
Identity-first architecture: principles that hold up at scale

By Deepak Gupta · Updated 2026-01-15 · 15 min

Principle 1: One system of record per identity type

Humans, workloads, devices, and AI agents are distinct identity types. They share patterns but should not share their primary directory. Trying to model workload identity inside an HR-driven IAM directory leads to schema gymnastics. Keep them separate and federate at the access decision.

Principle 2: Authentication and authorization are separate concerns

Conflating them produces brittle policy. Authentication answers "who is this?" Authorization answers "what can they do here?" Make them different services, and different teams if you can afford it.

Principle 3: Short-lived credentials by default

Long-lived API keys, service account passwords, and 90-day rotating secrets are the leading cause of credential incidents. Issue short-lived credentials (minutes, not months) from a central authority. Workload identity via SPIFFE or cloud-native equivalents is the modern baseline.

Principle 4: Risk signals at every decision point

Static role assignments lose context. Use risk signals — device posture, location, behavior, time-of-day — at every meaningful access decision. The IdP is one source of signal, not the whole picture.

Principle 5: Audit logs are first-class

Every identity-affecting event must produce a structured audit log entry. The compliance assessor needs them, the SOC needs them, the customer needs them for their own audit. Build for that requirement from the start.
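The following is an added example, not code from the article, showing how Principles 2 through 5 fit together in one access-decision path: authentication only validates a short-lived credential, authorization combines a static grant with per-decision risk signals, and every decision yields a structured audit entry. The SPIFFE-style subject, the 15-minute lifetime bound, the role grants and the anomaly-score scale are all constructed for illustration.

```python
import json
from dataclasses import dataclass, asdict

MAX_TOKEN_LIFETIME_S = 15 * 60  # Principle 3: minutes, not months (constructed bound)
# Principle 2: static grants belong to the authorization service, not to the token issuer
ROLE_GRANTS = {"payments-writer": {"payments:read", "payments:write"}, "reader": {"payments:read"}}

@dataclass
class Credential:
    subject: str    # e.g. "spiffe://example.org/payments/worker" (constructed)
    issued_at: float
    expires_at: float
    roles: tuple

@dataclass
class RiskSignals:  # Principle 4: gathered fresh at each decision, not baked into a role
    device_compliant: bool
    known_location: bool
    hour_of_day: int      # 0-23, subject's local time
    anomaly_score: float  # 0.0 normal .. 1.0 highly anomalous (constructed scale)

def authenticate(cred: Credential, now: float) -> tuple[bool, str]:
    """Answers "who is this?" by validating only the credential itself."""
    if cred.expires_at <= now:
        return False, "authn:expired"
    if cred.expires_at - cred.issued_at > MAX_TOKEN_LIFETIME_S:
        return False, "authn:lifetime_exceeds_policy"  # over-long token, even if not yet expired
    return True, "ok"

def authorize(cred: Credential, action: str, s: RiskSignals) -> tuple[bool, str]:
    """Answers "what can they do here?": static grant plus risk signals for this decision."""
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in cred.roles))
    if action not in granted:
        return False, "no_grant"
    if not s.device_compliant:
        return False, "device_noncompliant"  # hard deny regardless of role
    risky = not s.known_location or s.anomaly_score > 0.7 or not 6 <= s.hour_of_day < 22
    if action.endswith(":write") and risky:
        return False, "step_up_required"  # risky context: writes need fresh re-authentication
    return True, "ok"

def decide(cred: Credential, action: str, s: RiskSignals, now: float) -> dict:
    """Runs authn, then authz, and returns the audit entry (Principle 5), ready for json.dumps."""
    ok, reason = authenticate(cred, now)
    if ok:
        ok, reason = authorize(cred, action, s)
    return {"ts": now, "event": "access_decision", "subject": cred.subject, "action": action,
            "allowed": ok, "reason": reason, "signals": asdict(s)}
```

Serialize the returned entry with `json.dumps(entry, sort_keys=True)` to get one machine-parseable line per decision; the `reason` field makes denied decisions directly searchable by the SOC.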

Principle 6: Recover gracefully

The hard part of identity is failure modes. Lost devices, fired admins, compromised credentials. Design recovery flows before you design happy paths.

Principle 7: Federate, don't replicate

If you find yourself copying user data from one system to another, you're building a synchronization problem you'll regret. Federate to the source of truth where you can.

Where these principles came from

The author has reviewed identity architectures at financial services, healthcare, retail, and SaaS companies. These principles repeatedly distinguish architectures that scale from architectures that have to be redesigned at every order of magnitude.