What are the three possible outcomes of the current generic security architecture that emphasizes users, application, and data

What are the three possible outcomes of the current generic security architecture that emphasizes users, application, and data. What are the shortcomings with these outcomes?