SSO risks: single credential compromise = access to all connected apps ("blast radius"), IdP availability = availability for all services, weak IdP authentication undermines all services.
SSO with weak MFA is dangerous. SSO with phishing-resistant MFA (FIDO2) is excellent. Plan for IdP unavailability. Monitor for unusual SSO patterns (accessing many apps quickly). Break-glass accounts bypass SSO for emergency access.