Every access review, every audit response, and every governance decision rests on an assumption almost no one tests: that the identity data underneath it is correct. That the accounts on the list are the accounts that exist. That the entitlements shown are the entitlements granted. That the connector feeding the review is still collecting what it collected the day it was set up.
When that assumption is wrong, the review is still completed, the box is still checked, and the finding still lands months later in an audit. The problem was that no one confirmed the data was accurate before decisions were made on top of it.
Attestations in Hydden closes that gap. It gives a named reviewer a structured, repeatable way to confirm that what Hydden collects from a source is accurate, and it produces a durable record of that decision. The following use cases show why that matters.
Use case 1: Verify the data before you govern on it
An Identity Integrity attestation asks a reviewer to confirm every layer of what Hydden collects from a connected system, not just the final list of accounts. In a single review the assigned reviewer works through:
- The connector and collection configuration, so the settings that determine what gets collected are confirmed correct
- The account attribute and property mappings, so every property is collected, creating a uniform and normalized identity
- The entitlements the source exposes
- The accounts themselves
- The roles and their memberships

Each dataset is reviewed in the platform against real-time collected data, and the review completes only after every one has been opened and confirmed. The reviewer cannot close on the accounts alone while the mappings and configuration go unchecked. That structure is the point: it forces verification of the plumbing that decides whether the accounts are even correct in the first place.
Use case 2: Reconcile what you collected against the system of record
This is the capability that changes what a review can prove. Hydden lets a reviewer put two sources side by side and compare the actual records, field by field.
Consider Oracle Database accounts that SailPoint is collecting. A reviewer can select the Oracle Database as one source and compare what Hydden has collected to what SailPoint currently has collected. You can compare Accounts or Roles, and see both sets of records aligned in a side by side view. Accounts that exist in one but not the other stand out immediately. The same applies to roles: the role names and membership counts a source reports can be checked directly against what governance is actually managing.
Below is an example comparison that shows the accounts being collected by Hydden (on the left) matches that accounts collected by SailPoint (on the right).

Alternatively, below is a different example where the group and membership information that Hydden collected from SAP (on the left) is different from what SailPoint (on the right) has collected. In this case, Hydden is providing visibility into real-time group membership, clearly showing the reviewer that membership in SAP groups were reduced last week. But SailPoint has not picked up on those changes yet so SailPoint is continuing to work with stale data.

This is how silent data drift gets caught. A source adds an account that never propagated. A role membership diverges between the system that owns it and the platform governing it. On a dashboard, both systems still show as covered. In a side-by-side comparison, the discrepancy is visible in seconds, and the reviewer can export the view to CSV as part of the record. Reviewing a list tells you what one system believes. Comparing two sources tells you whether they agree, which is the actual question behind data integrity.
Use case 3: Confirm what actually lives in your vault
The same mechanism applies to privileged access. A password manager or PAM vault is only trustworthy if the accounts it holds still exist, still have owners, and still belong there. Vault providers manage and rotate those credentials; they do not continuously prove that every managed account still reconciles with your directory and application sources.
Attestation gives you that proof. A reviewer can certify the accounts Hydden collects from the vault and compare them side by side against the directory or cloud sources those accounts should trace back to. Vaulted accounts that no longer match their source, or source accounts that were never brought under management, surface immediately. The result is a verified answer to the question that matters most about privileged access: is what is in the vault actually right? As seen in the screenshot below, the approver can add, remove, migrate to a different vault, or reconcile the account prior to attesting to the accounts in the vault.

Use case 4: Produce evidence that survives an audit
Most access review processes end with a returned spreadsheet. That is a task marked done, not evidence. When an examiner asks how you know the reviewed data was accurate, a spreadsheet cannot answer.
A completed attestation can. Every review requires a named reviewer and a mandatory comment before it can close, and closing freezes the reviewed documents into a single immutable bundle: the configuration, each reviewed data set, and the full activity history of who reviewed what and when. The bundle is a durable, downloadable artifact that shows exactly what was approved and by whom. The schema and mapping records travel with it, so auditors can see the shape of the data that was certified, not only its values. That is the difference between claiming a review happened and being able to demonstrate it.

Use case 5: Keep coverage honest across recurring cycles
Compliance is not a one-time event, and neither is data accuracy. Sources change shape, fields get renamed, accounts appear and disappear. Attestations can run on a schedule tied to a specific collector, so a new review is created automatically each cycle without anyone remembering to stand it up. Coverage does not slip because a quarter got busy, and each run picks up where the last completed one left off. Status changes can also trigger workflows, so an assignment routes a ticket to the right owner and a completed review escalates findings before the window closes.
Why this matters
Fragmented identity tooling already costs organizations an average of 12 hours per incident, and the vast majority of reviewed access sits on data no one has independently verified. Governance built on unverified data is not governance. It is documentation of a guess.
Attestation makes the accuracy of your identity data something you decide on purpose, with an owner, a required decision, and a record that holds up. Whether you are closing an access review, answering an auditor, or confirming what lives in your vault, it turns the quiet assumption at the base of every decision into a signed, defensible fact. Your tools are only as trustworthy as the data behind them. This is how you prove the data is right.
See how attestation works against your own sources. Book a demo at hydden.com.

