The Identity Spine

This is the map for the identity series: one argument about building identity security for the company you actually have, broken into posts you can read in any order. It starts from a single hub and branches into six threads. It is a graph more than a line, because the threads cross. Phishing-resistant MFA leans on single sign-on. Device trust comes back around under BYOD. Continuous access ties the operational layer to the pillars it watches.

Start at the hub and follow whichever thread matches the problem in front of you. The table below lists every post, the path through the graph that reaches it, and the standards and open-source projects it draws on, so you can jump to a specific control or see what a given piece leans on.

The identity series drawn as a graph: a central hub, right-sized IAM for the company you have, branches into six clustered threads. Building the ladder holds SSO, lifecycle, roles and attributes, the authorization broker, break-glass, and reachable permissions. Zero trust, end to end holds the sequence, phishing-resistant MFA, device trust, per-app access, object-level authorization, and data-centric access. Workload and machine identity holds workload identity, SPIFFE/SPIRE, non-human identities, service accounts, and agent capabilities. Running it holds sessions and logout, continuous access, telemetry-driven reviews, and detection. Product authorization holds authorization that keeps evolving, the three decisions of policy, evaluation, and data, and carrying caller identity across hops. Synthesis holds collapse the surface, frictionless access, and the BYOD endpoint

The map above is the clean version. In practice the posts reference each other constantly, across threads as much as within them. Here is the same series drawn as its actual web of links, each post colored by its thread.

The same 28 posts drawn as a link graph, one node per post colored by its thread, with an edge wherever one post links to another. The result is a dense web rather than a tree: posts cross-reference heavily across threads, not only within them. The most-referenced nodes are the ones the rest of the series leans on, telemetry-driven reviews, the authorization broker, agent capabilities, workload identity, and phishing-resistant MFA, each pulled toward by posts from several different threads

The Six Threads

  • Building the ladder is the IAM you stand up first: one front door, automatic lifecycle, roles and attributes, a broker for the dangerous access, break-glass for the bad day, and knowing what each grant can actually reach.
  • Zero trust, end to end walks the pillars in blast-radius order: prove the user, prove the device, drop the flat network, check authorization at the object, and let access know what the data is.
  • Workload and machine identity is identity for the things that are not people: workloads that cross cloud boundaries, the service accounts they used to be, the non-human identities that now outnumber humans, and the agents arriving next.
  • Running it is the operational layer once the ladder is built: ending a session everywhere, evaluating access continuously, reviewing entitlements from telemetry instead of spreadsheets, and detecting the identity attacks that get through.
  • Product authorization is fine-grained authorization inside the software you ship: why that model is never finished, how the policy, the evaluation, and the data are three separate choices rather than one, and how to carry the caller’s identity deep into a call graph that has forgotten who asked.
  • Synthesis is what the whole thing adds up to: collapse the surface before you defend it, take out the friction that makes people hoard access, and run a secure enterprise on devices you do not own.

Every Post, and What It Draws On

PostPath through the graphStandards and frameworksOpen source
IAM for the company you haveHubGartner IAM maturity model; CISA Zero Trust Maturity Model-
One front door, one place to revokeHub ▸ Building the ladder ▸ SSOSAML 2.0; OIDC; SCIM (RFC 7644)Keycloak, Authentik, Zitadel, Authelia, oauth2-proxy, Pomerium
Automate the leaver before the joinerHub ▸ Building the ladder ▸ LifecycleSCIM (RFC 7644); Shared Signals / CAEPmidPoint, Apache Syncope
Roles don’t scale the way you thinkHub ▸ Building the ladder ▸ RolesNIST RBAC; NIST SP 800-162 (ABAC)OPA, Casbin
Authorization broker modelsHub ▸ Building the ladder ▸ Broker-Teleport, HashiCorp Boundary, Vault, JumpServer
Break-glass without the backdoorHub ▸ Building the ladder ▸ Break-glassAWS service control policy pattern-
You can reach more than you were grantedHub ▸ Building the ladder ▸ Reachable permissions-PMapper, Cartography, BloodHound, AzureHound
Zero trust is a sequenceHub ▸ Zero trust ▸ SequenceNIST SP 800-207; CISA Zero Trust Maturity Model-
MFA that survives phishingHub ▸ Zero trust ▸ MFAWebAuthn; FIDO2; NIST 800-63B; CISA AA23-320ASoloKeys, Nitrokey, Keycloak, Authentik
Trust the user, then the machineHub ▸ Zero trust ▸ DeviceBeyondCorp; Apple Managed Device Attestation; Play Integritystep-ca, osquery, Fleet, Wazuh
Per-app access ends the flat networkHub ▸ Zero trust ▸ Per-app accessNIST SP 800-207; BeyondCorpOpenZiti, Pomerium, Nebula, Headscale
The gateway can’t see the objectHub ▸ Zero trust ▸ Object-level authorizationOWASP API BOLA; Google ZanzibarOPA, OpenFGA, SpiceDB, Cedar
Access should know what the data isHub ▸ Zero trust ▸ Data-centricNIST FIPS 199Presidio, OpenMetadata, DataHub
When you can use workload identityHub ▸ Workload and machine ▸ Workload identity-SPIFFE / SPIRE
Workload identity that crosses boundariesHub ▸ Workload and machine ▸ SPIFFESPIFFE; IETF WIMSESPIRE, go-spiffe, SPIFFE Helper
Non-human identitiesHub ▸ Workload and machine ▸ NHI-Gitleaks, TruffleHog, External Secrets, SPIFFE / SPIRE
Service accounts that improviseHub ▸ Workload and machine ▸ Service accountsOAuth for AI agents (IETF draft); MCP authorization; OWASP Agentic Top 10SPIFFE, Vault, Teleport, agentgateway
Agents need capabilities, not rolesHub ▸ Workload and machine ▸ Agent capabilitiesNIST AI 600-1; NIST SP 800-53; OWASP Agentic AI; SLSA; ISO/IEC 42001-
Logging out is harder than logging inHub ▸ Running it ▸ SessionsOIDC back-channel / front-channel logout; OAuth revocation (RFC 7009); SSF / CAEP; OWASP session managementKeycloak, Authentik, Ory Hydra, caep.dev
Identity is becoming continuousHub ▸ Running it ▸ ContinuousShared Signals Framework / CAEPcaep.dev
Telemetry-driven access reviewsHub ▸ Running it ▸ Telemetry reviews--
The other half of identity securityHub ▸ Running it ▸ Detection-Falco, Sigma, Wazuh
Your authorization model is never doneHub ▸ Product authorizationGoogle ZanzibarOpenFGA, SpiceDB, Ory Keto, Cedar, Oso, Topaz
Authorization is three decisions, not oneHub ▸ Product authorization ▸ Three decisionsGoogle Zanzibar; NIST SP 800-162 (ABAC)OPA, Cedar, OpenFGA, SpiceDB, Topaz
Whose request is this, three hops in?Hub ▸ Product authorization ▸ Caller identity across hopsSPIFFE; OAuth Token Exchange (RFC 8693); mTLS (RFC 8705)Istio, Linkerd, SPIRE, OPA
Collapse the surface, then defend itHub ▸ Synthesis ▸ Collapse--
Friction is why people hoard accessHub ▸ Synthesis ▸ Friction-OPA
A secure enterprise on devices you don’t ownHub ▸ Synthesis ▸ BYODBeyondCorp; Android work profile; Apple user enrollment; Play Integrity-