{"id":"https://openalex.org/W7130352412","doi":"https://doi.org/10.1109/access.2026.3665991","title":"Compliance-as-Code for AI-Driven Identity Systems: Clause-to-Control Traceability and Machine-Readable Evidence","display_name":"Compliance-as-Code for AI-Driven Identity Systems: Clause-to-Control Traceability and Machine-Readable Evidence","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7130352412","doi":"https://doi.org/10.1109/access.2026.3665991"},"language":null,"primary_location":{"id":"doi:10.1109/access.2026.3665991","is_oa":true,"landing_page_url":"https://doi.org/10.1109/access.2026.3665991","pdf_url":null,"source":{"id":"https://openalex.org/S2485537415","display_name":"IEEE Access","issn_l":"2169-3536","issn":["2169-3536"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Access","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1109/access.2026.3665991","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5031313687","display_name":"Livinus Obiora Nweke","orcid":"https://orcid.org/0000-0003-4888-6851"},"institutions":[{"id":"https://openalex.org/I204778367","display_name":"Norwegian University of Science and 
Technology","ror":"https://ror.org/05xg72x27","country_code":"NO","type":"education","lineage":["https://openalex.org/I204778367"]}],"countries":["NO"],"is_corresponding":false,"raw_author_name":"Livinus Obiora Nweke","raw_affiliation_strings":["Norwegian University of Science and Technology (NTNU), Gj\u00f8vik, Norway"],"raw_orcid":"https://orcid.org/0000-0003-4888-6851","affiliations":[{"raw_affiliation_string":"Norwegian University of Science and Technology (NTNU), Gj\u00f8vik, Norway","institution_ids":["https://openalex.org/I204778367"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5008690111","display_name":"Prosper Kandabongee Yeng","orcid":"https://orcid.org/0000-0003-2553-5936"},"institutions":[{"id":"https://openalex.org/I117222138","display_name":"Abu Dhabi University","ror":"https://ror.org/01r3kjq03","country_code":"AE","type":"education","lineage":["https://openalex.org/I117222138"]}],"countries":["AE"],"is_corresponding":false,"raw_author_name":"Prosper Kandabongee Yeng","raw_affiliation_strings":["Abu Dhabi University, Abu Dhabi, United Arab Emirates"],"raw_orcid":"https://orcid.org/0000-0003-2553-5936","affiliations":[{"raw_affiliation_string":"Abu Dhabi University, Abu Dhabi, United Arab Emirates","institution_ids":["https://openalex.org/I117222138"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":{"value":1850,"currency":"USD","value_usd":1850},"apc_paid":{"value":1850,"currency":"USD","value_usd":1850},"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.21742312,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"14","issue":null,"first_page":"28258","last_page":"28281"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial 
Robustness in Machine Learning","score":0.46939998865127563,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.46939998865127563,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.2838999927043915,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.043699998408555984,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/traceability","display_name":"Traceability","score":0.7531999945640564},{"id":"https://openalex.org/keywords/credential","display_name":"Credential","score":0.7361000180244446},{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.49380001425743103},{"id":"https://openalex.org/keywords/identity","display_name":"Identity 
(music)","score":0.4300999939441681},{"id":"https://openalex.org/keywords/intelligence-analysis","display_name":"Intelligence analysis","score":0.40860000252723694},{"id":"https://openalex.org/keywords/semantics","display_name":"Semantics (computer science)","score":0.3984000086784363},{"id":"https://openalex.org/keywords/formal-verification","display_name":"Formal verification","score":0.3862999975681305},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.3853999972343445},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.3833000063896179},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.35850000381469727}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8119999766349792},{"id":"https://openalex.org/C153876917","wikidata":"https://www.wikidata.org/wiki/Q899704","display_name":"Traceability","level":2,"score":0.7531999945640564},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.7361000180244446},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5440000295639038},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.49380001425743103},{"id":"https://openalex.org/C2778355321","wikidata":"https://www.wikidata.org/wiki/Q17079427","display_name":"Identity (music)","level":2,"score":0.4300999939441681},{"id":"https://openalex.org/C517642484","wikidata":"https://www.wikidata.org/wiki/Q2388514","display_name":"Intelligence 
analysis","level":2,"score":0.40860000252723694},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.3984000086784363},{"id":"https://openalex.org/C111498074","wikidata":"https://www.wikidata.org/wiki/Q173326","display_name":"Formal verification","level":2,"score":0.3862999975681305},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.3853999972343445},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.3833000063896179},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.35850000381469727},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.35339999198913574},{"id":"https://openalex.org/C2775948798","wikidata":"https://www.wikidata.org/wiki/Q5160261","display_name":"Conformance checking","level":5,"score":0.3440999984741211},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.335099995136261},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software 
engineering","level":1,"score":0.33219999074935913},{"id":"https://openalex.org/C2778134712","wikidata":"https://www.wikidata.org/wiki/Q1047307","display_name":"Bundle","level":2,"score":0.31700000166893005},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.3147999942302704},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.3109000027179718},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.31040000915527344},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.3068999946117401},{"id":"https://openalex.org/C130191384","wikidata":"https://www.wikidata.org/wiki/Q2996887","display_name":"Copycat","level":2,"score":0.3059999942779541},{"id":"https://openalex.org/C2776452267","wikidata":"https://www.wikidata.org/wiki/Q1503443","display_name":"Secrecy","level":2,"score":0.29989999532699585},{"id":"https://openalex.org/C141141315","wikidata":"https://www.wikidata.org/wiki/Q2379942","display_name":"Guard (computer science)","level":2,"score":0.2939000129699707},{"id":"https://openalex.org/C92717368","wikidata":"https://www.wikidata.org/wiki/Q1162538","display_name":"Plaintext","level":3,"score":0.2840999960899353},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.28189998865127563},{"id":"https://openalex.org/C15569618","wikidata":"https://www.wikidata.org/wiki/Q3561421","display_name":"Liveness","level":2,"score":0.27970001101493835},{"id":"https://openalex.org/C151319957","wikidata":"https://www.wikidata.org/wiki/Q752739","display_name":"Asynchronous 
communication","level":2,"score":0.2703999876976013},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.2696000039577484},{"id":"https://openalex.org/C17231256","wikidata":"https://www.wikidata.org/wiki/Q5156540","display_name":"Completeness (order theory)","level":2,"score":0.2685999870300293},{"id":"https://openalex.org/C34388435","wikidata":"https://www.wikidata.org/wiki/Q2267362","display_name":"Bounded function","level":2,"score":0.2597000002861023},{"id":"https://openalex.org/C199168358","wikidata":"https://www.wikidata.org/wiki/Q3367000","display_name":"Orchestration","level":3,"score":0.25679999589920044}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/access.2026.3665991","is_oa":true,"landing_page_url":"https://doi.org/10.1109/access.2026.3665991","pdf_url":null,"source":{"id":"https://openalex.org/S2485537415","display_name":"IEEE Access","issn_l":"2169-3536","issn":["2169-3536"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Access","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1109/access.2026.3665991","is_oa":true,"landing_page_url":"https://doi.org/10.1109/access.2026.3665991","pdf_url":null,"source":{"id":"https://openalex.org/S2485537415","display_name":"IEEE Access","issn_l":"2169-3536","issn":["2169-3536"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and 
Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Access","raw_type":"journal-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.8041011691093445,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320322303","display_name":"Jordan University of Science and Technology","ror":"https://ror.org/03y8mtb59"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Artificial":[0],"intelligence":[1],"(AI)-driven":[2],"identity":[3],"(ID)":[4],"systems":[5,43],"(document":[6],"onboarding,":[7],"wallet-based":[8],"credential":[9],"presentation,":[10],"fraud/risk":[11],"scoring)":[12],"increasingly":[13],"face":[14],"regulatory":[15],"obligations":[16],"requiring":[17],"demonstrable":[18],"accountability,":[19],"traceability,":[20],"and":[21,31,44,77,81,99,112,136,147,159,191,208,216,229],"technical":[22],"documentation.":[23],"Yet":[24],"current":[25],"compliance":[26],"practice":[27],"remains":[28],"predominantly":[29],"document-centric":[30],"manual,":[32],"making":[33],"it":[34],"difficult":[35],"to":[36,143],"keep":[37],"evidence":[38,64,80,105,138,177,184,209],"synchronized":[39],"with":[40,175],"rapidly":[41],"evolving":[42],"models.We":[45],"present":[46],"a":[47,212],"compliance-as-code":[48,204],"approach":[49,118],"for":[50,183],"AI-driven":[51,223],"ID":[52,155,224],"workflows":[53],"that":[54,140,203],"(i)":[55],"maintains":[56],"clause-to-control":[57],"traceability":[58],"under":[59,197],"policy/configuration":[60],"evolution,":[61],"(ii)":[62],"treats":[63]
,"completeness":[65],"as":[66,83,109,189,219,221],"an":[67,137],"enforceable":[68],"property":[69],"via":[70],"fixed":[71],"monitoring-window":[72],"semantics":[73],"(silence":[74],"is":[75,106],"non-ambiguous),":[76],"(iii)":[78],"exports":[79],"outcomes":[82],"Open":[84],"Security":[85,95],"Controls":[86],"Assessment":[87,97],"Language":[88],"(OSCAL)-native":[89],"assessor":[90],"packages":[91,174],"(Component":[92],"Definition,":[93],"System":[94],"Plan,":[96],"Results,":[98],"automatically":[100,107,179],"generated":[101],"POA&M),":[102],"where":[103],"missing":[104],"materialized":[108],"structured":[110],"findings":[111],"remediation":[113],"items.":[114],"We":[115,149],"implement":[116],"our":[117,169],"using":[119],"policy-as-code":[120],"enforcement":[121],"(OPA/Rego),":[122],"CI":[123],"configuration":[124],"testing":[125],"(Conftest),":[126],"release-time":[127],"provenance":[128],"gates":[129],"(policy":[130],"bundle":[131],"digests),":[132],"runtime":[133],"decision":[134],"logging,":[135],"graph":[139],"binds":[141],"events/resources":[142],"control":[144,217],"IDs,":[145],"releases,":[146,168],"hashes.":[148],"evaluate":[150],"on":[151],"two":[152],"publicly":[153],"reproducible":[154],"workloads":[156],"(MIDV-500":[157],"onboarding":[158],"OpenID4VP/W3C":[160],"VC":[161],"DM":[162],"v2.0-aligned":[163],"wallet":[164],"verification).":[165],"Across":[166],"four":[167],"prototype":[170],"generates":[171],"complete":[172],"OSCAL":[173],"hash\u2013linked":[176],"resources,":[178],"emits":[180],"POA&M":[181],"items":[182],"gaps,":[185],"surfaces":[186],"window-level":[187],"staleness":[188],"findings,":[190],"shows":[192],"no":[193],"material":[194],"latency":[195],"overhead":[196],"measured":[198],"load.":[199],"These":[200],"results":[201],"suggest":[202],"can":[205],"improve":[206],"assessability":[207],"integrity/attribution":[210],"within":[211],"bounded":[213],"threat":[214],"model":[215],"scope,":[218],"well":[220],"make":[222],"systems\u2019":[225
],"assurance":[226],"more":[227],"maintainable":[228],"assessor-ready.":[230]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-02-19T00:00:00"}
