Are we going to see a future where PI Trusts and PI Mappings merge?
I am all for using AD to authenticate and the PI Mapping to authorise, but I miss the authorisation being able to specify an application or even an IP range. You could use AD Software Distribution groups being members of specific AD groups used for PI Mapping authorisation but there will be occasions where end users have software installed outside of the SD groups. Also, imagine if you have a PI Administrators AD group with the relevant persons, then you grant them some form of elevated PI System privileges but you cannot restrict them to only using OSIsoft supplied applications such as PI-SMT, PI-ICU ... or vary their privilege based on the application they are connecting with.
What I had running through my mind was a PI Mapping being the parent to PI Trusts, so you first get authenticated via WIS with a default PI Identity but then conditionally get different PI Identities based on the connecting details from 0 to many PI Trusts (that are children of the PI Mapping).
Despite WIS I still see many fall-back to PI Trusts to restrict the connecting applications (outside of the PI License restrictions).