Reference architecture · reviewed 2026-05-22

Regulated-enterprise IAM reference architecture

IAM architecture for a regulated enterprise — banking, healthcare, government, energy — with continuous audit obligations.

Audience

CISO / IAM Director at a regulated enterprise designing for continuous audit-readiness, not point-in-time compliance.

Assumptions

Multiple regulatory frameworks apply (e.g. FFIEC + SOC 2, or HIPAA + HITRUST, or FedRAMP + state regulators)
Audit cycle is continuous, not annual
Workforce 10K+; both office + clinical / branch / field workers
Mature security organization (CISO + SOC + GRC team)

Components

The pieces that make it up.

Workforce IdP
Conditional Access + risk-based MFA. Sign-in policies per app-risk class.
IGA platform (SailPoint / Saviynt)
Risk-tiered certification campaigns. SoD enforcement. Continuous evidence emission.
PAM platform (CyberArk / BeyondTrust / Delinea)
Vault + session monitoring + JIT elevation on all production privileged access.
Evidence pipeline
Continuous emission of audit evidence from IdP / IGA / PAM into a long-term evidence store.
Compliance dashboard
Real-time view of control state across frameworks. Maps to control IDs (NIST 800-53, ISO 27001, SOC 2 TSC).
SIEM + ITDR
Identity threat detection + investigation. SOC integration.
B2B / partner federation (optional)
For regulated B2B partners (e.g. banking-to-bank-service-provider).

Key decisions

The decisions that define the architecture.

Evidence emission is continuous, not quarterly
The audit cycle is continuous; manual evidence collection breaks before the second framework lands. Evidence-as-code is non-negotiable at this scale.
Risk-tiered certification cadence
High-risk applications quarterly. Mid-risk semi-annually. Low-risk annually. Reviewers see manageable batch sizes; rubber-stamp rate drops.
Zero standing privileged accounts on production
Auditors increasingly cite standing privilege as a Category-1 finding. Eliminate it; you eliminate the finding class.
Unified control mapping across frameworks
A control implemented once should satisfy all applicable frameworks. Maintain the crosswalk (NIST → ISO → SOC 2 → HIPAA → FFIEC) so you don't reimplement.
Quarterly tabletop exercises
Incident response runbooks must be tested. A breached-credential scenario tabletop catches gaps before the real incident does.

Trade-offs

What you gain. What you pay for it.

Gain
Auditor-ready continuously, not just at cycle-end
Cost
Higher upfront engineering investment in evidence pipeline.
Gain
Reduced audit findings + faster cycle close
Cost
Initial-year audit-prep is heavier; payoff is years 2+.
Gain
Multiple frameworks supported with one program
Cost
Crosswalk maintenance requires a dedicated compliance lead.

The unique demand of regulated enterprises

Unlike unregulated mid-market, regulated enterprises operate on a continuous-audit clock. Findings accumulate; remediation has documentation overhead; new regulators arrive (e.g. NYDFS Part 500, state privacy laws). The IAM program must be designed to absorb framework churn without re-architecting.

What auditors actually look for in 2026

Recent trends from FedRAMP, FFIEC, HHS-OCR examinations:

Continuous evidence — not "screenshots two weeks before the audit"
Phishing-resistant MFA on privileged accounts (no more SMS for admins)
JIT elevation evidence (auditors actively test for standing privilege)
Cross-domain access controls (B2B + third-party identity treated as part of your control environment)
Risk-based authentication on consumer-facing surfaces (FFIEC 2021 supplement)

Design this for us?

The reference is a starting point. We design + deliver the program.

Talk to an architectMore architectures