By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: AppgatePublished November 20, 2025

TL;DR: A $11.6 million net present value and a payback period of under six months over three years were reported in Forrester’s TEI study of AppGate ZTNA, with identity-centric segmentation also reducing lateral movement and administrative overhead, according to Appgate. The larger signal is that zero trust access decisions now hinge on control of the connection path, not just policy intent.


At a glance

What this is: This is Appgate’s summary of a Forrester TEI study on direct-routed ZTNA, with quantified ROI and operational gains tied to identity-centric access design.

Why it matters: It matters because IAM and Zero Trust teams have to evaluate whether access controls are merely authenticating users or also constraining network path, lateral movement, and operational dependence.

By the numbers:

👉 Read Appgate's analysis of the Forrester TEI study on direct-routed ZTNA


Context

Identity-centric Zero Trust Network Access is about controlling who can reach which resource, under what context, while also limiting how far that access can move through the environment. In this case, the governance gap is not authentication alone but whether access is tied to direct, constrained paths that reduce reliance on intermediary infrastructure.

That distinction matters to IAM and NHI programmes because access policy, session trust, and network routing are converging controls. When access tools sit between users and protected resources, they can either reinforce least privilege or create new operational choke points that hide entitlement risk.


Key questions

Q: How should security teams evaluate direct-routed ZTNA for Zero Trust access?

A: Security teams should evaluate direct-routed ZTNA by checking whether it narrows the access path as well as the application entitlement. The key test is whether authenticated users can only reach the resources they need without shared relays, broad internal traversal, or hidden lateral movement paths. If those conditions remain, the control is only partially constraining risk.

Q: Why do identity-centric access models matter when lateral movement is the main risk?

A: Identity-centric access models matter because most compromise paths become dangerous after authentication succeeds. If the access layer does not limit which applications, segments, and services a session can touch, stolen credentials still provide useful movement. Strong identity policy has to be paired with narrow routing and segmentation if it is meant to reduce blast radius.

Q: What do organisations get wrong about Zero Trust network access in practice?

A: Organisations often treat Zero Trust Network Access as a connectivity project instead of a containment project. That mistake leaves access broad enough to preserve lateral movement, even when user authentication is strong. The better question is whether the architecture limits where a valid session can go once access has been granted.

Q: Who is accountable when access architecture still permits excessive internal reach?

A: Accountability usually sits across IAM, network, and platform teams, but the failure is architectural rather than procedural. If internal reach remains excessive, ownership must cover entitlement design, segmentation, and enforcement together. Zero Trust frameworks require that access decisions and containment controls are aligned, not handed off between silos.


Technical breakdown

How direct-routed ZTNA changes the access path

Direct-routed ZTNA establishes an encrypted connection between the user and the authorized resource without backhauling traffic through a shared cloud relay. That reduces the number of intermediary trust points and can improve latency, but the security value comes from keeping the access path tightly bound to policy. In practice, this is a transport and authorization problem at the same time. If the control plane grants access but the routing layer remains broad, the environment still carries unnecessary exposure.

Practical implication: validate whether your ZTNA design constrains the session path as tightly as it constrains the entitlement.

Why identity-centric segmentation matters for lateral movement

Identity-centric segmentation links access decisions to user context, application scope, and policy rather than to flat network reach. That matters because many compromise scenarios succeed after initial authentication, when an attacker moves laterally through over-permitted paths. Segmentation does not replace identity governance, but it can compress the blast radius when an account or session is abused. For teams running hybrid estates, the control question is whether network access is narrowed enough to make stolen credentials materially less useful.

Practical implication: map the applications and segments where a valid session would still allow sideways movement, then shrink that pathway first.

What the TEI lens does and does not prove

A Total Economic Impact study measures business outcomes such as payback, operating effort, and risk-adjusted value. It is useful for budgeting and prioritisation, but it does not by itself prove universal security superiority or architectural completeness. For IAM leaders, the important reading is narrower: if a direct-routed model reduces operational friction while preserving policy enforcement, it may be easier to sustain than more complex access designs. The decision then becomes about control durability, not just feature preference.

Practical implication: treat economic evidence as input to architecture selection, then validate control effectiveness with your own access and risk tests.


NHI Mgmt Group analysis

Identity-centric access is becoming a routing and governance problem, not just a login problem. The study’s real signal is that Zero Trust access is judged by how tightly it binds identity, session, and path control together. If users can authenticate but still traverse broad intermediary layers, the access model remains more permissive than most boards assume. Practitioners should treat routing architecture as part of the identity control surface.

Direct-routed designs reduce dependency risk, but they also expose whether policy is actually doing the work. When a secure access layer removes cloud relays and backhaul, there is less architectural cover for weak segmentation or sloppy entitlement design. That forces a clearer answer to the question of what is being trusted and where. The practical conclusion is that architecture can either conceal or expose governance quality.

Session containment: the key concept here is whether a valid access session can be kept narrow enough to limit reach, even after authentication succeeds. That concept matters because many modern breaches do not start with broken authentication, they start with over-broad access that remains useful after login. Direct routing may make that containment easier to observe, but only entitlement scope and segmentation make it real. Practitioners should evaluate whether their sessions are truly task-bound.

The market is moving toward access models that must justify themselves operationally, not only conceptually. Cost savings, management overhead, and user experience are now part of the architecture conversation because they determine whether a control survives real deployment. That does not make business value a proxy for security efficacy, but it does mean difficult controls that create friction will lose to simpler ones. The implication for teams is to select access architectures that can be governed continuously.

For IAM and NHI programmes, Zero Trust only works when access policy, service exposure, and lateral movement control are aligned. This is where the identity angle becomes material. If human sessions can still cross too many internal boundaries, the same design weaknesses will also affect service accounts, tokens, and API-driven access paths. Practitioners should align human and non-human access governance around the same containment principles.

What this signals

Direct-routed access architectures will increasingly be judged against whether they materially reduce blast radius, not whether they simply replace a VPN. That shifts programme design toward measurable containment outcomes, especially where hybrid estates mix human users, service accounts, and API-driven workloads.

Session containment debt: organisations accumulate it when access tooling can authenticate correctly but still leaves too much internal reach available to a valid session. That debt shows up later as incident response complexity, policy exceptions, and hidden trust paths.

The practical next step for readers is to align Zero Trust roadmaps with identity governance data, including service account visibility, entitlement scope, and offboarding discipline. The strongest access model is the one that remains governable after the initial rollout.


For practitioners

  • Audit session path exposure Map where authenticated users still traverse shared relays, hub-and-spoke backhaul, or broad internal segments before reaching applications. Then remove unnecessary path dependencies for high-value workloads and compare the result with your least-privilege policy model.
  • Test lateral movement containment Run controlled breach simulations to see how far a valid session can move after access is granted. Focus on whether segmentation and application scoping actually stop movement between adjacent resources rather than only blocking unauthorised logins.
  • Review identity and network control ownership Assign clear owners for entitlement policy, session enforcement, and routing architecture so no team assumes another layer is handling containment. Include service accounts and machine-driven access paths in the same review.
  • Benchmark operational drag against control value Measure policy changes, support load, and exception handling alongside security outcomes so architecture choices are judged by durability as well as protection. Controls that are difficult to operate often decay into exceptions.

Key takeaways

  • The central issue is not whether users can log in, but whether the access path remains tightly contained after authentication succeeds.
  • The study’s economic results show that architecture choices are now being judged on operability, not just security theory.
  • Teams should assess whether their Zero Trust design reduces lateral movement for both human and machine access, or simply relocates it.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST Zero Trust (SP 800-207), NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST Zero Trust (SP 800-207)The article centres on Zero Trust access path design and containment.
NIST CSF 2.0PR.AC-4Identity-based access restriction is core to the article's ZTNA model.
NIST SP 800-53 Rev 5AC-6Least privilege is the governing control for identity-centric segmentation.
CIS Controls v8CIS-6 , Access Control ManagementThe access control and segmentation discussion maps to CIS access governance.

Use Zero Trust principles to verify access, narrow routing, and reduce implicit trust in internal paths.


Key terms

  • Direct-routed ZTNA: A Zero Trust access model that connects users directly to authorised resources through encrypted paths instead of sending traffic through a shared cloud relay. The architecture aims to reduce latency, limit intermediary trust points, and make policy enforcement more tightly coupled to the session.
  • Identity-centric segmentation: A segmentation approach that uses user identity, context, and policy to determine what resources a session may reach. It shifts the control point from broad network location to narrower, identity-bound access boundaries that are easier to align with least privilege.
  • Session containment: The practical ability to keep a valid session narrowly scoped after authentication succeeds. It matters because many attacks exploit authorised access rather than bypassing it, so containment determines how much damage a compromised account can cause.

What's in the full report

Appgate's full study covers the operational detail this post intentionally leaves for the source:

  • The underlying Forrester TEI methodology used to calculate NPV, payback, and risk-adjusted value.
  • The specific cost and productivity categories that contributed to the six-month payback result.
  • The customer interview excerpts that explain why direct-routed connectivity was preferred over cloud-routed alternatives.
  • The performance and administrative efficiency assumptions behind the composite organisation model.

👉 Appgate's full study includes the TEI model, cost assumptions, and customer interview detail behind the ROI case.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and identity lifecycle controls. It is designed for practitioners who need to align access governance with broader identity and security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org