and qualifications that are little more than marketing.

Renee Hunter, the treasurer for Kantara’s board and CLO of Proof, says certification as a market signal is not just a check box. “It’s not just an audit for an audit’s sake. It’s really important that we all think through why compliance is important.”

There is a shift happening, as senior executives face more pressure to make sure services are genuinely compliant. Andi Hindle, who is on the Kantara Initiative advisory board and is the chair of Identiverse, says there is “much more awareness of downstream risks of providing poor-quality, potentially breachable, less reliable services to customers.”

A key question is emerging: “Do you understand why we do the due diligence to get a certified vendor?”

‘Self-assertion is breaking down’

As is the case with online age assurance, self-declaration is losing legitimacy as a way to prove compliance. “You can trust us, we’re compliant” no longer works, and referencing standards or security levels like NIST IAL2 in the U.S. and UK DIATF high confidence does not change the fact that there has been no external certification. Critically, claims of certification also don’t prove that the auditors themselves are certified. The result is a chain of untrustworthiness.

“Who guards the guardians?” asks Lisle. “You want to know that an audit has been done well. You want to know your product is being assessed properly and fairly.”

This is how the Kantara Initiative occupies a central role. Kantara ensures third-party verification of auditors, measured against an independent standard in ISO/IEC 17065. Certification is fully auditable, and regularly monitored through surveillance audits.

“17065 essentially is that reassurance for you,” Lisle says. “You know that when someone comes in and audits the product, that that process has been done the right way.”

NIST, DIATF, new OpenID program show expanding scope for Kantara

Kantara certifies against the NIST SP 800-63 Identity Assurance Framework in the U.S., DIATF in the UK via Kantara Ltd., and the OpenID Foundation Conformance Program globally. Speaking on the evolution of the NIST framework, Hunter notes that the recent Revision 4 testing regimen is “unique because it really componentizes identity for the first time, which is helpful, since that is the nature of the identity marketplace.”

For the DIATF, Kantara accredits across five roles: Identity Service Provider (ISP), Attribute Service Provider (ASP), Orchestration Service Provider (OSP), Holder Service Provider (HSP, wallet provider) and Component Provider. The Kantara Trust Mark is recognized by the UK government, and Kantara is the only UKAS-accredited conformity assessment body (CAB) in the UK.

The new OpenID Conformance Program marks Kantara’s expansion to global assessment, and is the first to not be tied to a government. As an Authorized Auditor for the OpenID Foundation’s newly independent conformance testing program, Kantara assesses those who want to become Approved Testing Service Providers.

Strong, specific signal, not a panacea

Hunter underlines the importance of scope – both in what assessment is and isn’t, and in terms of how broadly it should be applied. She says certification tells you that an auditor was qualified and independently verified. It is a strong signal “covering a specific, defined service scope” – not the whole company. A Kantara Trust Stamp applies only to what has been assessed. Asking for a “whole business” assessment without understanding the details could lead to major scope creep – and could get very expensive.

Certification also can’t make companies comply, and can’t guarantee that a vendor is immune to fraud, breach or failure. It’s not, in other words, a substitute for vendor due diligence: “you still need to know what your vendors are doing.”

What Kantara can do is revoke licenses if conformance lapses. Both Hunter and Lisle note that certification is not a one-time event. Reliable information means consistency, and yearly surveillance audits are intended to ensure that there is no compliance falloff. Both also repeat that Kantara can, and will, remove Trust Marks as needed.

If you’ve got a trust mark, flaunt it

Hunter explains how her experience with Proof has taught her about the deeper value of certification. A Trust Mark is “visible, auditable, differentiation” – and, most importantly in a procurement context, “terminates a particular objection in the sales process.”

Proof started leading with compliance and referencing certifications early on, putting it on its marketing materials, but also building conformance into the culture of the organization. The assessment process forces organizations to document and defend their controls, and institutionalizes rigor – which makes the job easier going forward.

Kantara highlighted several considerations organizations should understand before undergoing assessment. Defining scope is key. Gap analysis will find things. Auditors should not be easy. “An audit by a rigorous auditor is worth more to relying parties than a light-touch audit.”

Surveillance audits are real and should be approached as such. And, finally, the Kantara Trust Mark is only valuable if it is visible.

“Tell people you have it. Lead with the Trust Mark,” Hunter says.

Lisle points out that, in certain scenarios, it now sells itself, because it’s a requirement to get past the RFP stage. “That’s an active change in the market.”

The next frontier for Kantara is the world of wallets, for which it is helping to build privacy and assurance standards. The HSP certification certifies wallets that hold credentials on behalf of users, assessing how a wallet stores, protects and manages the credentials.

But certification is not something to put off. Hunter and Lisle call for stakeholders to hold identity providers accountable with certification, urge ID providers to get certified, and suggest that governments build certification requirements into procurement frameworks.

The old song-and-dance, in other words, is no longer going to measure up. The chain of trust must be proven.

“Vendors need to step up and get certified.”
