By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: CISA’s zero-trust maturity model highlights that perimeter security alone cannot address hybrid and cloud-based access risk, and the White House OMB memo pushes agencies and contractors toward stronger authentication, authorization, and ongoing assessment according to Axiad. The practical shift is that identity governance, not just network defense, becomes the control plane for access decisions.


At a glance

What this is: This is Axiad’s analysis of the White House OMB memo and CISA zero-trust maturity model, with the key finding that identity controls must be strengthened alongside perimeter security.

Why it matters: It matters because zero trust only works in practice when IAM, PAM, and lifecycle controls can verify every user, device, and session across hybrid environments.



Context

Zero trust is not a network slogan; it is an identity governance model that assumes every access request must be verified continuously. The article argues that perimeter security and zero trust are complementary, but that the real operational burden shifts to authentication, authorisation, and the ability to measure maturity across hybrid and cloud environments.

For federal contractors and public-sector organisations, the governance question is whether existing identity controls can support transparent, policy-driven access decisions without relying on implicit trust. That makes the White House OMB memo relevant beyond government, because many enterprise IAM programmes still treat perimeter controls as the primary defence rather than the outer layer.


Key questions

Q: How should security teams implement zero trust in hybrid environments?

A: Start by making identity policy the primary access decision point and use the network only for containment and monitoring. Then map authentication, device trust, authorisation, and revocation to one governance model so cloud and on-premises resources follow the same verification logic.

Q: Why do hybrid environments weaken perimeter-based security models?

A: Because users, workloads, and contractors no longer live behind a single stable boundary. Access decisions must follow the identity and the session, not the location of the resource, which is why static perimeter assumptions lose reliability in mixed estates.

Q: How do organisations know if zero trust is actually working?

A: They should look for continuous verification, policy-enforced access changes, and rapid revocation when context changes. If access remains valid because the user is already inside the network, the programme is still relying on legacy trust rather than zero trust.

Q: Who is accountable when zero-trust maturity fails in a contractor environment?

A: Accountability should sit with the organisation that owns the access policy and the delegated trust relationship, not just the team operating the perimeter tools. In practice, contractor access needs the same governance, logging, and review discipline as internal access.


Technical breakdown

CISA zero-trust maturity model and identity assurance

The CISA Zero Trust Maturity Model gives organisations a staged way to measure how far identity-centric security has progressed, from awareness to advanced practice. In zero trust, authentication is not a one-time gate. It is part of a continuous authorisation model that expects the environment, the device, and the identity context to be reassessed for as long as access continues. That makes identity assurance the core control, not a by-product of network segmentation. The memo matters because many organisations claim zero trust while still relying on legacy trust zones and static access assumptions.

Practical implication: map your current IAM controls to maturity levels so you can see where continuous verification stops and implicit trust starts.

Perimeter security and zero trust are layered controls

Perimeter security protects the edge of the network through firewalls, segmentation, and boundary monitoring. Zero trust does something different: it removes the assumption that anything inside the boundary is trustworthy. In practice, the two models can coexist, but only if the organisation treats the perimeter as a detection and containment layer rather than a trust decision. This distinction matters in hybrid estates where cloud workloads, contractors, and remote access all operate outside a clean network edge. Zero trust fails when teams confuse boundary control with identity control.

Practical implication: keep perimeter controls, but stop using them as a substitute for identity-based access decisions and session validation.

Hybrid and cloud environments shift governance to identity

Hybrid and cloud deployments weaken the old idea that security can be enforced entirely at a physical or network boundary. Access now depends on federated identity, device posture, role assignment, and policy evaluation across multiple systems. That is why the article links zero trust to cloud-based and on-premises systems that organisations do not fully control. The technical challenge is not just exposure, but fragmented enforcement. When identities span SaaS, cloud infrastructure, and on-premises systems, governance has to track who or what is authorised, for how long, and under which policy context.

Practical implication: inventory cross-boundary identities and define which control owns authorisation, logging, and revocation at each trust point.


Threat narrative

Attacker objective: gain durable access to sensitive resources by exploiting trust assumptions that are stronger than the identity controls actually in place.

  1. Entry begins when users or devices access cloud, on-premises, or hybrid resources that cannot be assumed trustworthy by location alone.
  2. Escalation occurs when legacy perimeter assumptions allow access decisions to be made without continuous identity revalidation or policy context.
  3. Impact follows when attackers or unauthorised actors can move through systems that treat internal placement as a proxy for trust, weakening containment and detection.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity controls, not perimeter controls, are the real enforcement point in zero trust. The article correctly treats perimeter security as compatible with zero trust, but that only works when identity policy decides access and the network merely contains risk. In hybrid estates, trust must be evaluated at the identity layer because network location no longer tells you whether access is legitimate. Practitioners should treat identity governance as the operational centre of zero trust.

Zero-trust maturity is a governance model before it is a technology model. CISA’s four-stage maturity framing is useful because it forces organisations to measure progress rather than declare it. The control problem is not whether the tools exist, but whether the programme can prove continuous verification, policy enforcement, and accountable ownership across the access lifecycle. Practitioners should use maturity to identify where trust assumptions still survive.

Hybrid access breaks the old boundary between authentication and authorisation. The article’s focus on cloud and on-premises environments reflects a wider reality: access decisions now depend on context, federation, and ongoing policy evaluation rather than a single login event. That means IAM teams must govern the whole decision chain, not just the front door. Practitioners should align access policy, logging, and revocation across every control plane.

Zero trust only becomes credible when contractors and public-sector dependencies are governed the same way as internal users. The memo’s relevance to federal contractors shows that trust boundaries now extend beyond the enterprise, into partners and delegated access paths. The risk is not just exposure, but inconsistent enforcement across identities that cross organisational lines. Practitioners should apply the same governance expectations to external access as to internal access.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • That same research found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
  • For a broader breach lens, see 52 NHI Breaches Analysis for the recurring governance patterns behind identity-driven incidents.

What this signals

Zero trust will keep failing if organisations treat it as a network architecture project instead of an identity governance programme. The maturity model only becomes useful when teams can prove continuous verification across hybrid estates and delegated access paths, not merely document that the perimeter is segmented.

Boundary trust debt: the longer an organisation delays moving access decisions into identity policy, the more legacy assumptions accumulate across cloud, on-premises, and contractor access. That debt shows up as inconsistent authorisation, weak revocation, and fragmented audit evidence.

The practical signal for programme leaders is straightforward: if access still depends on where a user or workload sits rather than who or what it is and what policy allows, the zero-trust transition is incomplete. The control gap is architectural, but the remediation path is governance-led.


For practitioners

  • Define zero-trust maturity targets for identity controls: map authentication, authorisation, device trust, and revocation processes to the CISA maturity stages so teams can see where policy is still implicit rather than enforced.
  • Separate perimeter containment from access decisioning: keep firewalls and segmentation as containment layers, but move access approval, session validation, and revocation into identity policy and control workflows.
  • Inventory hybrid identities and delegated access paths: identify users, contractors, service accounts, and federated sessions that cross cloud and on-premises boundaries, then assign a single control owner for each trust point.
  • Audit continuous verification gaps: test whether access is re-evaluated during the session, after device changes, and after policy changes, rather than only at login.
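As an added illustration (not code from Axiad or from the original post), the constructed Python model below contrasts a legacy decision that trusts network placement with a policy decision point that re-runs the check after a device posture change and a policy change, which is the audit the last item describes. All class, field and function names are assumptions made for the example.

```python
from dataclasses import dataclass
AUTH_RANK = {"password": 1, "mfa": 2, "phishing_resistant": 3}

@dataclass
class Device:
    managed: bool
    compliant: bool
@dataclass
class Context:            # what the policy decision point sees for one session
    subject: str
    roles: frozenset
    device: Device
    auth: str             # strongest authenticator used in this session
    inside_network: bool  # network placement; consulted only by the legacy model
@dataclass
class Policy:
    allowed_roles: frozenset
    min_auth: str = "phishing_resistant"

def zero_trust_decision(ctx, policy):
    """Decide from identity, device posture and policy; location is never consulted."""
    if not (ctx.roles & policy.allowed_roles):
        return False, "role not authorised"
    if not (ctx.device.managed and ctx.device.compliant):
        return False, "device posture fails policy"
    if AUTH_RANK[ctx.auth] < AUTH_RANK[policy.min_auth]:
        return False, "authentication assurance below policy minimum"
    return True, "policy satisfied"

def perimeter_decision(ctx, policy):
    """Legacy model: being inside the network substitutes for the policy check."""
    return (True, "implicit trust: inside the network") if ctx.inside_network else zero_trust_decision(ctx, policy)

class Session:
    """A granted session that re-runs the decision on every device or policy change."""
    def __init__(self, ctx, policy, decide):
        self.ctx, self.policy, self.decide = ctx, policy, decide
        self.log = [("login",) + decide(ctx, policy)]
    def reevaluate(self, event, device=None, policy=None):
        self.ctx.device = device or self.ctx.device
        self.policy = policy or self.policy
        self.log.append((event,) + self.decide(self.ctx, self.policy))

def audit_session(decide):
    """Constructed scenario: login from inside the network, then device non-compliance, then a policy change."""
    ctx = Context("contractor-42", frozenset({"analyst"}), Device(True, True), "phishing_resistant", True)
    s = Session(ctx, Policy(frozenset({"analyst"})), decide)
    s.reevaluate("device_posture_change", device=Device(True, False))
    s.reevaluate("policy_change", policy=Policy(frozenset({"admin"})))
    return [(event, allowed) for event, allowed, _ in s.log]
```

Running `audit_session` with each decision function shows the gap the audit is looking for: the legacy model keeps the session valid through both changes, while the zero-trust decision revokes it as soon as the device or the policy no longer satisfies the check.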

Key takeaways

  • Zero trust only works when identity becomes the control point for authorisation, not the network boundary.
  • The White House OMB memo and CISA maturity model matter because they turn zero trust into something organisations must measure, not just claim.
  • Hybrid and contractor access make continuous verification and delegated-access governance the controls that determine whether zero trust is real.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Access control is the core issue in zero-trust identity governance.
NIST Zero Trust (SP 800-207) |                     | The article is explicitly about zero-trust maturity and implementation.
NIST SP 800-63               |                     | Authentication assurance underpins the memo's identity-centric security model.

Raise authentication assurance where identity is the basis for access across federal-style environments.


Key terms

  • Zero Trust Architecture: A security model that refuses to grant implicit trust based on network location or asset ownership. Access is evaluated continuously using identity, device, context, and policy so organisations can limit exposure when environments are cloud-based, hybrid, or heavily delegated.
  • Zero-trust maturity model: A staged framework for measuring how far an organisation has progressed in implementing zero trust. It helps security teams compare current controls against defined capability levels, identify where implicit trust remains, and plan the transition from awareness to enforceable identity-centric governance.
  • Perimeter security: A control approach that protects the edge of a network through boundary tools such as firewalls, segmentation, and intrusion detection. It still has value, but it cannot be the main trust decision when users and workloads move across cloud, remote, and contractor environments.
  • Continuous verification: The practice of rechecking identity, device, and policy conditions after initial authentication rather than trusting the session indefinitely. In zero-trust programmes, this is the mechanism that keeps access aligned to current risk instead of historical login success.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: CISA Zero-trust Maturity Model takeaways from the White House OMB memo. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org