Skip to main content

Frontier Identity is the identity program for what is shipping now: workforce, customer, authorization, and agentic identity.

The Frontier Identity Framework is how we deliver it: three layers of orchestration, mapped by one Identity Ontology.

What Frontier Identity is

Frontier Identity covers four domains: Workforce Identity, Customer Identity, Authorization Modeling, and Agentic Identity Management. Each has its own platform, its own standards, and its own ways to get breached.

Two things make this hard right now. The platforms and the AI on top of them move faster than most teams can keep up with. And the configuration underneath a program is usually too brittle to change quickly.

The Frontier Identity Framework is how we work both problems at once. It is not a maturity model and it will not score your program. It shows where the real work is across the four domains and how the pieces fit together.

Okta Workforce Identity Cloud (WIC)

Workforce Identity

The platform now carries every decision made since rollout

Workforce identity is where most enterprise IAM programs live. Okta governs employee access: joiner, mover, and leaver workflows, application integrations, adaptive access policies, device trust, and ITDR response.

The hard part is rarely the initial deployment. It is the complexity that accumulates over years of organic growth. Policies encode access assumptions that no longer hold. Integrations were added by engineers who have since left. Nobody can fully explain the group structure.

Policy drift compounds at every joiner, mover, and leaver event. Any migration has to account for dependencies nobody has fully mapped, in an environment where downtime is measured in revenue.

Assess, map, migrate, and hand over

Every engagement starts with a full read of the current Workforce Identity Cloud (WIC) tenant: the integrations, the policies, and the lifecycle workflows.

We map the dependencies and find the gaps between what the policies were meant to do and what they actually do. The plan is built around the tenant you have, not a tidy version of it.

Migration runs as a phased cutover with a rollback for every wave. When it is done we hand over how it all works, so your team can run it without us.

Engagement

A global financial services firm consolidates its identity providers

A global financial services firm had inherited separate identity providers through acquisition. No single team could answer who had access to what.

We mapped every integration dependency, sequenced business units to move independently, and gave each wave its own rollback plan.

The firm now runs on one workforce identity platform, with a unified view of access across business units and geographies.

Auth0 Customer Identity Cloud (CIC)

Customer Identity

Login has to be easy for customers and hard for attackers

Customer identity sits between security, user experience, and growth. Make registration or login clunky and customers leave. Leave it open to credential stuffing and the breach costs far more than the lost signups.

B2B is the harder version. Enterprise customers bring their own identity providers, expect strict tenant isolation, and ask about federation on the first sales call.

Federation is where most of the risk hides. A trust boundary set up wrong is a direct path into customer data.

Architecture design on Auth0, from login to fine-grained authorization

We design authentication architectures on Auth0 Customer Identity Cloud (CIC), from consumer applications with millions of users to B2B platforms with complex tenancy.

Universal Login centralizes the login experience. Auth0 Organizations model B2B tenancy and tenant isolation. Auth0 Actions carry custom logic at the right extensibility points.

Auth0 FGA enters where the access model needs more than roles: relationship-based authorization, modeled centrally instead of scattered across applications.

24M

users and 250+ applications served by CIAM our architects have delivered

Engagement

A healthcare SaaS platform redesigns patient authentication

A fast-growing health technology company had outgrown its original authentication architecture. Patients expected the low-friction login of consumer applications. The platform needed HIPAA-compliant handling of protected health information.

We redesigned the customer identity architecture: enterprise federation for hospital partners, progressive profiling to cut registration friction, and step-up verification only where risk warrants it.

New health systems now onboard through a standard federation process, and HIPAA audit evidence generates from authentication logs instead of manual documentation.

Auth0 FGA (OpenFGA)

Authorization Modeling

Roles multiply until nobody can answer who has access to what

Most organizations start with role-based access control, and it works until it doesn't. As products grow, roles multiply, permissions overlap, and exceptions pile up. Eventually nobody can answer the basic question: who has access to what?

At that point you have a modeling problem, not a tooling problem. Adding more roles or more policy conditions only makes it worse.

The fix is to step back and model access deliberately, then build that model in the platform instead of letting it accrete role by role.

The three models, and when each one fits

RBAC remains the right model for many contexts: a clean baseline that stops role sprawl and stays legible to engineers and auditors alike. We use it where it fits and do not over-engineer past it.

ReBAC is the right model for collaborative platforms, MSP hierarchies, and access that derives from a relationship. Alice can edit this document because she owns the project it belongs to, not because of her job title. We implement ReBAC on Auth0 FGA, based on the OpenFGA specification, modeling relations centrally so one authorization layer replaces logic scattered across applications.

PBAC is the right model for regulatory contexts: separation of duties, time-based access, and approval workflows. It produces audit-ready permission trails for SOX, HIPAA, PCI, and financial services regulations.

100+

business units onto one Auth0 FGA authorization model

Engagement

A Major MSP and Networking Service Provider centralizes authorization on Auth0 FGA

A Major MSP and Networking Service Provider had grown through acquisition into a security platform spanning more than 100 business units. Authorization logic had accumulated inside individual products, with conflicting sources of truth.

We designed a centralized model on Auth0 FGA that encodes the MSP relations directly: Accounts, Groups, Users, and the cross-tenant access the hierarchy requires. The full model was delivered, approved by client leadership, and validated across business units and MSP use cases.

"Anthony is our principal dev and he's not an easy person to impress, but he relayed to me that he's really impressed with JP. His knowledge, his demeanor, and how personable he is in meetings with other teams." - VP of IAM

For a national retailer, the same discipline consolidated a decade of accumulated roles into a composable model that engineers and auditors can reason about.

Okta and the Model Context Protocol (MCP)

Agentic Identity Management

Agents reached production before the identity layer did

AI agents are moving from demos to production. Most operate on broad, static service-account credentials that bypass the access controls human users are held to.

An agent needs a real identity, not a shared service account. It acts on behalf of a person, and the identity system has to record that.

Agents increasingly reach enterprise tools through the Model Context Protocol, which makes the tool call the new authorization boundary.

A delegation chain with attribution at every hop

We model the full delegation chain: Human as principal, IdP as authority, Agent as actor, MCP proxy as control plane, Tool as resource. Every action is authorized by the human the agent acts for, and every hop records it.

The mechanics are open standards, available on current Okta infrastructure. OAuth Actor Tokens (RFC 8693) record the agent acting for the human. Resource indicators (RFC 8707) scope each token to a single audience. FIDO2 or CIBA adds phishing-resistant step-up where a call is high-risk.

We enforce the chain at a single point between agents and MCP servers. Zero changes to existing agents or downstream tools. Every decision logs the agent, the human principal, the tool, and the outcome.

How we deliver

Orchestration on three layers

The four domains are what we work on. Orchestration is how we do it: three layers that let us move a program without taking it down.

Journey Time Orchestration (Layer 1) handles what the user sees and does. Runtime Orchestration (Layer 2) connects any identity provider to any application. Control-Plane Orchestration (Layer 3) changes the configuration underneath both.

All three work from the same map, the Identity Ontology, so a change in one layer stays consistent with the rest.

Diagram of the three orchestration layers. Journey Time Orchestration, Layer 1, covers sign-up, sign-in, and recovery journeys. Runtime Orchestration, Layer 2, lets any identity provider talk to any application. Control-Plane Orchestration, Layer 3, manages users, groups, policies, and authorization data. The Identity Ontology ties all three layers together.

Layer 1

Journey Time Orchestration

Layer 1 is everything the user touches: the screens, the authentication flows, onboarding, and account recovery.

This is registration, login, credential recovery, and stepping up verification when the risk changes. When it works nobody notices. When it does not, you see it in drop-off and support tickets.

We build these flows across all four domains: customer onboarding, workforce recovery, and the approvals an agent has to hand back to a person.

Layer 2

Runtime Orchestration

Runtime Orchestration, also called Final-Mile Orchestration, sits between the identity provider and the application. Any identity provider talks to any application, whatever protocol either side speaks.

That covers the application that only speaks a legacy protocol, and the one that will speak whatever comes next. Nothing gets left off the migration because of how it authenticates.

The same layer carries resiliency and continuity: if a provider degrades, sessions continue and access holds. Identity keeps serving the business while the platform underneath it changes.

Layer 3

Control-Plane Orchestration

Control-Plane Orchestration manipulates the objects underneath the program: users, groups, policies, authorization data, and related configuration across IAM tooling and connected applications.

The machinery treats configuration as data. Deterministic reads capture tenant state into a normalized model: run the read twice, get the same result. Writes are human-approved, logged with the approver and the full diff. Rollback is a write of the previous version.

Agents execute the repetitive per-application work under that control, with our architects making the policy calls. For Temporal Technologies, that is how 40 applications landed on one IdP in a single day, using the Authonomy accelerator.

40

applications onto one IdP in 1 day

up to 80%

of per-application configuration executed by agents

The Identity Ontology

The Identity Ontology maps your identity program to a semi-structured representation: identities, applications, policies, and the relationships between them.

It is the shared picture that ties the three layers together. A journey change, a runtime bridge, and a control-plane write all reference the same objects.

It is also where every engagement starts. Assessments read the current state into it. Migrations and transformations are planned against it, so decisions rest on what is actually configured.

Change management

Orchestration changes who does what. Work that consumed a team of console operators becomes policy decisions, reviews, and approvals.

That shift needs managing, and named senior architects carry it. The same people who design the program run the workshops, the reviews, and the handover.

Start with an assessment, a workshop, or ongoing advisory
The outcome

IAM Transformation

The point of all this is a program you can actually change: one that moves when the business needs it to, and keeps moving after we leave.

Because the work runs against one map with agents doing the repetitive parts, we can scope it tightly enough to quote a fixed fee and stand behind it.

Engagements are fixed-fee and outcome-based, services only. We do not resell software.

What the framework does not cover

We are specialists, so we are clear about where we stop.

We work the Okta family. Workforce Identity Cloud (WIC) for employee access, Auth0 Customer Identity Cloud (CIC) for customer-facing apps, and Auth0 FGA, built on OpenFGA, for fine-grained authorization.

We stay in the identity layer. ITDR and adaptive access are where we touch the wider security stack; the rest of it we leave to the specialists who own it.

  • Microsoft Entra, SailPoint, CyberArk, and similar identity platforms
  • Broader security architecture: endpoint, network access control, and SIEM and SOAR integration
  • License resell: engagements are services only

Find out where your program stands

A 30-minute working session maps your identity program against the four domains and three layers.

Map your program against the framework