Skip to content
Federated TrustComparison

Vendor landscape · snapshot 2026-07-17

Compare the identity landscape.

Federated Trust, FusionAuth, C1, Okta, and Auth0 solve different problems that buyers evaluate together. This matrix compares them across 44 capabilities — with a twist the industry avoids: the Federated Trust column carries the same public maturity labels as our trust center, so designed work is never dressed up as shipped product.

00Platforms
00Capabilities
00Capability groups
00Evidence levels

Federated Trust

Federated Trust

Cross-company identity, authorization, and custody plane

Managed service today; customer-controlled and sovereign profiles are designed targets.

Committed public maturity registry — every cell carries its status label. Status registry

FusionAuth

Inversoft

Self-hostable CIAM identity server

Self-host anywhere (Docker, packages, Kubernetes) or dedicated single-tenant FusionAuth Cloud.

Public documentation and pricing pages, version 1.68.0. Source

C1

ConductorOne

AI-native identity governance and access overlay

Multi-tenant SaaS control plane; self-hosted open-source connectors reach private infrastructure.

Public marketing, documentation, and launch press — no public versioning or pricing. Source

Okta

Okta, Inc.

Workforce identity cloud

Multi-tenant SaaS only, with government-scoped variants; no self-hosted control plane.

Public documentation, trust pages, and press releases. Source

Auth0

Okta, Inc.

Customer identity cloud (CIAM)

Multi-tenant public cloud or dedicated vendor-managed Private Cloud on AWS or Azure.

Public documentation, platform pages, and press releases. Source

Showing 44 of 44 capabilities across 8 of 8 groups, comparing 5 of 5 platforms.

3 of 3 capabilities

Platform role and architecture

What each product fundamentally is. These five are not interchangeable: two issuers, a governance overlay, a workforce cloud, and a cross-company trust plane.

Platform role and architecture: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Identity provider of recordHosts sign-in and issues the tokens applications trust.PartialLimited / pilot

Central issuer with branded login for named hosts; protocol and profile rollout is limited/pilot.

Yes

Complete CIAM identity server: hosted login, registration, tokens, and sessions.

No

C1 does not host login or issue tokens; it governs access and presumes an IdP underneath.

Yes

Full workforce IdP: Universal Directory, SSO, and token issuance across the Okta Integration Network.

Yes

Developer-first CIAM issuer: Universal Login, tokens, and sessions at consumer scale.

Governance over existing systemsMaps and governs access held in other IdPs and applications.PlannedDesigned

Federated Trust governs its own authority plane; overlay governance of third-party systems is not the product.

No

An identity server, not an IGA overlay; no cross-system review or remediation product.

Yes

The core product: a universal graph over IdPs, apps, and infrastructure with policy-driven remediation.

Add-on

Okta Identity Governance (paid add-on): requests, reviews, and lifecycle over Okta-integrated apps.

No

CIAM platform; enterprise governance overlay is not the Auth0 surface.

Cross-organization trust planeOne shared, canonical authority for relationships and grants that span company boundaries.PartialLimited / pilot

The core thesis: canonical organizations, relationships, and revocable cross-company grants. Code and contract evidence; rollout gated.

No

Tenants are isolated namespaces; the vendor recommends separate instances for strong isolation.

Unknown

Scope is one enterprise per tenant; no cross-organization authority appears in reviewed public docs.

Partial

Orgs are per-company; B2B is org-to-org federation and hub-and-spoke patterns, not one shared plane.

Partial

Auth0 Organizations model business customers inside one tenant; not a shared cross-company authority.

6 of 6 capabilities

Deployment and data control

Where the control plane runs, who can hold the keys, and whether the product can leave the vendor’s cloud. This is where the five differ most.

Deployment and data control: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Vendor-managed cloud serviceA hosted service the vendor operates for you.YesImplemented

The central service runs today as a managed edge deployment for named hosts.

Yes

FusionAuth Cloud runs dedicated deployments (Basic, Business, HA tiers).

Evidence
Yes

Multi-tenant SaaS control plane — the only offered form.

Yes

Multi-tenant SaaS cells, including FedRAMP-scoped Okta for Government variants.

Yes

Multi-tenant public cloud plus dedicated Private Cloud deployments.

Evidence
Dedicated single-tenant optionYour own isolated deployment rather than shared multi-tenant cells.PlannedDesigned

The customer-controlled connected profile is a designed target, not a generally available offering.

Yes

Every FusionAuth Cloud deployment is dedicated, and self-hosting is single-tenant by definition.

Unknown

No dedicated or single-tenant control-plane option in reviewed public docs.

Partial

Government-scoped environments exist; a general dedicated-instance product is not offered.

Yes

Private Cloud on AWS or Azure: dedicated, vendor-managed instances with performance guarantees.

Evidence
Self-hosted control planeRun the whole product on infrastructure you operate.PlannedDesigned

The sovereign profile (customer-run data plane) is designed; no self-host package is generally available.

Yes

Docker, ZIP, RPM/DEB, Kubernetes/Helm — run it anywhere, including fully private networks.

Evidence
No

SaaS only; only the open-source Baton connectors run in your environment.

No

Cloud only. Access Gateway bridges on-premises apps, but the platform is not self-hostable.

No

No on-premises option; the legacy PSaaS appliance was retired and Private Cloud is vendor-operated.

Air-gapped or offline operationOperate with no connection to the vendor or the internet.PlannedDesigned

Sovereign/offline data plane with signed offline authorization projections — designed, evidence-gated.

Add-on

Enterprise offline license supports air-gapped self-hosting; cloud-fed breached-password data is limited offline.

No

A SaaS control plane cannot run disconnected.

No

No offline or air-gapped mode.

No

No offline or air-gapped mode.

Customer-held key custodyBYOK/HYOK: the customer, not the vendor, controls protected-material keys.PlannedDesigned

Custody classes with BYOK/HYOK semantics and no universal provider key are the designed differentiator.

Unknown

Key Master generates or imports keys in-product; no substantiated HSM, external-KMS, or BYOK signing custody found.

No

The headless substrate centralizes credentials and vaulting inside the C1 SaaS — the opposite custody bet.

Unknown

No customer-held signing-key custody offering in reviewed public docs.

Add-on

Customer-managed encryption keys ship with the Highly Regulated Identity add-on.

Region and residency selectionChoose where identity data lives.PlannedDesigned

Customer-controlled placement is core to the designed data-plane profiles.

Yes

Self-host in any jurisdiction; FusionAuth Cloud offers documented region choice.

Unknown

No public residency-selection documentation was found.

Partial

Orgs are placed in regional cells at creation; real but coarse residency control.

Yes

Public cloud regions across the US, EU, AU, JP, UK, and CA, plus Private Cloud placement.

6 of 6 capabilities

Authentication and sessions

Sign-in ceremonies, factors, and session control. Mature CIAM products lead here today; Federated Trust labels exactly what is rolled out.

Authentication and sessions: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Hosted, brandable sign-inA vendor-hosted login experience you can brand.PartialLimited / pilot

Branded home authority and per-brand facades are live for named hosts; the general profile rollout is gated.

Yes

Complete themed hosted flows: login, registration, recovery, verification, MFA, and consent.

No

Not an identity provider; no hosted login.

Yes

Okta-hosted sign-in widget with organization branding.

Yes

Universal Login with deep branding and no-code customization.

Passkeys / WebAuthnPhishing-resistant FIDO2 credentials.PartialLimited / pilot

RP-ID- and origin-scoped ceremonies exist in code and focused tests; per-host availability is rollout-gated.

Add-on

Hosted and API WebAuthn; platform authenticators from Licensed Community, roaming authenticators at Enterprise.

No

Authentication factors belong to the IdPs C1 sits above.

Yes

Okta FastPass and WebAuthn factors with phishing-resistant policy controls.

Yes

Native passkey support in Universal Login.

Magic links and one-time codesEmail or SMS sign-in without a password.PartialLimited / pilot

Email OTP and magic-link ceremonies are part of the approved progressive sign-in for named hosts.

Yes

Passwordless link and code APIs with custom delivery support.

No

Not an identity provider.

Yes

Email magic link and OTP factors.

Yes

Passwordless email and SMS connections.

Multi-factor method catalogBreadth of configurable second factors.PlannedDesigned

Assurance-aware step-up is designed; a broad configurable method catalog is not claimed today.

Add-on

TOTP in the free tier; email, SMS, and voice factors, recovery codes, and step-up in paid editions.

No

Factors are enforced by the underlying IdP; C1 can require them via policy conditions.

Yes

Okta Verify push and OTP, FIDO2, TOTP, SMS/voice, and device signals.

Yes

Push, OTP, WebAuthn, SMS/voice, email, and recovery factors.

Risk-based adaptive challengesChallenge intensity that responds to context and risk.PlannedDesigned

Policy can consume assurance and risk context by design; a generally available adaptive product is not claimed.

Add-on

Risk-based challenges and an MFA lambda landed in 1.68; advanced policies are Enterprise.

No

Sign-in risk decisions belong to the IdP.

Add-on

Adaptive MFA and Identity Threat Protection are separately licensed.

Add-on

Adaptive MFA add-on scores risk per authentication.

Session inspection and revocationSee and end active sessions administratively.PartialLimited / pilot

Host-scoped sessions and central minting exist for the facade model; the full admin lifecycle is incomplete.

Yes

Application, SSO, and refresh sessions with inspect and revoke APIs; no OIDC back-channel logout.

Partial

Remediation can disable accounts and revoke grants in connected systems; not a session store of record.

Yes

Session and token revocation APIs plus Universal Logout for supported apps.

Yes

Session and refresh-token inspection and revocation APIs.

7 of 7 capabilities

Federation and protocols

Standards coverage: how each product speaks to the rest of the world. Certification and edition gates matter as much as the acronyms.

Federation and protocols: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
OAuth 2.0 / OIDC providerActing as the authorization server for your applications.PartialLimited / pilot

Authorization code with S256 PKCE, metadata, JWKS, and UserInfo-oriented paths carry focused tests; no certification claim.

Status registry
Yes

Authorization code, PKCE, discovery, introspection, device flow, and legacy grants.

No

Not an authorization server for your applications.

Yes

OpenID Certified provider with custom authorization servers.

Yes

OpenID Certified provider; standard and custom domains.

SAML 2.0 (SP and IdP)Classic enterprise federation in both directions.PlannedPlanned

A planned connection profile; no generally available SAML conformance is claimed.

Yes

SP and IdP roles; SP-initiated in Community, IdP-initiated from Starter.

No

Consumes SSO for its own console; not a SAML provider for your apps.

Yes

Full SP and IdP SAML with extensive app catalog support.

Yes

SAML SP and IdP roles with enterprise connections.

SCIM provisioningStandards-based user and group provisioning.PlannedPlanned

SCIM user and group lifecycle is planned; no conformance is claimed today.

Add-on

Inbound SCIM server at Enterprise; no bulk operations.

Partial

Provisioning runs through C1 connectors rather than a standards-first SCIM surface.

Yes

Deep inbound and outbound SCIM across the integration network — a core strength.

Partial

Inbound SCIM for enterprise connections; outbound workforce provisioning is not the focus.

Social identity providersConsumer sign-in with Apple, Google, and friends.Unknown

No general social-provider catalog is claimed today.

Yes

Apple, Facebook, Google, LinkedIn, and X, plus a gaming catalog partly in Starter.

No

Not applicable to a governance overlay.

Yes

Social IdP integrations for customer-facing orgs.

Yes

The category benchmark: dozens of social connections out of the box.

Enterprise IdP brokeringFederate external OIDC/SAML/LDAP identity providers into your apps.PartialLimited / pilot

A connection schema and a named Entra/OIDC path exist; the broader connection lifecycle is gated.

Yes

OIDC, SAML, LDAP, and generic connectors with reconcile lambdas and managed domains.

No

C1 consumes IdPs; it does not broker them for your applications.

Yes

Inbound federation with routing rules across thousands of orgs.

Yes

Enterprise connections with home-realm discovery.

Token exchange / on-behalf-ofRFC 8693-style narrowing of delegated authority across services and agents.PlannedPlanned

A roadmap reference (RFC 8693) for narrowing delegated authority; not an available issuance flow.

Unknown

No RFC 8693 token-exchange endpoint in reviewed public docs.

Unknown

Brokers credentials through its own APIs; no public RFC 8693 claim.

Preview

Cross App Access — an OAuth token-exchange profile — is rolling out across the platform in 2026.

Evidence
Yes

On-Behalf-Of and custom token exchange are generally available.

Sender-constrained tokens (DPoP)Proof-of-possession so stolen tokens cannot be replayed.PlannedPlanned

A roadmap profile in the committed registry; current clients are not represented as sender-constrained.

Add-on

Authorization-code DPoP binding at Enterprise; resource servers must validate proofs.

Unknown

Not applicable to the reviewed public surface.

Yes

DPoP-bound tokens supported, and required for several Okta management APIs.

Partial

Certificate-bound tokens ship with Highly Regulated Identity; DPoP-specific support is less clearly published.

6 of 6 capabilities

Authorization

Who may do what, decided where. The interesting differences are in fine-grained models, delegation, and what happens when the authority is unreachable.

Authorization: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Roles and groupsClassic role- and group-based access.PartialLimited / pilot

Roles are expressed through the canonical relationship graph plus local configuration roles.

Yes

Application-scoped roles, registrations, and flat (non-nesting) groups.

Partial

Mirrors roles and entitlements from connected systems into its graph; not your runtime authorizer.

Yes

Groups, group rules, and fine-grained admin roles.

Yes

RBAC with roles and permissions embedded in tokens.

Relationship-based / fine-grained authorizationGoogle Zanzibar-style relationship checks at runtime.PartialLimited / pilot

Typed relationship and policy evaluation exists in code and tests; independent deployment evidence remains gated.

Add-on

A hosted and supported Permify FGA option at Enterprise.

Partial

Real-time authorization is claimed inside the headless substrate; public depth is thin so far.

Yes

Okta FGA (OpenFGA lineage), generally available since March 2024 with a 99.99% SLA.

Evidence
Yes

Auth0 FGA — the same OpenFGA lineage, packaged developer-first.

Attribute and context policyDecisions that weigh assurance, environment, device, and time.PartialLimited / pilot

A small deterministic policy language evaluates assurance, environment, residency, time, license, and outage context.

Partial

Lambdas and application logic shape tokens and policy; no single canonical ABAC engine.

Yes

Conditional multistep policies over the graph and context drive automated decisions.

Yes

Rich policy conditions across sign-on, app, and device contexts.

Partial

Actions inject context at runtime; FGA adds contextual tuples and conditions.

Attenuated capability delegationShort-lived, non-escalating capabilities bound to audience, action, proof, and revocation state.PartialLimited / pilot

Strict attenuation, a signed-envelope verifier, and exact request binding exist in code and tests; rollout evidence is gated.

Unknown

No signed attenuated-capability chain in reviewed public docs.

Unknown

No comparable public capability-attenuation model.

Unknown

No comparable public capability-attenuation model.

Unknown

Token exchange narrows scope but no attenuated-capability chain is published.

Resource-local final denyEvery relying service revalidates and may narrow or deny — the center cannot force an allow.PlannedDesigned

A required design contract: audience, tenant, revision, revocation, and local policy are rechecked at the resource.

Unknown

Resource servers validate tokens; no universal local-final-deny contract is published.

Unknown

Centralized decision model; no equivalent published contract.

Unknown

No equivalent published contract.

Unknown

No equivalent published contract.

Offline authorizationAuthorization keeps working, safely, when the authority is unreachable.PlannedDesigned

Signed, versioned, expiring offline projections that fail closed — designed with explicit staleness and rollback rules.

Partial

A different route: the entire server can run disconnected, so authorization is as offline as your deployment.

No

SaaS-dependent by design.

No

SaaS-dependent by design.

No

SaaS-dependent by design.

4 of 4 capabilities

Agents and workloads

The 2026 battleground: non-human identity. Every vendor now claims it; the mechanisms and maturity differ sharply.

Agents and workloads: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Machine and workload identityService-to-service authentication that is not a borrowed human account.PlannedDesigned

Workload identity is a distinct decision in the designed application lifecycle (publisher, install, consent, grants).

Yes

Client credentials plus the Entities model.

Yes

Non-human identities are first-class citizens of the graph.

Yes

OAuth service apps; Okta Privileged Access covers infrastructure credentials.

Yes

Machine-to-machine applications with client credentials.

First-class AI-agent identityAgents authenticate as agents, with their own lifecycle and governance.PlannedDesigned

Agents authenticate as agents with purpose-bound, reviewable, revocable delegation — a designed target with honest maturity labels.

Unknown

No first-class agent-subject model in public docs.

Yes

Governing AI agents alongside humans and services is the headline capability.

Yes

Okta for AI Agents is generally available, including FedRAMP-scoped variants.

Evidence
Yes

Auth0 for AI Agents (formerly Auth for GenAI) is generally available for developers.

MCP authorizationGoverning what Model Context Protocol clients and servers may reach.PlannedDesigned

MCP is a governed developer and authorization surface in the target architecture; not shipped.

Preview

A preview administrative MCP server exists; the vendor warns against production credentials.

Yes

AI Access Management governs access to MCP connections and tools.

Preview

Cross App Access is an official MCP authorization extension; platform rollout lands through 2026.

Evidence
Yes

Auth0 for MCP is generally available today.

Auditable on-behalf-of chainsWho asked, which agent acted, and with what narrowed authority.PartialLimited / pilot

Human-to-agent actor chains are part of the capability model, with code and test evidence; rollout is gated.

Unknown

No published actor-chain semantics.

Partial

One audit trail spans agent actions; the chain semantics are C1’s own, not a token standard.

Preview

Cross App Access identity-assertion grants record the requesting agent and user context.

Yes

On-Behalf-Of Token Exchange carries user context into agent calls.

5 of 5 capabilities

Governance and lifecycle

Joiner-mover-leaver mechanics, reviews, and the audit trail that proves it all happened.

Governance and lifecycle: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Administrative user lifecycleCreate, search, lock, deactivate, and delete users programmatically.PlannedDesigned

Durable subjects and governed associations are architected; a complete admin lifecycle is not generally available.

Yes

Full lifecycle APIs: create, search, verify, lock, reactivate, delete, and bulk operations.

Partial

Orchestrates lifecycle in connected systems; the identities themselves live elsewhere.

Yes

Universal Directory with full lifecycle APIs.

Yes

Management API covers the full user lifecycle.

Downstream provisioningPush joiner-mover-leaver changes into other applications.PlannedPlanned

Provisioning into downstream systems is queued design work, not a current claim.

No

Webhooks can drive your own automation; there is no packaged downstream provisioning.

Yes

Provisioning and deprovisioning through managed and self-hosted connectors is core product.

Yes

Lifecycle Management plus Workflows remain the category benchmark.

No

CIAM focus; workforce downstream provisioning is not the product.

Just-in-time accessGrant narrowly and briefly instead of permanently.PartialLimited / pilot

Short-lived attenuated capabilities are the JIT mechanism — cryptographic rather than workflow-based.

No

No JIT access-request product.

Yes

JIT provisioning and revocation with conditional multistep approval policies.

Add-on

Access Requests ship with Okta Identity Governance.

No

No JIT access-request product.

Access reviews and certificationsPeriodic recertification campaigns with evidence.Unknown

No review or campaign product; the adjacent audit and evidence plane is design work.

No

Not an IGA product.

Yes

Intelligent access reviews and campaigns are a headline feature.

Add-on

Access certifications ship with Okta Identity Governance.

No

Not an IGA product.

Audit trailA trustworthy record of who did what.PartialLimited / pilot

Append-only audit, governed writers, and signed identity events are central; broad runtime enforcement is incomplete.

Yes

Audit, event, and login logs with exports; Admin UI mutations are audited.

Yes

One audit trail across human, service, and agent access is a core claim.

Yes

System Log with streaming and SIEM export.

Yes

Tenant logs with streaming integrations.

7 of 7 capabilities

Developer platform and operations

The daily-driver surfaces — APIs, events, infrastructure-as-code — and the operational promises behind them.

Developer platform and operations: capability comparison across 5 platforms
CapabilityFederated TrustFusionAuthC1OktaAuth0
Admin APIs and SDKsProgrammatic control with official client libraries.PlannedDesigned

Versioned API, RPC, and SDK contracts are required by the architecture; no public packages have shipped.

Yes

Full REST admin API with OpenAPI and official SDKs in seven languages.

Yes

Every capability is exposed via API, MCP, CLI, and Terraform.

Yes

Mature management APIs and SDKs.

Yes

Management and authentication APIs with broad SDK coverage.

Webhooks and event streamingPush identity events into your systems.PartialLimited / pilot

Signed identity events and audit requirements exist; a broad public webhook product does not.

Yes

A broad webhook catalog with retries, signing, mTLS, and Kafka publication.

Partial

Automations react to events across the graph; the public outbound event surface is thinner than the IdPs’.

Yes

Event hooks plus Log Streaming to EventBridge and Splunk.

Yes

Log streams to EventBridge, Azure Event Grid, Datadog, and more.

Terraform and declarative configManage the platform as code.PartialLimited / pilot

Repo-owned desired state and typed deploy tooling exist internally; there is no public customer provider.

Partial

An official Terraform provider covers most — not all — configuration; Kickstart bootstraps pristine instances.

Yes

Terraform is a first-class product surface.

Yes

Official Okta Terraform provider.

Yes

Official Terraform provider plus the Deploy CLI.

Custom logic hooksRun your own code inside identity flows.PlannedDesigned

A deliberate trade: deterministic, non-Turing-complete policy instead of tenant-supplied code, with typed adapters at the edges.

Yes

Sandboxed ECMAScript lambdas across token, MFA, SAML, SCIM, and reconcile paths.

Partial

Automations and workflow configuration; no arbitrary tenant-code runtime is published.

Yes

Workflows (no-code) plus inline hooks.

Yes

Actions: Node.js code on every flow — the extensibility benchmark.

Managed HA and published SLAThe operational promise behind the service.Unknown

No generally available service profile or customer SLA yet; deployment and runbook evidence exists for named services.

Add-on

HA Cloud spans availability zones; the 99.99% SLA applies to Enterprise HA Cloud.

Unknown

No public SLA found in reviewed docs.

Yes

99.99% uptime SLA with a public trust dashboard.

Add-on

99.99% SLA on Enterprise; Private Cloud adds performance guarantees.

Compliance attestationsThird-party attestations and authorizations you can cite.Unknown

No certification set is claimed; standards are governing references with per-claim status.

Status registry
Yes

SOC 2 Type 2, ISO 27001, and GDPR claims via its Trust Center; FIPS mode exists but FIPS certification is disclaimed.

Partial

SOC 2 Type II.

Yes

SOC 2, ISO, and FedRAMP High through Okta for Government.

Evidence
Yes

SOC 2, ISO 27001/27018, HIPAA BAA, and PCI options; no standalone FedRAMP authorization is published.

Public pricingCan you price it without a sales call?No

Not commercially packaged; preview engagements are explicitly bounded discussions.

Yes

Public MAU-based pricing and a free self-hosted Community edition.

No

Quote-based; no public pricing.

Partial

Public per-user list prices for workforce SKUs; enterprise agreements dominate in practice.

Yes

Public plans with a free tier; enterprise quotes beyond.

How to read this comparison

Two vocabularies are in play. Every product cell uses one of seven evidence levels. Federated Trust cells additionally carry the committed maturity label from the public status registry — the same one attached to every claim on this site.

Available
Generally available in the product as publicly documented on the snapshot date.
Scoped or partial
Real capability with documented limits: scoped hosts, partial coverage, or a different mechanism than the row implies.
Higher tier or add-on
Offered, but gated behind a higher edition, paid add-on, or specific plan.
Preview or early access
Public preview, early access, or staged rollout announced by the vendor.
Planned or designed
A stated target or designed contract. Not represented as available today.
Not offered
Outside the product’s model as publicly described — not a temporary gap.
No public evidence
No public evidence found in the reviewed sources. Absence of evidence, not proof of absence.
Implemented
Implemented in a Federated Trust service path with current evidence. The named deployment and evidence scope still matter.
Limited / pilot
Code or contracts exist, but integration, operational, or assurance gates still prevent general availability.
Designed
An approved target shape or contract that is not represented as generally available. A validated deployment package is still required.
Planned
A stated engineering target that is not represented as implemented, generally available, or deployed today.
Independently validated
Implemented and assessed independently for a named scope and evidence date. This label does not extend beyond that evidence.
Governing reference
Authoritative material used to guide design and review. This status is not a certification or a universal conformance claim.

This comparison is a dated snapshot assembled by Federated Trust from each vendor’s public documentation, pricing, and press material. It is not a certification, benchmark, or procurement recommendation. Product names and trademarks belong to their owners; none of the vendors reviewed or endorsed this page. Federated Trust cells use the same committed maturity labels as the trust center and never present designed or planned work as available. Corrections are welcome.

Sources reviewed 2026-07-17. Spot an error? preview@federatedtrust.com

Where Federated Trust fits

Different bet: authority stays with the owner.

The vendors above centralize custody to deliver convenience. Federated Trust is designed for the opposite trade — customer-held keys, resource-local final deny, and sovereign data planes — and labels exactly how much of that exists today.