WatchGuard Blog

You Don’t Need 20 Different Perimeters. You Need One Identity Fabric.

Identity is the privacy perimeter. See how an IdP-led identity fabric and export controls reduce risk across SaaS, cloud, and AI.

Guest post by WatchGuard Tech All-Star, Michael Carter II

At a glance: 
The trend is hard to ignore: most attackers no longer “break in,” they sign in, using stolen or abused identities rather than bypassing a next-gen firewall, EDR, or email and collaboration defenses. If an unauthorized identity can export it, you have not protected it, no matter how many controls you have in place. The fix is to treat identity as the control plane: standardize on an IdP-led identity fabric, enforce just-in-time access for humans and non-human identities, and measure privacy as “who (or what) can access which data, and why.” 

Key takeaways: 

  • Identity is the real privacy perimeter in SaaS, cloud, and hybrid work. 
  • “Export privilege” should be treated as a first-class least-privilege control for privacy. 
  • AI and non-human identities quietly expand blast radius if permissions are not governed. 
  • If your IdP is the source of truth, privacy becomes measurable, enforceable, and auditable. 

Why identity is now the real privacy perimeter 

Over the last few years, high-profile breaches have shown a consistent pattern: attackers are far more likely to come in through stolen or abused identities than by bypassing a next-gen firewall, EDR, or email and collaboration defenses. In 2024 and 2025, a large share of public incidents were driven by compromised credentials, infostealer-harvested session cookies, and adversary-in-the-middle (AiTM) phishing that relays the login and captures the resulting session, leading to abuse of legitimate sessions in SaaS and critical business applications. Rather than “hacking the network,” attackers authenticate successfully into our organizations, often through the same login screens employees use every day. 

At the same time, organizations have multiplied their “perimeters” to support distributed and hybrid work: VPNs, CASBs, SaaS web apps, per-cloud-provider controls, in-app access models, and dozens of separate admin consoles. Each tool offers a partial view of access, and reviewing them means bouncing between consoles hoping you did not miss something in your configurations; none of them produces a unified, identity-centric picture of who (or what) can access which data and why. The result is governance chaos: privacy promises on paper, but no single place to enforce or measure them, which increases your risk. 

What an “identity fabric” is, in plain language 

A unified identity fabric changes that. When an IdP (or tightly integrated set of IdPs and identity governance systems) becomes the source of truth for human and non-human identities, it can centralize authentication, policy, and telemetry across SaaS, cloud, and internal apps. 

Instead of 20 partial perimeters, you get one fabric where you define roles, assign conditional access, enforce step-up authentication for just-in-time access, and require specific multi-factor authentication strengths. Then you push those controls to every surface your business identities touch, no matter who or what they are or where they come from. 

If you are looking for a practical example of extending centralized MFA and conditional access into modern SaaS, WatchGuard has been expanding this coverage in AuthPoint, including support for modern protocols and broader SaaS reach (see: Powering Modern SaaS with AuthPoint OIDC). 

The most important privacy truth: if an unauthorized identity can export it, you have not protected it 

No matter how many controls you have in place, if an unauthorized identity can export it... you haven’t protected it. 

Many of the most damaging recent incidents were not defined by how initial access was obtained, or even by the data held for ransom. They were defined by blast radius: privileged access to data that the compromised identity should never have been able to reach in the first place. Public reporting on recent mega-breaches describes hundreds of millions to over a billion individual records exposed when attackers landed on over-privileged accounts with broad export, sync, or programmatic access to internal systems. 

In several cases, the difference between an “incident” and a “catastrophe” was whether attackers could exfiltrate large data sets through legitimate interfaces, under what looked like legitimate business operations, not whether packets were blocked by a perimeter device or other boundary defense. 

AI amplifies the risk, quietly and at scale 

This is where AI quietly amplifies the risk. As organizations integrate AI tooling into workflows, they often grant AI services access to document repositories, source code, tickets, and data lakes so agents can “assist” humans. If those AI services or non-human identities (API keys, service principals, bots) are over-permissioned, they inherit the ability to export or summarize sensitive information at scale. An AI agent that can read everything can also leak everything, through misconfiguration, prompt injection, or a compromised access token. 

For MSPs thinking about how identity controls show up in real-world AI deployments, Pax8 has published practical guidance on tightening zero trust controls for tools like Microsoft 365 Copilot, including identity and access recommendations (see: 7 Zero Trust Security Principles for Copilot). 

A practical identity-fabric playbook for privacy and export control 

Traditional data protection controls can help, but they are trailing controls. If identities, human or agentic, hold broad export, sync, or bulk-read permissions, those controls are left inferring intent after the fact rather than containing the data before it leaves the organization without explicit consent. 

A standardized IdP fabric and least-privilege framework let you pull this control up a layer: you define which identities can export, under which conditions, with just-in-time elevations, and for how long that data remains accessible to them. In other words, you start treating export and sharing as a privilege that must be explicitly justified and time-bound, not a default capability baked into generic roles, departments, or workflows. 

In a world that is only becoming more agentic, least privilege and just-in-time access are not just security principles; they are privacy and IP controls. If an identity can export it, summarize it, or fine-tune a model on it for that big presentation of yours, that is the perimeter you must design for and monitor closely to keep the trust of your clients. 

Practical starting point (fast path): 

  • Inventory identities, including non-human identities (API keys, service principals, bots, service accounts). 
  • Identify where export, sync, and bulk-read permissions exist today. 
  • Require step-up authentication and time-bound elevation for export. 
  • Remove standing high-risk privileges wherever possible. 
  • Track and review identity access drift on a recurring cadence. 
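The playbook above, and steps three and four of the fast path, boil down to one rule: an export-class action is never granted by a standing role; it needs an unexpired, justified just-in-time elevation for that exact dataset, plus step-up authentication for a human. The following is an added illustration of that decision logic in Python; it is not WatchGuard, AuthPoint, or any IdP's code. The request shape (identity kind, MFA strength, elevation grants), the dataset names, and the role table are assumptions made for the example.

```python
"""Export as an explicit, time-bound privilege: a minimal policy decision point.

Added illustration only; this is not WatchGuard, AuthPoint, or any IdP's code.
The request shape (identity kind, MFA strength, elevation grants), the dataset
names and the role table are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Actions that move data in bulk. Never granted by a standing role.
EXPORT_ACTIONS = {"export", "sync", "bulk_read"}

# Assumed role table for ordinary (non-bulk) reads: role -> datasets.
ROLE_READ = {"analyst": {"customer_pii"}, "ci_bot": {"source_code"}}


@dataclass
class Elevation:
    """A just-in-time grant: scoped to one action and dataset, justified, time-bound."""
    action: str
    dataset: str
    justification: str
    granted_at: datetime
    ttl: timedelta

    def covers(self, action: str, dataset: str, now: datetime) -> bool:
        return (self.action == action and self.dataset == dataset
                and self.justification.strip() != ""
                and self.granted_at <= now < self.granted_at + self.ttl)


@dataclass
class Identity:
    name: str
    kind: str                    # "human" or "non_human" (service principal, agent, bot)
    roles: set
    mfa_strength: str = "none"   # "none", "mfa", or "phishing_resistant" (step-up)
    elevations: list = field(default_factory=list)


@dataclass
class Decision:
    allow: bool
    reason: str


def authorize(identity: Identity, action: str, dataset: str, now: datetime) -> Decision:
    """Decide whether `identity` may perform `action` on `dataset` at time `now`.

    Ordinary reads come from roles. Export-class actions ignore roles entirely:
    they need an unexpired, justified elevation for that exact dataset, and a
    human must also have completed step-up (phishing-resistant) authentication.
    Non-human identities get no step-up path; they only ever hold short grants.
    """
    if action not in EXPORT_ACTIONS:
        readable = set().union(*(ROLE_READ.get(r, set()) for r in identity.roles))
        if dataset in readable:
            return Decision(True, f"role read access to {dataset}")
        return Decision(False, f"no role grants {action} on {dataset}")

    grant = next((e for e in identity.elevations if e.covers(action, dataset, now)), None)
    if grant is None:
        return Decision(False, f"{action} on {dataset} needs an unexpired, justified JIT elevation")
    if identity.kind == "human" and identity.mfa_strength != "phishing_resistant":
        return Decision(False, "step-up authentication required before export")
    left = grant.granted_at + grant.ttl - now
    return Decision(True, f"JIT {action} on {dataset}, {int(left.total_seconds() // 60)} min left")


NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenarios; returns the decision per case so a test can check them."""
    grant = Elevation("export", "customer_pii", "TKT-123: regulator request",
                      granted_at=NOW - timedelta(minutes=5), ttl=timedelta(minutes=30))
    analyst = Identity("alice", "human", {"analyst"}, mfa_strength="mfa")
    agent = Identity("copilot-indexer", "non_human", {"analyst"})
    no_stepup = Identity("alice", "human", {"analyst"}, "mfa", [grant])
    elevated = Identity("alice", "human", {"analyst"}, "phishing_resistant", [grant])
    return {
        "analyst_read": authorize(analyst, "read", "customer_pii", NOW),
        "analyst_export_no_jit": authorize(analyst, "export", "customer_pii", NOW),
        "agent_bulk_read": authorize(agent, "bulk_read", "customer_pii", NOW),
        "elevated_no_stepup": authorize(no_stepup, "export", "customer_pii", NOW),
        "elevated_export": authorize(elevated, "export", "customer_pii", NOW),
        "elevated_expired": authorize(elevated, "export", "customer_pii", NOW + timedelta(hours=1)),
        "elevated_wrong_dataset": authorize(elevated, "export", "source_code", NOW),
    }


if __name__ == "__main__":
    for case, d in demo().items():
        print(f"{case:24} {'ALLOW' if d.allow else 'DENY ':5} {d.reason}")
```

Note the design choice: the `analyst` role reads `customer_pii` but can never bulk-read or export it through that role, and the AI indexer that was handed the same role is denied bulk access outright. Only a scoped, justified, unexpired grant opens the door, and for a human only after step-up; the same grant stops working an hour later or against a different dataset.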

If you want a quick framing of conditional access as an “if-then” enforcement mechanism, Pax8 breaks it down clearly here: Why MSPs should adopt conditional access policies. 

If you want a concrete example of how granular “conditions” can be expressed in an identity policy, WatchGuard documents controls like geofencing as part of WatchGuard’s Zero Trust Policy Conditions (see: Zero Trust Geofence Conditions). 

If your IdP is the source of truth, your privacy story is measurable 

Privacy frameworks talk about data minimization, purpose limitation, and access limitation, but they rarely tell you how to operationalize those principles in a multi-SaaS, multi-cloud environment with decentralized identity and a growing set of AI-enabled tools. Without a single place to describe identities, their roles, and their entitlements, privacy quickly becomes a never-ending checkbox exercise instead of real, actionable attack surface reduction: documents, consent banners, and DPIAs that never change who can actually touch personal data are only one part of a larger story, lacking the substance of control or a reliable source of truth. 

When the IdP and its surrounding identity governance stack become the operational source of truth, everything changes. Modern IdPs and identity governance platforms allow organizations to: 

  • Centralize authentication and authorization policies for human users and non-human identities, including service accounts and machine identities used by AI systems. 
  • Map roles and groups to business functions and data classifications, then enforce least privilege based on actual job needs, privacy requirements, and compliance frameworks. 
  • Automate joiner/mover/leaver workflows so excessive and stale access to regulated data is removed systematically and promptly, without a human in the loop, rather than left to manual clean-up that burns hours better spent on revenue-generating work for you or your clients. 

Once access decisions live only in that fabric, data privacy becomes measurable instead of aspirational. 

You can track metrics like: 

  • How many identities, human and non-human, can access specific regulated data sets. 
  • How many of those identities have standing high-risk privileges versus time-bound, just-in-time access. 
  • How quickly access is revoked when roles change, when personnel leave, or when AI agents and services are decommissioned. 
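The three metrics above, together with steps one, two and five of the fast path (inventory identities, find where export/sync/bulk-read exists, track drift), can all be computed from one entitlement inventory pulled out of the IdP. The following Python is an added illustration of that computation, not vendor code; the inventory rows and lifecycle events are constructed for the example, and the field names are assumptions rather than any IdP's real export format.

```python
"""Privacy metrics from an IdP entitlement inventory.

Added illustration, not WatchGuard or any IdP's code. INVENTORY and LIFECYCLE
are constructed sample data; the field names are assumed for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone

HIGH_RISK = {"export", "sync", "bulk_read"}          # bulk-movement permissions
REGULATED = {"customer_pii", "payment_data"}          # assumed data classifications

# One row per (identity, dataset, permission). expires=None means standing access.
INVENTORY = [
    {"identity": "alice", "kind": "human", "dataset": "customer_pii", "perm": "read", "expires": None},
    {"identity": "alice", "kind": "human", "dataset": "customer_pii", "perm": "export", "expires": "2025-01-15T10:00:00Z"},
    {"identity": "bob", "kind": "human", "dataset": "customer_pii", "perm": "export", "expires": None},
    {"identity": "svc-etl", "kind": "non_human", "dataset": "payment_data", "perm": "sync", "expires": None},
    {"identity": "copilot-indexer", "kind": "non_human", "dataset": "customer_pii", "perm": "bulk_read", "expires": None},
    {"identity": "copilot-indexer", "kind": "non_human", "dataset": "wiki", "perm": "bulk_read", "expires": None},
    {"identity": "carol", "kind": "human", "dataset": "wiki", "perm": "read", "expires": None},
]

# The previous review's snapshot (constructed): the AI indexer was added since then.
PREVIOUS_SNAPSHOT = [r for r in INVENTORY if r["identity"] != "copilot-indexer"]

# Lifecycle events: when the trigger happened and when the IdP actually revoked access.
LIFECYCLE = [
    {"identity": "dave", "event": "leaver", "at": "2025-01-10T08:00:00Z", "revoked_at": "2025-01-10T08:04:00Z"},
    {"identity": "old-agent", "event": "decommissioned", "at": "2025-01-12T12:00:00Z", "revoked_at": "2025-01-14T12:00:00Z"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def identities_per_regulated_dataset(inventory: list) -> dict:
    """Metric 1: how many identities, human and non-human, can touch each regulated data set."""
    out = defaultdict(lambda: {"human": set(), "non_human": set()})
    for row in inventory:
        if row["dataset"] in REGULATED:
            out[row["dataset"]][row["kind"]].add(row["identity"])
    return {ds: {kind: len(names) for kind, names in kinds.items()} for ds, kinds in out.items()}


def standing_vs_jit(inventory: list) -> dict:
    """Metric 2: high-risk grants that are standing (no expiry) versus time-bound."""
    standing = [r for r in inventory if r["perm"] in HIGH_RISK and r["expires"] is None]
    jit = [r for r in inventory if r["perm"] in HIGH_RISK and r["expires"] is not None]
    return {"standing": len(standing), "jit": len(jit),
            "standing_identities": sorted({r["identity"] for r in standing})}


def revocation_lag_hours(lifecycle: list) -> dict:
    """Metric 3: hours between a leaver/mover/decommission event and revocation, worst first."""
    lags = {e["identity"]: (_ts(e["revoked_at"]) - _ts(e["at"])).total_seconds() / 3600
            for e in lifecycle}
    return dict(sorted(lags.items(), key=lambda kv: -kv[1]))


def drift(previous: list, current: list) -> list:
    """Fast-path step 5: grants present now that were absent from the last review snapshot."""
    key = lambda r: (r["identity"], r["dataset"], r["perm"])
    before = {key(r) for r in previous}
    return sorted(key(r) for r in current if key(r) not in before)


if __name__ == "__main__":
    print("identities per regulated dataset:", identities_per_regulated_dataset(INVENTORY))
    print("standing vs JIT high-risk grants:", standing_vs_jit(INVENTORY))
    print("revocation lag (hours):", revocation_lag_hours(LIFECYCLE))
    print("drift since last review:", drift(PREVIOUS_SNAPSHOT, INVENTORY))
```

On the sample data this surfaces exactly what the board-level story needs: four standing high-risk grants against one time-bound one, the AI indexer appearing in the drift report with bulk-read on regulated data, and a decommissioned agent whose access lingered for two days while the human leaver was cut off in minutes.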

These are governance, risk, and compliance (GRC) metrics that actually matter in an agentic world, where the human in the loop becomes more abstract as automation and agents join the digital workforce. They show auditors and boards not just that policies exist, but that access to customer data, internal IP, and AI model actions is actively constrained and monitored through a consistent identity control plane. 

As AI systems become more tightly integrated into business processes, and non-human identities form the “unseen workforce” behind the scenes, treating the IdP fabric as infrastructure for privacy and IP protection will be the difference between organizations that merely write about trust and those that can prove it when the adversary comes knocking. 

This is a strategic turning point for security and architecture leaders to capitalize on: move the conversation from “more tools and perimeters” to “one identity, secure access,” make export and bulk access an explicit privilege, and use the IdP as the measurement engine for privacy and GRC in a human-plus-agent world. 

Closing questions 

  • How are you tackling your privacy concerns in an ever-increasing AI-integrated world? 
  • Have you standardized your identity fabric and embraced your managed identities as the new perimeter for attack defense and privacy protection? 
  • How are you limiting and monitoring export, sync, and bulk-read when it comes to your non-human identities? 

If you want implementation examples for identity-first controls like MFA policy design and rollout, WatchGuard’s AuthPoint documentation is a practical starting point (see: AuthPoint Deployment Guide). 

If you are an MSP standardizing delivery through a marketplace, Pax8 maintains a WatchGuard vendor hub you can reference for packaging and lifecycle management (see: WatchGuard on Pax8). 

Forward Unto Dawn
Michael Carter II 
Sr. Security Solutions Engineer and Infrastructure NERD 
Specializing in Network, Identity, and Endpoint Security, with an immense passion for helping us all secure our future, together.