# **not.bot™ Use Cases: Enterprise**

This document covers enterprise authentication, authorization, hiring, and operational use cases. It is part of the not.bot use cases catalog; the [Use Cases Index](http://doc_30_use_cases_index.md) holds the full catalog and the mechanism definitions the use cases draw on.

---

## **The unifying problem**

Existing enterprise identity systems map permissions to accounts, then attempt to associate accounts with humans through HR records, SCIM, and downstream connectors. The mapping is operational and breaks under shadow IT, contractor pipelines, and account sharing. not.bot moves the human-to-permissions binding into the authentication layer itself.

Existing analogs include identity governance platforms, platform authenticators, HR-driven offboarding workflows, and contractor management vendors. Each approximates one of these properties by stacking IDPs, IGA tools, HR systems, and background-check vendors and reconciling across them after the fact. No existing authentication product offers them as inherent properties. not.bot delivers them as native features of the authentication itself: they fall out of the cryptographic identity model rather than out of cross-system reconciliation.

---

## **Authentication and access**

### **Human-level permissions auditing**

Today's identity governance tools attempt a "person view" of permissions by reconciling accounts across systems. The reconciliation breaks whenever an account exists outside the integrations or whenever a human controls multiple accounts.

With not.bot, each authentication carries an unforgeable human identity claim through site passes. The complete set of permissions a particular human holds becomes a query rather than a reconciliation project. Auditors get a definitive person-view instead of a best-effort reconstruction.

**The business value:** Audit preparation that takes weeks of cross-system reconciliation today compresses to a single query. SOX, HIPAA, and SOC 2 audits become faster and more reliable. Security teams can identify orphaned permissions and over-provisioned accounts in real time rather than discovering them in post-incident forensics. Organizations that run hundreds of SaaS applications can answer "who has access to what?" with confidence for the first time.

### **Prevent account sharing**

Users share credentials when deadlines or business needs make it expedient. Even occasional sharing collapses the permissions model because no one can say with confidence who has access to what.

Platform authenticators implementing the FIDO2 standard get close by gating the credential behind a user-verification check (biometric or PIN) on the device. That check proves only that someone enrolled on the device unlocked it: the device can be handed over, and additional fingerprints or faces can be enrolled, because the biometric is bound to the device's local user rather than to a verified human.

not.bot binds authentication to biometric verification of a passport-verified human. The credential cannot be passed to another person.

**The business value:** Shared accounts are a leading vector for insider threat incidents and compliance failures. Regulators treat account sharing as a control deficiency. Eliminating it closes audit findings, reduces insider-threat exposure, and gives security teams a definitive answer to "who did this?" after any incident. In regulated industries (healthcare, financial services, defense), this is a requirement that current tools can approximate but cannot guarantee.

### **Comprehensive offboarding**

When an employee leaves, every account they touched needs to close. Today's offboarding depends on the same operational HR-driven mapping as auditing and breaks the same way.

Banning the human's identity in the company namespace makes every account that authenticates through not.bot unusable in one operation. Accounts that bypass it (local passwords, long-lived API keys, shared service accounts) sit outside that operation and still need the legacy checklist, so the coverage of the ban is exactly the set of systems fronted by not.bot.

**The business value:** Incomplete offboarding is one of the most common findings in security assessments. Lingering access means remediation work after each departure, open breach-exposure windows, and compliance findings. One-operation offboarding eliminates the entire category for every system behind not.bot. HR, IT security, and compliance teams stop chasing account closures across dozens of systems and move the process from a multi-day checklist to a single action.

### **Banning across an organization**

A contractor fired for cause at one division and re-hired through a different agency at another division is a routine large-organization failure. HR blacklists fail through name variations, agency changes, and gaps in documentation; contractor hires that never pass through I-9 identity verification are the weakest case.

With not.bot site passes scoped to the organization, the banned human's identity surfaces at the next attempt to authenticate, regardless of which agency or business unit re-engaged them. The check happens at authentication time rather than after the fact.

**The business value:** Large organizations spend significant resources investigating and remediating cases where terminated individuals return through different channels. The cost includes re-onboarding, re-investigation, potential liability exposure, and the original problem that triggered the ban recurring. Catching the banned individual at the door instead of after re-engagement eliminates this entire cycle. For organizations with contractor pools in the thousands, the savings compound with each hiring cycle.

### **Physical access control**

Badges and keycards are bearer tokens. Whoever holds the badge gets in. Keycards get lent, stolen, and cloned. Mobile wallet credentials improve on this by binding to a device, but the device can be unlocked and handed off, and the credential ties to the device rather than the human.

not.bot binds access authority to a passport-verified human. The door requires biometric authentication at each read. Audit logs record the actual entrant, not the badge holder.

Additional capabilities the cryptographic model enables:
- Instant revocation by melting a credential singleton, with no waiting for offline panels to sync. Readers that verify online see the revocation at the next read; a reader that cannot reach the revocation state relies on the credential's short lifetime instead.
- Narrow time-limited visitor passes signed by an employee who remains accountable for the visitor.
- Signed audit trails resistant to tampering by anyone with admin access to the PACS.

**The business value:** Physical security breaches traced to shared, stolen, or cloned badges represent a persistent liability for corporate campuses, data centers, and sensitive facilities. Defense contractors, pharmaceutical manufacturers, and financial institutions face regulatory requirements for individual-level access accounting that badge systems cannot provide. not.bot delivers individual-level audit trails that satisfy the strictest regulatory frameworks while reducing the operational cost of badge management, replacement, and investigation.

---

## **Authorization**

Authorization differs from authentication. Authentication says who you are. Authorization says what you can do. Today each system runs its own permission model (directory groups, identity-provider entitlements, cloud IAM roles, application-specific roles) and they drift out of sync.

### **Cross-system authorization with single-point revocation**

The Business DID issues authorization credentials to the employee's identity. The credential travels with the human across systems. When the employee authenticates to a downstream system, they present the relevant authorization credential.

Concrete examples:
- A nurse's hospital privileges credential presented to the EHR.
- A lawyer's case-specific access credential presented to document management.
- A consultant's client-engagement credential presented to collaboration tools.
- A radiologist's read-authority credential presented to PACS systems.

Revocation happens once at the credential layer (melt the singleton, or flip the revocation bit) and propagates to every system the credential reaches. This is the counterpart of human-level permissions auditing: auditing is the visibility, and this issuance and lifecycle mechanism is what makes that visibility accurate.

**The business value:** Permission sprawl across systems is a top-five finding in most enterprise security assessments. Organizations today manage each system's permissions in isolation, creating inconsistencies that widen over time. A single credential layer reduces the number of permission-management surfaces from dozens or hundreds to one. Revocation that propagates across all systems in real time eliminates the gap between "permission revoked" and "access removed" that attackers exploit in lateral-movement campaigns, provided each relying system checks revocation status at presentation time and terminates sessions minted before the revocation rather than honoring them until they expire.

### **Time-limited vendor and contractor access**

Credentials with built-in expiration dates handle the contractor lifecycle that drifts in legacy systems. The expiry is part of the signed credential, so every relying system enforces it locally; the credential expires and no offboarding ticket is required. This eliminates the common pattern of vendor accounts that linger for years after the engagement ends. Engagements that end early still go through revocation; expiration covers the default case where nobody files a ticket.

**The business value:** Vendor and contractor accounts represent one of the largest categories of stale-access risk in enterprise environments. Many organizations discover active contractor accounts months or years after engagements ended. Automatic expiration removes an entire class of forgotten-access vulnerabilities without requiring any human action at contract end.
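The issue, present, expire and revoke flow described under cross-system authorization and under time-limited contractor access, as an added illustrative example in Go; this is not not.bot's own code or wire format. It assumes an Ed25519 issuer key standing in for the Business DID, a JSON payload with assumed field names (`iss`, `sub`, `entitlement`, `nbf`, `exp`), and an in-memory revocation list standing in for melting a singleton or flipping the revocation bit. All DIDs and entitlement names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the signed payload: which issuer granted which entitlement to
// which human identity, and for what window. Field names are assumptions.
type Credential struct {
	ID          string    `json:"id"`          // unique per credential; the revocation key
	Issuer      string    `json:"iss"`         // organization's issuer identifier (hypothetical DID)
	Subject     string    `json:"sub"`         // the human's identity (hypothetical DID)
	Entitlement string    `json:"entitlement"` // e.g. "ehr:clinical-read"
	NotBefore   time.Time `json:"nbf"`
	Expires     time.Time `json:"exp"`
}

// SignedCredential travels with the human and is presented to each system.
type SignedCredential struct {
	Payload   []byte // exact bytes that were signed
	Signature []byte // Ed25519 signature by the issuer over Payload
}

var (
	ErrBadSignature = errors.New("credential: signature does not verify")
	ErrWrongIssuer  = errors.New("credential: unexpected issuer")
	ErrNotYetValid  = errors.New("credential: not yet valid")
	ErrExpired      = errors.New("credential: expired")
	ErrRevoked      = errors.New("credential: revoked")
)

// Issuer holds the organization's signing key and its revocation list, the
// single point every relying system consults at presentation time.
type Issuer struct {
	DID     string
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
	revoked map[string]bool
}

func NewIssuer(did string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{DID: did, Public: pub, private: priv, revoked: map[string]bool{}}, nil
}

// Issue mints a credential valid from nbf for ttl. Because the expiry is inside
// the signed payload, a relying system enforces it without contacting anyone.
func (i *Issuer) Issue(subject, entitlement string, nbf time.Time, ttl time.Duration) (SignedCredential, error) {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return SignedCredential{}, err
	}
	c := Credential{ID: hex.EncodeToString(id[:]), Issuer: i.DID, Subject: subject,
		Entitlement: entitlement, NotBefore: nbf.UTC(), Expires: nbf.Add(ttl).UTC()}
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(i.private, payload)}, nil
}

// Revoke flips the bit once; every system that consults IsRevoked sees it.
func (i *Issuer) Revoke(id string)         { i.revoked[id] = true }
func (i *Issuer) IsRevoked(id string) bool { return i.revoked[id] }

// Verify is what a relying system (EHR, document management, PACS, ...) runs on
// each presentation. Order matters: authenticate the bytes before trusting any
// field in them, then check the validity window, then the revocation list.
func Verify(sc SignedCredential, issuerPub ed25519.PublicKey, expectedIssuer string,
	isRevoked func(id string) bool, now time.Time) (*Credential, error) {
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return nil, ErrBadSignature
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	if c.Issuer != expectedIssuer {
		return nil, ErrWrongIssuer
	}
	if now.Before(c.NotBefore) {
		return nil, ErrNotYetValid
	}
	if !now.Before(c.Expires) {
		return nil, ErrExpired
	}
	if isRevoked(c.ID) {
		return nil, ErrRevoked
	}
	return &c, nil
}

func main() {
	hospital, _ := NewIssuer("did:example:hospital")
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	cred, _ := hospital.Issue("did:example:nurse", "ehr:clinical-read", start, 90*24*time.Hour)
	for _, at := range []time.Time{start.Add(time.Hour), start.Add(91 * 24 * time.Hour)} {
		_, err := Verify(cred, hospital.Public, hospital.DID, hospital.IsRevoked, at)
		fmt.Printf("presented at %s: err=%v\n", at.Format(time.RFC3339), err)
	}
	var c Credential
	_ = json.Unmarshal(cred.Payload, &c)
	hospital.Revoke(c.ID) // one operation; every system running Verify now rejects it
	_, err := Verify(cred, hospital.Public, hospital.DID, hospital.IsRevoked, start.Add(time.Hour))
	fmt.Println("after revocation:", err)
}
```

The two failure modes the section cares about are both visible here: the contractor whose engagement ended is rejected by the expiry check with no ticket filed, and the employee whose credential was revoked is rejected at the next presentation to any system that consults the issuer's list. A system that caches the verified credential or keeps a session open past the revocation re-creates the gap the text describes, which is why `isRevoked` is consulted on every call to `Verify`.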

---

## **Hiring and recruiting**

The hiring pipeline has a verification point at every step: background check status, employment verification, education credentials, professional licensure, and reference letters signed by the references themselves. The hiring process today depends on slow, expensive, and bypassable verification services. AI-generated resumes flood applicant tracking systems, and remote-work claims invite geographic and identity fraud.

Verifiable credentials at each step reduce time-to-hire and improve verification quality. A candidate presenting a degree credential signed by the issuing university, an employment credential signed by their previous employer, and a professional license credential signed by the licensing board removes the need for the hiring company to chase down references and call registrars. Candidates with verified credentials stand out against the AI-generated resume tide.

**The business value:** Background verification costs $50-$200 per candidate through third-party services and takes days to weeks. A mid-size company hiring 500 people per year spends six figures on verification alone, plus the productivity cost of delayed start dates. Verifiable credentials shift verification from an asynchronous investigation to an instant cryptographic check. Hiring managers get higher confidence, faster, at lower cost. For industries where credential fraud carries safety risk (healthcare, aviation, education), the value extends beyond cost savings into patient and public safety.

For job boards as platforms (where the buyer is the platform operator rather than the hiring company), see [Industry Verticals Use Cases](http://doc_36_use_cases_industry_verticals.md).

---

## **Customer service authentication**

Knowledge-based authentication ("what's your mother's maiden name") breaks under data breaches and social engineering. Banks, telecoms, insurers, and utilities lose money and customer trust to account takeover through their support channels.

Cryptographic identity at each customer service contact closes the impersonation surface. The customer signs in to the support session. The agent verifies the customer's identity at session start. Sensitive actions (address changes, beneficiary updates, large transfers) require fresh signatures over a challenge the institution issues for that action, rather than knowledge questions, so a signature captured earlier cannot be replayed to authorize something else.

**The business value:** Account takeover through social engineering of customer service agents costs financial institutions billions per year. Each incident carries direct fraud loss, investigation cost, customer remediation, and reputational damage. Replacing knowledge-based authentication with cryptographic identity eliminates the most common attack vector for phone-channel and chat-channel fraud. Customer satisfaction improves too: verified customers skip the "security questions" friction that legitimate callers find tedious.

---

## **Supply chain attestations**

A verified human at each handoff signs for chain of custody. Pharmaceutical supply chains, food safety regulation, regulated chemicals, defense procurement, conflict-mineral certification, and high-value logistics benefit from per-handoff cryptographic attestation tied to verified humans rather than account-level credentials that get shared across shifts.

The audit trail traces back to specific humans rather than to "warehouse account 47." When a contamination, theft, or compliance failure happens, the investigation has a verified chain to follow.

**The business value:** Supply chain contamination events, diversion incidents, and compliance failures trigger investigations that cost millions and take months. The investigation stalls at the point where an account-level credential was shared across a shift and no one can determine which human handled the product. Per-handoff human attestation compresses investigation timelines, strengthens regulatory compliance (FDA DSCSA, EU FMD, DoD DFARS), and creates a deterrent effect: the knowledge that each handoff is cryptographically attributed to a specific person reduces the incentive for diversion and tampering.
