Auditor: “We need proof MFA is enforced for all 10,000 accounts.”
Team: “We’ll export the Okta user list with MFA status and...”
Privacy Officer: “Absolutely not. That spreadsheet is a GDPR reportable breach waiting to happen.”
Auditor: “I still need immutable, point-in-time evidence.”
…dead silence.
You just hit the core paradox of modern compliance:
Auditors demand proof. Privacy laws demand you don’t keep that proof.
Traditional tools pick a side and lose:
- Store everything → perfect audits, terrible privacy
- Store nothing → perfect privacy, failed audits
There’s a third way almost nobody uses.
The Receipt Model: Store Proof, Not Payloads
Think Apple Pay. Your phone never stores your real credit card, just a token, a cryptographic signature, and a pointer to the bank. Compliance evidence should work exactly the same way.
Here’s an example receipt you could store (and notice what’s missing):
{
"system_id": "okta-prod",
"control_id": "MFA-001",
"verdict": "PASS",
"observed_at": "2025-01-15T14:30:00Z",
"audit_pointer": "okta://policy/12345/version/7",
"payload_sha256": "a7c8f3e2d1b4c9f6e3..."
}No usernames, no emails, no configs, no secrets.
How it works
- Collector queries Okta → gets policy JSON
- Engine evaluates → PASS/FAIL
- Compute SHA-256 of the exact JSON evaluated
- Store verdict + timestamp + hash + pointer → discard raw data
Six months later the auditor asks for proof. You hand them the receipt. They can:
- Verify nothing was tampered with (hash)
- See exactly when you checked (timestamp)
- Pull the live policy from Okta and validate themselves (pointer)
This is the sweet spot because:
- Auditors get → timestamped, reproducible, tamper-evident evidence
- Privacy gets → zero PII stored, data minimization by design
- Security gets → no juicy evidence honeypot for attackers
Evidence Lake architecture (3 layers)
- API collectors (least-privilege)
- Evaluation engine → verdict + hash + pointer
- Append-only storage (S3 + object lock) → ~200-byte receipts retained 7 years
Real examples
- FedRAMP root MFA: 365 receipts/year = 73 KB instead of 1.8 MB of sensitive config snapshots
- Privileged access reviews: store just the violation count + pointer instead of spreadsheets full of usernames
- Vault root tokens: prove zero active tokens without ever exporting the tokens themselves
Dealing with auditors
“I need the actual policy, not your summary.” You: “Here’s the exact pointer to pull it live from Okta. The stored hash proves it matches what we evaluated on [date].”
When they still look skeptical: “We’ve never accepted this before.” You: “That’s fair — but this is the exact model courts use for digitally signed evidence and that NIST 800-53, DORA (EU effective Jan 2025), and FedRAMP now explicitly endorse: cryptographic hash + timestamp + verifiable pointer. We’re not inventing anything; we’re applying decades-old forensic evidence standards to compliance. It’s actually more rigorous than storing raw user lists.” They usually stop pushing at that point.
Cost vs Benefit
- Cost: 2–3 weeks of engineering
- Benefit: no more GDPR heart attacks, 95% less storage, auditors off your back for good
Start with one high-risk control this quarter. You’ll never go back to evidence spreadsheets again. Every piece of data you collect is a liability. Before you store anything, ask: “Do I need the data, or just proof I checked it?”
99% of the time, you just need the receipt.
