With Git, users simply "declare" their identity in the configuration of the Git client, and that declared identity is recorded as the "author" when commits are made against a repository. However, when pushing to a repository hosted within Stash, the identity used to authenticate to the repository may be different from the identity that was recorded when the commits were made.
Furthermore, there is no reliable way to verify or be reasonably certain that commit X was actually performed by user Y. The user could simply have declared their identity to be something false. The lack of a reliable audit trail of changes is a significant issue, particularly for corporations.
One solution to this issue is to require users to perform signed commits (or in the case of pull requests, only allow pull requests against a signed commit tag). What is needed is the ability to configure a repository to accept only commits that have been signed, and to verify that each signature is both valid and trusted. At present, this seems to be the only way to establish a reliable audit trail within Git.
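As an added illustration (not Stash's own hook API or code from this request), the check described above can be sketched as a plain Git server-side pre-receive hook that accepts a push only if every new commit has a signature that is both valid and made by a trusted key. It assumes the server's GnuPG keyring already holds the trusted signer keys; the function names are hypothetical, and signed tags are not covered.

```shell
#!/bin/sh
# Added example: generic Git pre-receive hook, not Stash's plugin interface.
# Assumption: the server's GnuPG keyring holds the trusted signer keys.

# Policy: accept only %G? status "G" (signature valid AND key trusted).
sig_status_ok() { [ "$1" = "G" ]; }

# Explain git's %G? status letters for the rejection message.
sig_status_reason() {
    case "$1" in
        G) echo "good signature from a trusted key" ;;
        U) echo "good signature, but key validity unknown (untrusted)" ;;
        B) echo "bad signature" ;;
        X|Y) echo "signature or signing key has expired" ;;
        R) echo "signing key has been revoked" ;;
        E) echo "signature cannot be checked (missing key)" ;;
        N) echo "no signature" ;;
        *) echo "unrecognized status '$1'" ;;
    esac
}

# Read "<sha> <status>" lines on stdin; report and fail on any non-"G" commit.
check_commits() {
    bad=0
    while read -r sha status; do
        if ! sig_status_ok "$status"; then
            echo "rejected $sha: $(sig_status_reason "$status")"
            bad=1
        fi
    done
    return $bad
}

# True when the object id is all zeros (ref creation or deletion marker).
is_null() { case "$1" in *[!0]*) return 1 ;; esac; }

# pre-receive gets one "<old> <new> <ref>" line per updated ref on stdin.
main() {
    rc=0
    while read -r old new ref; do
        is_null "$new" && continue                 # ref deletion: nothing to verify
        if is_null "$old"; then range="$new --not --all"   # new ref
        else range="$old..$new"; fi
        # $range is intentionally unquoted so it splits into arguments.
        git log --format='%H %G?' $range | check_commits || rc=1
    done
    exit $rc
}

# Run only when installed as hooks/pre-receive, so the functions can be sourced.
case "${0##*/}" in pre-receive) main ;; esac
```

Treating status "U" as a rejection is what enforces the "trusted" half of the requirement: a signature that verifies against an unknown or untrusted key proves nothing about who made the commit.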