TL;DR: Legacy VPN, firewall-centric segmentation, and cloud-routed access models are creating compliance, resilience, and performance friction for financial services organisations that must prove least privilege continuously while adapting to acquisitions, cloud migrations, and third-party integrations, according to Appgate. The core issue is not tooling volume but an access architecture built for static networks rather than regulated speed.
At a glance
What this is: This analysis argues that legacy access models are too static for financial services, where compliance, growth, and resilience now depend on continuously enforced, auditable, identity-aware access.
Why it matters: It matters because IAM and PAM teams in regulated environments need access controls that prove least privilege, support rapid change, and reduce audit exposure without turning every business change into a network project.
👉 Read Appgate's analysis of regulated access control for financial services
Context
Financial services access control is under pressure because regulated organisations must move quickly while still proving who can access what, when, and under what conditions. In practice, that means security teams are trying to replace static perimeter logic with access models that can keep pace with acquisitions, cloud migrations, and partner integrations.
The article is really about the governance gap between policy and enforcement. When access is still mediated through VPNs, firewalls, and cloud routing layers, identity and privilege decisions become slow, brittle, and difficult to audit, which is exactly where regulated IAM and PAM programmes start to fail.
Key questions
Q: How should security teams modernise access control in regulated financial environments?
A: They should move from perimeter-centric enforcement to identity-aware policy that can be applied continuously across users, devices, and sessions. The priority is to reduce dependence on manual firewall changes and broad VPN reach, because those mechanisms are slow to audit and hard to adapt during acquisitions, migrations, or third-party onboarding.
Q: Why do VPNs and firewall segmentation create compliance risk in financial services?
A: They create risk because they often turn access governance into a manual change process that lags behind business change. When exceptions pile up, the documented policy and the actual enforcement path drift apart, which weakens least privilege and makes it harder to prove continuous control to auditors.
Q: What do organisations get wrong about Zero Trust in regulated networks?
A: They often assume Zero Trust is a product layer rather than an operating model. In regulated environments, the test is whether access decisions still hold after the network changes, the organisation acquires another business, or traffic is rerouted through another control plane. If enforcement cannot survive change, the model is incomplete.
Q: Who is accountable when access controls fail to meet audit expectations?
A: Accountability sits with the teams that own access policy, identity governance, and the network paths used to enforce it. In practice, that means IAM, PAM, infrastructure, and security leaders need a shared evidence model for least privilege, segmentation, and session-level control, especially in regulated financial services.
Technical breakdown
Why perimeter access control breaks under regulatory pressure
Firewall-based segmentation and VPNs were built around static trust zones, not continuous verification. They can enforce policy only after long rule changes, brittle exception handling, and manual coordination across infrastructure teams. In regulated environments, that creates a gap between the documented control and the control that is actually active. Auditability suffers because the system may have a policy on paper while the real access path remains over-permissioned or inconsistently enforced.
Practical implication: replace network-centric exceptions with access policies that can be evaluated and enforced continuously.
How identity-centric access changes the control plane
Identity-centric access shifts the enforcement point away from broad network reach and toward user, device, and session context. That makes least privilege a live decision rather than a one-time login event. In financial services, this is especially important because acquisitions and third-party access expand the number of identities and paths that must be governed. The control objective is not only to authenticate a user, but to ensure the authorised path stays narrow enough to satisfy compliance and limit lateral movement.
Practical implication: tie access decisions to identity and session context, not just network location or a successful VPN connection.
Why cloud-routed access can weaken resilience and audit confidence
Cloud-brokered routing can solve some perimeter problems, but it also introduces new dependencies in latency, availability, and data path control. For regulated institutions, that matters because the access plane itself becomes part of the resilience story. If a third-party path fails or obscures traffic handling, security teams lose not only performance but also the ability to demonstrate direct control. The governance issue is not cloud use itself, but whether the routing model preserves provable oversight.
Practical implication: review whether your access architecture preserves control evidence and failure isolation, not just connectivity.
NHI Mgmt Group analysis
Legacy access debt is a governance problem, not a network inconvenience. The article shows how firewall rework, VPN dependency, and routing bottlenecks turn policy into a slow manual exercise. In regulated financial environments, that delay becomes control drift because access expands faster than enforcement can be updated. Practitioners should treat access architecture as an auditability issue, not just an operations issue.
Identity-centric access is now the practical bridge between compliance and business change. Financial services organisations do not have the luxury of choosing between growth and control. Identity-aware enforcement lets teams reduce network blast radius while still supporting acquisitions, office expansion, and cloud change. The discipline here is to make access decisions portable across environments instead of hard-wired into perimeter infrastructure.
Zero Trust for financial services only works when the policy plane survives organisational change. The article correctly points to continuous least privilege, but the real test is whether that control still functions after mergers, new integrations, and rapid re-segmentation. If the policy cannot adapt without months of manual work, the architecture is not fit for regulated speed. Practitioners should measure how quickly enforcement changes can be proven, not just deployed.
Auditability must be designed into the access path, not reconstructed after the fact. Regulators ask for evidence that access is enforced continuously, which means security teams need session-level proof and clear entitlement boundaries. That is where IAM, PAM, and access governance intersect with network design. The practical conclusion is to treat proof of control as a first-class requirement, not an audit-season scramble.
What this signals
Access architecture is becoming a board-level resilience issue. Financial services teams will be expected to show that access controls can survive organisational churn without creating audit debt or performance regressions. The practical signal is that identity governance and network architecture can no longer be managed as separate change streams.
The most effective programmes will treat session-level enforcement, evidence capture, and change agility as linked outcomes. That shift aligns with broader Zero Trust thinking, but the decisive factor is whether teams can demonstrate control continuity when the environment changes faster than the change window.
For practitioners
- Map access paths to control owners Inventory which teams own VPN policy, firewall segmentation, cloud routing, and identity policy so exceptions do not disappear into shared accountability gaps.
- Replace static network exceptions with identity-aware policy Move high-risk access decisions to rules that use user, device, and session context rather than broad network reach.
- Test audit evidence before the next change event Validate that least privilege, segmentation, and access enforcement can be demonstrated after an acquisition, cloud migration, or third-party onboarding.
- Assess resilience of the access plane Check whether cloud-routed or brokered access paths create single points of failure, latency spikes, or opaque traffic handling that would complicate recovery and compliance evidence.
Key takeaways
- Legacy access models fail in regulated environments when policy enforcement cannot keep pace with business change.
- The main risk is not only over-permissioning, but the growing gap between documented controls and the access path regulators actually test.
- Financial services teams need identity-aware, continuously auditable access architectures that preserve control evidence during growth and migration.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | The article centres on least-privilege access enforcement across regulated environments. |
| NIST Zero Trust (SP 800-207) | The article argues for identity-centric access in place of perimeter trust. | |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the control most directly challenged by legacy access sprawl. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance is central to the article's compliance argument. |
Use PR.AC-4 to validate that access pathways stay narrow and continuously governed during business change.
Key terms
- Identity-Centric Access: An access model that makes user, device, and session identity the primary basis for deciding reach. It replaces broad network trust with narrower, continuously evaluated permissions, which helps regulated organisations maintain least privilege while business conditions change.
- Firewall Segmentation: A network control approach that divides environments into zones and uses firewall rules to regulate traffic between them. It can support compliance, but it becomes brittle when every business change requires rule changes, exception handling, and heavy operational coordination.
- Cloud-Routed Access: An access pattern where traffic is brokered or redirected through cloud infrastructure before reaching a target resource. It can simplify remote access, but it also introduces dependency on the brokered path for latency, availability, and control evidence.
What's in the full article
Appgate's full analysis covers the operational detail this post intentionally leaves for the source:
- The article's full discussion of direct-routed access architecture and how it differs from perimeter-based VPN design.
- The source's framing of compliance obligations across PCI-DSS, SOX, GLBA, NYDFS 23 NYCRR Part 500, and the FTC Safeguards Rule.
- The vendor's explanation of how latency, centralised routing, and single points of failure affect regulated workloads.
- The specific Appgate ZTNA positioning that maps identity-centric access to financial services performance and audit requirements.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management for practitioners building stronger access governance. It is a useful fit for security and identity teams that need to connect policy design with operational control.
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org