sign-on, transaction, resource, command, and surrogate security are complementary layers, not alternatives. Implementing only one leaves gaps.