@SecurityWriter I think this is in large part a result of an unexpected change in threat models: if you assume every one of your peers is trusted design gets much easier. Then security comes by and tells you that your users are sometimes assholes and your B2B partners can get compromised and it changes the game. But your original plan wasn't wrong considering your original assumptions.