This is the map for the identity series: one argument about building identity security for the company you actually have, broken into posts you can read in any order. It starts from a single hub and branches into six threads. It is a graph more than a line, because the threads cross. Phishing-resistant MFA leans on single sign-on. Device trust comes back around under BYOD. Continuous access ties the operational layer to the pillars it watches.
Start at the hub and follow whichever thread matches the problem in front of you. The table below lists every post, the path through the graph that reaches it, and the standards and open-source projects it draws on, so you can jump to a specific control or see what a given piece leans on.

The map above is the clean version. In practice the posts reference each other constantly, across threads as much as within them. Here is the same series drawn as its actual web of links, each post colored by its thread.

The Six Threads
- Building the ladder is the IAM you stand up first: one front door, automatic lifecycle, roles and attributes, a broker for the dangerous access, break-glass for the bad day, and knowing what each grant can actually reach.
- Zero trust, end to end walks the pillars in blast-radius order: prove the user, prove the device, drop the flat network, check authorization at the object, and let access know what the data is.
- Workload and machine identity is identity for the things that are not people: workloads that cross cloud boundaries, the service accounts they used to be, the non-human identities that now outnumber humans, and the agents arriving next.
- Running it is the operational layer once the ladder is built: ending a session everywhere, evaluating access continuously, reviewing entitlements from telemetry instead of spreadsheets, and detecting the identity attacks that get through.
- Product authorization is fine-grained authorization inside the software you ship: why that model is never finished, how the policy, the evaluation, and the data are three separate choices rather than one, and how to carry the caller’s identity deep into a call graph that has forgotten who asked.
- Synthesis is what the whole thing adds up to: collapse the surface before you defend it, take out the friction that makes people hoard access, and run a secure enterprise on devices you do not own.