When the center cannot be reached, the operation continues. Access has to continue with it.

Aircraft keep flying. Plants keep running. Vessels keep moving. The operation does not pause because the link to the center went down.

Access management usually does. Authentication, authorization, every access decision depends on infrastructure somewhere else, and when that infrastructure cannot be reached, access cannot be granted while the operation still has to run.

Krutho was built to keep access working here, where the center cannot be reached and the operation continues anyway.


Find the environment you already run.

Disconnected environments are not edge cases. They are where critical operations already happen, every day, beyond reliable centralized reach.

Aerial views of an airport, a cargo ship at sea, an offshore oil rig and a solar farm

Aircraft

Identity for an entire fleet cannot sit on every plane. Bandwidth and onboard resources do not allow a full identity stack in the air. The aircraft operates for hours beyond reliable connectivity, and access has to hold the whole time.

Maritime

Vessels move between networks and spend long stretches with no usable link to shore. Operations continue regardless of which network, or whether any, is currently reachable.

Industrial and OT sites

Operational technology runs on constrained, often intermittent communications. Plant and field systems were never designed to pause until a central server is reachable again.

Forward and remote operations

Deployed and remote infrastructure can spend long periods fully disconnected. The operation has to run on what it holds, and access decisions still have to be made locally.

The environments differ. The operational requirement does not.
People still need to work. Systems still need to operate.
Access decisions still have to be made.


You cannot solve this by copying the center.

The standard answer breaks down precisely where the edge begins.

When a central dependency causes problems, the reflex is to copy the center closer to the operation. At the disconnected edge, full replication is not a smaller version of the central model. It is untenable, and often impossible. Three reasons, before the operational cost even begins.

Security

A full replica means every site holds the credentials and identities of the entire organization. A fleet of ten, a hundred, more, each carrying the complete identity estate of the company. The blast radius of a single compromised site becomes the whole enterprise. For most operations that is not an acceptable trade. For many it is disqualifying on its own.

Feasibility

Many environments cannot run a full identity stack at all. An aircraft does not have the bandwidth or the onboard resources to hold and serve the entire estate, and many sites are no different. The replica cannot be built where it is most needed, and on the environments that need it most, it cannot be built at all.

Read-only by nature

Even where a replica can be deployed, it is read-only. Every change still originates at the primary. There is no safe multi-master model at the edge. So a replica can verify what it already holds, but it cannot decide anything new. The moment a privilege has to change, the site has to wait for the connection to return. That loss of local authority is the problem, not a side effect of it.

A copy at the edge moves where the dependency sits.
It never removes it.
The decision still needs the center.


How Krutho runs at the edge.

Decisions execute where the operation runs, with no path back to the center required.

Krutho does not copy the center to the edge. It changes what the decision needs in order to be made at all.

The credential carries the proof

Self-contained credentials carry identity and group membership with them. The proof the decision needs travels with the user, rather than being retrieved from the center at the moment of access.

  • Locally verifiable
  • Offline capable
  • Passwordless
  • Multi-factor by construction

The decision point runs in the operational domain

The policy decision point is deployed into the application domain, operated by the team running the workload. The decision is rendered where the operation runs, not at the center.

Operation continues through disconnection

When connectivity is lost, the edge keeps verifying and deciding on what it holds. The operation continues without reaching back to the center. Connectivity becomes an operational variable, not a dependency.


Governance still reaches the edge.

Central evaluation. Local enforcement. No round trip to operate.

An engineer in a hard hat working on a laptop on the deck of a ship at sea

Running decisions locally does not cut the operation off from enterprise governance. Risk is still evaluated centrally. What changes is how that evaluation reaches the edge.

The edge operates on what it holds and renders decisions locally. The center continues to evaluate risk across the enterprise. When new risk information becomes available, an impossible-travel signal, an account suspension, it is conveyed to the edge, and the local decision point acts on it: reassessing existing sessions, retracting them where required, and informing the decisions it makes next. When the center cannot be reached, the edge continues to enforce under the policy and trust it already holds.

Governance reaches the edge.
The edge does not have to reach back to operate.


What the operator gets.

Local authority, contained failure, governance intact.

The operation continues through interruption

Loss of connectivity no longer stops access. The edge keeps verifying and deciding on what it holds, under enterprise policy, until the connection returns.

Authority exists where it is needed

The team running the workload owns its runtime and its decisions. Privilege and access are exercised locally, without waiting for a connection to come back.

Failure remains contained

A change at one site stays at that site. A site no longer carries the whole enterprise, and a failure no longer converges on a shared center.

Governance remains intact

Identity lifecycle, certification, delegated authority, and audit stay centralized and authoritative. What moves to the edge is the decision, not the governance.


Most disconnected operations already run Active Directory.

And it cannot be removed.

Two operators at an industrial control room workstation surrounded by monitoring screens

Windows endpoints depend on it. Operational technology integrates with it directly. Decades of infrastructure are built around it. The substrate is fixed.

The traditional pattern cannot apply here. Copying an entire identity infrastructure to the disconnected site fails for every reason replication already failed: the site would hold the whole estate, it cannot run the full stack, and it still could not decide anything new. So Krutho stops copying it. Active Directory stays where it is, and identity travels with the user instead.

The decision stays local. The credential carries the proof. The operation holds.

  Every operation, its own jurisdiction.