It is too segmented, but that’s the point. Someone sold the concept of microsegmentation before I joined and here we are with pico segmentation.
My attempts to push back have been received with timid enthusiasm.
FMC/FTD does user policies with ISE. ASA has identity firewall with CDA but it’s been EOL’d.
I don’t believe OP said he had a proxy; he was asking how to accomplish this with AD and ISE for VPN users.
There are many ways to secure networks and many different technologies that can accomplish the same goals.