TL;DR: CISA’s updated Zero Trust Maturity Model now places Identity first, linking least privilege, continuous visibility, and policy automation to practical maturity rather than a destination, according to SentinelOne. That shift makes identity governance the control plane for NHI, human access, and emerging autonomous behaviour, not a side effect of network segmentation.
At a glance
What this is: This analysis argues that the updated CISA Zero Trust Maturity Model makes identity the first pillar of zero trust and ties maturity to continuous visibility, automation, and least privilege.
Why it matters: It matters because IAM, NHI, and PAM teams now have a stronger benchmark for measuring whether identity controls are truly enforcing zero trust across users, devices, workloads, and secrets.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read SentinelOne's analysis of identity-first zero trust and least privilege maturity
Context
Zero trust works only when identity is treated as a control plane rather than a label. The updated CISA model reflects that reality by putting Identity first and by tying maturity to visibility, continuous verification, and policy enforcement across human and machine access.
For identity programmes, that shift matters because the old boundary-based model assumed trust could be inherited from network location or device posture. Modern environments now mix users, service accounts, workload identities, and AI systems, so maturity depends on whether access is provable, reviewable, and revocable across all of them.
The practical question is no longer whether an organisation says it follows zero trust. It is whether its IAM, PAM, and NHI controls can actually enforce least privilege at runtime without breaking operations or leaving standing access in place.
Key questions
Q: Why do service accounts and other NHIs complicate GRC implementation?
A: NHIs complicate GRC because they often outnumber human accounts, change outside normal HR-driven lifecycle processes, and carry access that is easy to overlook in reviews. If inventory, ownership, and expiry are incomplete, the GRC programme will miss the most material access risks. That makes NHI governance a core compliance issue, not a niche security task.
Q: Why do static policies undermine zero trust maturity?
A: Static policies assume access conditions stay stable long enough for a one-time decision to remain valid. In modern environments, identity context changes quickly across cloud, endpoints, and workloads. Zero trust only works when policy can be reevaluated as conditions change, especially for privileged and machine identities.
Q: What breaks when Zero Trust is implemented without identity governance?
A: Zero Trust breaks when the policy engine is enforcing stale or incomplete identity data. If access approvals, ownership, and revocation are not governed, the organisation keeps validating entitlements that no longer match business intent. The result is technically strong enforcement built on weak identity records, which still leaves over-privileged accounts and hidden exceptions in place.
Q: Who is accountable when identity-based access fails in a Zero Trust programme?
A: Accountability sits with the identity, security, and platform owners who control entitlement design, lifecycle governance, and response automation. If service accounts, tokens, or human credentials are outside a clear ownership model, the programme cannot enforce revocation or prove that least privilege is being maintained.
Technical breakdown
Identity as the first zero trust pillar
CISA’s updated maturity model places Identity ahead of Device, Network Environment, Application/Workload, and Data because access decisions begin with who or what is requesting entry. In practice, identity is the point where authentication, entitlement, and policy enforcement intersect. That matters for both human users and NHIs because the same access layer often governs SSO, API tokens, service accounts, and workload credentials. When identity is weakly governed, every later control inherits that weakness. The model’s emphasis on identity also signals that maturity is not just about stronger login methods, but about controlling authorisation continuously across the access lifecycle.
Practical implication: Treat identity governance as the first zero trust dependency and measure whether every access path is enforceable, observable, and revocable.
Why static policies break zero trust maturity
The article contrasts traditional maturity with optimal maturity by showing a move from static security policies and manual configuration toward automated attribute assignment and dynamic policy decisions. That shift is fundamental because zero trust cannot rely on one-time trust decisions. If access is granted once and then left untouched, the architecture is still behaving like a perimeter model. The real technical change is that policy must respond to context, entitlement drift, and observed signals across identities and workloads. Without that, zero trust becomes a branding layer over the same standing access patterns that attackers already exploit.
Practical implication: Audit where policy is still static and remove any access path that cannot be reevaluated during the session or transaction.
Identity threat detection and response in zero trust
The article links identity maturity with visibility, analytics, and identity threat detection and response, which is where zero trust becomes operational rather than theoretical. ITDR looks for signs that an identity is being abused, such as unusual queries, suspicious privilege use, or credential theft indicators. This is especially relevant across AD, cloud, and endpoint environments because identity compromise now moves laterally through valid credentials rather than obvious malware alone. In a mature model, identity telemetry is not a separate SOC feed. It is part of the control loop that validates whether trust remains justified.
Practical implication: Integrate identity telemetry into detection and response so that access anomalies trigger action before privilege can be reused elsewhere.
Threat narrative
Attacker objective: The attacker aims to turn valid identity access into persistent, high-value control over systems and data while avoiding conventional perimeter detection.
- entry via compromised identities that already have valid access to the environment, often bypassing perimeter defenses entirely.
- escalation through overprovisioned entitlements, stale permissions, or credential theft that turns legitimate access into broader control.
- impact through identity-driven lateral movement, policy drift, and unauthorized access to sensitive systems, cloud resources, or data.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity-first zero trust is a governance shift, not a tooling preference. CISA’s updated model is useful because it makes identity the organising principle for least privilege, visibility, and continuous verification. That matters across human IAM, NHI governance, and PAM because access is now the common failure point across all three. Practitioners should read the model as a maturity benchmark for whether identity controls actually govern trust, not as another architecture diagram.
Static access assumptions are the real maturity gap. Traditional maturity presumes that access can be assigned, reviewed, and managed as a stable state. That assumption fails when access is dynamic across endpoints, clouds, service accounts, and entitlements that change faster than review cycles. The implication is that programmes built around periodic review alone will miss the operational reality of modern identity exposure.
Identity visibility is still the limiting factor in zero trust programmes. The control stack cannot enforce what it cannot see, and the article’s emphasis on visibility and analytics reflects that limitation. In enterprise identity programmes, hidden service accounts, orphaned credentials, and overprovisioned entitlements undermine zero trust faster than perimeter gaps do. Practitioners should treat identity inventory quality as a maturity gate, not a reporting metric.
Identity blast radius: when identity is the first pillar, every ungoverned credential becomes a direct path to broader compromise. This concept captures why identity compromise now scales faster than device or network compromise. It also explains why least privilege must be measured by effective access, not by policy language. The conclusion for teams is simple: if you cannot bound identity blast radius, you do not have mature zero trust.
Zero trust maturity now depends on cross-domain governance across human, machine, and workload identities. The article’s identity-first framing is important because it collapses the old separation between IAM, NHI, and workload security. Those controls now need shared visibility and shared enforcement logic. Practitioners should align ownership across teams that still manage identities in silos.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- For a broader control baseline, see Ultimate Guide to NHIs , Standards for the frameworks that anchor least privilege and zero trust governance.
What this signals
Identity-first zero trust will push more organisations to measure access quality before they measure tooling coverage. As programmes mature, the practical question will be whether access can be continuously verified across users, service accounts, and workloads, not whether a policy exists on paper. The organisations that keep treating identity as a directory problem will keep finding that their zero trust posture is mostly declarative.
Identity blast radius: when access is overbroad or poorly inventoried, every later control inherits that weakness. With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the next phase of zero trust maturity will be about shrinking effective privilege rather than adding more policy layers.
Programmes that want credible zero trust outcomes should align to the framework language in NIST SP 800-207 Zero Trust Architecture and map those controls into identity, entitlement, and telemetry ownership. That alignment makes it easier to separate maturity claims from operational reality and to spot where human IAM, NHI governance, and workload access still drift apart.
For practitioners
- Map identity first in your zero trust roadmap Inventory all identity types, including users, service accounts, API keys, certificates, and workload identities, then map each to the zero trust pillar it affects most directly.
- Remove static access assumptions from policy design Identify where access is still granted once and trusted indefinitely, then replace that with conditional, continuously evaluated authorization for high-risk paths.
- Tie IAM, PAM, and NHI telemetry together Correlate login events, entitlement changes, token use, and privileged activity so identity abuse can be detected as a control failure rather than a separate alert class.
- Use identity inventory quality as a maturity metric Measure how many service accounts, orphaned credentials, and overprovisioned entitlements remain undocumented, because missing inventory is a zero trust gap.
Key takeaways
- CISA’s updated model makes identity the primary zero trust control point, which shifts maturity discussions from network design to access governance.
- Weak visibility, static policies, and overprovisioned entitlements are the recurring failure modes that keep zero trust from becoming operational.
- Teams should judge zero trust maturity by whether identity can be continuously verified, constrained, and revoked across human, machine, and workload access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Section 2.1 | The article is explicitly framed around zero trust maturity and identity-first control design. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and entitlement governance are central to the article. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential and authenticator management underpins the identity controls discussed here. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article’s identity-first framing directly overlaps with non-human identity governance. |
Review identity entitlements against PR.AC-4 and remove access that exceeds operational need.
Key terms
- Zero Trust Maturity Model: A maturity framework that measures how far an organisation has moved from implicit trust to continuous verification. In identity terms, it shows whether access decisions are static, contextual, and enforceable across users, service accounts, workloads, and devices.
- Identity Threat Detection and Response: A detection and response approach focused on signs that identity is being abused rather than only on malware or network indicators. It watches for suspicious authentication, privilege use, and entitlement drift so teams can respond to identity compromise before it spreads.
- Identity Blast Radius: The amount of damage an identity can cause if it is misused or compromised. For mature programmes, the goal is to shrink effective blast radius by reducing privilege, improving visibility, and ensuring access can be revoked quickly across every identity type.
What's in the full article
SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:
- Ranger Identity Assessor for AD coverage of vulnerabilities in Active Directory and Azure AD.
- Attack path visualization details for stored or orphaned credentials and misconfigurations at the endpoint layer.
- CIEM-focused entitlement analysis for cloud identities, resources, and overprovisioned access.
- ITDR and endpoint identity detection examples for unauthorized queries and privilege escalation attempts.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org