TL;DR: Micro-segmentation and software-defined perimeters still matter, but Bravura Security argues that identity governance and IAM are the more scalable foundation for Zero Trust Architecture as cloud adoption, social engineering, and credential abuse reduce the value of network boundaries. The real shift is from perimeter control to contextual access decisions and lifecycle governance.
At a glance
What this is: This is a zero trust analysis that argues identity governance and IAM now do more of the security work than perimeter-based controls.
Why it matters: It matters because IAM, NHI, and human identity programmes all inherit the same problem: access is increasingly judged by context, not network location.
By the numbers:
- According to the 2021 and 2025 editions of the Verizon Data Breach Investigations Report, 80% of breaches were linked to external actors in 2021 and 81% in 2025.
- According to the 2021 and 2025 editions of the Verizon Data Breach Investigations Report, 20% of breaches came from internal sources in 2021 and 18% in 2025.
Context
Zero Trust Architecture is an access model that assumes no user, device, or network location is trusted by default. In practice, that means security teams have to decide access using context, identity, and policy rather than simply placing confidence in the internal network.
The article’s core argument is that perimeter-based approaches such as micro-segmentation and software-defined perimeters still have a role, but they are no longer enough on their own. For IAM programmes, the more durable control plane is identity governance, because it can enforce least privilege, automation, and lifecycle decisions across on-premises, cloud, and SaaS environments.
This is a familiar direction for teams that have already moved away from static perimeter thinking and toward the lifecycle-centred approach set out in the Ultimate Guide to NHIs. The practical question is no longer whether to use identity in Zero Trust, but how far identity governance must extend across human and non-human access paths.
Key questions
Q: How should security teams build Zero Trust around identity rather than the network perimeter?
A: Start by making identity governance the decision layer for access, then use segmentation and software-defined perimeters only to reduce blast radius. That means automated provisioning, deprovisioning, approval workflows, and just-in-time access should determine who can reach a resource, while the network controls contain what happens if an identity is misused.
Q: Why do micro-segmentation and software-defined perimeters fall short on their own?
A: They still depend on boundaries, policy engines, and trust assumptions that weaken as workloads shift into cloud and SaaS environments. They can limit lateral movement, but they do not solve the core problem of valid credential abuse, which is why identity-based authorisation must sit above the network layer.
Q: What should Zero Trust programmes measure to know whether identity governance is working?
A: Measure how quickly access is provisioned, reviewed, and revoked, and whether privilege is actually reduced over time. If entitlements remain static while environments change, the programme may look modern but still behaves like a perimeter model with extra layers.
A: IAM should own the access policy and lifecycle rules, while networking and cloud teams provide the enforcement points and telemetry. The accountability line matters because Zero Trust fails when no single team owns the end-to-end access decision.
Technical breakdown
Micro-segmentation and why it still has limits
Micro-segmentation divides the network into smaller protected zones so a compromise in one area does not automatically expose everything else. It works best in stable environments where assets, traffic flows, and trust boundaries change slowly. The problem is that modern cloud and SaaS architectures move faster than those boundaries, so the operational burden rises while the security gain narrows. In that setting, segmentation can reduce blast radius, but it does not solve identity misuse, valid credential abuse, or policy decisions that happen above the network layer.
Practical implication: use micro-segmentation to contain high-value systems, but do not treat it as the primary control for access governance.
Software-defined perimeters and identity-based access
A software-defined perimeter hides resources until identity, device posture, and policy conditions are satisfied. That makes it closer to a contextual access layer than a traditional firewall model. However, it still depends on policy engines, trust decisions, and environmental boundaries that are harder to maintain as workloads move across cloud services and third-party platforms. When access is granted through compromised valid credentials, the perimeter is often already bypassed because the system sees an apparently legitimate request.
Practical implication: pair software-defined perimeters with strong identity controls, because perimeter logic alone cannot distinguish legitimate users from stolen credentials.
Identity governance as the durable control plane for Zero Trust
Identity governance adds the missing discipline that network-centric controls cannot provide: automated provisioning, deprovisioning, workflow approval, just-in-time access, and least privilege across the full access lifecycle. In Zero Trust terms, it turns access from a network problem into a continuous authorisation problem. That matters because most real-world intrusion paths use valid credentials, not exotic exploits. Identity governance therefore becomes the mechanism that makes Zero Trust operationally sustainable across human users, service accounts, and other non-human identities.
Practical implication: build Zero Trust around lifecycle-aware identity governance so access decisions remain consistent across environments and identity types.
Threat narrative
Attacker objective: The attacker’s objective is to turn stolen but valid identity into broad internal access without triggering controls that only watch the edge.
- Entry occurs when attackers obtain valid credentials through phishing, credential reuse, or dark web acquisition rather than by attacking the network perimeter directly.
- Escalation happens when those legitimate-looking credentials are accepted inside the environment, allowing the attacker to move beyond perimeter controls and reach resources that trust identity claims.
- Impact follows when internal access is used to reach data, services, or administrative functions that perimeter-only controls were never designed to govern.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Perimeter control is now a containment layer, not a trust model. Micro-segmentation and software-defined perimeters can still reduce exposure, but they do not answer the harder question of who or what should receive access in the first place. Once attackers arrive with valid credentials, the network boundary has already failed as a governance mechanism. Practitioners should treat these controls as blast-radius reducers, not as the foundation of Zero Trust.
Identity governance is the control plane Zero Trust actually needs. Automated provisioning, deprovisioning, just-in-time access, and approval workflows create the continuous decision loop that Zero Trust depends on. That loop is what makes least privilege enforceable across cloud, SaaS, and hybrid environments. For IAM teams, the architectural priority is not perimeter preservation but lifecycle-aware authorisation.
Standing access assumptions break as soon as access becomes dynamic. Access models designed for stable internal users assume a clear boundary, a durable session, and a predictable review cycle. Those assumptions are increasingly weak in environments where users, services, and non-human identities move fluidly across systems. The implication is that governance must shift from static boundary enforcement to policy decisions that follow the identity everywhere it operates.
Zero Trust without identity discipline creates a false sense of modernisation. Organisations can deploy segmentation, overlays, and policy engines while still leaving their highest-risk access paths governed by manual approvals or stale entitlements. That produces a surface-level Zero Trust posture without the operational control needed to sustain it. Security leaders should judge maturity by access lifecycle control, not by how many perimeter alternatives are in place.
Reduced Trust is a more realistic on-ramp than perimeter replacement. The article’s gradual framing matters because many enterprises cannot replace every boundary control at once. A staged transition that reduces trust in legacy assumptions while expanding identity governance is more practical than a wholesale architectural reset. Practitioners should use that sequencing to modernise access control without freezing delivery.
From our research:
- 68% of organisations do not know how to fully address NHI risks, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- For the governance model behind that remediation gap, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
What this signals
Identity governance is becoming the practical control plane for Zero Trust. Teams that still treat segmentation as the main answer are likely to overinvest in containment and underinvest in lifecycle decisions. The next maturity step is to make access decisions follow the identity across human, non-human, and workload contexts, using the NIST Cybersecurity Framework 2.0 as the governance backdrop.
Reduced Trust is a useful transition state, not the end state. Many enterprises cannot remove perimeter thinking overnight, but they can stop treating it as the source of authority. That shift is especially important where valid credentials, federated access, and third-party connectivity blur the line between internal and external traffic.
Access lifecycle discipline will separate real Zero Trust from marketing language. If provisioning, revocation, and review still lag behind operational change, the programme remains vulnerable even when network controls look modern. Practitioners should align the access model with the Ultimate Guide to NHIs, Standards and the NIST SP 800-207 Zero Trust Architecture baseline.
For practitioners
- Map trust decisions to the identity lifecycle: Inventory where access is still granted by network location, then replace those decisions with identity, device, and policy checks that can be audited across joiner, mover, and leaver events.
- Use segmentation as containment, not governance: Keep micro-segmentation for high-value assets and legacy isolation, but define it as a blast-radius control while identity governance owns the access decision.
- Adopt just-in-time access for high-risk privileges: Reserve standing access only for the rare cases that truly require it, and make elevated access expire automatically after the task is complete.
- Automate deprovisioning and entitlement review: Remove the manual lag between role change and access removal by linking provisioning, review, and revocation to the same governance workflow.
Key takeaways
- Micro-segmentation and software-defined perimeters still help contain attacks, but they do not replace identity governance as the primary Zero Trust control.
- The strongest evidence for a governance-first model is that most real intrusions use valid credentials rather than direct perimeter attacks.
- Teams should measure Zero Trust maturity by access lifecycle control, not by how much of the network perimeter they have re-created.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | | The article centers on Zero Trust architecture and identity-based access decisions. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and lifecycle controls are the article’s main governance theme. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The lifecycle and access-control discussion applies to non-human identities as well as human users. |
Apply NHI lifecycle controls to provisioning, revocation, and privilege minimisation.
Key terms
- Zero Trust Architecture: A security model that assumes no implicit trust based on network location, device location, or internal status. Access is decided continuously using identity, context, and policy. In practice, it shifts security from perimeter reliance to ongoing verification and least-privilege enforcement.
- Micro-segmentation: A network containment strategy that breaks environments into smaller isolated zones so compromise does not spread easily. It is useful for limiting blast radius, especially in legacy or high-value systems, but it does not by itself solve identity misuse or credential abuse.
- Software-Defined Perimeter: A policy-driven access layer that hides resources until identity and other conditions are verified. It acts as a controlled gateway to resources, but it still relies on trust decisions and boundary logic that can weaken when valid credentials are already compromised.
- Identity Governance: The set of processes that controls how identities receive, use, review, and lose access across their lifecycle. It covers provisioning, approval, access review, and deprovisioning, and it becomes the practical enforcement layer when Zero Trust must work across many environments.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Bravura Security: identity governance as a Zero Trust architecture approach. Read the original.
Published by the NHIMG editorial team on 2025-07-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org