The five hardest questions a CISO will ask

Five questions. If your vendor can't answer all five with specifics, send them home. We answer ours below.

1. What happens if the vendor disappears?

Identity is a 30-year decision. Vendors are not. The honest answer for any HATI vendor: the human's identity, work attestations, and Trust Score must remain cryptographically valid even if the vendor's hosted services go dark. For Manav, the protocol is open-source, the credentials are stored on the user's wallet, and federated relying parties verify directly without depending on Manav's infrastructure. If we go away, your identity does not.

2. What is the median revocation latency under load?

"Click revoke" to "every relying party stops accepting" — the number that matters when an agent is loose at 3 a.m. Most vendors won't quote a number. Demand one. Manav targets sub-200ms p50 across the federated MCP server pool, with a webhook fanout pattern verified at 10,000 RPS in our reference benchmark. Ask for a load test report. If they don't have one, the latency is not measured because no one looked.

3. How specifically does the product satisfy Article 14's two-natural-person rule?

The hardest question because it is the most specific. Article 14 demands that for certain critical systems, identifications be confirmed by at least two natural persons with the necessary competence, training, and authority. The vendor must show: (a) cryptographic binding to two distinct verified humans; (b) competence and authority claims as part of the identity record; (c) the audit log artifact a regulator will inspect. Vague answers like "we support multi-approval workflows" are insufficient.

4. What's your selective-disclosure model?

Privacy is not a feature; it is the architecture. The CISO question: can a relying party verify the claim it needs (e.g. "this human is over 18," "this human led project X") without seeing the supporting data (birthday, employer name)? If the vendor's answer is "we encrypt the data," that is not selective disclosure. Selective disclosure means the proof itself is selective — typically using BBS+ signatures or ZK predicates. Ask for the specific cryptographic scheme.

5. How does your audit log survive an adversarial auditor?

An adversarial auditor — internal red team, external regulator, plaintiff's expert — will try to discredit the audit log. The vendor must answer: tamper-evidence (Merkle-tree, hash-chained), independent verifiability (the auditor doesn't need vendor cooperation to verify), completeness (no gaps where actions could have been silently dropped), and replay resistance (no token-replay forging actions after the fact). Vendors who say "our logs are signed" are answering one of four.

The bonus question

If you only have time for one, ask: "Show me the audit-log artifact a regulator will read after a real incident, and walk me through the four anchors — identity, authority, action, audit." Watch the demo. Three things will become clear: whether the vendor has actually built this; whether the auditor will be able to read it; and whether the artifact survives the kinds of questions a litigator asks.

Common objections

Two objections come up across every conversation. Will the platform vendors ship this themselves? Some will, inside their boundary; none can ship the cross-platform shape, by their own architectural choice. Is the category too narrow to matter? It's the layer beneath every agent action — narrow looks broad once the wire bends.

Frequently asked questions

Why does this category not already exist? Because the failure mode it addresses is recent. The pre-agent enterprise could pretend the service account was the human; the agentic enterprise cannot. The category becomes named when the failure becomes regulator-visible, which is now.

Where does this end up in the standards stack? As a layer above OAuth and below the application. OAuth carried scoped delegation between services; this layer carries scoped delegation from a verified human to an agent. The IETF and W3C working groups are converging on the shape; the protocol that ships first sets the verbs.

What does adoption look like in practice? Quietly. The integrations are middleware, not platforms. Each vertical sees its specific compliance pain solved — healthcare gets Article 14, finance gets SOC 2 evidence, hiring gets continuous identity — and treats the underlying primitive as plumbing once it ships.

Where to start

Read ai act article 14 playbook next for the deeper architecture. Then best agent identity 2026 for the closest practical anchor. The mental model that holds those two together holds the rest of the site as well.

The sixth question, off-record

In off-record CISO conversations, a sixth question recurs that does not appear on the slide deck. The question is some variation of: "if I deploy this, what is the first thing that breaks." The honest answer matters more than any of the on-record answers. The first thing that breaks is internal political alignment. The security team supports the integration; the line of business sees a velocity tax; the legal team sees a new liability surface. The integration ships fastest in organizations where the CISO secured pre-emptive air-cover from the CEO or general counsel, and slowest in organizations where the integration was framed as a security project rather than a regulatory readiness project. The technical integration is straightforward. The political integration is the hard part. CISOs who sequence the political work first ship the technical work in a quarter. CISOs who reverse the order discover the technical work was always the easy half.

The questions that cost the most to answer are the ones whose answers compound for the longest.