The Public Sector Case for Repatriating IAM in the Age of AI
Part 3: Government-scale stakes demand IAM that keeps pace with the AI multiplier
- In the government sector, identity is critical infrastructure, and IAM failures become public failures.
- Accountability is critical, which puts pressure on agencies to manage access and identity carefully and thoroughly, and to leave an unassailable paper trail.
- AI is a multiplier, raising the bar for proving chain of custody.
- A step-by-step approach to IAM repatriation returns control to the entities with a responsibility to operate and manage services on the strongest possible terms.
As I’ve admitted in past blogs, I was (for a while) firmly in the “buy, don’t build” camp when it came to Identity and Access Management (IAM). SaaS IAM promised speed, fewer operational headaches, and a cleaner path to modernization. As noted before, in plenty of commercial environments, that trade still makes sense.
But the public sector isn’t “plenty of environments.” It’s unique.
Part 1 exposed the uncomfortable truth that identity has become the control plane—not a login screen, not a directory, not a checkbox. It’s the decision engine driving almost everything that matters. And AI didn’t just raise the stakes; it changed the math, from simple addition to rapid multiplication. AI x Identity = more non-human identities, more authorization events, more burst traffic, more policy checks, and much, much more telemetry.
Part 2 of this series laid out the practical path forward, including a targeted approach to IAM repatriation focused on deterministic, survivable, and evidence-grade capabilities. This calculated repatriation doesn’t declare war on SaaS or cloud, but it does step up where they fall short.
Now we’ve arrived at Part 3, with a focus on the critical public sector. The thesis here is straightforward: Public sector leaders should take the identity warning even more seriously—because in government, identity isn’t just security infrastructure, it’s civic infrastructure with the possibility for geopolitical consequences.
Identity isn’t the “front door” anymore—it’s the operating system
In a public sector environment, the identity stack is stitched into everything:
- Citizen portals and benefits systems
- Licensing, permitting, and payments
- Public safety operations and emergency response tooling
- Workforce access across agencies, departments, and contractors
- Privileged administration of sensitive systems and data stores
When identity is healthy, nobody notices. When identity becomes slow, unreliable, or opaque, it doesn’t feel like “an IAM issue.” It feels like a government failure to deliver services.
And that’s the part CISOs, along with CIOs, agency heads, and oversight bodies, must internalize: IAM outages and IAM blind spots become public failures. Not abstract risk. Not internal friction. But tangible, trust-breaking, anger-provoking public impact.
Where IAM failures become public failures
Here are some real-life scenarios that spotlight the gravity of risk decisions:
Service delivery breaks first.
If token issuance slows, federation becomes intermittent, or authorization calls time out, downstream systems fail in an ugly cascade. Citizens don’t experience “degraded auth.” They experience a portal that is down, an application that won’t submit, a status that never updates, a payment that won’t process. These failures rupture critical trust.
Crisis operations follow.
During cyber events, natural disasters, and public safety surges, teams need controlled speed: fast access, fast privilege, fast response. If IAM is rate-limited or unavailable, the workflows these first responders depend on—incident access paths, emergency change, containment tooling—become brittle at exactly the wrong moment, and brittle becomes broken unless speed is restored.
Zero Trust becomes conditional.
Public sector organizations are steadily moving toward architectures where identity and policy evaluation sit at the center of segmentation and continuous authorization. When the identity control plane can’t keep up, teams get forced into bad choices: block mission execution, or relax controls “temporarily.” Temporary exceptions don’t stay temporary. Short-term bargains become long-term defects.
Workarounds spread.
Shared accounts. Over-broad service identities. Long-lived tokens. Bypass paths. These aren’t moral failures—they’re predictable human behavior under pressure. But they create governance and audit gaps that take years to unwind.
If your IAM control plane can be slowed by external throttles or fail in ways you can’t mitigate locally, that isn’t just “vendor risk.” In government, it’s continuity of operations risk—with accountability attached. Government’s “for the people” promise means that government failures feel like personal betrayals, and trust, once lost, may be lost forever.
Accountability isn’t a feature in government—it’s the product
In commercial environments, you might get away with “we believe X happened” while you investigate. In government, you’re often expected to prove the chain of events with defensible evidence—especially when sensitive data, citizen outcomes, or privileged operations are involved.
That proof typically requires three things:
Clear attribution. Who initiated the action? Under what authority? Through what approved workflow? That includes workforce identities, contractors, admins, and, increasingly, automation acting on behalf of humans.
Evidence integrity. Identity telemetry is often the most important investigative dataset you have. Oversight and auditors expect logs that are complete, consistent, and defensible—not sampled away, not delayed behind premium tiers, not fragmented across systems with mismatched semantics. When decisions are challenged, retention and integrity controls aren’t optional.
Explainable authorization. It’s no longer sufficient to log “allowed” or “denied.” We need to reconstruct why access was allowed: which policy was evaluated, which attributes mattered (role, context, device posture, network constraints, risk signals), which step-up checks occurred, and whether any exception paths were invoked.
When IAM is primarily an external service, parts of that evidentiary story can become harder to guarantee at the fidelity and timeliness public sector oversight expects. Repatriating core policy decisioning and telemetry helps us design the evidence model intentionally—aligned to mission, audit, and governance requirements rather than vendor defaults.
AI turns identity into a transaction system—and “who did what” gets complicated
AI is already showing up everywhere in public sector operations—from casework support, document triage, and fraud analysis, to citizen service bots, AI Ops for infrastructure, and workflow automation across agencies.
The obvious impact is volume, quantified in more non-human identities and authorization events than ever before. A single AI-assisted task can kick off dozens or even hundreds of backend calls demanding “read this record,” “update that workflow,” “create that ticket,” “fetch those documents,” or “initiate that approval.” These aren’t logins; they are continuous policy checks at machine speed.
This is where SaaS constraints can become structural. Rate limits become security limits, and event-driven pricing can quietly pressure organizations to reduce logging, weaken enforcement, or “opt out” of visibility. An entity as foundational as government can’t allow economics—or external throttles—to shape how effective their controls are.
Perhaps the hardest impact is on delegation and accountability.
AI introduces “on-behalf-of” chains wherein:
- a human initiates an intent
- an agent selects tools and plans actions
- systems execute data access and changes across domains
So the question becomes whether or not you can prove, end-to-end:
- who initiated the request
- what the agent was permitted to do
- what it actually did (every call, every access)
- what it attempted and was blocked from doing
- what approvals or step-up checks were triggered
AI raises the bar for proving chain of custody at the exact moment it increases volume. That’s exactly why I keep coming back to the same conclusion: Identity telemetry is security evidence, and evidence can’t be “best effort.”
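The evidentiary requirements from the accountability section (attribution, evidence integrity, explainable authorization) and the on-behalf-of questions just listed can be made concrete in code. What follows is an added example, not code from the original post or from any product: a hypothetical policy table, a hash-chained decision log, and a replay function that reconstructs, for one human intent, who initiated it, what the agent was permitted to do, what it actually did, what it was blocked from doing, and which step-up checks fired. POLICY, the identities, and the actions are constructed sample data.

```python
# Constructed example (not the post's code): an evidence-grade decision log
# for an AI "on-behalf-of" chain. POLICY, identities and actions are hypothetical.
import hashlib
import json
from dataclasses import dataclass

# Hypothetical policy: action -> (scope the agent must hold, whether a
# human step-up check must have succeeded first).
POLICY = {
    "read_record": ("records:read", False),
    "update_workflow": ("workflow:write", False),
    "initiate_approval": ("approvals:start", True),
    "export_records": ("records:export", True),
}

@dataclass
class Call:
    request_id: str          # ties every hop back to the human's original intent
    initiator: str           # human who started the task
    agent: str               # non-human identity acting on their behalf
    agent_scopes: frozenset  # what the agent was permitted to do
    action: str
    resource: str
    step_up_verified: bool = False

def canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

class DecisionLog:
    """Append-only, hash-chained log: editing or reordering any entry breaks verify()."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(record, prev_hash=prev, seq=len(self.entries))
        self.entries.append(dict(body, hash=hashlib.sha256(canonical(body)).hexdigest()))

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def decide(call, log):
    """Evaluate one call and log the decision together with why it was made."""
    rule = POLICY.get(call.action)
    decision, reasons = "deny", []
    if rule is None:
        reasons.append(f"no policy rule for action '{call.action}'")
    elif rule[0] not in call.agent_scopes:
        reasons.append(f"agent lacks scope '{rule[0]}'")
    elif rule[1] and not call.step_up_verified:
        reasons.append("step-up required but not verified")
    else:
        decision = "allow"
        reasons.append(f"rule '{call.action}' matched; scope '{rule[0]}' held")
        if rule[1]:
            reasons.append("step-up verified")
    log.append({
        "request_id": call.request_id,
        "on_behalf_of": [call.initiator, call.agent],  # delegation chain, in order
        "action": call.action, "resource": call.resource, "decision": decision,
        "attributes": {"scopes": sorted(call.agent_scopes), "step_up_verified": call.step_up_verified},
        "reasons": reasons,
    })
    return decision

def reconstruct(log, request_id):
    """Replay the end-to-end story for one human intent from the log alone."""
    hops = [e for e in log.entries if e["request_id"] == request_id]
    first = hops[0] if hops else {"on_behalf_of": [None, None], "attributes": {"scopes": []}}
    return {
        "initiator": first["on_behalf_of"][0],
        "agent": first["on_behalf_of"][1],
        "permitted_scopes": first["attributes"]["scopes"],
        "did": [(e["action"], e["resource"]) for e in hops if e["decision"] == "allow"],
        "blocked": [(e["action"], e["reasons"]) for e in hops if e["decision"] == "deny"],
        "step_ups": [e["action"] for e in hops if "step-up verified" in e["reasons"]],
    }

def run_demo():
    """Constructed scenario: a caseworker's intent carried out by a triage agent."""
    log = DecisionLog()
    base = dict(request_id="req-42", initiator="caseworker@agency.example", agent="triage-agent",
                agent_scopes=frozenset({"records:read", "workflow:write", "approvals:start"}))
    decide(Call(**base, action="read_record", resource="case/1001"), log)
    decide(Call(**base, action="update_workflow", resource="case/1001"), log)
    decide(Call(**base, action="initiate_approval", resource="case/1001"), log)  # no step-up yet
    decide(Call(**base, action="initiate_approval", resource="case/1001", step_up_verified=True), log)
    decide(Call(**base, action="export_records", resource="case/*"), log)  # outside agent scope
    return log, reconstruct(log, "req-42")
```

run_demo() returns the log and the reconstructed story for request req-42: three allowed calls, one denial for a missing step-up, one denial for an out-of-scope export, and one recorded step-up. log.verify() recomputes every hash, so an after-the-fact edit to any entry, or a dropped entry, shows up as a broken chain rather than a silent inconsistency. In a real deployment the chain head would be anchored somewhere the logging system itself cannot rewrite, such as a write-once store or a periodically signed checkpoint.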
What repatriation enables in the public sector
Repatriating key IAM capabilities is not nostalgia. It’s an engineering decision to restore determinism: deterministic enforcement, deterministic performance, and deterministic evidence quality.
Here’s what that looks like in practice:
Local survivability and predictable scaling. When policy decisioning and token validation happen close to workloads, services stay enforceable even if upstream dependencies wobble. That matters for citizen-facing continuity and for crisis operations. It also matters for AI burst patterns, where capacity planning becomes both your responsibility and your advantage.
Sovereign key custody with a smaller blast radius. Owning signing keys and high-assurance token paths improves incident-time control, with faster rotation, clearer separation of duties, and less shared-fate exposure for the workflows that matter most.
Forensic-grade telemetry by design. Repatriation makes it easier to guarantee full-fidelity logging, consistent retention, and integrity controls that stand up under scrutiny. That’s not just good security—it’s good governance.
First-class machine identity governance. AI-driven operations force maturity with short-lived credentials, tight scopes, clear ownership, automated revocation, and strong auditability for service identities and agents. These must be treated like privileged access, not plumbing.
This is the public sector version of the vision Part 2 laid out: Keep SaaS where it accelerates outcomes, but insulate the “must-not-fail” core from rate limits, opaque operations, and incentives that punish visibility.
A pragmatic path forward (without a big-bang migration)
Repatriation is a targeting exercise, not a religion.
Scrap black and white thinking and take a more nuanced and strategic approach. Start with the capabilities that sit on the critical path for mission delivery and accountability:
- Move authorization decisioning closer to the mission systems and APIs
- Treat machine identities and agents as privileged access—short-lived, scoped, owned, auditable
- Repatriate token services and key custody for high-assurance workflows
- Build the identity telemetry pipeline as evidence infrastructure—complete, correlated, protected, retained
Run it like a product, not a project. Focus on SLOs, load testing, redundancy, failure-mode drills, and clear operational ownership between security and platform engineering.
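As an added illustration of the first three items in the list above (decisioning close to the mission system, short-lived scoped machine credentials, and locally held token validation), here is a constructed example that is not code from the post or from any vendor: a policy decision point that validates tokens and evaluates policy from a locally cached bundle, keeps answering identically while the upstream policy service is unreachable, and fails closed once the cached bundle ages past a limit. The signing key, the token format (HMAC-signed JSON standing in for whatever signed token format you actually run), and the policy bundle are all hypothetical.

```python
# Constructed example (not the post's code): a locally survivable policy
# decision point. Tokens are HMAC-signed JSON as a stand-in for whatever signed
# token format you run; the key, the policy bundle and the timeline are all
# hypothetical and held locally so no decision depends on an upstream call.
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"stand-in-for-an-hsm-held-key"  # hypothetical; use HSM/KMS-backed keys in practice

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject, scopes, ttl_seconds, now):
    """Short-lived, tightly scoped credential for a service identity or agent."""
    claims = {"sub": subject, "scope": sorted(scopes), "iat": now, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return b64(payload) + "." + b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())

def verify_token(token, now):
    """Validate signature and expiry locally; return the claims or None."""
    try:
        p, s = token.split(".")
        payload, sig = unb64(p), unb64(s)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()):
        return None
    claims = json.loads(payload)
    return None if now >= claims["exp"] else claims

class LocalPDP:
    """Decides from a locally cached policy bundle. Upstream outages do not change
    answers; a bundle older than max_staleness makes the PDP fail closed."""
    def __init__(self, bundle, fetched_at, max_staleness):
        self.bundle, self.fetched_at, self.max_staleness = bundle, fetched_at, max_staleness

    def refresh(self, fetch_fn, now):
        """Try to pull a fresh bundle; keep serving the cached one if upstream is down."""
        try:
            self.bundle, self.fetched_at = fetch_fn(), now
            return True
        except ConnectionError:
            return False

    def decide(self, token, action, now):
        age = now - self.fetched_at
        if age > self.max_staleness:
            return "deny", f"bundle {age}s old exceeds {self.max_staleness}s; failing closed"
        claims = verify_token(token, now)
        if claims is None:
            return "deny", "token invalid or expired"
        needed = self.bundle.get(action)
        if needed is None:
            return "deny", f"no rule for '{action}'"
        if needed not in claims["scope"]:
            return "deny", f"'{claims['sub']}' lacks scope '{needed}'"
        return "allow", f"'{claims['sub']}' holds '{needed}' (bundle age {age}s)"

def run_demo():
    """Constructed timeline: upstream goes away, then the cached bundle ages out."""
    t0 = 1_700_000_000
    pdp = LocalPDP({"read_record": "records:read", "update_workflow": "workflow:write"},
                   fetched_at=t0, max_staleness=3600)
    token = mint_token("triage-agent", {"records:read"}, ttl_seconds=300, now=t0)

    def upstream_down():
        raise ConnectionError("policy service unreachable")

    results = {"online": pdp.decide(token, "read_record", t0 + 10)}
    results["refresh_ok"] = pdp.refresh(upstream_down, t0 + 30)
    results["cached"] = pdp.decide(token, "read_record", t0 + 60)
    results["out_of_scope"] = pdp.decide(token, "update_workflow", t0 + 60)
    results["expired"] = pdp.decide(token, "read_record", t0 + 301)
    # Forged escalation attempt: rewrite the claims but keep the old signature.
    p, s = token.split(".")
    claims = json.loads(unb64(p))
    claims["scope"].append("workflow:write")
    forged = b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()) + "." + s
    results["forged_scope"] = pdp.decide(forged, "update_workflow", t0 + 60)
    fresh = mint_token("triage-agent", {"records:read"}, ttl_seconds=300, now=t0 + 4000)
    results["stale_bundle"] = pdp.decide(fresh, "read_record", t0 + 4000)
    return results
```

run_demo() walks one timeline: a normal decision, a failed refresh that leaves the cached bundle in use, an out-of-scope call, an expired token, a forged scope escalation that fails signature verification, and finally a bundle that has aged past its limit and triggers fail-closed. max_staleness is a policy choice, the longest period you are willing to enforce with a possibly outdated bundle, and it is exactly the kind of parameter the failure-mode drills above should exercise.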
The big takeaway
In the public sector, IAM failures become public failures—and “we can’t prove it” is an unacceptable argument when citizen data, privileged operations, or policy decisions are impacted.
AI continues to accelerate both scale and the scrutiny each interaction involves: more identities, more actions, more automation, and a higher expectation that every high-impact decision can be traced end-to-end.
That’s why, as an architect, I’m making the case for repatriating IAM, with a renewed emphasis on capabilities that are resilient, scalable, and evidentiary. Cloud is not bad. SaaS is not broken. But in government, identity is critical infrastructure with potentially life-changing human impact, and that critical infrastructure needs to operate on the strongest terms that are best-prepared to protect citizens and earn trust.