- ✓SSO + tenant-wide CA policy (Entra)
- ✓EDR + ASR rules in block mode (Defender)
- ✓Perimeter firewall + SSL-VPN (FortiGate)
- ✓Cloud config baselines (AWS Config)
- ·Attack-path stitching limited to single-vendor scope
- ·No config-audit depth on identity policies
- ·Config audit depth shallow on cloud IAM





