Because they only address the first trust decision at sign-in. Zero Trust also requires entitlement control, device trust, privilege restriction, and ongoing visibility, otherwise a successful login can still lead to excessive access and weak accountability.
Why This Matters for Security Teams
MFA and conditional access are often treated as the finish line, but they only confirm that a session began under acceptable conditions. Zero Trust is broader: it assumes every request, entitlement, and action must be evaluated continuously, especially when service accounts, API keys, and automation are involved. The NHI Management Group's Ultimate Guide to NHIs reports that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
That matters because the biggest failures usually happen after sign-in, not during it. A user or workload can pass MFA and still inherit broad entitlements, reuse stale sessions, or move laterally through connected systems if privilege and device posture are not rechecked. The Zero Trust model described in NIST SP 800-207 Zero Trust Architecture requires explicit verification of every access decision, not just an authenticated front door. In practice, many security teams discover this gap only after a valid login has already been used to access far more than intended, rather than through intentional Zero Trust design.
How It Works in Practice
Proper Zero Trust breaks access into multiple control points. MFA reduces the risk of account takeover at authentication time, while conditional access adds policy checks such as device compliance, location, or risk signals. But that still leaves entitlement scope, session duration, and downstream privilege untouched unless the organisation also governs authorisation continuously. For agentic and non-human workloads, the problem is sharper because credentials are often embedded in automation, reused across pipelines, and granted more broadly than any human user would need. The OWASP Non-Human Identity Top 10 and NHIMG guidance both emphasise that identity hygiene alone does not equal Zero Trust.
Operationally, teams need to separate four layers:
- Authentication: prove the caller is legitimate.
- Context: evaluate device, location, workload posture, and risk.
- Authorisation: grant only the minimum permission needed for the specific action.
- Observation: log and continuously reassess what the caller does after access is granted.
That is where workload identity becomes important. For machines and agents, cryptographic identity backed by short-lived credentials is more defensible than static secrets. The Guide to SPIFFE and SPIRE is useful here because it illustrates how identity can be bound to workload execution rather than a human login event. Zero Trust for NHIs also depends on rotation, revocation, and entitlement review, not just front-door access policies. These controls tend to break down when legacy applications require long-lived shared secrets because continuous evaluation is difficult to retrofit without redesigning the integration.
Common Variations and Edge Cases
Tighter access control often increases operational friction, requiring organisations to balance security gains against user experience, automation stability, and legacy compatibility. That tradeoff is real, especially in environments where brokers, scheduled jobs, or third-party integrations cannot easily reauthenticate on demand. Current guidance suggests treating these as exceptions to be eliminated over time, not as proof that MFA plus conditional access is sufficient.
Some teams also overestimate the value of device posture for non-human access. A service account does not log in from a laptop, so human-centric conditional access signals can miss the actual risk surface. In those cases, the better control is workload identity, scoped permissions, short-lived credentials, and policy evaluation at request time. NHI Mgmt Group’s Ultimate Guide to NHIs — Key Challenges and Risks is especially relevant because excessive privilege and weak visibility are common failure points. For a broader governance lens, Ultimate Guide to NHIs — Standards helps frame the control expectations more clearly.
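The four layers listed under "How It Works in Practice" and the workload-specific point above (no laptop, so attestation rather than device posture is the relevant context signal) can be shown as one request-time evaluator. This is an added example written for this page; it is not code from NHIMG, NIST, OWASP, or the SPIFFE/SPIRE project. The issuer key, entitlement table, allow-listed image digest, token format (JSON claims plus an HMAC tag standing in for a real issuer signature), and the SPIFFE-style subject string are all constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed issuer key for the example. A real workload identity issuer
# (a SPIRE server, for instance) signs with keys it controls, not a shared secret.
ISSUER_KEY = b"constructed-example-issuer-key"

# Constructed entitlement table: subject -> set of (resource, action) pairs.
ENTITLEMENTS = {
    "alice@example.test": {("billing-db", "read")},
    "spiffe://example.test/ci/deployer": {("artifact-store", "read"), ("artifact-store", "write")},
}

# Constructed allow-list of attested workload image digests (the context signal for machines).
ATTESTED_IMAGES = {"sha256:constructed-deployer-image"}

REVOKED = set()   # token tags revoked before their expiry
AUDIT_LOG = []    # observation layer: every decision, allowed or denied


def issue_token(subject, kind, ttl_seconds, now):
    """Mint a short-lived bearer token: JSON claims plus an HMAC tag. kind is 'human' or 'workload'."""
    claims = {"sub": subject, "kind": kind, "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def revoke(token):
    """Revocation is keyed on the tag, so a leaked token can be cut off before it expires."""
    REVOKED.add(token.rsplit(".", 1)[1])


def layer_authentication(token, now):
    """Layer 1: prove the caller is legitimate (signature, expiry, revocation)."""
    try:
        body_hex, tag = token.rsplit(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None, "malformed token"
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None, "token expired"
    if tag in REVOKED:
        return None, "token revoked"
    return claims, "ok"


def layer_context(claims, context):
    """Layer 2: posture signals differ by principal type. Humans get device-compliance and
    risk checks; workloads get attestation of the running image, because they have no laptop."""
    if claims["kind"] == "human":
        if not context.get("device_compliant"):
            return "device not compliant"
        if context.get("risk_score", 0) >= 70:
            return "session risk too high"
    else:
        if context.get("image_digest") not in ATTESTED_IMAGES:
            return "workload not attested"
    return "ok"


def layer_authorisation(claims, resource, action):
    """Layer 3: grant only the exact (resource, action) the subject is entitled to."""
    if (resource, action) in ENTITLEMENTS.get(claims["sub"], set()):
        return "ok"
    return f"no entitlement for {action} on {resource}"


def evaluate(token, context, resource, action, now=None):
    """Run all layers for one request and record the outcome (layer 4: observation).
    Returns a decision dict naming the layer that decided and why."""
    now = time.time() if now is None else now
    claims, reason = layer_authentication(token, now)
    decision = {"allow": False, "layer": "authentication", "reason": reason, "sub": None}
    if claims is not None:
        decision["sub"] = claims["sub"]
        reason = layer_context(claims, context)
        decision.update(layer="context", reason=reason)
        if reason == "ok":
            reason = layer_authorisation(claims, resource, action)
            decision.update(layer="authorisation", reason=reason)
            decision["allow"] = reason == "ok"
    AUDIT_LOG.append({"ts": now, "resource": resource, "action": action, **decision})
    return decision


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("spiffe://example.test/ci/deployer", "workload", 300, t0)
    print(evaluate(tok, {"image_digest": "sha256:constructed-deployer-image"}, "artifact-store", "write", t0))
    print(evaluate(tok, {"image_digest": "sha256:constructed-deployer-image"}, "billing-db", "read", t0))
```

Every request passes through all four layers, and the audit record names the layer that denied it, which is what makes a post-login failure (an over-broad entitlement, an unattested workload, a token used after revocation) visible rather than silently permitted. A valid, unexpired token that passes the context check is still denied at the authorisation layer if the exact action is not entitled, which is the gap the text describes MFA and conditional access leaving open.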
In short, MFA and conditional access are necessary gates, but Zero Trust only exists when access remains least-privileged, time-bound, observable, and revalidated as conditions change.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-03 | Zero Trust requires continuous identity and access verification beyond sign-in. |
| NIST Zero Trust (SP 800-207) | | NIST ZTA defines Zero Trust as ongoing policy enforcement, not MFA alone. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI controls cover secret rotation and credential lifecycle gaps MFA does not solve. |
Add continuous access checks and entitlement review after authentication, not just at login.