Novel network design: secure network within an overlay network

I thought to ask how to go about the following… or if it's even possible

I want to segment users in a network… not just by services… but certificate authority.

In essence, one part of the network will require special access that others do not… that allows the data to be encrypted… making it impossible to view… even if they were able to access a service

Hopefully this makes sense… and thought to see how wild the possibilities can be taken