One option would be to build a SCIM integration with SpiceDB that writes relationships based on claims (e.g. roles). You could have a much richer data model in SpiceDB and use those relationships as a bridge into that model, so that not everything has to be as coarse-grained as AD.