...
Identifying users could be as simple as having unique usernames tied to email addresses. Each resource provider should have a contact for security incidents recorded in a central place as well as the admin for each service. This could simply be a spreadsheet in a shared location.
[OS7]
The capability to enforce the implementation of the security policies, including an escalation procedure, and the powers to require actions as deemed necessary to protect resources from or contain the spread of an incident.
Enforcement may just be the ability to remove individuals and resource providers from the infrastructure for violating policies. Resource providers might locally still allow a user even if removed from the infrastructure.
An escalation procedure could simply be a chain of command to escalate noticed policy violations to senior levels of management with the authority to censure violators.
Emergency powers could simply be a way for incident response teams to disable accounts directly or remove authorizations for the infrastructure. Even if they cannot remove all access at a single resource provider, they should be able to remove users from centralized authentication, authorization and access control to control the spread of an instance. For example, they might revoke certificates for this and access from a user portal, while the individual resource providers retain control of local credentials to other services. Critically, an infrastructure should be able to contain a compromise to their infrastructure and from spreading to other infrastructures, .e.g, by revoking certificates or disabling accounts in their identity provider.
...
Some explanations from Dave Kelsey (my personal views - recalling the history)
...