TL;DR: Identity-aware policy orchestration in SASE depends on centralized authorization, token enrichment, and consistent enforcement across layers, according to PlainID's description of its Zscaler integration. The practical issue is not connectivity but whether access decisions, entitlements, and enforcement points stay aligned across the enterprise security stack.
At a glance
What this is: This is a vendor analysis of policy orchestration for SASE, focused on how PlainID integrates with Zscaler to centralize authorization, discover policies, and enrich access tokens.
Why it matters: It matters because IAM, PAM, and Zero Trust teams need consistent authorization decisions across applications, data, and enforcement points, or policy drift will undermine access control.
👉 Read PlainID's analysis of identity security challenges in SASE
Context
SASE access control breaks down when identity, policy, and enforcement live in separate layers with different views of entitlements. In practice, that creates policy drift, inconsistent token handling, and gaps between what an identity provider decides and what a security edge actually enforces.
PlainID's framing is a useful reminder that Zero Trust for enterprise access is not only about network inspection. For IAM and security architecture teams, the harder problem is keeping authorization decisions synchronized across the policy engine, the token, and the enforcement layer so that access remains both contextual and auditable.
Key questions
Q: How should teams govern authorization in SASE environments?
A: Teams should govern authorization in SASE by treating identity, policy, and enforcement as one control chain. The practical aim is consistency, not just centralization. If access decisions are made in one place but enforced in another without the same entitlement context, policy drift appears quickly. Start by mapping decision points, defining one authorization model, and verifying that revocation propagates across every layer that consumes the token.
Q: Why do enriched access tokens create governance risk?
A: Enriched access tokens create governance risk when the entitlement claims inside them are stale, too broad, or based on incomplete policy data. Once those claims are embedded, downstream systems may enforce them as if they were authoritative. That turns authorization freshness into a runtime security requirement. Teams need clear rules for claim generation, update latency, and revocation handling.
Q: What breaks when policy discovery does not match enforcement reality?
A: When policy discovery does not match enforcement reality, teams gain visibility without control. The discovered policy set may look complete while edge systems still apply exceptions, local overrides, or outdated rules. That leaves administrators with a false sense of coverage. The remedy is to compare discovered policy intent against actual enforcement behaviour and close the gaps found.
Q: What is the difference between token enrichment and authentication?
A: Authentication establishes that an identity is who it claims to be. Token enrichment adds authorization context after that identity has been verified, such as fine-grained entitlements or access scope. The two are not interchangeable. Authentication answers whether access can begin, while enrichment helps determine what access is actually allowed once the session is established.
Technical breakdown
Policy orchestration in SASE environments
Policy orchestration is the coordination of authorization logic across multiple control points so that access decisions do not diverge as traffic moves through the stack. In the PlainID-Zscaler model, policy discovery pulls existing access rules into a central view, then centralized decisions are pushed back for enforcement. That pattern matters because distributed policy stores often create contradictory decisions, especially when applications, edge controls, and identity providers each maintain their own partial view of entitlement. The risk is not just complexity. It is inconsistent enforcement of the same user request depending on where the request lands.
Practical implication: map where authorization is decided, where it is stored, and where it is enforced before adding another SASE control plane.
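The discovery-versus-enforcement comparison this section and the "policy discovery does not match enforcement reality" question describe, as an added example that is not PlainID's or Zscaler's code: it takes a centrally discovered rule set and the rules two enforcement points actually apply, reports central rules an edge never received, edge-only local overrides, conflicting effects and duplicated rules, and then shows how a single request would be decided at each point. The rule tuple format, the edge names and every sample policy are constructed assumptions for illustration.

```python
"""Policy drift check: compare discovered central policy intent with what each
enforcement point actually applies.

Added example, not PlainID or Zscaler code. The rule tuple format, the edge
names and the sample policies below are constructed for illustration.
"""
from collections import Counter

# A rule is (principal, app, action, effect). Constructed sample data.
CENTRAL_POLICY = [
    ("group:finance", "erp", "read", "allow"),
    ("group:finance", "erp", "write", "deny"),
    ("group:contractors", "erp", "read", "deny"),
    ("group:eng", "ci", "read", "allow"),
]

EDGE_RULES = {
    "edge-eu": [
        ("group:finance", "erp", "read", "allow"),
        ("group:finance", "erp", "write", "allow"),     # contradicts the central deny
        ("group:contractors", "erp", "read", "allow"),  # local exception to the central deny
        ("group:eng", "ci", "read", "allow"),
        ("group:eng", "ci", "read", "allow"),           # duplicated rule
        ("user:bob", "erp", "write", "allow"),          # ad hoc override that exists nowhere centrally
    ],
    "edge-us": [
        ("group:finance", "erp", "read", "allow"),
        ("group:finance", "erp", "write", "deny"),
        ("group:eng", "ci", "read", "allow"),
        # the central contractors deny was never pushed here
    ],
}


def index_rules(rules):
    """Map (principal, app, action) -> set of effects seen, plus a count of each
    exact rule so duplicates can be reported."""
    effects = {}
    for principal, app, action, effect in rules:
        effects.setdefault((principal, app, action), set()).add(effect)
    return effects, Counter(rules)


def drift_report(central, edges):
    """For each enforcement point, list the ways its rule set diverges from the
    discovered central policy."""
    central_effects, _ = index_rules(central)
    report = {}
    for edge, rules in edges.items():
        edge_effects, counts = index_rules(rules)
        report[edge] = {
            # central intent with no rule at this edge: visibility without enforcement
            "missing": sorted(k for k in central_effects if k not in edge_effects),
            # rules that exist only at this edge: local overrides the central view cannot see
            "local_only": sorted(k for k in edge_effects if k not in central_effects),
            # same principal/app/action, different effect: the same request decided differently
            "conflicts": sorted(k for k in central_effects
                                if k in edge_effects and edge_effects[k] != central_effects[k]),
            "duplicates": sorted(rule for rule, n in counts.items() if n > 1),
        }
    return report


def decide(effects, key):
    """Decision at one policy store for a (principal, app, action) request.
    A missing rule is reported explicitly instead of silently denied so the gap stays visible."""
    found = effects.get(key)
    if found is None:
        return "no_rule"
    if len(found) > 1:
        return "conflict"
    return next(iter(found))


def compare_request(central, edges, key):
    """Show how one request would be decided centrally and at every edge."""
    result = {"central": decide(index_rules(central)[0], key)}
    for edge, rules in edges.items():
        result[edge] = decide(index_rules(rules)[0], key)
    return result


if __name__ == "__main__":
    for edge, findings in drift_report(CENTRAL_POLICY, EDGE_RULES).items():
        print(edge)
        for kind, items in findings.items():
            print(f"  {kind}: {items}")
    print(compare_request(CENTRAL_POLICY, EDGE_RULES, ("group:contractors", "erp", "read")))
```

The report is the governance inventory the later practitioner list asks for: each "conflicts" or "local_only" entry is a recertification item, each "missing" entry is a push or sync failure, and the per-request comparison is the concrete form of "the same request decided differently depending on where it lands".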
Token enrichment and fine-grained entitlements
Token enrichment means adding authorization context to an access token after policy evaluation so downstream systems can enforce a narrower decision set. Here, the token is not just proof of authentication. It becomes a carrier for verified entitlements that can express read-only access, application scope, or other fine-grained limits. The architectural challenge is that the token now depends on the quality of upstream policy data and the timeliness of the authorization decision. If entitlements are stale, overly broad, or misaligned with the requesting identity, the enriched token can hard-code the wrong trust decision into later enforcement.
Practical implication: validate how entitlement claims are derived, refreshed, and revoked before relying on enriched tokens for critical access.
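One way to make the claim generation, update latency and revocation rules from the Q&A above and from this section concrete, as an added example that is not PlainID's or Zscaler's code: a decision point embeds entitlements, an issuance time and a policy version in a signed token, and the enforcement point refuses to treat those claims as authoritative when the signature fails, the subject has been revoked, the claims exceed a maximum age, or the policy version has moved on since issuance. The claim names, the HMAC signing scheme, the 300-second limit and the subjects are assumptions chosen for the example, not a real token format.

```python
"""Enriched access token: entitlement claims plus freshness and revocation checks.

Added example, not PlainID or Zscaler code. Claim names, the HMAC signing
scheme, the maximum claim age and the sample subjects are assumptions chosen
to illustrate the pattern; a real deployment would use a standard token format
and asymmetric keys.
"""
import hashlib
import hmac
import json

# Constructed shared secret between the policy decision point and the enforcement point.
SIGNING_KEY = b"example-shared-secret-do-not-reuse"
# Assumed upper bound on how old an entitlement claim may be before it is rejected.
MAX_CLAIM_AGE_SECONDS = 300


def issue_enriched_token(subject, entitlements, policy_version, issued_at):
    """Policy decision point: embed fine-grained entitlements in the token.

    entitlements maps application name -> set of allowed actions, e.g. {"crm": {"read"}}.
    The policy version records which policy snapshot produced the claims."""
    payload = {
        "sub": subject,
        "iat": issued_at,
        "policy_version": policy_version,
        "entitlements": {app: sorted(actions) for app, actions in entitlements.items()},
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": body, "sig": sig}


def enforce(token, app, action, now, current_policy_version, revoked_subjects):
    """Enforcement point: the embedded claims are authoritative only if they are
    authentic, the subject is not revoked, the claims are fresh, and they were
    issued under the policy version currently in force. Returns (allowed, reason)."""
    expected = hmac.new(SIGNING_KEY, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "signature_invalid"
    claims = json.loads(token["payload"])
    if claims["sub"] in revoked_subjects:
        return False, "subject_revoked"
    if now - claims["iat"] > MAX_CLAIM_AGE_SECONDS:
        return False, "claims_stale"
    if claims["policy_version"] != current_policy_version:
        return False, "policy_version_mismatch"
    if action not in claims["entitlements"].get(app, []):
        return False, "not_entitled"
    return True, "ok"


def demo():
    """Run the enforcement point over constructed scenarios; returns name -> (allowed, reason)."""
    t0 = 1_700_000_000
    token = issue_enriched_token("alice", {"crm": {"read"}}, "v7", t0)
    # A token whose claims were edited after signing: the enrichment must not be trusted.
    tampered = {"payload": token["payload"].replace(b'"read"', b'"write"'), "sig": token["sig"]}
    return {
        "fresh_read": enforce(token, "crm", "read", t0 + 10, "v7", set()),
        "write_not_entitled": enforce(token, "crm", "write", t0 + 10, "v7", set()),
        "stale_claims": enforce(token, "crm", "read", t0 + 600, "v7", set()),
        "policy_changed": enforce(token, "crm", "read", t0 + 10, "v8", set()),
        "subject_revoked": enforce(token, "crm", "read", t0 + 10, "v7", {"alice"}),
        "tampered_claims": enforce(tampered, "crm", "read", t0 + 10, "v7", set()),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20s} allowed={allowed} reason={reason}")
```

The design choice worth noting is that the enforcement point does not re-evaluate policy; it only decides whether the upstream decision is still trustworthy. That is the sense in which entitlement freshness becomes a runtime control: the maximum claim age and the policy version check bound how long a stale or superseded decision can keep authorizing access, and the revocation list closes the window when a subject must lose access before the claims expire.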
Identity-aware controls in Zero Trust architecture
Zero Trust architecture assumes every access request must be evaluated in context, not granted by default. In SASE, that means identity-aware controls must align with the broader authorization strategy, including least privilege, contextual access, and policy continuity across layers. The key design issue is that network proximity alone cannot determine whether a user should receive access to a sensitive application. Authorization has to be explicit, current, and consistent at every enforcement point. That is why policy orchestration becomes a governance problem as much as a technical one: a mismatch between policy intent and enforcement behaviour creates a blind spot that Zero Trust is supposed to eliminate.
Practical implication: treat ZT policy alignment as a control-design exercise, not a deployment checkbox.
NHI Mgmt Group analysis
Policy drift is the real SASE control failure, not lack of connectivity. The PlainID-Zscaler pattern addresses a common enterprise problem: access rules exist, but they are fragmented across systems that do not enforce them uniformly. That fragmentation creates a governance gap where policy intent, token content, and edge enforcement can diverge. The implication is that identity teams must measure authorization consistency, not just policy volume.
Token enrichment turns authorization into an enforcement dependency. Once fine-grained entitlements are embedded in the token, downstream controls inherit every upstream weakness in policy quality and decision freshness. That makes the authorization layer part of the runtime control path, not a passive administration layer. Practitioners should treat entitlement accuracy as a production security control, not a configuration detail.
Zero Trust in SASE fails if identity-aware controls are bolted on after the network decision. The article's core message is that enforcement points must align with authorization strategy before access is granted. When that sequence is reversed, the security stack can authenticate traffic but still authorize too broadly. Security architects should insist that policy continuity spans identity, token, and enforcement.
Centralized policy discovery is valuable only if it exposes real governance gaps. Seeing existing policies is not the same as fixing them, but it does give teams a baseline for remediation and standardization. The strategic value is in uncovering where ad hoc rules, duplicated entitlements, or edge-specific exceptions have accumulated. The practitioner takeaway is to use policy discovery as a governance inventory, not a reporting artifact.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why policy discovery and entitlement inventory remain foundational control problems.
- For the broader control model, the Ultimate Guide to NHIs (Standards section) explains how Zero Trust and identity governance frameworks map to machine and human access decisions.
What this signals
Policy orchestration is becoming the practical test of Zero Trust maturity. Teams can no longer treat SASE as a network project when entitlement decisions now flow through identity and token layers. The governance signal is whether the organisation can keep authorization consistent as access moves across applications, data, and enforcement points.
Identity visibility becomes more valuable when it reveals exceptions, not just assets. If policy discovery surfaces duplicated rules and local overrides, that inventory can drive recertification and cleanup work rather than reporting alone. This is where the control model shifts from static access administration to continuous authorization governance.
Enterprises that want to align SASE with identity-first security should pair authorization visibility with external control references such as the NIST Cybersecurity Framework 2.0 and NIST SP 800-207 Zero Trust Architecture. That combination helps security teams distinguish between authentication, authorization, and enforcement when they are evaluating runtime access flows.
For practitioners
- Inventory authorization decision points: Map where identity providers, policy engines, and enforcement layers each make or apply access decisions. Document mismatches in scope, timing, and entitlement handling before introducing additional SASE integrations.
- Validate token claim freshness: Check how quickly entitlement changes propagate into enriched access tokens and how revocation is enforced after policy updates. Stale claims should be treated as a control defect, not an edge-case operational issue.
- Standardize policy semantics across enforcement layers: Define a single access policy model for applications, data, and network enforcement so that read-only, conditional, and high-risk access mean the same thing everywhere.
- Use policy discovery to find governance exceptions: Review discovered policies for duplicated rules, local overrides, and uncontrolled exceptions that weaken centralized authorization. Feed those findings into recertification and access review workflows.
Key takeaways
- SASE control quality depends on whether authorization decisions remain consistent from policy engine to enforcement point.
- Token enrichment can improve precision, but it also imports any weakness in entitlement freshness or policy quality into runtime access.
- Identity teams should use policy discovery to expose governance exceptions and then normalise those rules across the access stack.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | The article centers on Zero Trust alignment across identity and enforcement layers: explicit, per-request authorization rather than network location. |
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 identifier was PR.AC-4) | Access permissions, entitlements, and authorizations being defined, managed, enforced, and reviewed is the core issue in policy orchestration and token enrichment. |
| OWASP Non-Human Identity Top 10 | NHI5 Overprivileged NHI, NHI7 Long-Lived Secrets | Stale or overly broad entitlement claims and long-lived tokens affect non-human and machine identity governance as well. |
Align policy decisions and enforcement points so access is continuously verified across the SASE stack.
Key terms
- Policy orchestration: Policy orchestration is the coordinated management of authorization rules across multiple systems so they produce one consistent access outcome. In SASE environments, it reduces drift between identity providers, policy engines, and enforcement points, which is where access decisions often become unreliable.
- Token enrichment: Token enrichment is the process of adding authorization context or entitlements to an access token after the identity has been verified. It helps downstream systems enforce narrower access, but it also makes the quality and freshness of upstream policy data security-critical.
- Policy drift: Policy drift is the gradual divergence between intended access policy and what enforcement systems actually apply. It often appears when teams manage overlapping rules in different tools, making the same identity receive different access depending on where the request is evaluated.
- Identity-aware access control: Identity-aware access control is a model in which access decisions depend on verified identity and contextual authorization, not just network location. In SASE, it links authentication, authorization, and enforcement so the security edge can make decisions aligned with policy intent.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by PlainID: Identity Security Challenges in SASE. Read the original.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org