you wouldn't need to store a token at all; the issue with new enemy is about the contents of a resource; if there are no contents, there is no new enemy. Taking your team example, if a new team gets assigned to a department, its not an issue if they can't see the Department for a few seconds (no risk). Similarly, if they get removed from a department, they just had access 5s ago, so its not risky unless someone tries to open a specific, say, document, and at that point you'd use the document's ZedToken to verify access