TL;DR: The Smells Like Identity Hygiene episode with Marene Allison and SPHERE Technology Solutions argues that identity, not network perimeters, now determines security outcomes, especially as bots and AI agents join employees and machine accounts in accessing data. The central governance problem is that Zero Trust still fails when ownership, lifecycle control, and least privilege are not enforced across every identity type.
At a glance
What this is: This podcast recap argues that identity is the modern perimeter and that Zero Trust only works when governance reaches humans, machine identities, and AI agents alike.
Why it matters: It matters because IAM teams cannot separate human access, service account control, and emerging agent identities without creating blind spots that attackers can exploit with valid credentials.
👉 Read SPHERE Technology Solutions' recap of Zero Trust and Cowboy Boots
Context
Zero Trust becomes hollow when organisations protect the network boundary but leave identity ownership, lifecycle control, and access review inconsistent. The article argues that the real security perimeter is the identity that can reach data, whether that identity is a person, a service account, or an AI agent.
That framing matters for IAM, IGA, PAM, and NHI governance because the same control failures recur across all three identity classes (human, machine, and agent): orphaned access, excessive privilege, and unclear ownership. In practice, the question is no longer whether access is authenticated, but whether the identity behind it is governed well enough to be trusted at runtime.
Key questions
Q: How should security teams govern access when bots and AI agents act like non-human identities?
A: Security teams should classify bots and AI agents as governed identities, not as informal automation. That means assigning ownership, recording purpose, limiting scope, and reviewing access as part of the lifecycle. If an agent or bot can reach sensitive data, it needs the same accountability chain as any other identity, even if its behaviour is more dynamic.
Q: Why do valid credentials still create risk in a Zero Trust model?
A: Valid credentials still create risk when the identity behind them is over-privileged, poorly owned, or no longer aligned to business need. Zero Trust does not eliminate trust decisions. It shifts them closer to the data, which means stale access, orphaned accounts, and weak lifecycle controls remain exploitable even when authentication succeeds.
Q: What do teams get wrong when treating identity governance as an IT task?
A: They lose security accountability. When identity is owned only by IT or application teams, access reviews, offboarding, and exception handling become fragmented. That fragmentation creates blind spots that attackers can exploit with valid access, especially in environments where human, machine, and agent identities all reach the same data.
Q: How do organisations make Zero Trust work across human and machine identities?
A: They map access controls to identity type and data sensitivity instead of relying on a single perimeter model. Human users need strong authentication and review. Service accounts and agents need ownership, scope limits, and lifecycle governance. The common requirement is continuous verification at the point where data is actually touched.
Technical breakdown
Identity as the security perimeter
Identity-as-perimeter shifts the control point from networks and devices to the identity that requests or holds access. In modern environments, data moves across applications, cloud services, and shared platforms, so the decisive question is not where the request came from but whether the identity is known, owned, and scoped correctly. This is why valid credentials can bypass otherwise strong perimeter controls. Once access is granted, downstream protections matter less if the identity itself is over-privileged or poorly governed.
Practical implication: treat identity ownership and privilege scope as first-class security controls, not administrative afterthoughts.
Zero Trust at the data layer
Data-layer Zero Trust means validating who or what can touch sensitive information at the point of access, not just at the network edge. That requires continuous verification, current entitlements, and enough context to distinguish a legitimate human workflow from a machine or agent session. In NHI terms, stale service accounts and dormant API keys are especially dangerous because they often retain access long after the business need has changed. If the identity can still touch the data, the trust decision has not been closed.
Practical implication: map Zero Trust policy to data access paths and review every identity that can reach sensitive data.
Bots and AI agents as a third identity category
The article highlights a middle category between human users and classic machine accounts: bots, automation scripts, and AI agents that act independently but still require credentials. That category matters because traditional IAM often assumes a stable operator and a stable purpose, while these identities may be created quickly and used in fluid workflows. Their risk profile looks like NHI, but their behaviour can change faster than conventional lifecycle processes are designed to track. That creates governance pressure on ownership, approval, and offboarding.
Practical implication: classify bots and AI agents explicitly in identity inventories and apply lifecycle controls before they accumulate standing access.
NHI Mgmt Group analysis
Identity perimeter thinking is now the correct baseline for governance, but only if the identity itself is governed. The article correctly rejects perimeter-only security, yet the bigger lesson is that identity has become the enforcement plane for human, NHI, and emerging agent access. When identity ownership is fragmented across IT, application teams, and security, the organisation loses the ability to prove who is allowed to touch data. Practitioners should treat identity governance as the control layer that makes Zero Trust operational.
Orphaned access is the failure mode the episode names behind identity-perimeter breakdowns. The episode points to outdated permissions and unmanaged accounts as the hidden risk, which is exactly where NHI governance usually fails first. Long-lived access without current ownership is not a tooling problem but a lifecycle problem, and it creates a standing trust debt. Practitioners should read this as a governance warning: access that outlives its business purpose becomes exploitable surface.
Bot and AI agent access exposes a lifecycle assumption that no longer holds. Human IAM assumes a stable person, stable role, and observable workflow, but bots and agents can be created, repurposed, and retired much faster than review cycles detect. That assumption fails when the identity is non-human and operationally elastic. The implication is that lifecycle governance must stop treating these identities as exceptional accounts and instead model them as first-class governed subjects.
Runtime identity ownership: The article points to a control gap where nobody can clearly answer who owns an identity after it is provisioned. That gap matters because ownership is what turns access review from a paperwork exercise into a security decision. Without named ownership, every other control weakens, including recertification, offboarding, and exception handling. Practitioners should make ownership traceable before access is granted, not after problems appear.
Zero Trust must extend to machine and agent identities or it remains partial. The episode makes clear that data access does not care whether the requester is a human, a service account, or an AI agent. NIST SP 800-207 is still relevant here, but only if continuous verification includes every identity class with data access. Practitioners should align Zero Trust design to identity type, not just to network location.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The governance response starts with the Ultimate Guide to NHIs (Standards), which maps identity controls to Zero Trust and NHI lifecycle requirements.
What this signals
Identity perimeter programmes will fail if service accounts remain partially visible. With only 5.7% of organisations reporting full visibility into service accounts, according to the Ultimate Guide to NHIs, the control gap is structural rather than tactical. Teams should expect the same visibility problem to extend to bots and AI agents unless identity inventory, ownership, and review processes are redesigned together.
Runtime identity ownership is the concept to sharpen now. If nobody can name the business owner of a service account, bot, or agent, the organisation cannot credibly claim Zero Trust at the data layer. That is where IGA, PAM, and NHI governance converge: each identity needs an accountable owner before it needs another policy exception.
The practical next step is to align identity governance with NIST SP 800-207 Zero Trust Architecture while treating non-human identities as governed subjects, not convenience accounts. When the perimeter becomes identity, your programme has to verify ownership, purpose, and privilege at the same time.
For practitioners
- Inventory every identity that can touch data: Build a single inventory covering employees, contractors, service accounts, bots, and AI agents. Record business owner, technical owner, system of use, and last verified purpose so access decisions can be tied to accountability.
- Assign named ownership before granting access: Do not approve new access unless the identity has a documented owner who can approve changes, review exceptions, and confirm offboarding. Use ownership as a gating field in IAM and IGA workflows.
- Review orphaned and dormant access on a fixed cadence: Prioritise accounts with no clear owner, no recent activity, or permissions that no longer match business use. Cross-check these identities against data access paths, not just directory records.
- Extend Zero Trust policy to non-human identities: Apply continuous verification to service accounts, API keys, and agent credentials that can reach sensitive data. Tie access to the data layer and remove standing privilege where the access need is intermittent.
Key takeaways
- Identity now functions as the perimeter, which makes governance quality a security control rather than an administrative task.
- Service accounts, bots, and AI agents introduce the same lifecycle and accountability problems when ownership and visibility are weak.
- Zero Trust only works when continuous verification reaches the data layer and covers every identity that can touch it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: all data sources and computing services are resources; authentication and authorization are dynamic and strictly enforced before access is allowed | Identity-first access decisions align with verification at the point of access, for human and non-human requesters alike. |
| OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | The article's focus on orphaned access, ownership, and scope limits for service accounts, bots, and agents. |
| NIST CSF 2.0 | PR.AA-01 (identities and credentials for users, services, and hardware are managed); PR.AA-05 (access permissions and entitlements are managed and reviewed, incorporating least privilege and separation of duties) | Ownership, lifecycle management, and least-privilege review are central to the article's governance message. |
Map every data-touching identity to continuous verification and eliminate reliance on perimeter trust.
Key terms
- Identity as the perimeter: A security model that treats the identity requesting access as the primary control point instead of the network boundary. In practice, this means access decisions depend on ownership, privilege, and context across humans, service accounts, bots, and agents.
- Orphaned access: Access that remains active after the business purpose, owner, or user has changed or disappeared. In identity programmes, orphaned access is dangerous because it preserves standing privilege without a clear accountability chain or a current need-to-use.
- Non-human identity: A non-person account or credential used by software, services, workloads, APIs, bots, or AI agents. These identities often outnumber human users and require the same governance discipline for ownership, lifecycle management, and privilege control.
- Runtime identity ownership: The practice of maintaining a clearly named accountable owner for an identity while it is in use, not only when it is created. For non-human identities, runtime ownership is what makes access review, exception handling, and offboarding operationally enforceable.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SPHERE Technology Solutions: Podcast highlights from Smells Like Identity Hygiene, Zero Trust and Cowboy Boots. Read the original.
Published by the NHIMG editorial team on 2025-09-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org