Exactly. We have application level authentication on top of various network level security policies. Karen from accounting can't even see servers that she doesn't need, and anything she does need has additional authentication requirements. Even if someone mistakenly gave her access to something at one of these layers, she would need that same mistake at multiple layers to actually get in.