Reference architecture · reviewed 2026-05-22

Zero Trust IAM reference architecture

A practical Zero Trust IAM architecture for an enterprise with a hybrid workforce + multi-cloud + SaaS portfolio.

Audience

Mid-large enterprise CISO / Identity Architect designing a Zero Trust modernization arc over 18-36 months.

Assumptions

Workforce of 5,000-50,000 with a mix of office, remote, and BYOD
Multi-cloud (AWS + Azure + GCP, or two of three)
100-500 SaaS applications integrated for SSO
Existing IdP + AD; modernizing, not greenfield
Privileged access platform deployed (CyberArk / BeyondTrust / Delinea)

Components

The pieces that make it up.

Identity Provider (IdP)
Authoritative authentication; Conditional Access policy engine; SSO to all federated apps.
IGA platform
Lifecycle automation, access certifications, SoD enforcement, role mining.
PAM platform
Privileged credential vault, session monitoring, JIT elevation.
Identity-aware proxy
Pre-application authorization. Removes the VPN as the perimeter.
Endpoint posture provider
Device-trust signal feeding into the IdP Conditional Access engine.
Risk engine
Real-time risk score from sign-in patterns, geo, device, behavior.
Policy decision point (PDP)
Externalized authorization for applications. RBAC + ABAC + ReBAC.
SIEM / XDR
Aggregates identity events; runs ITDR detection rules.

Key decisions

The decisions that define the architecture.

IdP is the sole source of authentication
All apps federate to the IdP. No local accounts on production systems. No standalone user stores. Single audit point.
No standing privileged accounts
Privileged access is JIT only. The PAM platform issues credentials at request time, scoped to the task, bounded in duration.
Externalized authorization
Applications query a central PDP for authorization decisions. Avoids stuffing roles into tokens; avoids per-app authorization drift.
Continuous risk-based authentication
Authentication isn't a one-time gate. Risk score is recomputed on each high-value action; step-up MFA on anomaly.
Identity-aware proxy in front of internal apps
No VPN. Per-app access policies enforced at the proxy. Lateral movement is structurally limited.

Trade-offs

What you gain. What you pay for it.

Gain
Lateral movement structurally limited
Cost
Identity-aware proxy is a new perimeter to operate (HA, latency budget, change cadence).
Gain
JIT eliminates standing-privilege attack surface
Cost
Developers + operators must change muscle memory; small ops friction.
Gain
Externalized authorization gives a single audit point
Cost
PDP becomes critical infrastructure; SLA + redundancy concerns.
Gain
Risk-based MFA reduces friction on low-risk sessions
Cost
False-positive rate must be tuned; user trust depends on consistent behavior.

The diagram in one paragraph

Users (workforce, contractors, B2B partners) authenticate to the IdP. The IdP consults the risk engine + endpoint posture before issuing tokens. Tokens federate to either the identity-aware proxy (for internal apps) or directly to SaaS (via SAML/OIDC). For privileged actions, the PAM platform issues JIT credentials scoped to the task. Every authentication + authorization decision flows to the SIEM/XDR for ITDR detection.

What this architecture is not

Not a product list. Not "buy these 8 things and you're zero trust." Not a 6-month project. The components are 8+; the modernization arc is 18-36 months at mid-enterprise scale; the cost is closer to a transformation program than a tool deployment.

Phasing

A workable phasing for an existing enterprise (already has IdP + AD + some IGA + some PAM):

Phase 1 (months 0-6): Conditional Access policies + device-trust integration. Workforce MFA at 100%. Phishing-resistant MFA for privileged.
Phase 2 (months 6-12): IGA modernization (cloud IGA, risk-tiered certifications, JML automation).
Phase 3 (months 12-18): PAM standing-privilege elimination. JIT elevation deployed to all production systems.
Phase 4 (months 18-24): Identity-aware proxy rollout for internal apps. VPN deprecation arc.
Phase 5 (months 24-36): Externalized authorization for the application portfolio. PDP integration.

Design this for us?

The reference is a starting point. We design + deliver the program.

Talk to an architectMore architectures

The pieces that make it up.

Identity Provider (IdP)

Authoritative authentication; Conditional Access policy engine; SSO to all federated apps.

IGA platform

Lifecycle automation, access certifications, SoD enforcement, role mining.

PAM platform

Privileged credential vault, session monitoring, JIT elevation.

Identity-aware proxy

Pre-application authorization. Removes the VPN as the perimeter.

Endpoint posture provider

Device-trust signal feeding into the IdP Conditional Access engine.

Risk engine

Real-time risk score from sign-in patterns, geo, device, behavior.

Policy decision point (PDP)

Externalized authorization for applications. RBAC + ABAC + ReBAC.

SIEM / XDR

Aggregates identity events; runs ITDR detection rules.

The decisions that define the architecture.

IdP is the sole source of authentication

All apps federate to the IdP. No local accounts on production systems. No standalone user stores. Single audit point.

No standing privileged accounts

Privileged access is JIT only. The PAM platform issues credentials at request time, scoped to the task, bounded in duration.

Externalized authorization

Applications query a central PDP for authorization decisions. Avoids stuffing roles into tokens; avoids per-app authorization drift.

Continuous risk-based authentication

Authentication isn't a one-time gate. Risk score is recomputed on each high-value action; step-up MFA on anomaly.

Identity-aware proxy in front of internal apps

No VPN. Per-app access policies enforced at the proxy. Lateral movement is structurally limited.

What you gain. What you pay for it.

Gain

Lateral movement structurally limited

Cost

Identity-aware proxy is a new perimeter to operate (HA, latency budget, change cadence).

Gain

JIT eliminates standing-privilege attack surface

Cost

Developers + operators must change muscle memory; small ops friction.

Gain

Externalized authorization gives a single audit point

Cost

PDP becomes critical infrastructure; SLA + redundancy concerns.

Gain

Risk-based MFA reduces friction on low-risk sessions

Cost

False-positive rate must be tuned; user trust depends on consistent behavior.

The diagram in one paragraph

Phasing

A workable phasing for an existing enterprise (already has IdP + AD + some IGA + some PAM):

Phase 1 (months 0-6): Conditional Access policies + device-trust integration. Workforce MFA at 100%. Phishing-resistant MFA for privileged.

Phase 2 (months 6-12): IGA modernization (cloud IGA, risk-tiered certifications, JML automation).

Phase 3 (months 12-18): PAM standing-privilege elimination. JIT elevation deployed to all production systems.

Phase 4 (months 18-24): Identity-aware proxy rollout for internal apps. VPN deprecation arc.

Phase 5 (months 24-36): Externalized authorization for the application portfolio. PDP integration.