
Enterprise IAM reference architecture.

How I'd design identity for a large, regulated organisation — the layers, the control points, and how they fit together. Vendor-neutral: this is the shape of the system, not a product list. Every box maps to a capability you can assess and a control you can evidence.

Architecture diagram (the original is an image; the layer labels are recovered below):

GOVERNANCE & COMPLIANCE: ISO 27001 · NIST CSF · ACSC Essential Eight · APRA CPS 234 — control ownership, testing & evidence

AUTHORITATIVE SOURCES
HRIS: joiners · movers · leavers
Contractor / partner register: non-employee identities
Device & asset inventory: posture signals

IDENTITY FABRIC
Identity Governance (IGA): lifecycle · RBAC roles · access reviews · SoD
Identity Provider & Directory · PDP: authentication · phishing-resistant MFA · SSO · conditional access
Privileged Access (PAM): vault · just-in-time elevation · session brokering
Non-human & AI identity: service accounts · tokens · agents — owned, scoped, rotated

PROTECTED RESOURCES (each behind a PEP)
SaaS applications · Cloud (AWS / Azure) · On-prem systems · Data stores

Flows in the diagram: authoritative sources provision the identity fabric; the identity fabric authorizes access to protected resources.

IDENTITY VISIBILITY & ITDR: centralised identity telemetry · behavioural detection · response: disable · revoke sessions · reset · quarantine
Every layer above emits signals here, and trust can be revoked from here in real time.

01 Authoritative sources

Identity starts with truth, not tickets. HR systems drive the employee lifecycle; a contractor/partner register governs everyone else; a device & asset inventory supplies the posture signals that later decisions depend on. Every identity has a source, an owner and an expiry — no exceptions for "temporary" access.

02 Identity Governance (IGA)

The system of record for who should have what. Joiner-mover-leaver automation provisions from the authoritative source; RBAC keeps grants role-derived; risk-based certifications and continuous separation-of-duties checks keep entitlements honest. This is where access is decided and proven.

03 Identity Provider & Directory — the Policy Decision Point

Where every access request is judged. Strong, phishing-resistant authentication, SSO, and conditional access that weighs identity, device posture and context per request — the Zero-Trust PDP. The directory is a crown-jewel asset and is protected like one.

04 Privileged Access (PAM)

Administrative power, contained. Credentials vaulted, sessions brokered and recorded, and standing privilege driven toward zero with just-in-time elevation. The goal isn't a bigger vault — it's that, at any moment, almost no privilege is standing and exposed.

05 Non-human & AI identity

The fastest-growing and least-governed population. Service accounts, API tokens, workload identities and AI agents each get an owner, least-privilege scope, and rotation — governed with the same rigour as humans, because they are more numerous, more privileged and less watched.

06 Protected resources & enforcement

SaaS, cloud, on-prem and data each sit behind a Policy Enforcement Point that applies the PDP's decision. Least privilege at the door decides how much damage a compromised session can do — so enforcement and entitlement are designed together, not bolted on.

07 Identity Visibility & ITDR — across everything

Every layer emits telemetry to a centralised, queryable, tamper-resistant store. Behavioural baselining detects the attacks in which the adversary logs in with valid credentials rather than breaking in; rehearsed response levers — disable, revoke sessions and tokens, reset, quarantine — contain them in minutes. Detection and response are a property of the whole fabric, not a bolt-on.
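To make the ITDR layer concrete, here is an added worked example (not code from the page or its author) of behavioural baselining over centralised identity telemetry. It builds a per-user profile of countries, devices and MFA methods from successful sign-ins before a cutoff, scores later events against that user's own baseline, and maps the score to the response levers the page names. The log lines are constructed, the JSON field names, the scoring weights, the cutoff date and the thresholds are assumptions of this example, not any vendor's schema or a recommended tuning.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of centralised identity telemetry: one IdP event per JSON line.
# Field names are assumptions for this example, not a vendor schema.
SAMPLE_LOG = """
{"ts": "2026-03-02T08:01:00Z", "user": "j.doe", "event": "signin", "result": "success", "country": "AU", "device_id": "dev-A1", "mfa": "fido2"}
{"ts": "2026-03-03T08:05:00Z", "user": "j.doe", "event": "signin", "result": "success", "country": "AU", "device_id": "dev-A1", "mfa": "fido2"}
{"ts": "2026-03-04T08:02:00Z", "user": "j.doe", "event": "signin", "result": "success", "country": "AU", "device_id": "dev-A1", "mfa": "fido2"}
{"ts": "2026-03-05T02:40:00Z", "user": "j.doe", "event": "signin", "result": "success", "country": "RO", "device_id": "dev-Z9", "mfa": "sms"}
{"ts": "2026-03-05T02:41:00Z", "user": "j.doe", "event": "mfa_method_added", "result": "success", "country": "RO", "device_id": "dev-Z9", "mfa": "sms"}
{"ts": "2026-03-05T09:00:00Z", "user": "a.lee", "event": "signin", "result": "success", "country": "AU", "device_id": "dev-B2", "mfa": "fido2"}
"""

BASELINE_CUTOFF = datetime(2026, 3, 5)  # assumed: events before this build the baseline, later ones are scored
MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "fido2": 3}  # assumed ordering, 3 = phishing-resistant
SENSITIVE_EVENTS = {"mfa_method_added", "password_changed", "role_assigned"}
ALERT_THRESHOLD = 4  # assumed tuning for this example


def parse_events(text):
    """Parse JSON lines into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user profile of countries, devices and MFA methods seen in successful sign-ins before the cutoff."""
    profiles = defaultdict(lambda: {"countries": set(), "devices": set(), "mfa": set()})
    for e in events:
        if e["ts"] < cutoff and e["event"] == "signin" and e["result"] == "success":
            p = profiles[e["user"]]
            p["countries"].add(e["country"])
            p["devices"].add(e["device_id"])
            p["mfa"].add(e["mfa"])
    return dict(profiles)


def score_event(e, profile):
    """Additive anomaly score against the user's own baseline; every point carries a reason."""
    score, reasons = 0, []
    if e["country"] not in profile["countries"]:
        score += 2
        reasons.append(f"new country {e['country']}")
    if e["device_id"] not in profile["devices"]:
        score += 2
        reasons.append(f"new device {e['device_id']}")
    weakest_seen = min(MFA_STRENGTH.get(m, 0) for m in profile["mfa"])
    if MFA_STRENGTH.get(e.get("mfa", "none"), 0) < weakest_seen:
        score += 1
        reasons.append(f"weaker MFA ({e.get('mfa')}) than the user has ever used")
    if e["event"] in SENSITIVE_EVENTS:
        score += 2
        reasons.append(f"sensitive change: {e['event']}")
    return score, reasons


def response_levers(score):
    """The page's rehearsed levers, ordered by severity; the cut-offs are this example's assumption."""
    if score >= ALERT_THRESHOLD + 2:
        return ["disable account", "revoke sessions and tokens", "reset credentials and MFA", "quarantine device"]
    if score >= ALERT_THRESHOLD:
        return ["revoke sessions and tokens", "reset credentials"]
    return []


def detect(events, cutoff=BASELINE_CUTOFF):
    """Score every post-cutoff event for users that have a baseline; return the alerts with their levers."""
    profiles = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        profile = profiles.get(e["user"])
        if profile is None:
            continue  # no history yet: "normal" is undefined for this user, so do not score
        score, reasons = score_event(e, profile)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(), "event": e["event"],
                           "score": score, "reasons": reasons, "actions": response_levers(score)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run on the constructed log, the two Romanian events for j.doe are flagged (new country, new device, weaker MFA, and for the second one a sensitive MFA change), while a.lee's first-ever sign-in is skipped rather than scored, because a baseline built from zero observations would flag everything. In a real deployment the per-user profile would be rebuilt on a rolling window and the levers would call the IdP and PAM APIs of the chosen platforms.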

Design principles

Authoritative sourcing

Lifecycle is driven by systems of truth, never by memory or tickets. Reconciliation proves intended access matches reality.

Least privilege by default

Birthright is minimal; everything else is requested, time-bound and reviewed. Standing privilege trends toward zero.

Per-request, context-aware decisions

Trust is evaluated continuously on identity, device and context — the network is never a proxy for trust.

Evidence as a first-class output

Every control produces audit evidence by design, mapped to the frameworks the organisation is measured against.

Govern machines like humans

Non-human identities carry owners, scope and lifecycle — the next breach class, designed for now.

Detection & response built in

Identity is the most-attacked surface; visibility and fast response levers are part of the architecture, not an afterthought.

Trust zones

Segmentation expressed as escalating trust requirements — movement between zones is brokered and inspected, never implicit.

Zone 0 · Untrusted
Internet and unmanaged devices. No implicit access — every request is authenticated and authorised on its merits.
Zone 1 · Standard
Authenticated users on managed, compliant devices reaching business applications under conditional access.
Zone 2 · Identity control plane
IdP, directory, IGA and PAM — crown-jewel systems, hardened, isolated and tightly monitored.
Zone 3 · Privileged (Tier 0)
Domain controllers and administrative planes — reached only via just-in-time, brokered, recorded sessions.
Zone 4 · Sensitive data
Regulated and crown-jewel data: strongest authentication, least privilege, full audit on every access.

Key flows

Provisioning

Source event → IGA evaluates role & policy → directory and downstream apps provisioned with least-privilege, role-derived access.

Authentication

Request → PDP weighs identity, device & context → PEP enforces at the resource → re-evaluated continuously; trust revocable mid-session.

Privileged elevation

Request → approval → time-boxed JIT grant → brokered, recorded session → automatic expiry, fully audited.
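The authentication and privileged-elevation flows above, together with the Policy Decision Point of section 03, the PAM model of section 04 and the trust zones, as one worked example. This is added illustration, not the author's code or any product's policy language. Each request is judged on the MFA strength of the session, device posture and the trust zone of the target; Zone 3 additionally requires an active, time-boxed grant approved by someone other than the requester; the PDP returns a re-evaluation interval so the PEP asks again rather than trusting a session forever; and revoking a user's grants causes the next check to deny mid-session. The zone encoding, the MFA strength scale, the 300-second re-evaluation interval and the no-self-approval rule are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MFA_STRENGTH = {"none": 0, "sms": 1, "totp": 2, "fido2": 3}  # assumed scale, 3 = phishing-resistant
REEVAL_SECONDS = 300  # assumed: the PEP must re-ask the PDP at least this often

# Assumed encoding of the page's trust zones as per-request requirements.
# Zone 0 is where unmanaged requesters come from; it is never a target.
ZONE_POLICY = {
    1: {"min_mfa": 2, "managed": True, "compliant": True, "jit": False},  # standard business apps
    2: {"min_mfa": 3, "managed": True, "compliant": True, "jit": False},  # identity control plane
    3: {"min_mfa": 3, "managed": True, "compliant": True, "jit": True},   # Tier 0: JIT grants only
    4: {"min_mfa": 3, "managed": True, "compliant": True, "jit": False},  # sensitive data
}


@dataclass
class Request:
    user: str
    mfa: str  # strongest factor satisfied in this session
    device_managed: bool
    device_compliant: bool
    resource: str
    zone: int


@dataclass
class Grant:
    user: str
    resource: str
    approver: str
    start: datetime
    end: datetime
    revoked: bool = False


@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    reevaluate_after: int  # seconds until the PEP must ask again; 0 when denied


AUDIT: List[dict] = []  # every grant, revocation and decision is recorded here


def request_elevation(grants: List[Grant], user: str, resource: str, approver: str,
                      minutes: int, now: datetime) -> Grant:
    """Approved, time-boxed JIT grant; a requester may never approve their own elevation."""
    if approver == user:
        raise ValueError("self-approval is not permitted")
    g = Grant(user, resource, approver, now, now + timedelta(minutes=minutes))
    grants.append(g)
    AUDIT.append({"type": "grant", "user": user, "resource": resource, "approver": approver,
                  "start": g.start.isoformat(), "end": g.end.isoformat()})
    return g


def active_grant(grants: List[Grant], user: str, resource: str, now: datetime) -> Optional[Grant]:
    for g in grants:
        if g.user == user and g.resource == resource and not g.revoked and g.start <= now < g.end:
            return g
    return None


def revoke_user(grants: List[Grant], user: str) -> int:
    """Response lever: pull every live grant for a user so the next PDP check denies."""
    hit = [g for g in grants if g.user == user and not g.revoked]
    for g in hit:
        g.revoked = True
    AUDIT.append({"type": "revoke", "user": user, "grants": len(hit)})
    return len(hit)


def decide(req: Request, grants: List[Grant], now: datetime) -> Decision:
    """The PDP: weigh identity (MFA), device posture and zone context for this one request."""
    policy = ZONE_POLICY[req.zone]
    reasons = []
    if MFA_STRENGTH.get(req.mfa, 0) < policy["min_mfa"]:
        reasons.append(f"mfa '{req.mfa}' below zone {req.zone} minimum")
    if policy["managed"] and not req.device_managed:
        reasons.append("device not managed")
    if policy["compliant"] and not req.device_compliant:
        reasons.append("device not compliant")
    ttl = REEVAL_SECONDS
    if policy["jit"]:
        g = active_grant(grants, req.user, req.resource, now)
        if g is None:
            reasons.append("no active just-in-time grant")
        else:
            ttl = min(ttl, int((g.end - now).total_seconds()))  # a decision never outlives its grant
    d = Decision(allow=not reasons, reasons=reasons, reevaluate_after=ttl if not reasons else 0)
    AUDIT.append({"type": "decision", "user": req.user, "resource": req.resource, "zone": req.zone,
                  "at": now.isoformat(), "allow": d.allow, "reasons": reasons})
    return d


T0 = datetime(2026, 3, 5, 9, 0)  # constructed clock for the scenario below


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


def run_scenario() -> List[dict]:
    """Constructed walk-through: Tier 0 access before, during and after a 30-minute JIT grant."""
    grants: List[Grant] = []
    admin = Request("alice", "fido2", True, True, "dc01", 3)
    steps = [("before grant", decide(admin, grants, at(0)))]
    request_elevation(grants, "alice", "dc01", "bob", 30, at(0))
    steps.append(("1 min in", decide(admin, grants, at(1))))
    steps.append(("28 min in", decide(admin, grants, at(28))))
    steps.append(("31 min in", decide(admin, grants, at(31))))
    return [{"step": s, "allow": d.allow, "reevaluate_after": d.reevaluate_after, "reasons": d.reasons}
            for s, d in steps]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

Two details carry the page's intent. The re-evaluation interval shrinks as the grant nears expiry, so the PEP cannot hold a cached "allow" past the grant's end, and the same `decide` function serves the standard Zone 1 request and the Tier 0 request; only the zone policy changes, which is what "segmentation expressed as escalating trust requirements" means in code.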

De-provisioning

Leaver event → disable everywhere within hours → revoke sessions & tokens → reconcile target systems to prove nothing remains.
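The reconciliation step of the de-provisioning flow, which is also what section 02's IGA and the "authoritative sourcing" principle ("reconciliation proves intended access matches reality") describe, as an added worked example that is not the page's or the author's code. It derives the expected entitlements of every identity from the HRIS and contractor-register extracts plus a role model, compares them with what the target systems actually hold, and reports orphans, leavers still provisioned, over-entitlement, under-provisioning and separation-of-duties violations, each with the remediation the page implies. All extracts, the role model, the SoD rules and the reference date are constructed for this example.

```python
from datetime import date

TODAY = date(2026, 3, 5)  # constructed reference date

# Constructed authoritative-source extracts (field names are assumptions for this example).
HRIS = [
    {"id": "e1001", "name": "J. Doe", "job": "ap_clerk", "status": "active", "end": None},
    {"id": "e1002", "name": "A. Lee", "job": "ap_approver", "status": "active", "end": None},
    {"id": "e1003", "name": "R. Kim", "job": "sysadmin", "status": "terminated", "end": "2026-02-28"},
]
CONTRACTORS = [
    {"id": "c2001", "name": "S. Patel", "job": "helpdesk", "status": "active", "end": "2026-06-30"},
    {"id": "c2002", "name": "M. Ortiz", "job": "helpdesk", "status": "active", "end": "2026-01-31"},  # contract lapsed, register never updated
]

# Role model: job title to role-derived entitlements (constructed).
ROLE_MODEL = {
    "ap_clerk": {"erp:invoice_create", "erp:vendor_view"},
    "ap_approver": {"erp:invoice_approve", "erp:vendor_view"},
    "sysadmin": {"ad:domain_admin", "vpn:access"},
    "helpdesk": {"ad:password_reset", "vpn:access"},
}

# Separation-of-duties: entitlement pairs no single identity may hold at once (constructed).
SOD_RULES = [("erp:invoice_create", "erp:invoice_approve"),
             ("erp:vendor_create", "erp:invoice_approve")]

# What the target systems actually hold (constructed).
ACTUAL = {
    "e1001": {"erp:invoice_create", "erp:vendor_view", "erp:invoice_approve"},  # manual grant created an SoD breach
    "e1002": {"erp:invoice_approve", "erp:vendor_view"},
    "e1003": {"ad:domain_admin", "vpn:access"},                                  # leaver, still provisioned
    "c2001": {"ad:password_reset", "vpn:access", "ad:domain_admin"},             # over-entitled
    "c2002": {"vpn:access"},                                                     # lapsed contract
    "svc-legacy": {"erp:vendor_view"},                                           # no authoritative source at all
}

REMEDIATION = {
    "orphan": "no authoritative source: assign an owner and source, or disable",
    "leaver_still_provisioned": "disable everywhere, revoke sessions and tokens, remove entitlements",
    "over_entitled": "remove entitlements not derived from the role; route to certification",
    "under_provisioned": "provision the missing role-derived access through IGA",
    "sod_violation": "remove one side of the conflict or record an approved, time-bound exception",
}


def expected_access(hris, contractors, today=TODAY):
    """Intended entitlements per identity: role-derived for active people, empty for leavers and lapsed contracts."""
    expected = {}
    for rec in hris + contractors:
        end = date.fromisoformat(rec["end"]) if rec["end"] else None
        if rec["status"] != "active" or (end is not None and end < today):
            expected[rec["id"]] = set()  # known identity that should hold nothing
        else:
            expected[rec["id"]] = set(ROLE_MODEL.get(rec["job"], set()))
    return expected


def reconcile(expected, actual):
    """Compare intended access with reality; one finding per (kind, identity) discrepancy."""
    findings = []
    for ident in sorted(set(expected) | set(actual)):
        held = actual.get(ident, set())
        want = expected.get(ident)
        if want is None:
            findings.append({"kind": "orphan", "id": ident, "entitlements": sorted(held)})
            continue
        if not want and held:
            findings.append({"kind": "leaver_still_provisioned", "id": ident, "entitlements": sorted(held)})
            continue
        extra, missing = held - want, want - held
        if extra:
            findings.append({"kind": "over_entitled", "id": ident, "entitlements": sorted(extra)})
        if missing:
            findings.append({"kind": "under_provisioned", "id": ident, "entitlements": sorted(missing)})
        for a, b in SOD_RULES:
            if a in held and b in held:
                findings.append({"kind": "sod_violation", "id": ident, "entitlements": [a, b]})
    for f in findings:
        f["remediation"] = REMEDIATION[f["kind"]]
    return findings


def run_reconciliation():
    return reconcile(expected_access(HRIS, CONTRACTORS), ACTUAL)


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"{f['kind']:26} {f['id']:10} {f['entitlements']}  ->  {f['remediation']}")
```

The useful property is that a clean reconciliation is itself the audit evidence the "evidence as a first-class output" principle asks for: an empty findings list proves, at that moment, that nothing remains for leavers and that every grant traces to a role. Note that the lapsed contractor is caught by the end date even though the register still says "active", which is why expiry is evaluated, not just status.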

Anti-patterns this design eliminates

Help desk as source of truth

Identity events driven by tickets and memory instead of authoritative systems — the root of orphaned access.

Standing & shared privilege

Permanent admin rights and shared credentials — the 24/7 attack surface attackers prize most.

Network as trust

"Inside the firewall" treated as trusted — the assumption nearly every modern breach exploits.

Ungoverned machine identity

Service accounts, tokens and agents with no owner, no scope and no rotation.

Scattered, short-lived logs

Identity telemetry spread across systems with retention too short to investigate an incident.

MFA gaps & silent exceptions

Coverage holes and undocumented exemptions — where one missing control becomes a breach.

Adoption roadmap

A pragmatic sequence — risk-reduction first, optimisation later. Most organisations sit mid-Phase 2.

Phase 1 · Foundations · 0–6 months

Get the truth and the doors right

Authoritative-source-driven joiner-mover-leaver automation, MFA on every internet-facing door, privileged credentials vaulted, and identity logs centralised. Closes the gaps behind most incidents.

Phase 2 · Governance · 6–18 months

Make access provable

RBAC with risk-based certifications and separation-of-duties, brokered and recorded privileged sessions, conditional access, and a non-human identity inventory with owners.

Phase 3 · Optimised · 18 months+

Toward Zero Trust

Just-in-time / near-zero standing privilege, phishing-resistant MFA everywhere, per-request context-aware access, ITDR with posture management, and governed AI & agent identity.

Usage & licence

Free to adopt and adapt as a starting blueprint for client engagements, internal programs or RFP responses — please retain attribution to Aditi Shah · helloaditi.au. Vendor-neutral by design; map the capabilities to your chosen platforms. Provided as-is, without warranty.

Enterprise IAM Reference Architecture · v1.0 · 2026

Want to know where your own program sits against this? Run the IAM Maturity Index or work through the Identity Security Baseline — and get in touch to design it for real.