Have to wonder how these notifications are available to these unauthorised users? It's similar in some respects to telling someone your username and password to any other application: they can then ‘be you’.
Having said that, you could perhaps look at covering this by using the special field properties (/Documentation/manual/html/special_fields__properties.htm) and, on the ‘form is opened’, write to a (hidden) field the special ‘user-domainusername’.
If the forms are accessed via the SSO gateway, then this field will only populate if a PerfectForms user is accessing the form, and as you’ve seen already these users will not be able to masquerade as the actual user. Where the field is not populated (i.e. you can then add in a validation control to check if this field is ‘empty’), you can look at either setting all the fields to readonly or disabled, or presenting a message to the user that they are not authorised.