TL;DR: A state government IT agency modernized identity for more than 145,000 users by extending RSA into a cloud-first Microsoft environment, adding phishing-resistant authentication, self-service, and help desk verification controls, according to RSA Security. The case shows that zero trust programs at public-sector scale depend on hybrid coverage, not cloud-only identity assumptions.
At a glance
What this is: A case study of state government identity modernization that extends authentication, self-service, and help desk verification across a large hybrid Microsoft environment.
Why it matters: Large IAM programmes must govern human access, NHI-adjacent operational workflows, and hybrid authentication paths without creating new support and compliance gaps.
By the numbers:
- The agency was generating roughly 2,500 help desk calls per month for identity-related requests.
👉 Read RSA Security's case study on modernizing identity at state government scale
Context
Large public-sector identity programmes fail when cloud controls, legacy authentication, and support workflows are treated as separate problems. In this case, the agency needed a way to modernize identity at scale across a Microsoft environment without breaking the assurance requirements tied to law enforcement, legacy applications, and on-premises systems.
The core issue is not simply authentication method choice. It is whether the identity platform can carry policy, auditability, and recovery processes across environments that do not share the same control plane, while still reducing help desk load and strengthening phishing resistance.
Key questions
A: They should preserve a single policy and audit model while extending authentication to the environments that Entra or similar cloud tools do not fully cover. That means supporting legacy protocols, higher-assurance workloads, and recovery processes without fragmenting governance. The goal is consistent control across the full estate, not a separate tool for every environment.
Q: Why does help desk identity verification belong in IAM governance?
A: Because support staff can become an attack path when recovery and reset workflows rely on weak proofing. If an attacker can socially engineer the help desk, they can often bypass stronger sign-in controls indirectly. IAM teams should govern support workflows as privileged identity processes, with the same scrutiny used for elevated access.
Q: What do teams get wrong about phishing-resistant MFA programmes?
A: They often focus on the factor type and ignore deployment coverage, recovery design, and operational consistency. A strong method that only works for part of the estate does not deliver a zero trust posture. Programmes should be judged by how broadly they can be applied and how well they survive support, legacy, and audit realities.
Q: How do you know if identity modernization is actually improving governance?
A: Look for fewer manual resets, better audit visibility, and a consistent authentication experience across cloud, hybrid, and on-premises systems. If reporting still depends on spreadsheets or if support remains a major trust boundary, governance has not materially improved. Real improvement shows up in evidence, not just in user-facing convenience.
Technical breakdown
Hybrid identity architecture across Microsoft and on-premises systems
A hybrid identity architecture extends policy across cloud and legacy environments without forcing every workload into one platform. In this case, SAML and OIDC were used to connect Microsoft Entra Identity with an external authentication layer, while RADIUS, LDAP, and legacy token estates remained in place. That matters because many public-sector and regulated environments cannot collapse everything into a single cloud-native control plane. The technical challenge is consistency: the same user must authenticate across Microsoft 365, on-premises applications, and higher-assurance environments without fragmenting policy or reporting.
Practical implication: map where your current IAM stack stops and where hybrid policy extension must take over.
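A way to make that boundary visible, as an added example rather than code from the case study or from RSA: the script below takes a constructed application inventory and one user's enrolled methods, assigns each application to the control plane its protocol lands on (SAML/OIDC federated to the cloud IdP, RADIUS/LDAP served by the external layer, anything else uncovered), and records where policy cannot be satisfied. The protocol-to-method table, the phishing-resistant classification and every application and method name are assumptions for the example.

```python
from dataclasses import dataclass

# Which control plane fronts which protocol. Assumed split for this example: the cloud
# IdP (Microsoft Entra, federated over SAML/OIDC) handles cloud-native apps, while the
# external authentication layer serves RADIUS and LDAP and owns the legacy token estate.
CLOUD_FEDERATED = {"SAML", "OIDC"}
HYBRID_EXTENSION = {"RADIUS", "LDAP"}

# Methods treated as phishing-resistant: verifier-bound cryptographic authenticators,
# in the sense of NIST SP 800-63B. Push, QR and OTP tokens are not.
PHISHING_RESISTANT = {"fido2", "fips_hardware"}

# Assumption: a RADIUS or LDAP hop only carries a password/OTP-style credential, so a
# FIDO2 assertion cannot be presented through it; federated protocols can carry any method.
FEDERATED_METHODS = {"fido2", "fips_hardware", "biometric", "push", "qr",
                     "otp_hardware", "otp_software"}
PROTOCOL_METHODS = {
    "SAML": FEDERATED_METHODS,
    "OIDC": FEDERATED_METHODS,
    "RADIUS": {"otp_hardware", "otp_software"},
    "LDAP": {"otp_hardware", "otp_software"},
}


@dataclass(frozen=True)
class App:
    name: str
    protocol: str
    phishing_resistant_required: bool


def classify_path(protocol: str) -> str:
    """Name the control plane an application's protocol lands on, or 'uncovered'."""
    if protocol in CLOUD_FEDERATED:
        return "cloud-federated"
    if protocol in HYBRID_EXTENSION:
        return "hybrid-extension"
    return "uncovered"


def assess(apps, enrolled_methods):
    """Return {app name: (path, [gap descriptions])} for one user's enrolled methods.

    A gap is recorded when the protocol sits outside both control planes, when none
    of the user's methods can be presented over that protocol, or when the app needs
    phishing resistance that the user (or the protocol itself) cannot provide."""
    report = {}
    for app in apps:
        path = classify_path(app.protocol)
        gaps = []
        if path == "uncovered":
            gaps.append(f"{app.protocol} is outside both control planes")
        else:
            usable = enrolled_methods & PROTOCOL_METHODS[app.protocol]
            if not usable:
                gaps.append(f"no enrolled method can be presented over {app.protocol}")
            elif app.phishing_resistant_required and not (usable & PHISHING_RESISTANT):
                if PROTOCOL_METHODS[app.protocol] & PHISHING_RESISTANT:
                    gaps.append("phishing-resistant method required but none enrolled")
                else:
                    gaps.append(f"{app.protocol} cannot carry a phishing-resistant authenticator")
        report[app.name] = (path, gaps)
    return report


def count_gaps(report) -> int:
    """Number of applications with at least one gap: the figure to know before migration."""
    return sum(1 for _, gaps in report.values() if gaps)


# Constructed inventory and user profile for the example.
SAMPLE_APPS = [
    App("m365", "OIDC", False),
    App("records-portal", "SAML", True),
    App("vpn-gateway", "RADIUS", True),
    App("hr-legacy", "LDAP", False),
    App("mainframe-tn3270", "Kerberos", False),
]
SAMPLE_USER_METHODS = {"push", "otp_hardware"}

if __name__ == "__main__":
    result = assess(SAMPLE_APPS, SAMPLE_USER_METHODS)
    for name, (path, gaps) in result.items():
        print(f"{name:18} {path:17} {'; '.join(gaps) or 'ok'}")
    print(f"{count_gaps(result)} of {len(SAMPLE_APPS)} applications have a policy gap")
```

The two different gap messages for the records portal and the VPN gateway are the point: one is fixed by enrolling the user in a stronger method, the other only by changing the authentication path, which is the distinction a migration plan has to make explicit.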
Phishing-resistant MFA and passwordless authentication
Phishing-resistant authentication removes the reliance on reusable secrets that attackers can replay, intercept, or socially engineer out of users. The article describes a mix of push, biometrics, QR codes, FIDO2, and FIPS-certified hardware authenticators. That is important because zero trust only works when stronger authentication is available across the full user base, not just for cloud-native applications. The mechanism here is not one factor replacing another in isolation. It is a layered authentication estate that can satisfy different assurance levels while preserving existing token investment and supportability.
Practical implication: treat passwordless as a programme with tiered assurance paths, not a single product swap.
Help desk identity assurance and self-service recovery
Help desk workflows are often the weakest identity control in large organisations because support staff become a proxy trust boundary. RSA Help Desk Live Verify replaces knowledge-based verification and ad hoc identity checks with bi-directional passwordless assurance. That closes a common social engineering path: attackers call support, impersonate a user, and reset credentials or change access. The self-service layer also shifts routine credential enrollment and recovery away from manual intervention, which reduces operational load while removing a high-friction attack surface.
Practical implication: redesign recovery and reset workflows as security controls, not just service desk processes.
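The shape of a bi-directional verification step, as an added example that is not RSA's Help Desk Live Verify implementation and not code from the case study: the help desk issues a challenge bound to the ticket, the user and the agent handling it; the user's enrolled authenticator signs that challenge, and the user's device shows which agent asked, so the user confirms the agent as well as the other way round. A per-user HMAC key stands in for the authenticator's key pair, and every ticket, user and agent identifier is constructed; the registry, verifier and device functions are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import time


def canonical(challenge: dict) -> bytes:
    """Deterministic encoding so both sides sign exactly the same bytes."""
    return json.dumps(challenge, sort_keys=True).encode()


def sign(key: bytes, challenge: dict) -> str:
    return hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Enrolment-time registry of user -> authenticator key.

    Assumption: a real deployment would hold a public key from a FIDO2 or hardware
    authenticator; a per-user HMAC key is used here only to keep the example offline."""

    def __init__(self):
        self._keys = {}

    def enroll(self, user: str, key: bytes):
        self._keys[user] = key

    def key_for(self, user: str) -> bytes:
        return self._keys[user]


class HelpDeskVerifier:
    """Help desk side: issues a challenge bound to ticket, user and agent, then checks
    the signed reply before any reset is allowed. Each challenge is single-use and
    time-limited, so a captured reply cannot be reused against a later ticket."""

    def __init__(self, registry, ttl_seconds=120, clock=time.time):
        self.registry = registry
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # nonce -> challenge awaiting a reply

    def issue_challenge(self, ticket_id: str, user: str, agent_id: str) -> dict:
        nonce = os.urandom(16).hex()
        challenge = {"ticket": ticket_id, "user": user, "agent": agent_id,
                     "nonce": nonce, "expires": self.clock() + self.ttl}
        self._pending[nonce] = challenge
        return challenge

    def verify(self, response: dict):
        """Return (ok, reason). Only ok=True should unlock the reset workflow."""
        challenge = self._pending.get(response.get("nonce"))
        if challenge is None:
            return False, "unknown or already consumed challenge"
        if self.clock() > challenge["expires"]:
            del self._pending[challenge["nonce"]]
            return False, "expired"
        if response.get("ticket") != challenge["ticket"]:
            return False, "ticket mismatch"
        expected = sign(self.registry.key_for(challenge["user"]), challenge)
        if not hmac.compare_digest(expected, response.get("signature", "")):
            return False, "bad signature"
        del self._pending[challenge["nonce"]]  # single use
        return True, "verified"


def user_device_respond(key: bytes, challenge: dict, agent_on_the_phone: str):
    """User side. The device shows which agent issued the challenge; the user approves
    only if it matches the agent they are actually talking to, which is the second
    direction of the bi-directional check. Returns None if the user declines."""
    if challenge["agent"] != agent_on_the_phone:
        return None
    return {"ticket": challenge["ticket"], "nonce": challenge["nonce"],
            "signature": sign(key, challenge)}


def run_demo() -> dict:
    """Happy path, then a replayed reply, a wrong-agent prompt, an expired challenge
    and a reply produced without the enrolled key. Uses a controllable clock."""
    now = [1_000.0]
    registry = DeviceRegistry()
    registry.enroll("alice", os.urandom(32))  # constructed enrolment
    verifier = HelpDeskVerifier(registry, ttl_seconds=60, clock=lambda: now[0])
    key = registry.key_for("alice")
    outcomes = {}

    ch = verifier.issue_challenge("TKT-1001", "alice", "agent-7")
    reply = user_device_respond(key, ch, "agent-7")
    outcomes["valid"] = verifier.verify(reply)
    outcomes["replay"] = verifier.verify(reply)

    ch2 = verifier.issue_challenge("TKT-1002", "alice", "agent-7")
    outcomes["wrong_agent"] = user_device_respond(key, ch2, "agent-9")  # user declines

    ch3 = verifier.issue_challenge("TKT-1003", "alice", "agent-7")
    reply3 = user_device_respond(key, ch3, "agent-7")
    now[0] += 61
    outcomes["expired"] = verifier.verify(reply3)

    ch4 = verifier.issue_challenge("TKT-1004", "alice", "agent-7")
    outcomes["forged"] = verifier.verify(user_device_respond(b"not-the-key", ch4, "agent-7"))
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:12} {outcome}")
```

Compared with knowledge-based questions, nothing the agent learns on the call lets them pass this check on the user's behalf, and nothing the user says on the call lets a caller pass it without the enrolled authenticator.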
NHI Mgmt Group analysis
Hybrid identity is now a governance problem, not just an integration problem. The article shows that the agency could not rely on a cloud-only or on-prem-only model because different assurance requirements existed in parallel. That is a classic identity governance split: policy consistency, auditability, and recovery need to follow the user across domains. Practitioners should treat hybrid coverage as a control objective, not a migration phase.
Help desk recovery remains one of the most exploitable identity paths in large enterprises. The post correctly treats support workflows as part of the authentication surface, not an operational afterthought. When a user can be socially engineered into a reset or recovery event, MFA alone does not close the loop. Identity programmes should govern recovery as a privileged workflow with explicit assurance steps, not a convenience function.
Phishing resistance only matters if it is deployable across the full estate. The agency needed stronger methods for cloud, legacy, RADIUS-connected, and high-assurance environments at the same time. That is the practical reality for many identity teams: zero trust language is easy, but the control has to survive heterogeneity. The implication is that programme design must assume mixed assurance tiers, not a uniform endpoint.
Unified reporting is the difference between identity administration and identity governance. Manual spreadsheets cannot support audit, lifecycle tracking, or operational assurance at this scale. The move to automated reporting and real-time visibility shows that governance depends on evidence, not intent. For practitioners, the lesson is that authentication modernization must include lifecycle telemetry and audit artefacts from day one.
NHI-style lifecycle discipline is increasingly relevant to human identity operations too. Token estates, self-service enrollment, and recovery workflows behave like governed identity assets that need inventory, lifecycle status, and revocation logic. The same discipline used for non-human identities applies when humans rely on hardware authenticators and managed recovery paths. Practitioners should think in terms of managed identity assets, not just user accounts.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity programmes still fail when governance depends on incomplete inventories.
- For a deeper lifecycle lens, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to be managed as one control chain.
What this signals
Identity modernization will increasingly be judged by operational evidence, not architecture diagrams. The agencies that succeed will be the ones that can show real-time auditability, lower recovery friction, and consistent policy enforcement across cloud and legacy systems. That is where identity governance becomes measurable rather than aspirational.
With 97% of NHIs carrying excessive privileges, according to Ultimate Guide to NHIs, the same logic applies to human support workflows that have grown into de facto privileged paths. If recovery is not designed as a governed control, it will keep expanding the attack surface.
Help desk redesign is now a Zero Trust issue, not a service management issue. Programmes that keep relying on knowledge-based verification and manual exception handling will struggle to prove assurance at scale. Teams should be preparing for identity operations where recovery, proofing, and audit evidence are all machine-verifiable.
For practitioners
- Map the hybrid control boundary: Document which applications, authentication methods, and recovery workflows sit outside your cloud IAM control plane. Include RADIUS, legacy apps, and high-assurance environments so policy gaps are visible before migration decisions are made.
- Treat help desk recovery as a privileged workflow: Require stronger identity assurance for resets, enrollment, and account recovery than for routine sign-in. Remove knowledge-based verification where possible and define explicit approval and proofing steps for support staff.
- Preserve existing tokens while adding phishing resistance: Plan a transition path that keeps hardware and software tokens working while introducing FIDO2, biometrics, QR, and passwordless options. This reduces disruption and avoids forcing a hard cutover that can stall adoption.
- Automate audit evidence for authentication and lifecycle events: Replace spreadsheet reporting with real-time telemetry for token lifecycle status, authentication events, and user activity. That evidence should be usable for audit, incident review, and compliance reporting without manual reconciliation.
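What automated audit evidence looks like once lifecycle telemetry exists, as an added example that is not the agency's reporting or RSA's product output: a few constructed JSON-lines events (enrolment, authentication, help desk verification, reset, offboarding) are reduced to the three findings an auditor or incident reviewer would ask for first, namely resets that were not preceded by a successful verification, tokens that have gone unused past a staleness threshold, and tokens still active for offboarded users. The event types, field names, window sizes and every user and token identifier are assumptions for the example; this also serves the lifecycle-discipline point made in the analysis above, since the same evidence drives revocation.

```python
import json
from datetime import datetime, timedelta

# Constructed telemetry in JSON-lines form. The event types and field names are
# assumptions for this example, not the agency's or RSA's schema.
SAMPLE_EVENTS = """
{"ts": "2026-01-05T09:00:00", "type": "token_enroll", "user": "alice", "token": "tok-a1", "method": "fido2"}
{"ts": "2026-03-01T08:15:00", "type": "auth_success", "user": "alice", "token": "tok-a1"}
{"ts": "2026-03-02T10:00:00", "type": "helpdesk_verify", "user": "bob", "agent": "agent-7", "result": "verified"}
{"ts": "2026-03-02T10:05:00", "type": "credential_reset", "user": "bob", "agent": "agent-7"}
{"ts": "2026-03-03T09:00:00", "type": "credential_reset", "user": "carol", "agent": "agent-2"}
{"ts": "2026-03-03T11:00:00", "type": "helpdesk_verify", "user": "eve", "agent": "agent-2", "result": "failed"}
{"ts": "2026-03-03T11:03:00", "type": "credential_reset", "user": "eve", "agent": "agent-2"}
{"ts": "2025-11-01T09:00:00", "type": "token_enroll", "user": "dave", "token": "tok-d1", "method": "otp_hardware"}
{"ts": "2025-11-02T09:00:00", "type": "auth_success", "user": "dave", "token": "tok-d1"}
{"ts": "2026-02-20T17:00:00", "type": "user_offboard", "user": "dave"}
"""


def parse_events(text: str):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def audit(events, now: datetime, stale_days: int = 90,
          verify_window: timedelta = timedelta(minutes=15)) -> dict:
    """Derive audit findings from lifecycle telemetry.

    unverified_resets: resets with no successful, not-yet-consumed help desk
        verification for the same user within verify_window beforehand.
    stale_tokens: enrolled, unrevoked tokens with no successful authentication
        in the last stale_days.
    offboarded_with_active_tokens: tokens still unrevoked after their owner's offboarding.
    """
    verified_at = {}   # user -> timestamp of an unconsumed successful verification
    enrolled = {}      # token -> owner
    last_auth = {}     # token -> last successful authentication
    revoked = set()
    offboarded = set()
    unverified_resets = []

    for e in events:
        kind = e["type"]
        if kind == "helpdesk_verify" and e.get("result") == "verified":
            verified_at[e["user"]] = e["ts"]
        elif kind == "credential_reset":
            seen = verified_at.pop(e["user"], None)  # one verification covers one reset
            if seen is None or e["ts"] - seen > verify_window:
                unverified_resets.append(e["user"])
        elif kind == "token_enroll":
            enrolled[e["token"]] = e["user"]
        elif kind == "auth_success":
            last_auth[e["token"]] = e["ts"]
        elif kind == "token_revoke":
            revoked.add(e["token"])
        elif kind == "user_offboard":
            offboarded.add(e["user"])

    cutoff = now - timedelta(days=stale_days)
    stale = sorted(tok for tok in enrolled
                   if tok not in revoked and last_auth.get(tok, datetime.min) < cutoff)
    orphaned = sorted((owner, tok) for tok, owner in enrolled.items()
                      if owner in offboarded and tok not in revoked)
    return {"unverified_resets": unverified_resets,
            "stale_tokens": stale,
            "offboarded_with_active_tokens": orphaned}


def run_sample(now_iso: str = "2026-03-05T00:00:00") -> dict:
    """Run the audit over the constructed events as of a fixed reporting time."""
    return audit(parse_events(SAMPLE_EVENTS), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for finding, items in run_sample().items():
        print(f"{finding}: {items}")
```

A reset that follows a failed verification is reported exactly like one with no verification at all, and a verification is consumed by the first reset it covers, so a single successful check cannot be stretched across several later resets.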
Key takeaways
- This case shows that identity modernization succeeds when hybrid control, support workflows, and audit evidence are designed together.
- The scale of the environment, with 145,000 users and thousands of monthly identity calls, shows why manual governance does not hold up.
- Practitioners should treat recovery, verification, and reporting as core IAM controls, not secondary service functions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Hybrid authentication policy and assurance align with access control governance. |
| NIST SP 800-63 | AAL2 | Phishing-resistant MFA and stronger authenticators map to assurance requirements. |
| NIST Zero Trust (SP 800-207) | | The article centers on extending zero trust to legacy and hybrid identity paths. Define consistent access rules across cloud, on-premises, and support workflows. |
Key terms
- Hybrid Identity Architecture: An identity model that spans cloud services, on-premises systems, and legacy protocols under a shared control approach. It keeps policy, assurance, and reporting aligned even when applications cannot all move to one platform. In practice, this reduces fragmentation while preserving operational continuity.
- Phishing-resistant Authentication: Authentication methods that are designed to resist interception, replay, and social engineering, such as FIDO2 hardware, biometrics, and some passwordless flows. These controls reduce dependence on reusable secrets and raise the bar for account takeover, especially when combined with strong recovery governance.
- Help Desk Verification: The identity checks used by support teams before they reset credentials, enroll authenticators, or grant recovery access. When these checks rely on knowledge-based questions or informal processes, they become a high-risk trust boundary. Strong verification treats support as part of the security programme, not a separate service function.
- Identity Lifecycle Telemetry: Operational evidence showing how identities, authenticators, tokens, and recovery events move through enrollment, use, reporting, and revocation. It gives governance teams a way to prove control effectiveness instead of relying on manual spreadsheets or after-the-fact reconciliations.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or IAM programme maturity, it is worth exploring.
This post draws on content published by RSA Security: Modernizing Identity at Scale. Read the original.
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org