Tiered zones

Three zones, one rule: no path upward.

ADMIN, FABRIC and GREEN map onto Microsoft's Enterprise Access model. An asset's zone is the highest tier it can control — so a server's BMC lives with the identity it could seize.

ADMIN Tier 0 FABRIC · Tier 1 GREEN · Tier 2 admin only downward →
Tier 0 · most restricted

Admin

Identity and anything that can seize it.

  • Domain controllers & Entra admin roles
  • The iDRAC / BMC fleet
  • The credential vault
  • PAW-only · JIT · phishing-resistant
Tier 1 · infrastructure

Fabric

The control planes that run everything.

  • Hypervisor & cluster management
  • Kubernetes API & the public edge
  • Firewall & CDN administration
  • Administered only downward from Admin
Tier 2 · workloads

Green

Users, apps, and every AI agent.

  • User endpoints & devstations
  • Production app workloads
  • All AI / agent identities
  • No standing upward admin path

The clean-source rule

A higher zone is never administered from a lower one; credentials never flow downward. Admin is reached only from a dedicated Privileged Access Workstation, just-in-time, with a phishing-resistant key.

Give your AI zero standing privilege.

Request access