L2 Standard | Forward-looking

1.3 Provenance Chain

1. Identity & Provenance: Who is this agent? Can we verify?

Description

Agent provenance MUST be traceable from deployment to source code, including all build steps, dependencies, and signers.

Rationale

Supply chain attacks can introduce malicious code at any point from development to deployment. Signed provenance attestations let a verifier confirm that the deployed artifact was produced by the expected builder from the expected source and dependencies.

Audit Procedure

1. Check for SLSA provenance attestations
2. Verify cosign signatures on container images
3. Check SBOM for complete dependency list

Remediation

1. Implement SLSA Level 2+ build
2. Sign artifacts with sigstore/cosign
3. Generate and publish SBOM
4. Store provenance in Rekor transparency log
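The audit steps above, as an added example that is not part of this standard: a Python check that takes a SLSA v1 provenance statement (as output by a verifier such as cosign after signature checking), the artifact digest actually deployed, an allow-list of builder identities, and a CycloneDX-style SBOM, and reports every gap in the chain. All inputs below are constructed samples; the builder and registry names are placeholders.

```python
"""Audit check for control 1.3 (provenance chain). Assumes the provenance
statement has already been signature-verified. All data is constructed."""
import json

ALLOWED_BUILDERS = {"https://builder.example.invalid/slsa/v1"}  # constructed

PROVENANCE = json.loads("""{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{"name": "registry.example.invalid/agent",
               "digest": {"sha256": "aaaa1111"}}],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "resolvedDependencies": [
        {"uri": "git+https://git.example.invalid/agent", "digest": {"gitCommit": "c0ffee"}},
        {"uri": "pkg:pypi/requests@2.31.0", "digest": {"sha256": "bbbb2222"}}
      ]},
    "runDetails": {"builder": {"id": "https://builder.example.invalid/slsa/v1"}}}}""")

SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [{"purl": "pkg:pypi/requests@2.31.0"},
                 {"purl": "pkg:pypi/urllib3@2.2.1"}]}""")


def audit_provenance(statement, sbom, deployed_digest, allowed_builders):
    """Return a list of findings; an empty list means the chain checks out."""
    findings = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType: %s" % statement.get("predicateType")]
    # 1. The attestation must describe the artifact that is actually deployed.
    digests = {s["digest"].get("sha256") for s in statement["subject"]}
    if deployed_digest not in digests:
        findings.append("deployed digest %s not among subjects" % deployed_digest)
    pred = statement["predicate"]
    # 2. Only trusted builders (the signer of the provenance) are acceptable.
    builder = pred["runDetails"]["builder"]["id"]
    if builder not in allowed_builders:
        findings.append("untrusted builder: " + builder)
    deps = pred["buildDefinition"].get("resolvedDependencies", [])
    # 3. Source must be pinned to a commit, not a floating branch or tag.
    if not any("gitCommit" in d.get("digest", {}) for d in deps):
        findings.append("no source dependency pinned by gitCommit")
    # 4. Every package the build resolved must appear in the published SBOM.
    purls = {c.get("purl") for c in sbom.get("components", [])}
    for d in deps:
        if d["uri"].startswith("pkg:") and d["uri"] not in purls:
            findings.append("dependency missing from SBOM: " + d["uri"])
    return findings
```

A non-empty result maps directly onto the remediation list: an untrusted builder or unpinned source points at the build level, a missing package at the SBOM.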

Framework Mappings

CIS Control 2.5
NIST PR.DS-6