A lot to think about. Thanks guys.
The customer already has a number of FPMI projects. They also have 1000's of employees. A/D is a must and I (nor my direct client) have any control over it. (I've being told the hybrid model was created at our request because of this 
)
Up till now we have being controlling permissions with a separate profile for each project. It was my intention to maintain that setup as the customer has procedures in place to deal with that setup. I could go the database route, but then I would have to create maintenance screens for the customer. Not a lot of extra work, but now the customer has two places to maintain user profiles. (unless I can modify an authentication profile from code 
)
It sound's like I'll have to do some database stuff regardless.
Customer's IT is complicating my security setup
Currently there are 4 regions. As the system grows, and depending on the granularity the customer wants, there can be upwards of 40. The only difference is security.
That's most likely what I'll do.
In the mean time I'll create some more feature requests 