Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure
Abstract
This paper introduces the Identity Control Plane (ICP), an architectural framework for enforcing identity-aware Zero Trust access across human users, workloads, and automation systems. The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens. We propose a composable enforcement layer using ABAC policy engines (e.g., OPA, Cedar), aligned with IETF WIMSE drafts and OAuth transaction tokens. The paper includes architectural components, integration patterns, use cases, a comparative analysis with current models, and theorized performance metrics. A FedRAMP and SLSA compliance mapping is also presented. This is a theoretical infrastructure architecture paper intended for security researchers and platform architects. No prior version of this work has been published.
Cite
@article{arxiv.2504.17759,
title = {Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure},
author = {Surya Teja Avirneni},
journal= {arXiv preprint arXiv:2504.17759},
year = {2025}
}
Comments
Part of the Zero Trust Identity Foundations series. Authored Jan 2025. Introduces the Identity Control Plane (ICP) as a unifying layer for SPIFFE, brokered automation, and ABAC policy. 10 pages, 1 figure, 1 table. IEEE format. Keywords: Zero Trust, SPIFFE, WIMSE, Identity Control Plane, ABAC, CI/CD Security