This control plane turns Conditional Access snapshots into one identity-governance surface: report-only admin policies, exclusion sprawl, device-trust gaps, missing sign-in risk coverage, weak session controls, and the remediation packets needed before audit or incident windows drift.
| Policy lane | Owner | Status | Related findings | Focus | Next action |
|---|---|---|---|---|---|
| Privileged admin lane: privileged protections drifted into report-only mode with exclusion sprawl. | Entra IAM | red | 2 | Admin policies, exclusions, and role-sensitive sign-in controls | Restore admin enforcement and cut the exclusion list back to monitored emergency accounts. |
| Device trust lane: macOS browser traffic is bypassing the expected device-trust gate. | Endpoint Engineering | red | 1 | Compliant-device enforcement and unmanaged endpoint containment | Reattach compliant-device logic and verify browser policy targeting. |
| Risk and session lane: risk and session controls are partially missing in the current policy bundle. | Identity Protection | yellow | 3 | Sign-in risk coverage, session control, and containment posture | Reintroduce risk enforcement and session restrictions before the next audit window. |
| App targeting lane: new business apps are arriving faster than the baseline policy set covers them. | Application Access | yellow | 4 | Critical SaaS targeting and rollout completeness | Add uncovered apps to workforce coverage and confirm scope inheritance. |
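The drift classes behind the red and yellow lanes above can be detected directly from an exported policy snapshot. The checker below is an added example, not the control plane's own code: it reads a list of policies in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions`, `grantControls`, `sessionControls`) and flags admin policies stuck in report-only mode, exclusion lists past an assumed ceiling, a compliant-device gate that does not reach macOS browser sessions, absent sign-in risk enforcement, and absent sign-in frequency controls. The snapshot embedded in the block is constructed for illustration, and the exclusion threshold of two break-glass accounts is an assumption, not a figure from the page.

```python
"""Flag Conditional Access drift from an exported policy snapshot (added example)."""
from __future__ import annotations

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only
MAX_EXCLUSIONS = 2  # assumed ceiling: a break-glass pair; anything beyond is sprawl


def _users(p: dict) -> dict:
    return p.get("conditions", {}).get("users", {})


def _enabled(p: dict) -> bool:
    return p.get("state") == "enabled"


def _builtin(p: dict) -> set[str]:
    return set((p.get("grantControls") or {}).get("builtInControls", []))


def admin_policies_in_report_only(policies: list[dict]) -> list[str]:
    """Policies scoped to directory roles whose state is report-only, i.e. not enforced."""
    return [p["displayName"] for p in policies
            if _users(p).get("includeRoles") and p.get("state") == REPORT_ONLY]


def exclusion_sprawl(policies: list[dict], limit: int = MAX_EXCLUSIONS) -> dict[str, int]:
    """Policies whose excluded users plus excluded groups exceed the assumed ceiling."""
    out = {}
    for p in policies:
        u = _users(p)
        n = len(u.get("excludeUsers", [])) + len(u.get("excludeGroups", []))
        if n > limit:
            out[p["displayName"]] = n
    return out


def macos_browser_device_gap(policies: list[dict]) -> bool:
    """True when no enforced policy requires a compliant device for macOS browser sessions.

    An unset platforms or clientAppTypes condition applies to all platforms / client apps.
    """
    for p in policies:
        if not _enabled(p) or "compliantDevice" not in _builtin(p):
            continue
        c = p.get("conditions", {})
        plats = c.get("platforms") or {}
        inc = set(plats.get("includePlatforms", [])) or {"all"}
        exc = set(plats.get("excludePlatforms", []))
        covers_mac = bool(inc & {"all", "macOS"}) and "macOS" not in exc
        apps = set(c.get("clientAppTypes", [])) or {"all"}
        covers_browser = bool(apps & {"all", "browser"})
        if covers_mac and covers_browser:
            return False
    return True


def sign_in_risk_uncovered(policies: list[dict]) -> bool:
    """True when no enabled policy conditions on signInRiskLevels."""
    return not any(_enabled(p) and p.get("conditions", {}).get("signInRiskLevels")
                   for p in policies)


def session_controls_missing(policies: list[dict]) -> bool:
    """True when no enabled policy turns on a sign-in frequency session control."""
    for p in policies:
        sf = (p.get("sessionControls") or {}).get("signInFrequency") or {}
        if _enabled(p) and sf.get("isEnabled"):
            return False
    return True


def assess(policies: list[dict]) -> dict:
    return {
        "admin_report_only": admin_policies_in_report_only(policies),
        "exclusion_sprawl": exclusion_sprawl(policies),
        "macos_browser_device_gap": macos_browser_device_gap(policies),
        "sign_in_risk_uncovered": sign_in_risk_uncovered(policies),
        "session_controls_missing": session_controls_missing(policies),
    }


# Constructed snapshot: three policies that reproduce the red and yellow lanes.
# The includeRoles GUID is the Global Administrator role template id.
SNAPSHOT = [
    {   # admin MFA policy drifted to report-only, exclusion list grown past break-glass
        "displayName": "CA001-Admins-RequireMFA",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                      "excludeUsers": ["breakglass1", "breakglass2", "svc-legacy", "vendor-admin"],
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # compliant-device gate that excludes macOS, so Mac browser traffic bypasses it
        "displayName": "CA010-Workforce-CompliantDevice",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass1"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["macOS"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {   # risk policy present but disabled: no live sign-in risk coverage
        "displayName": "CA020-SignInRisk-Block",
        "state": "disabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "signInRiskLevels": ["high", "medium"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    for finding, value in assess(SNAPSHOT).items():
        print(f"{finding}: {value}")
```

Each finding maps to a lane in the table: `admin_report_only` and `exclusion_sprawl` feed the privileged admin lane, `macos_browser_device_gap` the device trust lane, and the two remaining booleans the risk and session lane. Remediation is verified by re-running `assess` on the post-change snapshot: dropping `macOS` from `excludePlatforms` in CA010 closes the device gap, and switching CA020 to `enabled` clears the risk finding.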