AU-16(1): Identity Preservation

11 min readLast verified: February 2026By

To meet the au-16(1): identity preservation requirement, you must ensure that when audit records cross organizational boundaries (for example, logs sent to a third party SIEM, MSSP, or shared service), the original human identity behind the action remains intact and traceable end-to-end. Operationally, this means consistent identity attributes, strong federation/mapping, and audit pipelines that do not collapse users into shared or service accounts.

Key takeaways:

  • Preserve the originating user identity across systems, tenants, and third parties, not just “who the receiving system thinks it is.”
  • Engineer audit pipelines so identity fields survive translation (API gateways, brokers, SIEM parsers, ETL jobs, ticketing, SOAR).
  • Keep evidence that identity mapping works in practice: schemas, sample cross-org log traces, and periodic tests.

AU-16(1) is a control enhancement focused on a real operational failure mode: the moment logs leave your boundary, identity fidelity often degrades. A user authenticates in Org A, triggers an action in a SaaS platform or shared environment, and the resulting audit record lands in Org B’s tooling showing only a generic account, an API key label, or a middleware service name. The security team can still see “something happened,” but cannot reliably answer: which individual did it, using what authenticated session, under whose authority, and can we prove it?

For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalize AU-16(1) is to treat identity as a required field in your cross-organizational audit trail design. Your job is not to redesign IAM from scratch. Your job is to make sure the systems, integrations, and third parties that create, transform, or store audit logs preserve the original identity attributes (and the ability to map them back to a real person) without ambiguity.

This page gives requirement-level implementation guidance you can hand to control owners in IAM, SecOps, and platform teams and then audit against with repeatable evidence.

Regulatory text

Requirement (excerpt): “Preserve the identity of individuals in cross-organizational audit trails.” 1

What an operator must do: When audit records traverse organizational boundaries (your environment to a third party, a partner, a shared service provider, a managed security service provider, or a multi-tenant platform), you must keep the originating user identity attributable to a specific individual. “Preserve” means the identity is not dropped, replaced with a shared account, or transformed into an unresolvable token without a controlled mapping path. 2

Plain-English interpretation (what AU-16(1) is really asking)

AU-16(1) expects you to maintain chain-of-custody for identity in audit trails that cross boundaries. If Alice takes an action in System A that ultimately results in an event recorded in System B (or in a third party SIEM), the audit record should still allow you to prove that Alice initiated it.

A practical way to interpret “identity preservation” is:

  • Identity survives transport: forwarding, aggregation, parsing, and normalization do not delete or overwrite identity fields.
  • Identity stays attributable: the record contains a stable identifier (or a controlled reference) that maps back to a unique individual.
  • Identity remains consistent across systems: federation, SSO, and provisioning maintain a clear linkage between identities in different domains/tenants.

Who it applies to (entity and operational context)

You should scope AU-16(1) anywhere your audit trails are cross-organizational, including:

Entities

  • Federal information systems and contractor systems handling federal data using NIST SP 800-53 Rev. 5 as a control baseline. 2

Operational contexts (high-likelihood scope triggers)

  • Logs forwarded to a third party SIEM/MSSP.
  • Shared services: IdP, SSO, IGA, PAM, ticketing, SOAR platforms operated by a third party.
  • Multi-account or multi-tenant cloud setups where actions in one account are centralized elsewhere.
  • API-based integrations where a middleware component calls downstream services “on behalf of” users.
  • B2B workflows where partners submit or approve transactions that you must audit.

If your audit trail never leaves your organization, AU-16 still matters, but AU-16(1) becomes critical the moment you depend on a third party system to store, transform, or interpret audit data. 1

What you actually need to do (step-by-step)

Use this as an implementation runbook you can assign to control owners.

Step 1: Define “cross-organizational audit trail” for your environment

Create an inventory of audit flows that cross boundaries. Start with:

  • Log forwarders/collectors (agents, syslog relays, cloud log subscriptions)
  • SIEM ingestion pipelines and parsers
  • Identity providers and federation links
  • Third party apps that are “systems of record” for actions (e-sign, payment, case management)

Deliverable: “Cross-Org Audit Flow Inventory” with system name, owner, third party involved (if any), and data path.

Step 2: Set identity preservation requirements for audit records (minimum identity fields)

Define a minimum set of identity attributes that must be present at the point of generation and must remain available at the point of storage/analysis. Common fields include:

  • Unique user identifier (immutable if possible)
  • Human-readable username/email (for operations)
  • Authentication method/context (SSO, federation, API token, PAM session)
  • Source IdP / tenant / domain
  • Session identifier or request correlation ID

You are not required to standardize every system to one schema, but you must ensure there is a reliable mapping to a unique individual across domains. 1

Deliverable: “Audit Identity Field Standard” (a short control appendix or engineering standard).

Step 3: Eliminate identity collapse points (shared accounts, proxy identities, lost attribution)

Identify where identity collapses into a non-human actor:

  • Shared administrator accounts
  • Generic integration accounts used for user-initiated actions
  • API gateways that log only the gateway identity, not the caller
  • ETL/normalization jobs that overwrite user fields

Fix patterns by design:

  • Prefer federated identity (SAML/OIDC) so downstream services receive a stable subject identifier.
  • For “on behalf of” calls, pass the originating user as a protected attribute and log it at each hop.
  • Use distinct service accounts for system-to-system actions and ensure those actions are not confused with human actions in reporting.

Deliverable: “Identity Collapse Remediation List” with tickets and owners.

Step 4: Implement mapping where preservation cannot be literal

Sometimes systems cannot store full identity (privacy constraints, tokenization, platform limits). In those cases, preservation can be achieved through controlled reversibility:

  • Store a stable pseudonymous identifier in the cross-org log.
  • Maintain the mapping in your controlled system (or a contractually controlled third party), with access controls and retention aligned to your audit needs.

The key is that you can still attribute actions to individuals during investigations and audits, using an approved mapping process. 2

Deliverable: “Identity Mapping Procedure” (who can resolve, under what approval, and how it is logged).

Step 5: Validate end-to-end with test traces

Run test cases that simulate real cross-org paths:

  • A standard user performs a privileged workflow
  • A privileged admin performs a change
  • A partner/third party user performs a transaction (if applicable)

Verify that the originating identity appears correctly in:

  • Source system audit logs
  • Intermediate pipeline logs (if they exist)
  • Central SIEM or receiving system records

Deliverable: “AU-16(1) Identity Preservation Test Record” including screenshots or exported events showing the same identity/correlation across boundaries.

Step 6: Contract and integration requirements for third parties

Where a third party operates the receiving platform or part of the pipeline, require:

  • Log field preservation commitments (no dropping identity fields without approval)
  • Access to raw events or documented normalization rules
  • Support for federation claims and caller identity propagation
  • Incident cooperation language that includes identity-resolution support

This is where third-party risk management intersects directly with AU-16(1). 1

Deliverable: Contract/security addendum language or completed due diligence record showing identity preservation capabilities.

Step 7: Operationalize as a control with ownership and recurring evidence

Assign a control owner (often IAM, SecOps, or GRC with technical owners) and define:

  • What is checked periodically (sampling cross-org log flows, parser changes, new integrations)
  • Where evidence is stored
  • What triggers re-validation (new third party, new SIEM parser, new IdP, major app changes)

Daydream fits naturally here as the system to map AU-16(1) to a named owner, an implementation procedure, and recurring evidence artifacts, so assessments do not depend on tribal knowledge. 1

Required evidence and artifacts to retain

Auditors will look for proof that identity preservation is designed and operating. Maintain:

  1. Control narrative for AU-16(1): scope, systems, boundaries, and approach.
  2. Cross-Org Audit Flow Inventory (from Step 1).
  3. Audit Identity Field Standard (from Step 2) and any logging schema references.
  4. Configuration evidence (examples):
    • IdP federation claim mappings (SAML/OIDC claim configuration exports or screenshots)
    • SIEM ingestion/parser configs showing identity field extraction
    • API gateway settings for forwarding caller identity headers/claims (where applicable)
  5. Test traces (from Step 5): exported log events from source and destination showing preserved identity.
  6. Change management hooks: tickets/approvals for parser changes or pipeline transformations affecting identity fields.
  7. Third party evidence: due diligence notes, contract clauses, or third party documentation showing identity field handling.

Store artifacts in a way that supports assessment sampling without re-running tests during the audit.

Common exam/audit questions and hangups

Expect these questions and prepare short, specific answers:

  • “Show me an example where a user action in System A appears in your centralized logs with the same identity.”
    Hangup: teams show only source logs, not the cross-org record.

  • “How do you handle actions performed through middleware or automation?”
    Hangup: identity is attributed to a service account with no “on behalf of” trace.

  • “What prevents a third party from transforming or dropping identity fields?”
    Hangup: no contractual or technical control, only informal assurances.

  • “How do you resolve pseudonymous identifiers back to a person, and who can do it?”
    Hangup: mapping exists but is undocumented or access is uncontrolled.

  • “What happens when you change IdPs, SIEM parsers, or log pipelines?”
    Hangup: identity preservation breaks after changes because no regression test exists.

Frequent implementation mistakes (and how to avoid them)

Mistake Why it fails AU-16(1) Fix
Relying on shared admin accounts across org boundaries The audit trail can’t attribute to an individual Require individual accounts; use PAM with per-user checkout and session logging
Logging only the service account for “on behalf of” API calls Attribution stops at middleware Propagate caller identity (claims/headers) and log it at each hop
SIEM normalization overwrites identity fields Identity is present but lost in transformation Lock identity field mappings; add parser change approvals and regression tests
Assuming SSO automatically preserves identity everywhere Many apps record local usernames or opaque IDs Validate claim mappings and store the immutable subject plus tenant/issuer
No evidence package Control may operate, but you can’t prove it Standardize recurring artifacts and store test traces per critical flow

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for AU-16(1). Treat the risk as investigation failure and audit defensibility failure: you may detect an event but cannot prove who did what across a third party boundary, which slows incident response, complicates insider threat investigations, and increases the chance you cannot meet contractual or regulatory reporting expectations tied to accountability. 2

Practical 30/60/90-day execution plan (operator-ready)

Use this as a rollout plan you can run as a GRC-led project with technical owners.

First 30 days (Immediate)

  • Assign a control owner and technical owners for IAM and logging/SIEM.
  • Build the Cross-Org Audit Flow Inventory for highest-risk systems first (privileged systems, production, sensitive data environments).
  • Define the Audit Identity Field Standard and publish it as an engineering requirement for new integrations.
  • Pick a small set of critical flows and run initial identity preservation test traces.

Days 31–60 (Near-term)

  • Remediate the top identity collapse points found in the inventory (shared accounts, missing federation claims, middleware attribution gaps).
  • Add SIEM/parser change controls for identity fields (approval + regression test requirement).
  • Update third party due diligence and contracts for in-scope providers to address identity field preservation and cooperation for identity resolution.

Days 61–90 (Operationalize)

  • Expand testing to remaining cross-org flows and document results in a repeatable evidence pack.
  • Implement periodic sampling: a defined cadence to re-check critical flows and after major changes (IdP changes, SIEM migrations, app onboarding).
  • Put AU-16(1) into your control management system (Daydream or your existing GRC tool) with mapped owners, procedures, and recurring evidence tasks. 1

Frequently Asked Questions

Does AU-16(1) require that every system stores the user’s full name and email in logs?

No. It requires preservation of identity attribution across boundaries. A stable unique identifier plus a controlled mapping process can satisfy the requirement if you can reliably resolve it to an individual.

What counts as “cross-organizational” in practice?

Any time audit data or audit interpretation crosses a boundary you do not fully control, such as a third party SIEM/MSSP, shared services, partner environments, or multi-tenant platforms operated by another entity. 1

We use an MSSP SIEM. Is it enough that they have logs, or do we need raw events?

You need enough fidelity to preserve and demonstrate identity end-to-end. If the MSSP normalizes events, require documented field mappings and the ability to access identity-bearing raw events or an equivalent record.

How do we handle service accounts that legitimately perform automated actions?

Keep service accounts for system-to-system activity, but prevent them from obscuring human-initiated actions. For user-driven automation, pass “on behalf of” identity and ensure both the service account and originating user are recorded.

What evidence is most persuasive in an assessment?

End-to-end test traces showing the same user identity appearing in the source system and the cross-org destination (SIEM/third party platform), plus the configuration that explains how identity fields are preserved.

How should we scope AU-16(1) if we have hundreds of integrations?

Start with systems that support privileged actions, production changes, or sensitive data. Build an inventory, prioritize critical flows, then expand coverage as you standardize identity fields and testing.

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5

Frequently Asked Questions

Does AU-16(1) require that every system stores the user’s full name and email in logs?

No. It requires preservation of identity attribution across boundaries. A stable unique identifier plus a controlled mapping process can satisfy the requirement if you can reliably resolve it to an individual.

What counts as “cross-organizational” in practice?

Any time audit data or audit interpretation crosses a boundary you do not fully control, such as a third party SIEM/MSSP, shared services, partner environments, or multi-tenant platforms operated by another entity. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

We use an MSSP SIEM. Is it enough that they have logs, or do we need raw events?

You need enough fidelity to preserve and demonstrate identity end-to-end. If the MSSP normalizes events, require documented field mappings and the ability to access identity-bearing raw events or an equivalent record.

How do we handle service accounts that legitimately perform automated actions?

Keep service accounts for system-to-system activity, but prevent them from obscuring human-initiated actions. For user-driven automation, pass “on behalf of” identity and ensure both the service account and originating user are recorded.

What evidence is most persuasive in an assessment?

End-to-end test traces showing the same user identity appearing in the source system and the cross-org destination (SIEM/third party platform), plus the configuration that explains how identity fields are preserved.

How should we scope AU-16(1) if we have hundreds of integrations?

Start with systems that support privileged actions, production changes, or sensitive data. Build an inventory, prioritize critical flows, then expand coverage as you standardize identity fields and testing.

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream