SOMA-DR: Decision Receipts for Explainable Recovery and Key Rotation in Post-Quantum IAM

Identity and Access Management (IAM) increasingly relies on adaptive controls—step-up challenges, recovery verification, device and behavior signals, and continuous authorization—to reduce account takeover and misuse. At the same time, IAM systems must prepare for post-quantum cryptography (PQC) transitions that affect credentials, signing, and verification paths. These shifts create a practical governance problem: when an identity action is allowed, challenged, denied, or escalated (e.g., passwordless enrollment, recovery credential release, privileged step-up, or machine key rotation), teams must be able to explain why the decision happened, what evidence was considered, and how the decision can be independently verified later. This paper introduces Decision Receipts (DR): a verifiable, privacy-aware record produced at decision time that captures (i) policy context and versioning, (ii) normalized evidence descriptors (not raw personal data), (iii) action outcomes and reason codes, and (iv) cryptographic signatures supporting long-term auditability under PQC. We propose an open receipt schema, canonicalization rules, and verifier workflows using widely deployed identity standards (OAuth 2.0, OpenID Connect, JWT) and modern signing containers (JWS/COSE), with optional anchoring into transparency logs for tamper-evidence. The approach is intentionally IP-safe and adoptable as an audit overlay independent of any specific orchestrator implementation.