Architecture 20 — Identity & Key Custody Fabric

Reference Architecture Diagram + Narrative (IdP/MFA + PAM/JIT + HSM/KMS/PKI + Secrets)

                       ┌────────────────────────────────────────────────┐
                       │         SOURCES OF IDENTITY & ENTITLEMENT      │
   HRIS/ERP  ▸  Directory (AAD/LDAP)  ▸  B2B/B2C Portals  ▸  Service Accounts
   (join/move/leave events)              (partners/citizens)   (apps/robots)
                        └───────────┬───────────────┬───────────────┬────┘
                                   │               │               │
                                   ▼               ▼               ▼
        ┌──────────────────────────────────────────────────────────────────┐
        │                    IDENTITY PROVIDER & ACCESS LAYER              │
        │  ▸ IdP/SSO (SAML/OIDC)  ▸ MFA/FIDO2/WebAuthn  ▸ SCIM lifecycle   │
        │  ▸ UEM/MDM posture (OS, patch, crypto)  ▸ Risk-based policies    │
        └───────────────┬──────────────────────────────────────────────────┘
                        │                policy-as-code (ABAC/OPA/Rego)
                        ▼
        ┌──────────────────────────────────────────────────────────────────┐
        │     PRIVILEGED ACCESS MGMT (PAM/JIT) & SESSION RECORDING         │
        │  ▸ Vaulted creds ▸ JIT elevation ▸ Dual control ▸ Full replay     │
        │  ▸ Break-glass workflows ▸ Approval chains ▸ Time-boxed access    │
        └───────────────┬────────────────────────────┬──────────────────────┘
                        │                            │
                        ▼                            ▼
    ┌──────────────────────────────────┐    ┌──────────────────────────────────┐
    │   HSM / KMS / PKI (KEY FABRIC)   │    │        SECRETS MANAGEMENT        │
    │ ▸ Root-of-Trust ceremonies       │    │ ▸ App/CI/CD/Runtime secrets      │
    │ ▸ CA/RA  ▸ Cert issuance (mTLS)  │    │ ▸ Namespaces/leases/rotation     │
    │ ▸ Envelope/TDE/Tokenization      │    │ ▸ Dynamic DB/API credentials     │
    │ ▸ Rotation & crypto-erasure      │    │ ▸ Transit encryption-as-a-svc    │
    └───────────────┬──────────────────┘    └──────────────────┬───────────────┘
                    │                                          │
                    ▼                                          ▼
  ┌──────────────────────────────────────────┐   ┌─────────────────────────────┐
  │  ACCESS TARGETS (ALL DOMAINS #1–19)      │   │   SIGNING & TRUST SERVICES  │
  │  ▸ ZTNA/SASE POPs  ▸ Apps/APIs  ▸ DBs    │   │  ▸ Image/Artifact Sign (CI) │
  │  ▸ Meshes (mTLS)  ▸ SD-WAN/Segs/OT/PCI   │   │  ▸ Code/Doc/Email Signing   │
  └──────────────────────────────────────────┘   │  ▸ Notarization/WORM links  │
                                                 └─────────────────────────────┘

 Telemetry & Governance  ──►  SIEM/SOAR (UEBA)  ▸  AIOps  ▸  ITSM/CMDB  ▸  GRC/Audit (WORM/holds)

Narrative (how identity, privilege, and keys stay coherent across everything)

1) Purpose & posture

  • Objective: Establish a single, provable trust fabric for humans, machines, and data that defines who may do what, where, when, and with which keys, everywhere across Architectures #1–19.
  • Posture: Identity-first + least privilege, device-aware, keys-as-a-service, secrets minimized and rotated, evidence-by-default.

2) Sources of truth → IdP (syntax of “who”)

  • HRIS/ERP emits join/move/leave events; SCIM drives account lifecycle.
  • IdP/SSO (SAML/OIDC) unifies authentication; MFA with FIDO2/WebAuthn binds users to phishing-resistant, device-bound authenticators.
  • UEM/MDM + EDR posture is a policy signal (OS, patch, disk crypto, sensor health) for adaptive access.

3) PAM/JIT (semantics of “who may do what, for how long”)

  • Vaulted secrets for infrastructure and OT; JIT elevation issues ephemeral creds; dual control and session recording create replayable evidence.
  • Break-glass paths are isolated, logged, and post-reviewed; every privileged step links to a ticket/change in ITSM/CMDB.
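Sections 2 and 3 describe two decisions that the access and PAM layers make on every request: an adaptive-access verdict from identity, MFA strength and device posture, and a JIT elevation that must carry a ticket, dual approval and a time box. The Go program below is an added example written for this page; it is not SolveForce code and not any product's API. The attribute names, the "ops-oncall" role, the 30-day patch threshold and the 4-hour TTL cap are assumptions chosen for illustration. In the reference design the `Evaluate` logic would be expressed as an OPA/Rego policy fed the same attributes; it is plain Go here so that it runs on its own.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Principal is what the IdP asserts after SSO: the subject, its roles and the
// MFA method actually used for this session ("fido2", "totp", "sms" or "").
type Principal struct {
	Subject string
	Roles   map[string]bool
	MFA     string
}

// Posture is the UEM/MDM + EDR signal the access layer consults per request.
type Posture struct {
	Managed, DiskEncrypted, EDRHealthy bool
	PatchAgeDays                       int
}

// Request is the access being evaluated; Sensitivity is "low", "high" or "privileged".
type Request struct {
	Resource, Action, Sensitivity string
}

// Decision is the verdict plus a reason that is logged to the SIEM as evidence.
type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate is an ABAC decision written in Go for illustration; in the reference
// design the same attributes would be the input document of an OPA/Rego policy.
func Evaluate(p Principal, d Posture, r Request) Decision {
	if !d.Managed || !d.EDRHealthy {
		return Decision{false, "device not managed or EDR sensor unhealthy"}
	}
	switch r.Sensitivity {
	case "low":
		if p.MFA == "" {
			return Decision{false, "MFA required"}
		}
	case "high", "privileged":
		if p.MFA != "fido2" { // only FIDO2/WebAuthn counts as phishing-resistant here
			return Decision{false, "phishing-resistant MFA required"}
		}
		if !d.DiskEncrypted || d.PatchAgeDays > 30 {
			return Decision{false, "device posture below bar for sensitive resource"}
		}
	default:
		return Decision{false, "unknown sensitivity class: deny by default"}
	}
	if r.Sensitivity == "privileged" && !p.Roles["ops-oncall"] {
		return Decision{false, "role not entitled to privileged access"}
	}
	return Decision{true, "policy satisfied"}
}

// JITGrant is an ephemeral, time-boxed elevation linked to an ITSM ticket.
type JITGrant struct {
	Subject, Resource, Ticket string
	Approvers                 []string
	NotBefore, NotAfter       time.Time
}

// IssueJIT applies the PAM rules from the narrative: a ticket reference, dual
// control by two distinct approvers who are not the requester, and a capped TTL.
func IssueJIT(subject, resource, ticket string, approvers []string, ttl time.Duration, now time.Time) (JITGrant, error) {
	const maxTTL = 4 * time.Hour // hypothetical cap, tune to policy
	if ticket == "" {
		return JITGrant{}, errors.New("JIT elevation requires an ITSM ticket")
	}
	if len(approvers) < 2 || approvers[0] == approvers[1] {
		return JITGrant{}, errors.New("dual control requires two distinct approvers")
	}
	for _, a := range approvers {
		if a == subject {
			return JITGrant{}, errors.New("requester cannot approve their own elevation")
		}
	}
	if ttl <= 0 || ttl > maxTTL {
		return JITGrant{}, fmt.Errorf("ttl must be within (0, %s]", maxTTL)
	}
	return JITGrant{subject, resource, ticket, approvers, now, now.Add(ttl)}, nil
}

// Valid reports whether the grant covers the given instant (time-boxed access).
func (g JITGrant) Valid(now time.Time) bool {
	return !now.Before(g.NotBefore) && now.Before(g.NotAfter)
}

func main() {
	p := Principal{Subject: "alice", Roles: map[string]bool{"ops-oncall": true}, MFA: "fido2"}
	d := Posture{Managed: true, DiskEncrypted: true, EDRHealthy: true, PatchAgeDays: 3}
	fmt.Println(Evaluate(p, d, Request{"prod-db", "admin", "privileged"}))
}
```

The deny branches return a reason string on purpose: the SIEM/SOAR layer in section 7 needs the reason, not just the verdict, to correlate a denied privileged request with the login and posture events behind it. `IssueJIT` takes `now` as a parameter rather than reading the clock so that time-box behaviour can be tested deterministically.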

4) HSM/KMS/PKI (meaning with custody)

  • HSM anchors Root-of-Trust ceremonies; PKI issues short-lived certificates for mTLS (apps, meshes, ZT connectors, IoT).
  • KMS provides envelope encryption (DB TDE, object storage), tokenization/pseudonymization for PCI/PHI/PII, and crypto-erasure procedures for emergency sanitization.
  • Rotations are automatic and provable (attested events stored immutably).
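To make section 4's envelope encryption, key rotation and crypto-erasure concrete, here is an added Go example using the standard library's AES-256-GCM. It is not code from this page and not any vendor's KMS API; the in-memory `KMS` type is an assumption standing in for an HSM-backed key service. The KEKs never leave it, `Rotate` adds a key version, `Rewrap` moves an envelope onto the newest version without touching the data ciphertext, and `CryptoErase` discards every KEK so that the stored ciphertext becomes unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for the HSM-backed key service: versioned KEKs that never leave it (build as &KMS{keks: map[int][]byte{}}).
type KMS struct {
	keks    map[int][]byte
	current int
}

// Rotate adds a KEK version; older versions stay until erased so envelopes can still be opened and re-wrapped.
func (k *KMS) Rotate() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	k.current++
	k.keks[k.current] = kek
	return nil
}

// CryptoErase discards every KEK: all envelopes become unrecoverable while the stored ciphertext is untouched.
func (k *KMS) CryptoErase() { k.keks = map[int][]byte{} }

// gcm/seal/open implement AES-256-GCM; seal prefixes its random nonce to the output.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Envelope is stored beside the data; the plaintext DEK is never persisted.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Data       []byte
}

// Encrypt seals the data under a fresh per-object DEK, then wraps that DEK under the current KEK.
func Encrypt(k *KMS, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	data, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(k.keks[k.current], dek)
	return Envelope{k.current, wrapped, data}, err
}

// Decrypt unwraps the DEK under the recorded KEK version (a retired or erased version yields a nil key, hence an error).
func Decrypt(k *KMS, e Envelope) ([]byte, error) {
	dek, err := open(k.keks[e.KEKVersion], e.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap under KEK v%d: %w", e.KEKVersion, err)
	}
	return open(dek, e.Data)
}

// Rewrap moves an envelope onto the current KEK after rotation without re-encrypting the (possibly huge) data.
func Rewrap(k *KMS, e Envelope) (Envelope, error) {
	dek, err := open(k.keks[e.KEKVersion], e.WrappedDEK)
	if err != nil {
		return e, fmt.Errorf("unwrap under KEK v%d: %w", e.KEKVersion, err)
	}
	wrapped, err := seal(k.keks[k.current], dek)
	return Envelope{k.current, wrapped, e.Data}, err
}
```

Usage: `k := &KMS{keks: map[int][]byte{}}; k.Rotate()` creates version 1; `Encrypt` produces an envelope tagged with that version; after a second `Rotate`, `Rewrap` re-keys only the wrapped DEK. The attested, immutably stored rotation events the narrative calls for would be emitted from `Rotate` and `Rewrap` in a real deployment; AES-GCM's authentication tag is what makes a tampered envelope fail rather than decrypt to garbage.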

5) Secrets management (reduce, rotate, remove)

  • Dynamic secrets (DB/API) on short leases; revocation/rotation on demand.
  • Namespaces per app/team/tenant; transit encryption service for apps without local crypto.
  • Tight coupling to CI/CD (Architecture 19) for signed artifacts, policy-gated deploys, and zero plaintext in pipelines.

6) Targets (everywhere the trust is consumed)

  • SASE/ZTNA enforces identity+device context; service meshes trust only PKI-issued mTLS.
  • SD-WAN/Segmentation policies ingest identity/role tags to steer and restrict flows (PCI/PHI/OT).
  • DBs/Datalakes/APIs consume KMS keys and tokenization controls; code/docs/email use signing/notarization for non-repudiation.

7) Telemetry, GRC & evidence (pragmatics of trust)

  • SIEM/SOAR (with UEBA) fuses IdP events, PAM replays, KMS/PKI logs, and secrets usage; playbooks can revoke tokens, expire certs, rotate keys, quarantine accounts, open ITSM incidents, and stamp GRC evidence.
  • WORM/Audit vault stores key ceremonies, cert CRLs/OCSP, PAM videos, policy snapshots, and legal holds, mapped to frameworks (PCI, HIPAA, CJIS, NERC, ISO, SOC 2, GDPR).
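Section 7's fusion of IdP, PAM and PKI telemetry into SOAR playbooks, as an added Go example that is not part of the page and does not reflect any real SIEM's schema: the event shape, the three rules and the playbook action names are assumptions, and the log lines are constructed. It flags a privileged session without a ticket, a privileged session not backed by a fresh phishing-resistant login from a compliant device, and a certificate inside a 72-hour expiry window (the cert expiry SLO from the KPIs). Findings carry proposed actions; executing them is left to the playbook engine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is the normalized record the SIEM would hold for IdP, PAM and PKI sources; only the fields these rules need are modelled.
type Event struct {
	Source  string    `json:"source"` // "idp", "pam", "pki"
	Type    string    `json:"type"`   // "login", "session_start", "cert_issued"
	Subject string    `json:"subject"`
	Time    time.Time `json:"time"`
	MFA     string    `json:"mfa"`     // IdP: method used
	Posture string    `json:"posture"` // IdP: "pass" or "fail" from UEM/EDR
	Ticket  string    `json:"ticket"`  // PAM: linked ITSM change
	Target  string    `json:"target"`  // PAM/PKI: host or certificate subject
	Expires time.Time `json:"expires"` // PKI: notAfter
}

// Finding pairs a rule hit with the SOAR playbook steps it would propose.
type Finding struct {
	Rule, Subject, Detail string
	Actions               []string
}

// sampleLogs are constructed events (not real telemetry), one JSON object per line.
const sampleLogs = `
{"source":"idp","type":"login","subject":"alice","time":"2024-05-01T08:00:00Z","mfa":"fido2","posture":"pass"}
{"source":"idp","type":"login","subject":"bob","time":"2024-05-01T08:05:00Z","mfa":"sms","posture":"fail"}
{"source":"pam","type":"session_start","subject":"alice","time":"2024-05-01T08:30:00Z","ticket":"CHG-1042","target":"prod-db-01"}
{"source":"pam","type":"session_start","subject":"bob","time":"2024-05-01T08:40:00Z","target":"ot-plc-07"}
{"source":"pki","type":"cert_issued","subject":"svc-mesh-gateway","time":"2024-04-28T00:00:00Z","target":"gateway.mesh.internal","expires":"2024-05-03T00:00:00Z"}
`

func ParseEvents(raw string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// Correlate fuses the latest IdP login context into PAM and PKI events (in time order) and emits findings with proposed playbook steps.
func Correlate(events []Event, now time.Time) []Finding {
	lastLogin := map[string]Event{}
	var out []Finding
	for _, e := range events {
		switch {
		case e.Source == "idp" && e.Type == "login":
			lastLogin[e.Subject] = e
		case e.Source == "pam" && e.Type == "session_start":
			if e.Ticket == "" {
				out = append(out, Finding{"pam-no-ticket", e.Subject,
					"privileged session on " + e.Target + " without ITSM ticket",
					[]string{"terminate-session", "open-itsm-incident", "stamp-grc-evidence"}})
			}
			login, ok := lastLogin[e.Subject]
			if !ok || login.MFA != "fido2" || login.Posture != "pass" || e.Time.Sub(login.Time) > 8*time.Hour {
				out = append(out, Finding{"pam-weak-context", e.Subject,
					"privileged session not backed by a fresh FIDO2 login from a compliant device",
					[]string{"revoke-tokens", "quarantine-account", "open-itsm-incident"}})
			}
		case e.Source == "pki" && e.Type == "cert_issued":
			if left := e.Expires.Sub(now); left < 72*time.Hour {
				out = append(out, Finding{"cert-expiry-slo", e.Subject,
					fmt.Sprintf("certificate for %s expires in %s", e.Target, left.Round(time.Hour)),
					[]string{"trigger-renewal", "notify-owner"}})
			}
		}
	}
	return out
}

// RunSample evaluates the constructed log lines at a fixed "now" so results are reproducible.
func RunSample() ([]Finding, error) {
	events, err := ParseEvents(sampleLogs)
	if err != nil {
		return nil, err
	}
	now, _ := time.Parse(time.RFC3339, "2024-05-01T09:00:00Z")
	return Correlate(events, now), nil
}

func main() {
	findings, err := RunSample()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-18s %s -> %v\n", f.Rule, f.Subject, f.Detail, f.Actions)
	}
}
```

On the sample data alice's session is silent (ticket present, FIDO2 login on a passing device 30 minutes earlier), bob's session raises both PAM rules, and the gateway certificate with 39 hours left trips the expiry rule. Every finding names the subject and the evidence so that the GRC stamp and the ITSM incident can reference the same facts the analyst sees.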

Reference KPIs

  • Auth→permit latency: <2 s median
  • Privileged session coverage (recorded): ≥99%
  • Key/secret rotation SLA: ≤24 h (critical ≤60 min)
  • Cert expiry SLO breaches: 0
  • Account lifecycle (J/M/L) completion: ≤15 min propagation
  • Policy conformity (least privilege): >98%

Minimal BOM (aligned with the matrix)

IdP/SSO/MFA (SAML/OIDC/FIDO2), UEM/MDM, EDR/XDR, PAM/JIT + session recording, HSM/KMS/PKI (CA/RA), Secrets manager (dynamic creds, transit enc), Tokenization/Masking, SIEM/SOAR (UEBA), AIOps, ITSM/CMDB, GRC + WORM audit store, Policy-as-Code (OPA/Rego).


- SolveForce -