Dynamic AD Security Roles

For completeness, here's what the client tags look like for anyone else needing to implement this in the future:

Each tag is simply an expression like hasRole('sg_Plant1_Supervisor')

Then in bindings for a simple permission, you only need to bind directly to the Vision client tag. For more complex bindings, you can use the tag/tags directly in expressions.

For an extra added bonus, in my case, I'm naming my default tag provider the same as the plant name being used by the company in all the security groups, so my expressions can be like this:

hasRole('sg_' + {[System]Client/System/DefaultTagProvider} + '_Supervisor')
