By NHI Mgmt Group Editorial Team | Published 2026-06-09 | Domain: Announcements | Source: Saviynt

TL;DR: Identity-centric Zero Trust still breaks down when governance decisions are not enforced at session start, and the Saviynt-Zscaler partnership is aimed at closing that gap by combining just-in-time access, inline policy enforcement, and privileged lifecycle visibility, according to Saviynt. The real issue is not whether access is approved, but whether ephemeral privileges can be made to expire as designed before standing privilege becomes the default.


At a glance

What this is: This is Saviynt's announcement about an expanded partnership with Zscaler to connect identity governance and inline Zero Trust enforcement, with just-in-time access at the center.

Why it matters: It matters because IAM, PAM, and NHI programmes often decide access in one system and enforce it in another, leaving standing privilege and third-party access exposed across human, machine, and AI-driven environments.

👉 Read Saviynt's statement on its expanded partnership with Zscaler


Context

Identity-centric Zero Trust works only when identity decisions and enforcement happen together. In practice, many enterprises still approve access in one layer and rely on separate network or session controls to make that decision real, which leaves a gap between policy and enforcement that standing privilege can exploit.

The article is about that gap across human users, third-party access, and non-human identities. For IAM, PAM, and NHI teams, the issue is not whether access can be approved, but whether it is time-bound, validated at the moment of use, and revoked when the task ends.


Key questions

Q: How should security teams enforce just-in-time access in Zero Trust environments?

A: Security teams should enforce just-in-time access by binding approval, context validation, and session-start enforcement to the same control flow. If access is approved in one system and consumed in another, the entitlement must still expire automatically when the task ends. That is the only way to prevent standing privilege from reappearing under a temporary label.

Q: Why do standing privileges undermine Zero Trust programmes?

A: Standing privileges undermine Zero Trust because they allow access to exist before it is needed and continue after the work is complete. Zero Trust depends on continuous verification, but persistent entitlements create a trust state that never fully resets. That makes revocation, audit, and accountability weaker across human, NHI, and delegated access paths.

Q: What do security teams get wrong about third-party access governance?

A: Teams often treat third-party access as an onboarding issue instead of a lifecycle issue. The real risk is access that is granted quickly, used broadly, and revoked too late. Without explicit expiration and offboarding, external identities become a durable extension of the enterprise environment.

Q: Who is accountable when identity governance and inline enforcement are split?

A: Accountability sits with the organisation that allows governance decisions to diverge from enforcement. If the identity team approves access but the enforcement layer does not apply the same decision at runtime, neither control is complete. Frameworks like NIST SP 800-207 Zero Trust Architecture and the OWASP Non-Human Identity Top 10 both point to this alignment problem.


How it works in practice

Why identity decisions fail without inline enforcement

Zero Trust is often described as continuous verification, but the weak point is not the policy statement. The weak point is the handoff between identity governance and the system that actually allows the session. If a ticket, group membership, or persistent entitlement is approved in one place and not enforced at connection time, the user or workload keeps more access than the policy intended. In mixed environments, that gap matters because the control plane and the enforcement plane can drift apart under load, automation, and third-party delegation.

Practical implication: align access approval and enforcement so the decision is still valid when the session begins.

How just-in-time access changes standing privilege

Just-in-time access reduces the lifetime of privilege by issuing access only for a defined task window and then revoking it. That matters because standing privilege is not just overprovisioning; it is access that exists before anyone needs it and often remains after the work is done. JIT works best when entitlement duration, context, and revocation are all explicit. Without that, teams only create the appearance of temporary access while old credentials, group memberships, or cached entitlements continue to function.

Practical implication: replace persistent privileged access with task-scoped entitlements that expire automatically.

Third-party access needs lifecycle controls, not ad hoc exceptions

Third-party access is where identity programmes often lose discipline first. The technical problem is lifecycle, not only authentication. If onboarding is permissive and offboarding is slow, delegated access outlives the business relationship that justified it. In Zero Trust terms, the trust decision must be continuously revalidated, especially when the identity belongs to a vendor, contractor, or external service. Otherwise, audit visibility becomes retrospective only, which is too late for privileged misuse or stale access.

Practical implication: treat third-party access as a governed identity lifecycle with explicit expiration and offboarding.


NHI Mgmt Group analysis

Identity-centric Zero Trust fails when governance and enforcement live in different systems. The article describes a classic control split: identity decides what should happen, while a separate enforcement layer decides what actually happens. That split creates a governance lag window in which standing privilege, third-party access, or persistent entitlements can remain active after policy has changed. Practitioners should read this as a structural mismatch between decision and execution, not a tooling detail.

Just-in-time access is really a standing privilege removal strategy. The important shift is not temporary access as a feature, but the collapse of persistent privilege as an operating assumption. If access can be issued per task and revoked at the end of use, the blast radius drops sharply for human users, service accounts, and AI-driven workflows. That is why JIT belongs in both PAM and NHI conversations, not only classic user access management.

Third-party identity is where Zero Trust maturity is most often exposed. The article's emphasis on delegated controls and expiration reflects a broader problem: external access is usually granted faster than it is revalidated. Where organisations cannot reliably see who still has access, they cannot prove that Zero Trust is being enforced across the access lifecycle. Practitioners should treat external access as a lifecycle governance problem, not a one-time onboarding task.

Identity-centric enforcement is becoming the default design expectation for modern enterprises. As cloud, AI, and distributed work environments expand, access control cannot remain a static perimeter decision. Inline enforcement, context-aware validation, and time-bounded privilege are increasingly the only workable pattern for reducing excess access without slowing operations. The implication is that identity governance teams must align their controls with the place where access is actually consumed.

Identity decisions are turning into the control plane for human, machine, and AI access. That broadens IAM's remit beyond sign-in and recertification. It pushes governance into runtime authorisation, lifecycle expiry, and session-level enforcement across actor types. Practitioners should plan for a single decision model that can govern users, workloads, and AI-driven access paths without losing auditability.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That is why practitioners should review the NHI Lifecycle Management Guide alongside privileged access controls, because lifecycle failure is where standing access becomes durable risk.

What this signals

Identity-centric Zero Trust is moving from architecture language to operational proof. For practitioners, the question is no longer whether a policy exists, but whether access is enforced at the moment of use and withdrawn when the task ends. Teams that cannot demonstrate that link should expect their Zero Trust programme to remain partial, especially where human admins, contractors, and service identities share the same access paths.

Ephemeral privilege is becoming the practical baseline for modern access governance. That shift matters because persistent access is easier to grant than to justify. Where 97% of NHIs carry excessive privileges, programmes need to assume overreach is the default condition and build controls around expiry, revocation, and session-level validation.

Inline enforcement will increasingly define whether governance is real or decorative. The governance team can no longer stop at approval workflows or periodic review. If the enforcement layer does not reflect the same decision model, especially for third-party and workload access, the organisation will keep inheriting privilege that was never meant to persist.


For practitioners

  • Map decision points to enforcement points: Identify where access is approved, where it is validated, and where it is actually enforced. If those steps live in different systems, document the gap and require session-start enforcement for privileged requests.
  • Replace standing privilege with task-scoped access: Define entitlement windows for privileged work and ensure they end automatically when the task completes. Apply this to human admins, third-party operators, and service identities that still rely on persistent access.
  • Tighten third-party offboarding controls: Require explicit expiration and revocation for every external identity, including delegated access used for support or integration. Offboarding should remove access as a lifecycle step, not as an afterthought during periodic review.
  • Audit access that survives beyond its business need: Review tickets, group memberships, and cached entitlements that continue to function after a task ends. Prioritise the identities with the broadest reach across applications, infrastructure, and AI-connected systems.
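To make the four practitioner steps above concrete, and the just-in-time and session-start enforcement mechanics described under "How it works in practice", here is an added Python sketch written for this post. It is illustration only, not Saviynt, Zscaler, or NHIMG code: the class and method names, the `closed_tasks` and `max_ttl` audit parameters, and the identities, resources and ticket ids in the scenario are all assumed or constructed. It keeps the decision point (grant), the enforcement point (session-start authorisation), and the lifecycle controls (revocation, audit of surviving access) in one control flow, so an approval is never trusted on its own at the moment of use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Entitlement:
    """One task-scoped grant. Field names are assumptions for this sketch."""
    identity: str               # human admin, third-party operator or workload
    resource: str
    task_id: str                # approval context: ticket / change id
    granted_at: datetime
    expires_at: datetime
    context: dict               # conditions re-validated at session start
    revoked_at: Optional[datetime] = None

    def usable_at(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


class JITAccessStore:
    """Decision point (grant), enforcement point (authorize_session) and
    lifecycle controls (revoke, surviving_access) in a single control flow."""

    def __init__(self, default_ttl: timedelta = timedelta(hours=1)):
        self.default_ttl = default_ttl
        self.entitlements = []      # list of Entitlement, insertion order

    def grant(self, identity, resource, task_id, context, now, ttl=None):
        """Decision point: every grant carries an explicit window and context."""
        ttl = ttl or self.default_ttl
        ent = Entitlement(identity, resource, task_id, now, now + ttl, dict(context))
        self.entitlements.append(ent)
        return ent

    def revoke(self, identity, now, resource=None):
        """End-of-task or offboarding step; returns how many grants were revoked."""
        count = 0
        for ent in self.entitlements:
            if ent.identity != identity or ent.revoked_at is not None:
                continue
            if resource is not None and ent.resource != resource:
                continue
            ent.revoked_at = now
            count += 1
        return count

    def authorize_session(self, identity, resource, request_context, now):
        """Session-start enforcement: expiry, revocation and context are
        re-checked at the moment of use, not inferred from the approval."""
        reason = "no entitlement"
        for ent in self.entitlements:
            if ent.identity != identity or ent.resource != resource:
                continue
            if ent.revoked_at is not None:
                reason = "revoked"
                continue
            if now >= ent.expires_at:
                reason = "expired"
                continue
            mismatched = sorted(k for k, v in ent.context.items()
                                if request_context.get(k) != v)
            if mismatched:
                reason = "context mismatch: " + ",".join(mismatched)
                continue
            return True, ent.task_id
        return False, reason

    def surviving_access(self, now, closed_tasks, max_ttl):
        """Audit: access that still works although its task is closed, or whose
        window is so long it is standing privilege under a JIT label."""
        findings = []
        for ent in self.entitlements:
            if not ent.usable_at(now):
                continue
            if ent.task_id in closed_tasks:
                findings.append((ent.identity, ent.resource, "task closed"))
            elif ent.expires_at - ent.granted_at > max_ttl:
                findings.append((ent.identity, ent.resource, "window exceeds policy"))
        return findings


def demo():
    """Constructed scenario (all identities and ticket ids are made up)."""
    t0 = datetime(2026, 6, 9, 9, 0, tzinfo=timezone.utc)
    store = JITAccessStore()
    store.grant("alice", "prod-db", "CHG-1001", {"mfa": True, "device_compliant": True}, t0)
    store.grant("vendor-bot", "support-api", "VEND-77", {"source": "vendor-vpn"}, t0,
                ttl=timedelta(days=90))          # "temporary" in name only
    store.grant("svc-etl", "warehouse", "CHG-1002", {}, t0, ttl=timedelta(hours=4))

    ok_ctx = {"mfa": True, "device_compliant": True}
    results = {
        "alice_ok": store.authorize_session("alice", "prod-db", ok_ctx, t0 + timedelta(minutes=30)),
        "alice_no_mfa": store.authorize_session("alice", "prod-db",
                                                {"mfa": False, "device_compliant": True},
                                                t0 + timedelta(minutes=30)),
        "alice_late": store.authorize_session("alice", "prod-db", ok_ctx, t0 + timedelta(hours=2)),
        "audit": store.surviving_access(t0 + timedelta(minutes=30),
                                        closed_tasks={"CHG-1002"}, max_ttl=timedelta(hours=8)),
    }
    results["vendor_revoked"] = store.revoke("vendor-bot", t0 + timedelta(hours=1))
    results["vendor_after"] = store.authorize_session("vendor-bot", "support-api",
                                                      {"source": "vendor-vpn"},
                                                      t0 + timedelta(hours=2))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit is the part most programmes lack: `svc-etl` is flagged because its change ticket is closed while the grant still works, and `vendor-bot` is flagged because a 90-day window is standing privilege wearing a JIT label. Once the vendor is offboarded with `revoke`, the session-start check refuses the connection even though the original approval still exists in the record, which is the decision/enforcement alignment the post argues for.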

Key takeaways

  • Identity-centric Zero Trust breaks down when access decisions and enforcement are separated across different systems.
  • Standing privilege remains the core failure mode because it outlives the task, the ticket, and often the business need.
  • Practitioners should focus on session-start enforcement, task-scoped expiry, and disciplined third-party offboarding to make governance real.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | PR.AC-4 | Inline enforcement must match the identity decision at runtime.
OWASP Non-Human Identity Top 10 | NHI-03 | Standing privilege and stale access are central to this announcement.
NIST CSF 2.0 | PR.AC-1 | Identity management and access control are the core governance issue here.

Map privileged access flows to access governance controls and verify enforcement continuously.


Key terms

  • Standing Privilege: Standing privilege is access that remains available beyond the moment it is needed. In identity programmes, it creates a durable attack surface because the entitlement exists before use and often persists after the task is complete, whether the actor is a user, service account, or AI-driven workflow.
  • Just-in-Time Access: Just-in-time access is a provisioning pattern that grants privilege only for a defined task window and removes it automatically afterward. It is used to reduce excess exposure, but it only works when approval, context, and revocation are aligned at runtime, not only in policy.
  • Identity-Centric Zero Trust: Identity-centric Zero Trust is a control model in which identity decisions determine access and those decisions are enforced continuously at the point of use. The approach treats identity as the control plane for runtime authorisation, which makes session-level enforcement and lifecycle expiry essential.
  • Inline Enforcement: Inline enforcement is the technical act of applying access policy in the live session path, not just at approval time. It matters because identity governance without runtime enforcement can authorize access that the session layer never actually constrains, especially in distributed and third-party environments.

What's in the full announcement

Saviynt's full press release covers the operational detail this post intentionally leaves for the source:

  • The exact integration model for aligning identity governance with session-start enforcement across privileged access flows.
  • The specific ways the partnership positions just-in-time access for users, applications, and infrastructure.
  • The vendor's own description of how third-party access, expiration, and audit visibility are expected to work.
  • The funding and partnership context behind the collaboration, including the named investors involved.

👉 Saviynt's full press release covers the joint identity and enforcement model, plus the funding context behind the partnership.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org