Frontier Identity is the identity program for what is shipping now: workforce, customer, authorization, and agentic identity.
The Frontier Identity Framework is how we deliver it: three layers of orchestration, mapped by one Identity Ontology.
What Frontier Identity is
Frontier Identity covers four domains: Workforce Identity, Customer Identity, Authorization Modeling, and Agentic Identity Management. Each has its own platform, its own standards, and its own ways to get breached.
Two things make this hard right now. The platforms and the AI on top of them move faster than most teams can keep up with. And the configuration underneath a program is usually too brittle to change quickly.
The Frontier Identity Framework is how we work both problems at once. It is not a maturity model and it will not score your program. It shows where the real work is across the four domains and how the pieces fit together.
The four domains
Most organizations have work in all four at once. For each one, here is the problem we usually find and what we do about it.
Workforce Identity
The platform now carries every decision made since rollout
Workforce identity is where most enterprise IAM programs live. Okta governs employee access: joiner, mover, and leaver workflows, application integrations, adaptive access policies, device trust, and ITDR response.
The hard part is rarely the initial deployment. It is the complexity that accumulates over years of organic growth. Policies encode access assumptions that no longer hold. Integrations were added by engineers who have since left. Nobody can fully explain the group structure.
Policy drift compounds at every joiner, mover, and leaver event. Any migration has to account for dependencies nobody has fully mapped, in an environment where downtime is measured in revenue.
Assess, map, migrate, and hand over
Every engagement starts with a full read of the current Workforce Identity Cloud (WIC) tenant: the integrations, the policies, and the lifecycle workflows.
We map the dependencies and find the gaps between what the policies were meant to do and what they actually do. The plan is built around the tenant you have, not a tidy version of it.
Migration runs as a phased cutover with a rollback for every wave. When it is done we hand over how it all works, so your team can run it without us.
A global financial services firm consolidates its identity providers
A global financial services firm had inherited separate identity providers through acquisition. No single team could answer who had access to what.
We mapped every integration dependency, sequenced business units to move independently, and gave each wave its own rollback plan.
The firm now runs on one workforce identity platform, with a unified view of access across business units and geographies.
Customer Identity
Login has to be easy for customers and hard for attackers
Customer identity sits between security, user experience, and growth. Make registration or login clunky and customers leave. Leave it open to credential stuffing and the breach costs far more than the lost signups.
B2B is the harder version. Enterprise customers bring their own identity providers, expect strict tenant isolation, and ask about federation on the first sales call.
Federation is where most of the risk hides. A trust boundary set up wrong is a direct path into customer data.
Architecture design on Auth0, from login to fine-grained authorization
We design authentication architectures on Auth0 Customer Identity Cloud (CIC), from consumer applications with millions of users to B2B platforms with complex tenancy.
Universal Login centralizes the login experience. Auth0 Organizations model B2B tenancy and tenant isolation. Auth0 Actions carry custom logic at the right extensibility points.
Auth0 FGA enters where the access model needs more than roles: relationship-based authorization, modeled centrally instead of scattered across applications.
24M
users and 250+ applications served by CIAM our architects have delivered
A healthcare SaaS platform redesigns patient authentication
A fast-growing health technology company had outgrown its original authentication architecture. Patients expected the low-friction login of consumer applications. The platform needed HIPAA-compliant handling of protected health information.
We redesigned the customer identity architecture: enterprise federation for hospital partners, progressive profiling to cut registration friction, and step-up verification only where risk warrants it.
New health systems now onboard through a standard federation process, and HIPAA audit evidence generates from authentication logs instead of manual documentation.
Agentic Identity Management
Agents reached production before the identity layer did
AI agents are moving from demos to production. Most operate on broad, static service-account credentials that bypass the access controls human users are held to.
An agent needs a real identity, not a shared service account. It acts on behalf of a person, and the identity system has to record that.
Agents increasingly reach enterprise tools through the Model Context Protocol, which makes the tool call the new authorization boundary.
A delegation chain with attribution at every hop
We model the full delegation chain: Human as principal, IdP as authority, Agent as actor, MCP proxy as control plane, Tool as resource. Every action is authorized by the human the agent acts for, and every hop records it.
The mechanics are open standards, available on current Okta infrastructure. OAuth Actor Tokens (RFC 8693) record the agent acting for the human. Resource indicators (RFC 8707) scope each token to a single audience. FIDO2 or CIBA adds phishing-resistant step-up where a call is high-risk.
We enforce the chain at a single point between agents and MCP servers. Zero changes to existing agents or downstream tools. Every decision logs the agent, the human principal, the tool, and the outcome.
Orchestration on three layers
The four domains are what we work on. Orchestration is how we do it: three layers that let us move a program without taking it down.
Journey Time Orchestration (Layer 1) handles what the user sees and does. Runtime Orchestration (Layer 2) connects any identity provider to any application. Control-Plane Orchestration (Layer 3) changes the configuration underneath both.
All three work from the same map, the Identity Ontology, so a change in one layer stays consistent with the rest.
Diagram of the three orchestration layers. Journey Time Orchestration, Layer 1, covers sign-up, sign-in, and recovery journeys. Runtime Orchestration, Layer 2, lets any identity provider talk to any application. Control-Plane Orchestration, Layer 3, manages users, groups, policies, and authorization data. The Identity Ontology ties all three layers together.
Journey Time Orchestration
Layer 1 is everything the user touches: the screens, the authentication flows, onboarding, and account recovery.
This is registration, login, credential recovery, and stepping up verification when the risk changes. When it works nobody notices. When it does not, you see it in drop-off and support tickets.
We build these flows across all four domains: customer onboarding, workforce recovery, and the approvals an agent has to hand back to a person.
Diagram of the three orchestration layers. Journey Time Orchestration, Layer 1, covers sign-up, sign-in, and recovery journeys. Runtime Orchestration, Layer 2, lets any identity provider talk to any application. Control-Plane Orchestration, Layer 3, manages users, groups, policies, and authorization data. The Identity Ontology ties all three layers together.
Runtime Orchestration
Runtime Orchestration, also called Final-Mile Orchestration, sits between the identity provider and the application. Any identity provider talks to any application, whatever protocol either side speaks.
That covers the application that only speaks a legacy protocol, and the one that will speak whatever comes next. Nothing gets left off the migration because of how it authenticates.
The same layer carries resiliency and continuity: if a provider degrades, sessions continue and access holds. Identity keeps serving the business while the platform underneath it changes.
Diagram of the three orchestration layers. Journey Time Orchestration, Layer 1, covers sign-up, sign-in, and recovery journeys. Runtime Orchestration, Layer 2, lets any identity provider talk to any application. Control-Plane Orchestration, Layer 3, manages users, groups, policies, and authorization data. The Identity Ontology ties all three layers together.
Control-Plane Orchestration
Control-Plane Orchestration manipulates the objects underneath the program: users, groups, policies, authorization data, and related configuration across IAM tooling and connected applications.
The machinery treats configuration as data. Deterministic reads capture tenant state into a normalized model: run the read twice, get the same result. Writes are human-approved, logged with the approver and the full diff. Rollback is a write of the previous version.
Agents execute the repetitive per-application work under that control, with our architects making the policy calls. For Temporal Technologies, that is how 40 applications landed on one IdP in a single day, using the Authonomy accelerator.
40
applications onto one IdP in 1 day
up to 80%
of per-application configuration executed by agents
Diagram of the three orchestration layers. Journey Time Orchestration, Layer 1, covers sign-up, sign-in, and recovery journeys. Runtime Orchestration, Layer 2, lets any identity provider talk to any application. Control-Plane Orchestration, Layer 3, manages users, groups, policies, and authorization data. The Identity Ontology ties all three layers together.
The Identity Ontology
The Identity Ontology maps your identity program to a semi-structured representation: identities, applications, policies, and the relationships between them.
It is the shared picture that ties the three layers together. A journey change, a runtime bridge, and a control-plane write all reference the same objects.
It is also where every engagement starts. Assessments read the current state into it. Migrations and transformations are planned against it, so decisions rest on what is actually configured.
Change management
Orchestration changes who does what. Work that consumed a team of console operators becomes policy decisions, reviews, and approvals.
That shift needs managing, and named senior architects carry it. The same people who design the program run the workshops, the reviews, and the handover.
IAM Transformation
The point of all this is a program you can actually change: one that moves when the business needs it to, and keeps moving after we leave.
Because the work runs against one map with agents doing the repetitive parts, we can scope it tightly enough to quote a fixed fee and stand behind it.
Engagements are fixed-fee and outcome-based, services only. We do not resell software.
What the framework does not cover
We are specialists, so we are clear about where we stop.
We work the Okta family. Workforce Identity Cloud (WIC) for employee access, Auth0 Customer Identity Cloud (CIC) for customer-facing apps, and Auth0 FGA, built on OpenFGA, for fine-grained authorization.
We stay in the identity layer. ITDR and adaptive access are where we touch the wider security stack; the rest of it we leave to the specialists who own it.
- Microsoft Entra, SailPoint, CyberArk, and similar identity platforms
- Broader security architecture: endpoint, network access control, and SIEM and SOAR integration
- License resell: engagements are services only
Find out where your program stands
A 30-minute working session maps your identity program against the four domains and three layers.
Map your program against the framework