An API gateway alone leaves the internal service layer largely governed by network assumptions. That means east-west calls may be trusted too easily, workloads may use static credentials, and internal movement can go unobserved. The result is a perimeter-controlled environment with a weak backend trust model, which is a common failure pattern in distributed systems.
Why This Matters for Security Teams
An api gateway can make north-south traffic look controlled while the internal estate remains overly trusting. That gap matters because attackers do not stop at the edge: once a gateway-issued token, service account, or shared secret is accepted downstream, east-west movement can proceed without meaningful reauthentication. Current guidance from the NIST Cybersecurity Framework 2.0 and NHI research from Ultimate Guide to NHIs both point to the same operational problem: identity and trust must extend beyond the perimeter.
The issue is not that gateways are ineffective. It is that they were never designed to be the sole trust boundary for distributed systems, especially when service accounts, api key, and automation credentials are involved. If internal services still accept long-lived secrets or broad network trust, the gateway becomes a policy chokepoint rather than a real control plane. In practice, many security teams encounter lateral movement and secrets misuse only after an internal service has already been abused, rather than through intentional detection at the service layer.
How It Works in Practice
When organisations rely on the gateway alone, they usually centralise authentication at ingress but leave internal authorisation weak, inconsistent, or absent. That creates a pattern where the front door is guarded while the hallways are open. A stronger model treats every workload as an identity-bearing entity and evaluates access at request time, not just at the boundary.
In practice, that means combining workload identity, short-lived credentials, and policy evaluation across services. A gateway may still issue or broker tokens, but downstream services should verify who or what is calling, what it is allowed to do, and whether the request context matches the intended task. Standards and implementation guidance such as NIST Cybersecurity Framework 2.0 support this shift toward continuous control, while the NHI Management Group’s Ultimate Guide to NHIs highlights how often organisations lose visibility once traffic moves inside the perimeter.
- Use workload identity for service-to-service authentication rather than shared static secrets.
- Issue ephemeral credentials with narrow scope and short TTLs for each task or session.
- Enforce service-level policy checks so internal calls are not automatically trusted because they originated behind the gateway.
- Log and correlate east-west activity so unusual call chains, privilege jumps, and secrets reuse can be detected.
This is especially important for microservices, automation pipelines, and third-party integrations where one compromised component can reach many others. These controls tend to break down when legacy internal systems only support shared passwords, IP allowlists, or coarse network ACLs because the services cannot reliably distinguish legitimate workload identity from reused access material.
Common Variations and Edge Cases
Tighter internal authentication often increases operational overhead, requiring organisations to balance stronger containment against deployment complexity and service compatibility. That tradeoff is real, especially where older applications were never built for zero trust or per-request authorisation.
One common edge case is a hybrid environment where the gateway fronts modern services but still brokers requests into legacy backends. In that setup, gateway-only control can create a false sense of security if the backend trusts the gateway implicitly. Another is internal service mesh adoption, where teams assume mTLS alone solves the problem; current guidance suggests mTLS is necessary but not sufficient, because identity, policy, and revocation still need to be explicit.
Another nuance is observability. Some teams add logging after a breach, but logs alone do not prevent trust collapse if credentials remain long-lived or widely reusable. The broader NHI data set shows why this matters: 80% of identity breaches involved compromised non-human identities, and only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs. The practical takeaway is simple: a gateway should be one control, not the control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Gateway-only trust leaves NHI identities and secrets overly broad. |
| NIST CSF 2.0 | PR.AC-4 | Internal calls need authenticated, least-privilege access beyond the gateway. |
| NIST Zero Trust (SP 800-207) | Zero Trust rejects implicit trust inside the network boundary. |
Treat each workload as a distinct NHI and remove shared or perimeter-only trust.
