Untangling Policy and Access Management Complexity in SASE
One of the central promises of Secure Access Service Edge (SASE) is policy-driven control — consistent, context-aware access and security policies, applied seamlessly across users, devices, locations, and applications.
But many organisations quickly discover that implementing this vision is anything but simple.
As businesses adopt SASE, they’re often confronted with a tangled web of legacy access rules, fragmented identity systems, overlapping security policies, and inconsistently enforced governance. Far from delivering simplicity, policy and access management becomes one of the most challenging areas to unify.
For CIOs, CISOs, and Heads of Security or Infrastructure, understanding and addressing this challenge is key to delivering on the promise of SASE without undermining user experience, compliance, or operational agility.
Why Policy Management Is Harder Than It Looks
The idea of centralised, identity-driven policy is attractive — but real-world environments are rarely clean slates.
Common sources of complexity include:
- Multiple identity providers (IdPs) across regions, business units, or M&A activity
- Role-based access models that have grown organically and are inconsistently applied
- Different enforcement points for networking, security, remote access, and cloud apps
- Siloed tooling, each with its own policy language, logic, and lifecycle
- Shadow IT and exceptions, where access isn’t tracked or governed centrally
In short, most organisations manage policy like a patchwork quilt — stitched together over time, brittle in places, and difficult to scale or govern effectively.
Why This Matters in a SASE World
SASE introduces the opportunity — and the need — to rethink access control and policy enforcement. It shifts the model from:
| Traditional Model | SASE Model |
|---|---|
| Network-based access (IP, VLANs) | Identity-, context-, and risk-based access |
| Perimeter trust models | Zero Trust principles |
| Static rules per location/app | Dynamic, centralised policy enforcement |
| Distributed enforcement and control | Unified, cloud-native policy engines |
To realise this, however, organisations need to rationalise how policies are defined, applied, and maintained — which is often where complexity creeps in.
Where the Friction Shows Up
Poorly managed policy and access controls create friction for users, risk for the business, and inefficiency for operations. Typical symptoms include:
- Conflicting access rules that result in legitimate access being denied — or, worse, too broadly granted
- Manual exceptions and workarounds that become permanent
- Policy sprawl, where rules are duplicated across multiple systems (firewalls, proxies, ZTNA tools, SaaS apps)
- Difficulty auditing who has access to what, and why
- Compliance gaps, especially where cloud and on-premises access policies don’t align
This friction erodes trust in IT and makes SASE adoption appear more disruptive than beneficial.
From Fragmentation to Unification: Leadership Priorities
Resolving policy complexity is not just a technology project — it’s a governance and architecture challenge that requires strong cross-functional leadership.
Below are key actions leaders should take to untangle and modernise policy and access management in a SASE context.
1. Establish a Single Policy Framework
Develop a unified policy architecture that defines how access decisions are made, regardless of technology layer. This should include:
- Core principles (e.g. least privilege, Zero Trust)
- Common attributes (e.g. user identity, device posture, location, app sensitivity)
- Enforcement logic (e.g. allow, deny, step-up auth, isolate)
- Lifecycle rules (e.g. joiners, movers, leavers)
This policy model becomes the blueprint for tool integration and enforcement.
Leadership tip: Collaborate with HR, Legal, and Compliance teams to ensure policies align with regulatory and organisational norms.
2. Centralise Identity and Context
SASE relies on accurate identity and context — so fragmented or outdated identity systems will derail your efforts.
Steps to take:
- Consolidate IdPs where possible, or federate them under a unified layer
- Synchronise user roles and group memberships across systems
- Integrate device, location, and risk posture data into access decisions
- Use modern identity standards (SAML, OAuth, OpenID Connect) for consistent enforcement
Leadership tip: Treat identity as the control plane — not just an authentication method. It’s the foundation of trust in SASE.
3. Map and Rationalise Existing Access Policies
Before you can unify, you need visibility. Start by cataloguing:
- Current policies across firewalls, proxies, ZTNA, VPNs, SaaS apps, and IaaS
- Who owns and maintains them
- Where they overlap or contradict
- Where there are excessive exceptions
Look for patterns — such as overly broad access, duplicate rules, or “temporary” exceptions that have become permanent.
Leadership tip: Use this mapping to define target-state policies and identify areas for automation and standardisation.
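The mapping exercise above is easier to reason about once rules from every enforcement point are normalised into one schema and checked mechanically for the patterns listed. The following Python is an added example written for this article, not code from any SASE product: the rule schema, the seven-rule catalogue and the owner names are constructed, and the checks (duplicates across systems, allow/deny contradictions, wildcard allows, expired "temporary" exceptions, rules with no owner) are the ones the section calls out.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccessRule:
    """One access rule, normalised out of whichever enforcement point holds it."""
    source: str                      # enforcement point: firewall, proxy, ztna, vpn, saas:<app>
    subject: str                     # "user:<id>", "group:<name>" or "*" (any identity)
    resource: str                    # "app:<name>", "net:<cidr>" or "*" (anything)
    effect: str                      # "allow" or "deny"
    owner: Optional[str] = None      # accountable owner, not just the admin who created it
    expires: Optional[date] = None   # set on "temporary" exceptions


# Constructed sample catalogue (not real data): rules exported from several systems.
CATALOGUE = [
    AccessRule("firewall", "group:finance", "app:erp", "allow", owner="finance-it"),
    AccessRule("ztna", "group:finance", "app:erp", "allow", owner="finance-it"),
    AccessRule("proxy", "group:contractors", "app:erp", "deny", owner="secops"),
    AccessRule("saas:erp", "group:contractors", "app:erp", "allow"),
    AccessRule("vpn", "*", "net:10.0.0.0/8", "allow", owner="netops"),
    AccessRule("firewall", "user:alice", "app:hr-db", "allow", owner="hr",
               expires=date(2024, 1, 31)),
    AccessRule("ztna", "group:eng", "app:git", "allow", owner="platform"),
]


def find_duplicates(rules):
    """Same subject/resource/effect defined in more than one enforcement point (policy sprawl)."""
    sources = defaultdict(set)
    for r in rules:
        sources[(r.subject, r.resource, r.effect)].add(r.source)
    return {key: sorted(s) for key, s in sources.items() if len(s) > 1}


def find_contradictions(rules):
    """Same subject/resource with both an allow and a deny; the outcome depends on which
    system the request happens to hit first."""
    effects = defaultdict(set)
    for r in rules:
        effects[(r.subject, r.resource)].add(r.effect)
    return sorted(key for key, e in effects.items() if {"allow", "deny"} <= e)


def find_overly_broad(rules):
    """Allow rules with a wildcard subject or resource violate least privilege."""
    return [r for r in rules if r.effect == "allow" and "*" in (r.subject, r.resource)]


def find_stale_exceptions(rules, today):
    """Temporary exceptions whose expiry has passed but which are still in force."""
    return [r for r in rules if r.expires is not None and r.expires < today]


def find_unowned(rules):
    """Rules nobody is accountable for cannot be reviewed or retired."""
    return [r for r in rules if r.owner is None]


def rationalise(rules, today=None):
    """Build the mapping report that feeds target-state policy design."""
    today = today or date.today()
    return {
        "duplicates": find_duplicates(rules),
        "contradictions": find_contradictions(rules),
        "overly_broad": find_overly_broad(rules),
        "stale_exceptions": find_stale_exceptions(rules, today),
        "unowned": find_unowned(rules),
    }


if __name__ == "__main__":
    for finding, items in rationalise(CATALOGUE).items():
        print(f"{finding}: {items}")
```

On the constructed catalogue the report flags the finance ERP rule as duplicated between the firewall and the ZTNA broker, the contractor ERP rules as contradictory between proxy and SaaS app, the VPN rule as a wildcard allow, Alice's HR database exception as expired, and the SaaS-side contractor rule as unowned. Each finding maps to a decision the policy board has to make: collapse, resolve, narrow, retire, or assign.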
4. Automate Policy Enforcement Where Possible
Manual policy creation and updates introduce inconsistency and delay. SASE platforms often offer policy automation based on:
- Role and group membership
- Device compliance
- Risk score (based on behavioural analytics)
- Geolocation or network context
Automating enforcement reduces human error and accelerates incident response.
Leadership tip: Build guardrails that allow safe automation without losing necessary oversight.
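Sections 1 and 4 together describe a single policy model: common attributes (identity, device posture, location, app sensitivity), a fixed set of enforcement outcomes (allow, deny, step-up auth, isolate), and automated decisions driven by role, device compliance, risk score and geolocation. The Python below is an added example of such an evaluator, written for this article rather than taken from it or from any SASE platform. The entitlement table, the trusted-country list, the 0-100 risk scale and the 40/70 thresholds are all constructed assumptions; the structural point is that the engine is default-deny, that the context rules can only restrict what an entitlement already grants, and that every decision carries the name of the rule that produced it for the audit trail.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step-up-auth"
    ISOLATE = "isolate"  # e.g. route the session through remote browser isolation


@dataclass(frozen=True)
class AccessContext:
    """Common attributes every enforcement point is expected to supply."""
    user: str
    roles: FrozenSet[str]     # from the IdP / group sync
    device_compliant: bool    # device posture from the endpoint agent
    country: str              # location signal (ISO country code)
    app: str
    app_sensitivity: str      # "low" or "high", from the application inventory
    risk_score: int           # 0-100 behavioural-analytics score (hypothetical scale)


@dataclass(frozen=True)
class PolicyRule:
    name: str                                  # recorded as the reason in the audit log
    matches: Callable[[AccessContext], bool]
    decision: Decision


# Hypothetical entitlement table (app -> roles permitted); in practice synced from the IdP.
ENTITLEMENTS = {
    "erp": {"finance"},
    "wiki": {"finance", "eng", "contractor"},
    "hr-db": {"hr"},
}
TRUSTED_COUNTRIES = {"GB", "IE", "DE"}  # constructed example list

# Context rules are evaluated in order and the first match wins. Only restrictive
# outcomes live here, so a missing or mis-ordered rule can never grant more than
# the entitlement check already allows (the guardrail the section asks for).
CONTEXT_RULES = [
    PolicyRule("high-risk-session",
               lambda c: c.risk_score >= 70, Decision.DENY),
    PolicyRule("noncompliant-device-sensitive-app",
               lambda c: not c.device_compliant and c.app_sensitivity == "high", Decision.DENY),
    PolicyRule("noncompliant-device",
               lambda c: not c.device_compliant, Decision.ISOLATE),
    PolicyRule("elevated-risk",
               lambda c: c.risk_score >= 40, Decision.STEP_UP),
    PolicyRule("unexpected-location-sensitive-app",
               lambda c: c.app_sensitivity == "high" and c.country not in TRUSTED_COUNTRIES,
               Decision.STEP_UP),
]


def evaluate(ctx: AccessContext) -> Tuple[Decision, str]:
    """Return (decision, reason). Default deny: nothing is allowed without an entitlement."""
    if not ctx.roles & ENTITLEMENTS.get(ctx.app, set()):
        return Decision.DENY, "no-entitlement"
    for rule in CONTEXT_RULES:
        if rule.matches(ctx):
            return rule.decision, rule.name
    return Decision.ALLOW, "entitled-no-risk-signal"


def audit_line(ctx: AccessContext, decision: Decision, reason: str) -> str:
    """One line per decision, so 'who had access to what, and why' is answerable later."""
    return f"user={ctx.user} app={ctx.app} decision={decision.value} reason={reason}"


# Constructed requests covering each outcome.
SAMPLE_REQUESTS = [
    AccessContext("alice", frozenset({"finance"}), True, "GB", "erp", "high", 10),
    AccessContext("bob", frozenset({"eng"}), True, "GB", "erp", "high", 0),
    AccessContext("carol", frozenset({"finance"}), False, "GB", "erp", "high", 10),
    AccessContext("dave", frozenset({"eng"}), False, "GB", "wiki", "low", 10),
    AccessContext("eve", frozenset({"finance"}), True, "XX", "erp", "high", 10),
    AccessContext("grace", frozenset({"finance"}), True, "GB", "erp", "high", 90),
]

if __name__ == "__main__":
    for ctx in SAMPLE_REQUESTS:
        decision, reason = evaluate(ctx)
        print(audit_line(ctx, decision, reason))
```

Because the rule list is ordered and each rule is named, a change-control review of a policy change is a review of a small, readable diff, and the reason string in the audit line lets a reviewer trace any denied or stepped-up session back to the exact rule, which is what makes the "regularly audit entitlements and access paths" practice in section 5 tractable.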
5. Embed Governance and Lifecycle Management
Policy management isn’t “set and forget.” You need clear ownership, change control, and regular review.
Key governance practices include:
- Assigning policy owners (not just admins)
- Enforcing change control for critical access rules
- Regularly auditing entitlements and access paths
- Monitoring policy effectiveness and impact
Leadership tip: Create a central policy board or steering group that includes stakeholders from both IT and business units.
Signs of Progress
As your organisation matures in SASE policy and access management, you should see:
- Fewer policy silos and reduced duplication
- Faster time-to-access for new users and services
- Improved auditability and compliance posture
- Fewer exceptions and support tickets related to access
- More confident decision-making around risk-based access
Conclusion: Simplification Takes Strategy
Policy and access complexity is one of the most underestimated hurdles in the SASE journey. It’s not just about technology — it’s about people, processes, and control.
Leaders who succeed here do so by creating clear architectural principles, aligning identity and policy governance, and taking a structured, phased approach to unifying their access strategy.
SASE offers a powerful vision of consistent, context-aware access for the modern enterprise. But to get there, you’ll need to untangle the policy mess of the past — and build something more agile, secure, and manageable for the future.
If policy enforcement feels like the weakest link in your SASE journey, it might be time to stop adding tools — and start rethinking the architecture that connects them.