add new SSO stuff

aws/whats-new/architecture/README.md

@@ -1,11 +1,23 @@
 # What's New with our AWS Architecture
 
+## 2026-01-16: Updates to Identity Center Permission set and centralizign of policies
+
+Because we have multiple organizations, and we implement the same permissionsets with the same associated AWS policies and inline policies, we have been
+needing to make changes in three places.  We have begun the process to establish a structure for centralizing the associated permissions so we change in
+one place (but apply in three).  In addition, we have developed a script to make creation of new groups which are associated to the System Common (`sc-` permissionsets)
+simpler.  Here is the documentation for creating the [SSO Groups](https://github.e.it.census.gov/terraform/support/blob/master/docs/how-to/aws-sso/create-sso-group.md)
+along with the new [script](https://github.e.it.census.gov/terraform/support/tree/master/local-app/python-tools/sso-tools/sso-create-sc-group).  This will be
+firmed up shortly.
+
+We started with the normalization of the Service Catalog permissionsets, turning them into `sc-servicecatalog-tN` for N of 1,2,3.  We'll then use this new
+strructure to create groups limited to specific accounts or OUs and users for use within those accounts.
+
 ## 2026-01-07: SCP to restrict access to permitted Bedrock models only
 
 We have implemented a service control policy in lab-gov and ent-ew to restrict access to only the permitted Bedrock models.
 More details on the models and this change [here](https://github.e.it.census.gov/terraform/cloud-information/blob/master/aws/documentation/services/bedrock/scp.md),
 and Bedrock [here](https://github.e.it.census.gov/terraform/cloud-information/blob/master/aws/documentation/services/bedrock/).  It is expected
-this change to be applied to ent-gov shortly afterwards.
+this change to be applied to ent-gov once we have completed the CRQ process.
 
 ## 2026-01-02: Stop all non-organization CloudTrail