The lock on every other door
Identity is the log-in layer that gates everything else — the system that decides whether your staff and your customers can sign in at all. It is also the fastest “switch-off” risk in the whole technology stack: cut it, and every connected service goes dark at once. We looked at twenty-one identity and access products to ask who controls that lock, whether the data can stay in Britain, and why moving identity is the hardest migration you will ever attempt.
Most of this series asks where your data lives. Identity asks a different question: who decides whether you can reach it. Single sign-on — one log-in that opens email, files, finance, HR and a hundred other apps — is wonderful for users and ruthless as a single point of failure. Workforce identity (the system that signs your staff in, usually called IAM, identity and access management) and customer identity (CIAM, the sign-in your end users see) sit upstream of everything else. When that layer is provided from abroad, the question is not only “where is the data?” but “whose courts, and whose corporate decisions, hold the key to the front door?”
The reach is statutory, not hypothetical. The US CLOUD Act of 2018 (18 U.S. Code § 2713) requires American providers to hand over data they control on a valid warrant, wherever in the world it is stored. Section 702 of the Foreign Intelligence Surveillance Act (50 U.S. Code § 1881a) lets US agencies compel those same providers to assist with intelligence collection on non-US persons. A UK data region does not place data beyond either statute if the company holding it answers to a US court. Identity is precisely the layer where that matters most.
The leaders are almost all American
Start with who actually runs workforce sign-in for British organisations, and a pattern appears immediately: the names that dominate are US-controlled.
Microsoft Entra ID (formerly Azure Active Directory) is the default for any organisation already on Microsoft 365, and Microsoft is US-listed. Microsoft’s own documentation is candid about a wrinkle that catches buyers out: even where the UK is offered for Microsoft 365 Advanced Data Residency, the Entra ID “Core Store” — the directory of who your users are — is not included in those local-residency commitments and is held on a regional basis (for European customers, within the EU Data Boundary), not pinned to Britain. The identity directory is one of the things least likely to sit where the documents sit.
Okta is the largest independent workforce-identity vendor, Nasdaq-listed. Its own data-residency page lists cells “throughout the US, EMEA, Japan, Australia, Canada and India” — there is no UK cell; British customers run in the broader EMEA region. Its customer-identity product, Auth0, offers an EU region but, again, no Britain-only option. Ping Identity is owned by US private-equity firm Thoma Bravo, which bought Ping in 2022 and then acquired ForgeRock in 2023 and folded it in — so the two names a buyer might have weighed against each other are now one US-PE-controlled company. Amazon Cognito and Google round out the American hyperscaler offering: Cognito user pools can be created in the AWS London region and store profile data only in that region, but Amazon’s own documentation notes optional features (analytics, for example) route data to US-East — and the operator is US-listed Amazon regardless.
The cohort, and where control really sits
Below the giants sits a long tail of specialist vendors — identity verification, anti-money-laundering onboarding, customer sign-in — and here the ownership check does real work, because the marketing rarely matches the corporate register.
Onfido, long sold as a London identity-verification champion, completed its acquisition by US-based Entrust in April 2024; its identity-verification platform is now an Entrust product. Signhost (Evidos) sits under the same US Entrust roof. IDnow is German-founded but controlled by US private-equity firm Corsair Capital. JumpCloud and Ory are US-controlled — Ory’s authentication components (Kratos, Hydra, Keto, Oathkeeper) are genuinely open source under the Apache licence and self-hostable, but the sponsoring company answers to the US. tmgroup’s verification arm sits under PE house Aurelius (Luxembourg fund vehicle); Netheos belongs to Italy’s Namirial; Signicat to Nordic Capital (Jersey-domiciled fund).
The genuinely European-controlled options are fewer, and worth naming precisely. Nevis Security is Swiss, owned by the Anda family’s IHAG group, and offers an on-premises deployment — you run it yourself. Zitadel is a Swiss-founded open-source platform (AGPL-licensed) you can self-host on your own Postgres database. OneWelcome is owned by France’s Thales — European, but a large defence-and-security group, not a light-touch start-up. itsme is the Belgian state-influenced national identity scheme. Yubico (the YubiKey hardware key) is Swedish and Nasdaq-Stockholm-listed; its keys hold secrets on the device itself, which is a different sovereignty story — the secret never leaves your pocket.
And then the British names. Yoti is UK, founder-controlled, and hosts in UK data centres (Equinix and Telehouse, plus AWS UK) — it appears on the UK government’s digital-identity register. Thirdfort is UK, venture-backed, with UK data residency. Amiqus and Legl are UK client-onboarding and AML platforms. LexisNexis Risk Solutions (RiskNarrative, ThreatMetrix) is a UK-incorporated subsidiary — but its ultimate parent is RELX PLC, London-listed, so control is genuinely British at the top even though the brand is global. Ubisecure is UK-registered, with a history inside Japan’s GMO GlobalSign before its spin-out.
The genuinely sovereign route runs through open source
The cleanest way to put identity beyond a foreign court is to host it yourself, on open-source code. Three names matter here.
Keycloak is the most widely deployed open-source identity platform — Apache-licensed, now a Cloud Native Computing Foundation project. But note the sovereignty footnote: Keycloak was created by Red Hat, which is owned by IBM (US-listed). The code is free and self-hostable and the project is community-governed under the CNCF; the commercial steward is American. Self-host it on UK infrastructure and the CLOUD Act has nothing to reach, because nothing US-controlled holds your data — that is the point of running it yourself.
Authentik is open source (MIT-licensed) and self-hosted at its core — though the sponsoring company, Authentik Security Inc., is US-based. Zitadel (Swiss) and Ory (US-sponsored, German-rooted) complete the self-hostable set. In every case the sovereignty comes from where you run it, not from the vendor’s flag: open code on British infrastructure is British-controlled in the only sense that the statutes care about.
For the public sector there is a fourth answer that does not appear in the commercial cohort at all: GOV.UK One Login, built and operated by the Government Digital Service, with the Department for Science, Innovation and Technology as data controller. It is the one identity system in this article that is unambiguously UK-controlled by design.
The twenty-one, at a glance
| Product | Controlled from | UK data region? | Self-hostable? | Notes |
|---|---|---|---|---|
| Microsoft Entra ID [1] | USA (listed) | Partial — UK ADR exists, but Entra Core Store excluded | No | Default for M365 estates; directory held regionally |
| Okta — Workforce Identity [2] | USA (Nasdaq) | No — EMEA cell, no UK cell | No | Largest independent IAM vendor |
| Okta — Auth0 (CIAM) [2] | USA (Nasdaq) | EU region; no UK-only option | No | Customer-identity cloud |
| Ping Identity — PingOne [3] | USA (Thoma Bravo, PE) | No | No | ForgeRock folded in, 2023 |
| Amazon Cognito [4] | USA (Amazon, listed) | London region available | No | Some optional features route to US-East |
| Google CIAM / Identity [5] | USA (Alphabet, listed) | No UK region (US/EU) | No | Hyperscaler default |
| Onfido — Entrust IDV [6] | USA (Entrust) | No | No | UK brand; US-owned since Apr 2024 |
| Signhost (Evidos) [6] | USA (Entrust) | Optional | No | Same US parent as Onfido |
| IDnow [7] | USA (Corsair Capital, PE) | No — EU (Germany) | No | German-founded, US PE control |
| JumpCloud [8] | USA (VC-backed) | No | No | Directory platform |
| Ory (Kratos/Hydra/Keto) [9] | USA (Ory Corp; German-rooted) | Optional | Yes (open source) | Apache-licensed; US sponsor |
| OneWelcome [10] | France (Thales SA) | No — EU / regional zones | No | European defence-and-security group |
| Signicat [11] | Jersey fund (Nordic Capital, PE) | No — EU/EEA | No | Nordic digital-identity platform |
| Netheos (Trust & Sign) [12] | Italy (Namirial) | No — EU (France) | No | — |
| tmVerify365 [13] | Luxembourg fund (Aurelius, PE) | Yes — UK-hosted | No | AML / client ID verification |
| Nevis ID Platform [14] | Switzerland (Anda family) | Optional / on-prem | Yes (on-prem) | Swiss, founder-private |
| Zitadel [15] | Switzerland (founder-rooted) | Optional | Yes (open source) | AGPL; self-host on your own Postgres |
| itsme [16] | Belgium (state-influenced) | No — EU (Belgium) | No | National identity scheme |
| Yubico — YubiKey [17] | Sweden (Nasdaq Stockholm) | n/a — hardware key | n/a | Secret stays on the device |
| LexisNexis Risk (RiskNarrative/ThreatMetrix) [18] | UK (RELX PLC, LSE) | Not stated (AWS) | No | UK-listed ultimate parent |
| Thirdfort [19] | UK (VC-backed) | Yes | No | UK ID verification / AML |
| Yoti [20] | UK (founder-private) | Yes — UK data centres | No | On UK digital-identity register |
| Amiqus [21] | UK (VC-backed) | EU (AWS Ireland; UK backup) | No | Client onboarding / AML |
| Legl [22] | UK (VC-backed) | Not stated (AWS) | No | KYC / AML onboarding |
| Ubisecure [23] | UK (registered) | Configurable — EU; UK available | Hybrid | History inside GMO GlobalSign (JP) |
| — Keycloak (reference) [24] | USA steward (Red Hat / IBM) — code CNCF/open | Your choice | Yes (open source) | Most-deployed open-source IAM |
| — Authentik (reference) [25] | USA (Authentik Security Inc.) — code open (MIT) | Your choice | Yes (self-host core) | Enterprise edition available |
| — GOV.UK One Login (reference) [26] | UK (GDS / DSIT) | Yes | n/a (public sector) | Government-operated |
The switch-off risk is the whole point
Identity is the continuity question made concrete. If a single sign-on provider goes down — outage, contract dispute, sanctions, a control decision taken in another jurisdiction — every service wired to it goes dark at the same moment. There is no graceful degradation: staff cannot log in to email, finance, HR or the help desk, and customers cannot reach their accounts. That is what makes identity the fastest “switch-off” in the stack, and why concentrating it in a single foreign-controlled provider is a different order of risk from concentrating, say, your document storage.
It is also the hardest thing to move. Migrating identity means re-pointing every connected application’s sign-in, re-enrolling every user’s multi-factor authentication (MFA — the second factor, such as an app prompt or a hardware key), re-issuing credentials and re-mapping every group and permission. Documents migrate; directories fight back. The practical consequence is that the identity decision is the stickiest one a buyer makes — which is exactly why it deserves the most scrutiny before signing, not after.
What buyers should take from this
The dial applies here as everywhere else, and the positions are clear. Take the US default deliberately: if you are on Entra or Okta, know that the directory itself may not sit in Britain even when your documents do, hold your own keys where you can, and treat the identity layer as your single most important continuity dependency — with a documented break-glass plan for the day sign-in fails. Add a sovereign layer for the sensitive cases: UK-controlled verification (Yoti, Thirdfort) for customer onboarding; a hardware key (YubiKey) so the crucial secret never leaves the device. Or self-host the open stack — Keycloak, Authentik or Zitadel on UK infrastructure — and accept the operational homework in exchange for putting the lock genuinely beyond a foreign court.
Four questions decide it. Who controls the company that runs our sign-in? Does our user directory — not just our documents — sit in Britain? Could we self-host the same capability on open code if we had to? And if our identity provider switched off tomorrow, how long until our people are back in? In a category where the leaders are almost entirely American and the directory is the thing least likely to stay home, those are the questions worth asking before the contract, because afterwards the door only opens one way.
Sources
All facts are taken from each vendor’s own published documentation (data-residency, trust and security pages), company registries, and the named statutes, read directly during June 2026. One primary reference per vendor.
- Microsoft (Entra ID) — SEC 10-K: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000789019&type=10-K ; Entra data residency (Core Store / EU Data Boundary): https://learn.microsoft.com/en-us/entra/fundamentals/data-residency
- Okta (Workforce Identity / Auth0) — SEC 10-K: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001660134&type=10-K ; data residency (cells, no UK cell): https://www.okta.com/okta-data-residency/
- Ping Identity (Thoma Bravo; ForgeRock folded in) — Thoma Bravo completion release: https://www.thomabravo.com/press-releases/thoma-bravo-completes-acquisition-of-forgerock-combines-forgerock-into-ping-identity
- Amazon Cognito — AWS regional data considerations: https://docs.aws.amazon.com/cognito/latest/developerguide/security-cognito-regional-data-considerations.html ; Amazon SEC 10-K: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001018724&type=10-K
- Alphabet (Google Identity / CIAM) — Cloud data residency / locations: https://cloud.google.com/about/locations ; Alphabet SEC 10-K: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001652044&type=10-K
- Entrust (Onfido; Signhost/Evidos) — acquisition completion: https://www.entrust.com/company/newsroom/entrust-completes-acquisition-of-onfido-creating-a-new-era-of-identity-centric-security
- IDnow — Corsair Capital majority investment (Mar 2025): https://www.idnow.io/pr/idnow-announces-strategic-majority-investment-from-corsair-capital/
- JumpCloud — company / trust: https://jumpcloud.com/legal/trust
- Ory (Kratos/Hydra/Keto/Oathkeeper) — open-source licence + self-host: https://github.com/ory/kratos
- Thales (OneWelcome) — Thales identity platform: https://cpl.thalesgroup.com/access-management/onewelcome-identity-platform ; parent listing (Euronext Paris): https://www.thalesgroup.com/en/group/investors
- Signicat (Nordic Capital) — company / ownership: https://www.signicat.com/about
- Namirial (Netheos) — company: https://www.namirial.com/en/about-us/
- tmgroup (tmVerify365) — Companies House PSC: https://find-and-update.company-information.service.gov.uk/search?q=tmgroup
- Nevis Security — company / deployment (on-prem): https://www.nevis.net/en/company
- Zitadel (CAOS AG) — GitHub (open source, self-host): https://github.com/zitadel/zitadel
- itsme (Belgian Mobile ID) — about: https://www.itsme-id.com/en-BE/about
- Yubico — investor / listing (Nasdaq Stockholm): https://www.investors.yubico.com/ ; product (keys hold secrets on device): https://www.yubico.com/products/
- LexisNexis Risk Solutions — RELX PLC (London-listed ultimate parent): https://www.relx.com/investors
- Thirdfort — Companies House: https://find-and-update.company-information.service.gov.uk/search?q=thirdfort
- Yoti — Companies House: https://find-and-update.company-information.service.gov.uk/company/08998951 ; UK digital-identity register: https://www.digital-identity-services-register.service.gov.uk/provider-details?providerId=38
- Amiqus — Companies House: https://find-and-update.company-information.service.gov.uk/search?q=amiqus+resolution
- Legl — Companies House (The Justice Platform Ltd): https://find-and-update.company-information.service.gov.uk/search?q=the+justice+platform
- Ubisecure — Companies House: https://find-and-update.company-information.service.gov.uk/search?q=ubisecure+holdings
- Keycloak — open-source project / GitHub (Apache; CNCF; Red Hat/IBM steward): https://github.com/keycloak/keycloak
- Authentik — GitHub (open source, self-host; Authentik Security Inc., US PBC): https://github.com/goauthentik/authentik
- GOV.UK One Login — Government Digital Service: https://www.gov.uk/government/organisations/government-digital-service
- US CLOUD Act — 18 U.S. Code § 2713: https://www.law.cornell.edu/uscode/text/18/2713
- FISA Section 702 — 50 U.S. Code § 1881a: https://www.law.cornell.edu/uscode/text/50/1881a
Research notes: all facts from vendors’ own published documentation — data-residency, trust and security pages — company registries, and the named US statutes, read directly during June 2026. Ownership and data locations change; check current documents before relying on them. This article reflects the opinions of the Information Matters team — human and AI — and should not be considered statements of fact.
If you have any questions or comments about this article please email info@informationmatters.net