Closing the Identity Gap Between SSO and Zero Trust

Most organisations have made real progress with identity:

  • SSO has rolled out
  • MFA is deployed
  • Zero Trust is in the strategy documents

From a boardroom perspective, the identity programme looks healthy. However, speak to the teams responsible for running the identity infrastructure and you’ll hear a different story.

Identity data is still spread across multiple locations that do not always agree with each other. Consequently, the following scenarios are not uncommon:

  • HR says someone transferred three weeks ago, but their old access is still active.
  • A contractor, offboarded from the main directory, still has an account on another system that nobody thought to check.
  • Audit season arrives and the team spends weeks pulling together evidence from different platforms, aware of gaps they cannot close.

The login page may look modern, but the essential infrastructure underneath has not kept pace.

The Gap Nobody Talks About

There are five structural problems lurking below the SSO layer that most organisations have not addressed.

1. Identity Data is Fragmented

No single system can confidently answer, “what access does this person actually have, and is it still appropriate”. HR holds one view, the directory another, while contractor systems, app-specific user stores, and cloud platforms all hold their own. There is no single master record.

2. Join-Mover-Leaver is Manual

The joiner side has improved, but mover events tend to be where things fall apart. A role change rarely triggers a clean removal of old access in the same transaction that grants the new. Leavers are worse. The primary account becomes disabled, but downstream application accounts, shared credentials, and orphaned group memberships persist.

3. Authentication has Outrun Authorisation

Organisations have invested heavily in MFA, conditional access, and passwordless, but authentication only answers, “is this person who they claim to be”. The harder question, “should this person have access to this resource, at this classification, in this context, right now” is still being answered application by application, using coarse groups and hardcoded exceptions. This is not Zero Trust. It is perimeter security with extra steps.

4. Policy Enforcement is Inconsistent

When every application implements its own access control, a change in organisational policy means updating every system individually. In practice, some get updated, some get a workaround, and some get an exception.

5. Audit Evidence is Expensive and Incomplete

All the above compound at audit time. The team assembles evidence manually, fills gaps with attestations, and hopes the auditor does not pull too hard on any thread.

Why it is Getting Worse

Three trends are making these problems more urgent.

Cloud adoption has created multi-platform estates made up of systems that were never designed to coexist. Entra ID is excellent at what it does, but it was not designed to be the master for every identity attribute across every platform. Organisations are hitting this wall as they try to cover fine-grained access control, non-SAML applications, or air-gapped environments.

Regulatory expectations have become specific and measurable. Essential Eight, SOCI, and DISP in Australia – along with NIST Zero Trust frameworks in the U.S. and NIS2 in Europe – now require demonstrable identity and access management practices. Auditors want evidence, not narrative.

Zero Trust has moved from aspiration to mandatory. However, without reliable identity data, dynamic authorisation, and least-privilege enforcement, it is just a new label on the same old architecture.

The Missing Layer

The answer is not to rip out what you have. It is to add the missing layer: a sovereign identity control plane that provides identity data mastering, lifecycle automation, and dynamic authorisation alongside your existing platforms.

The pattern has four parts:

1. Authoritative Identity Aggregation

This component pulls data from every source into a single mastered record, continuously, handling the messy reality of conflicting attributes and edge cases.

2. Trusted Master User Record

Represents the organisation’s real structure with the rich attribute set needed for fine-grained access decisions.
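The aggregation and master-record components above are easier to picture with code. The following is an added example, not the white paper's or any product's implementation: it merges three constructed sources (an HR system, a contractor register, a central directory and an application's local user store, all invented for this example) into one mastered record per person, and then reconciles that record against the lifecycle problems described earlier (a leaver whose downstream account is still enabled, orphaned group memberships left on a disabled account, a mover still holding the old department's entitlements, and an account with no authoritative source at all). The precedence rule (HR and contractor systems own status and department) and the entitlement-to-department mapping are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data. Person IDs, names, groups and roles are invented;
# the three sources deliberately disagree, as real estates do.
HR = {
    "p001": {"name": "Ada", "status": "active", "department": "Finance"},
    "p002": {"name": "Ben", "status": "terminated", "department": "Engineering"},
}
CONTRACTORS = {
    "c001": {"name": "Cy", "status": "ended", "department": "Engineering"},
}
DIRECTORY = {  # central directory: enabled flag plus group memberships
    "p001": {"enabled": True, "groups": ["fin-staff", "eng-staff"]},  # moved Eng -> Finance
    "p002": {"enabled": False, "groups": ["eng-staff"]},              # disabled, groups linger
    "c001": {"enabled": False, "groups": []},
}
APP_STORE = {  # an application with its own local user store
    "p001": {"enabled": True, "roles": ["ledger-read"]},
    "p002": {"enabled": True, "roles": ["deploy"]},   # leaver, never disabled here
    "c001": {"enabled": True, "roles": ["deploy"]},   # contractor, never disabled here
    "x999": {"enabled": True, "roles": ["deploy"]},   # nobody knows who this is
}

# Which department each entitlement is meant for (assumed mapping).
ENTITLEMENT_OWNER = {"fin-staff": "Finance", "eng-staff": "Engineering",
                     "ledger-read": "Finance", "deploy": "Engineering"}
LEAVER_STATUSES = {"terminated", "ended"}


@dataclass
class MasterRecord:
    person_id: str
    name: str
    status: str            # owned by the authoritative source (HR or contractor register)
    department: str
    source_of_truth: str   # which source supplied status and department
    accounts: dict = field(default_factory=dict)  # system -> {"enabled", "entitlements"}


def build_master(hr, contractors, directory, app_store):
    """Aggregate every source into one record per person.

    Returns (master, unmastered): unmastered holds accounts found in a
    downstream system for which no authoritative source exists.
    """
    master = {}
    for src_name, src in (("hr", hr), ("contractors", contractors)):
        for pid, rec in src.items():
            master[pid] = MasterRecord(pid, rec["name"], rec["status"],
                                       rec["department"], src_name)
    unmastered = {}
    for system, store, key in (("directory", directory, "groups"),
                               ("app_store", app_store, "roles")):
        for pid, acct in store.items():
            entry = {"enabled": acct["enabled"], "entitlements": list(acct[key])}
            if pid in master:
                master[pid].accounts[system] = entry
            else:
                unmastered.setdefault(pid, {})[system] = entry
    return master, unmastered


def reconcile(master, unmastered):
    """Compare the mastered record with every downstream account and report drift.

    Each finding is (person_id, system, finding_type, detail).
    """
    findings = []
    for pid, rec in master.items():
        for system, acct in rec.accounts.items():
            if rec.status in LEAVER_STATUSES:
                if acct["enabled"]:          # leaver still able to log in downstream
                    findings.append((pid, system, "leaver_account_active",
                                     ",".join(acct["entitlements"])))
                elif acct["entitlements"]:   # disabled, but memberships never cleaned up
                    findings.append((pid, system, "residual_entitlements",
                                     ",".join(acct["entitlements"])))
            else:
                for ent in acct["entitlements"]:
                    owner = ENTITLEMENT_OWNER.get(ent)
                    if owner and owner != rec.department:  # mover kept old access
                        findings.append((pid, system, "stale_access_after_move", ent))
    for pid, accounts in unmastered.items():
        for system in accounts:
            findings.append((pid, system, "no_authoritative_source", ""))
    return sorted(findings)


def run_reconciliation():
    master, unmastered = build_master(HR, CONTRACTORS, DIRECTORY, APP_STORE)
    return reconcile(master, unmastered)


if __name__ == "__main__":
    for finding in run_reconciliation():
        print(finding)
```

Each finding is evidence an auditor can be shown, produced continuously rather than assembled by hand at audit time; in a real deployment the same comparison would drive the remediation step (disable, remove membership, or open a ticket for the unknown account) rather than just reporting.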

3. Centralised, Fine-Grained Authorisation

Evaluates access in real time based on attributes, context, and dynamic risk signals, with a single policy applied globally, and a consistent audit stream.
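To show what "a single policy applied globally, with a consistent audit stream" means in practice, here is an added example (not the white paper's or any product's code) of a small attribute-based authorisation service. Subjects carry attributes from the master record (status, department, clearance) plus session facts (MFA), resources carry a classification and owning department, and the request context carries dynamic risk signals. Every decision goes through one `authorize` function and is written to one audit list. The classification scale, the rule order and the risk threshold are assumptions for the example, not a recommended policy.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed classification scale; higher number means more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
RISK_DENY_THRESHOLD = 70   # assumed cut-off for the session risk signal


@dataclass(frozen=True)
class Subject:
    user_id: str
    status: str          # lifecycle status taken from the master record
    department: str
    clearance: str       # highest classification the person may access
    mfa: bool            # was this session authenticated with MFA?


@dataclass(frozen=True)
class Resource:
    resource_id: str
    classification: str
    owner_department: str


@dataclass(frozen=True)
class Context:
    device_managed: bool
    risk_score: int      # 0-100 dynamic risk signal supplied by the session


AUDIT_LOG = []   # one audit stream shared by every application that calls authorize()


def evaluate(subject, resource, context):
    """Apply the single global policy. Rules run in order; the first deny wins.

    Returns (decision, reason) so the reason can be logged and explained.
    """
    needed = LEVELS[resource.classification]
    if subject.status != "active":
        return "deny", "subject is not active in the master record"
    if LEVELS[subject.clearance] < needed:
        return "deny", f"clearance {subject.clearance} is below {resource.classification}"
    if subject.department != resource.owner_department:
        return "deny", "resource belongs to another department"
    if needed >= LEVELS["confidential"]:
        if not subject.mfa:
            return "deny", "MFA required for confidential or higher"
        if not context.device_managed:
            return "deny", "managed device required for confidential or higher"
    if context.risk_score >= RISK_DENY_THRESHOLD:
        return "deny", f"session risk {context.risk_score} is above threshold"
    return "permit", "all policy rules satisfied"


def authorize(subject, resource, context):
    """Single entry point: evaluate, record the full decision, return the verdict."""
    decision, reason = evaluate(subject, resource, context)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": asdict(subject),
        "resource": asdict(resource),
        "context": asdict(context),
        "decision": decision,
        "reason": reason,
    })
    return decision


if __name__ == "__main__":
    ada = Subject("p001", "active", "Finance", "confidential", mfa=True)
    ledger = Resource("ledger", "confidential", "Finance")
    print(authorize(ada, ledger, Context(device_managed=True, risk_score=10)))   # permit
    print(authorize(ada, ledger, Context(device_managed=True, risk_score=85)))   # deny
    print(AUDIT_LOG[-1]["reason"])
```

Because the application only asks `authorize()` and never interprets groups itself, changing organisational policy means changing `evaluate()` once; the audit entry records the exact attributes and context that produced each decision, which is the evidence auditors ask for.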

4. Sovereign Authentication and Resilience

Federates with your cloud identity provider for daily use. It also provides a direct, phishing-resistant authentication path when the primary provider is unavailable or sovereignty is required.

Each component delivers standalone value. You can start with whichever problem is most pressing and build from there.

Proven Architecture

The architecture described here has been validated end-to-end for a client to deliver the full Zero Trust lifecycle across multi-cloud and federated boundaries.

The core products are deployed across more than 30 countries, serving national defence agencies, air traffic management providers, major telecommunications carriers, and government departments in classified environments.

Download the Full White Paper

Closing the Gap Between SSO and Zero Trust

Download the full white paper for reference and distribution.