TL;DR: Federal zero trust efforts are stalling because agencies cannot continuously govern privileged identities, legacy systems resist modern controls, and NHIs are multiplying faster than inventories and rotation processes can keep up, according to Delinea. The operational gap, not the policy gap, now determines whether zero trust becomes real.
At a glance
What this is: This is Delinea’s analysis of why federal zero trust is stalling, with identity visibility, legacy infrastructure, and mission velocity emerging as the main execution blockers.
Why it matters: For IAM and NHI practitioners, it shows that zero trust fails when privileged access and machine identities cannot be governed continuously without disrupting operations.
By the numbers:
- NHIs such as service accounts, application credentials, machine-to-machine tokens, scheduled task credentials, and database connection strings outnumber human identities by at least 10 to 1 in most environments, and their rapid growth compounds the governance problem.
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Delinea's analysis of why federal zero trust is stalling on execution
Context
Federal zero trust is a governance problem as much as a technical one. The architecture assumes continuous verification, but federal environments often contain privileged accounts and non-human identities that are poorly inventoried, overprivileged, and difficult to govern without adding operational friction. That makes identity visibility and lifecycle control central to NHI governance, not a side issue.
Delinea’s article argues that the real blocker is execution, not strategy. That framing fits a broader pattern in IAM programmes: policies exist, but the controls needed to manage service accounts, machine credentials, and legacy access paths are incomplete. For practitioners, the question is how to enforce least privilege and rotation without creating workarounds in mission-critical workflows.
In zero trust discussions, the federal use case is usually the most unforgiving environment because older systems, disconnected networks, and administrative exceptions are common. That makes it a useful stress test for NHI governance maturity, and when visibility and velocity constraints derail implementation there, that is the typical outcome rather than the exception.
Key questions
Q: How should security teams implement zero trust for non-human identities in federal environments?
A: Start with an inventory of all privileged NHIs, then assign owners, remove standing access where possible, and enforce short-lived credentials with automated rotation. Federal environments also need compensating controls for legacy systems that cannot support modern authentication, plus monitoring that detects when privileged access is used outside intended scope. The goal is continuous governance, not one-time approval.
Q: Why do non-human identities complicate zero trust architectures?
A: NHIs complicate zero trust because they multiply faster than human identities, are often overprivileged, and are frequently ignored in access reviews. If service accounts, tokens, and machine credentials are not inventoried and governed, the architecture cannot verify trust continuously. Zero trust depends on identity assurance and privilege scoping, and NHIs often break both assumptions.
Q: What breaks when privileged access is not continuously governed?
A: When privileged access is not continuously governed, standing privilege persists, dormant accounts remain usable, and the attack surface expands across human and machine identities. In practice, that creates a larger blast radius for credential theft and a weaker ability to prove who had access, when, and why. The result is operational drift, not just security exposure.
Q: How do organisations know if zero trust controls are actually working?
A: They know the controls are working when they can inventory privileged identities, prove access is time-bound, and show that rotation and revocation happen on schedule. A healthy programme also has few manual exceptions and low workflow friction, because recurring bypasses are a sign that policy and operations are out of sync.
Technical breakdown
Why federal zero trust breaks down at the identity layer
Zero trust is designed to replace implicit trust with continuous verification, but that only works when identity is the stable control plane. In federal environments, privileged access often sits across humans, service accounts, machine tokens, and legacy local admin paths. If the organisation cannot inventory those identities, scope privileges precisely, and expire access cleanly, the model degrades into policy on paper. The technical failure is not authentication alone. It is the inability to connect identity proof, privilege scope, and session duration across systems that were never designed for dynamic access.
Practical implication: Treat identity inventory, access scoping, and expiry as the core control set, not optional supporting measures.
How legacy infrastructure creates zero trust exceptions
Legacy systems often assume persistent credentials, static trust boundaries, and local administrative access. Those assumptions conflict with zero trust, which expects policy enforcement, short-lived access, and repeated validation. Retrofitting older platforms is hard because many cannot support modern protocols or agents, and replacement is often unrealistic. As a result, agencies end up carving out exceptions or wrapping controls around the edges. The technical issue is not that legacy systems are insecure by definition. It is that they force a mismatch between modern identity policy and old operational design.
Practical implication: Map every legacy dependency to a compensating control rather than letting it become a permanent trust exception.
Why privileged access becomes a velocity problem
Privileged access management can fail operationally when it adds delay to routine tasks. In mission-driven environments, even small delays encourage users to bypass controls, cache credentials, or keep standing privilege longer than intended. That is why continuous governance must be lightweight, predictable, and embedded in workflow. Zero trust cannot rely on controls that only work when the environment is calm and connected. It must account for disconnected systems, time-sensitive operations, and role changes that happen faster than manual approvals can track.
Practical implication: Design privileged access workflows around the fastest realistic mission path, then remove manual steps that cause workarounds.
Threat narrative
Attacker objective: The attacker objective is to convert weakly governed privileged access into durable control over mission-critical systems and sensitive identity paths.
- Entry begins with overly broad or stale privileged access, especially where service accounts and machine credentials were never fully inventoried.
- Escalation occurs when standing privilege or reused credentials let an operator or attacker move from limited access to administrative control.
- Impact follows when federal zero trust controls cannot distinguish legitimate mission access from overextended privilege, allowing sensitive systems or identities to be governed inconsistently.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Federal zero trust is collapsing at the point where identity governance meets operational reality. Policy can define the target state, but it cannot compensate for missing inventory, unmanaged machine credentials, or legacy systems that resist modern access patterns. Agencies that treat implementation as a documentation exercise will keep producing paper compliance without real control.
Visibility is the decisive precondition for zero trust in NHI-heavy environments. If an agency cannot tell how many privileged accounts exist, which are active, and which retain access beyond purpose, it cannot govern access continuously. The practical conclusion is blunt: without identity visibility, zero trust becomes an aspiration rather than an operating model.
Velocity friction is a control failure, not a usability complaint. When privileged workflows slow mission work, users create exceptions and shadow paths that weaken the programme. That means security teams must measure control latency as part of zero trust readiness and remove any approval or authentication step that predictably drives circumvention.
Legacy infrastructure should be treated as a governed exception class, not a reason to dilute the model. Older systems may not support modern identity controls, but they still require compensating measures, tighter privilege scoping, and explicit ownership. Practitioners should stop asking whether zero trust can fit legacy systems perfectly and start asking how much residual trust they are willing to document and monitor.
Identity blast radius is the concept federal teams need to manage explicitly. The real question is not whether access exists, but how far a compromised identity can move before the organisation notices. Reducing that blast radius requires shorter credential lifetimes, clearer ownership, and tighter boundaries around machine and privileged accounts.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For a broader control map, see Ultimate Guide to NHIs, Key Challenges and Risks, which connects visibility gaps to overprivilege and remediation failures.
What this signals
Identity visibility will become the gating factor for federal zero trust budgets. Agencies that cannot account for privileged humans and NHIs will keep spending on control layers that sit on top of an incomplete foundation. The next funding cycle should favor inventory, ownership, and rotation capabilities before additional policy orchestration.
Control latency is becoming a security metric, not just an operations metric. If access workflows push operators toward manual workarounds, the programme is already losing the trust battle. Teams should start measuring how long privileged tasks take under real mission conditions and use that data to redesign approval paths.
With 71% of NHIs not rotated within recommended time frames, the governance gap is structural rather than procedural. That is why the operational response should focus on automated lifecycle enforcement and explicit ownership, supported by guidance from the OWASP Non-Human Identity Top 10.
For practitioners
- Inventory every privileged identity: Build a current register of human and non-human privileged accounts, including service accounts, scheduled tasks, tokens, and local admin paths. Separate active, dormant, shared, and overprivileged entries so the programme can target the identities that actually widen the attack surface.
- Wrap legacy systems with compensating controls: Map systems that cannot support modern authentication or policy enforcement, then apply compensating controls such as tighter segmentation, narrower privileges, and monitored jump paths. Use the NIST Cybersecurity Framework 2.0 to structure ownership and control gaps.
- Automate rotation and revocation for machine credentials: Move NHIs onto explicit lifecycle processes for issuance, rotation, and offboarding. Prioritise credentials stored in code, config files, and CI/CD tools, and establish expiry rules that prevent long-lived secrets from becoming permanent trust anchors. Review the guidance in the Ultimate Guide to NHIs.
- Measure control latency in privileged workflows: Track how long it takes users to complete high-risk access tasks under normal operating conditions, including disconnected or time-sensitive scenarios. If the control path adds seconds that routinely trigger workarounds, redesign the workflow before scaling zero trust further.
- Align NHI governance to zero trust execution: Tie service-account ownership, access review cadence, and session expiry to the same governance model used for privileged human access. The NIST SP 800-207 Zero Trust Architecture model is useful here because it centers continuous verification rather than one-time trust decisions.
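As an added illustration of the inventory, rotation and ownership checks described in the practitioner steps above (and in the first key question), here is a small Python script that is not part of Delinea's article or the NHIMG guidance. It runs over a constructed inventory of privileged NHIs, flags overdue rotation, dormancy, missing ownership and standing high privilege, and computes the kind of programme-level percentages the article cites. The rotation windows, dormancy threshold and privilege scopes are hypothetical policy values.

```python
from datetime import datetime

# Constructed sample inventory (not real data): one row per privileged NHI.
INVENTORY = [
    {"name": "svc-backup", "kind": "service_account", "owner": "ops-team",
     "scope": "domain_admin", "last_rotated": "2025-09-01", "last_used": "2026-05-10"},
    {"name": "ci-deploy-token", "kind": "token", "owner": None,
     "scope": "write", "last_rotated": "2026-04-20", "last_used": "2026-05-12"},
    {"name": "legacy-db-conn", "kind": "db_connection_string", "owner": "app-x",
     "scope": "db_owner", "last_rotated": "2023-01-15", "last_used": "2025-11-02"},
    {"name": "sched-report", "kind": "scheduled_task", "owner": "finance",
     "scope": "read", "last_rotated": "2026-03-01", "last_used": "2026-05-13"},
]

# Assumed policy values (hypothetical; set these from local rotation and review policy).
MAX_ROTATION_AGE_DAYS = {"service_account": 90, "token": 30,
                         "db_connection_string": 90, "scheduled_task": 180}
DORMANT_AFTER_DAYS = 90
HIGH_PRIVILEGE_SCOPES = {"domain_admin", "db_owner"}


def assess(entry, today):
    """Return the governance findings for one inventory row (empty list = clean)."""
    findings = []
    age = (today - datetime.fromisoformat(entry["last_rotated"])).days
    idle = (today - datetime.fromisoformat(entry["last_used"])).days
    if age > MAX_ROTATION_AGE_DAYS[entry["kind"]]:
        findings.append("rotation_overdue")          # long-lived secret, still valid
    if idle > DORMANT_AFTER_DAYS:
        findings.append("dormant")                   # usable, but nobody is using it
    if entry["owner"] is None:
        findings.append("unowned")                   # nobody can approve or revoke it
    if entry["scope"] in HIGH_PRIVILEGE_SCOPES:
        findings.append("standing_high_privilege")   # wide blast radius if stolen
    return findings


def report(inventory, today_iso):
    """Findings per identity, programme-level metrics, and a remediation order."""
    today = datetime.fromisoformat(today_iso)
    findings = {e["name"]: assess(e, today) for e in inventory}
    pct = lambda tag: round(100 * sum(tag in f for f in findings.values()) / len(inventory), 1)
    # Worst first: most findings, then high-privilege entries ahead of the rest.
    order = sorted(findings, key=lambda n: (-len(findings[n]),
                   "standing_high_privilege" not in findings[n], n))
    return {"findings": findings, "pct_rotation_overdue": pct("rotation_overdue"),
            "pct_dormant": pct("dormant"), "pct_unowned": pct("unowned"),
            "remediation_order": order}


if __name__ == "__main__":
    print(report(INVENTORY, "2026-05-14"))
```

The remediation order puts the dormant, overdue, high-privilege connection string first, which is the "target the identities that actually widen the attack surface" rule from the first practitioner step expressed as data rather than judgement.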
Key takeaways
- Federal zero trust fails when identity governance cannot keep pace with operational reality, especially for privileged NHIs and legacy systems.
- Visibility gaps and long-lived credentials make the control problem measurable, and the current data shows those gaps are widespread.
- The practical path forward is to inventory, scope, rotate, and monitor privileged access continuously, not treat zero trust as a checkbox programme.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and revocation are central to the article's NHI governance gap. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is the core zero trust problem discussed here. |
| NIST Zero Trust (SP 800-207) | Use continuous verification and explicit trust boundaries to govern both human and non-human identities. | The article is explicitly about making zero trust operational. |
Key terms
- Non-Human Identity: A non-human identity is any digital identity used by software, services, workloads, bots, or AI agents to access systems and data. These identities often rely on secrets, certificates, or tokens, and they require lifecycle controls similar to human accounts, but at machine speed and scale.
- Standing Privilege: Standing privilege is persistent access that remains available beyond the immediate task or approval window. In NHI environments, it is especially risky because service accounts and machine credentials can accumulate broad access without regular review, making compromise easier to scale.
- Identity Blast Radius: Identity blast radius is the amount of access, systems, and data that can be reached if one identity is compromised. It is shaped by privilege scope, credential lifetime, segmentation, and monitoring, and it is a practical way to measure how far a failure can spread.
- Zero Trust Architecture: Zero Trust Architecture is a security model that assumes no implicit trust and requires continuous verification of identity, context, and privilege before access is granted. For NHI governance, it means machine identities must be inventoried, scoped, and monitored like any other high-risk actor.
Deepen your knowledge
Federal zero trust execution, privileged access, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme from a similar federal starting point, it is worth exploring.
This post draws on content published by Delinea: Federal zero trust: Turn stalled strategy into execution. Read the original.
Published by the NHIMG editorial team on 2026-05-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org