TL;DR: Midmarket security teams are growing budgets but still face fragmented stacks, manual exposure tracking, and week-long visibility gaps, according to Pomerium’s analysis of Intruder survey data from more than 500 senior decision-makers. The structural problem is architectural, not resource scarcity: continuous verification and identity-aware access matter more than adding another tool.
At a glance
What this is: This is a midmarket security analysis arguing that stretched teams need a different access architecture because enterprise platforms and layered point tools are leaving visibility and control gaps.
Why it matters: It matters to IAM practitioners because access architecture now shapes human, NHI, and AI agent governance, especially where teams cannot support heavy platform complexity.
By the numbers:
- 42% of midmarket security teams are stretched thin while enterprise tools do not fit.
- 94% of leaders express confidence in their ability to catch critical risks before attackers exploit them.
- 50% say it would take approximately a week to assess their exposure to a critical zero-day.
- 44% of teams describe their security stack as either outgrown or fragmented.
Context
Midmarket security teams are not failing because they lack intent or budget. They are failing because the access and visibility model they inherited was built for either small environments or enterprise staffing levels, and neither assumption fits a lean team trying to control internal applications, exposed assets, and expanding AI-driven access.
The primary governance problem is simple: who and what can reach internal systems, under what conditions, and with what verification. Once identity becomes the control plane for people, workloads, and AI agents, broad network trust and manual review processes stop being enough for midmarket operations.
Key questions
Q: How should security teams reduce access risk when their stack is already fragmented?
A: Security teams should reduce access risk by consolidating trust decisions at the application layer instead of layering more tools on top of a fragmented stack. The practical goal is to limit broad network reach, apply continuous checks, and remove duplicate approval paths. That approach reduces operational noise and makes access easier to audit and govern.
Q: Why do midmarket teams struggle with enterprise access platforms?
A: Midmarket teams often struggle because enterprise access platforms assume more staff, more integration work, and more tolerance for operational overhead than lean teams can support. When the stack becomes too complex, visibility drops and manual work increases. The result is a control environment that looks mature on paper but performs inconsistently in practice.
Q: How can organisations tell whether their access controls are actually working?
A: Organisations can tell access controls are working when they can answer who has access, to what, under which conditions, and how quickly they can verify that answer after a change or exposure event. If exposure assessment takes days and teams still rely on manual tracking, the control model is not keeping pace with operational reality.
Q: What should security teams do when AI agents start accessing internal systems?
A: Security teams should place AI agents under the same identity and policy discipline used for humans, but with tighter scoping and explicit audit trails. Agents that query data or call APIs need request-level authorization, logged actions, and clear delegation boundaries. Treating them as unmanaged automation creates a new access class outside governance.
Technical breakdown
Why broad network access breaks midmarket zero trust
Traditional VPN-centric designs assume that a successful login is enough to trust the session. That model was tolerable when internal systems were fewer and access patterns were predictable, but it fails when teams need to verify identity, device posture, group membership, and context on every request. A zero trust reverse proxy changes the decision point from the network edge to the application request, which reduces blast radius and narrows exposure. For midmarket teams, that shift matters because it replaces broad connectivity with per-request policy enforcement rather than adding another perimeter tool.
Practical implication: retire broad network tunnels in favor of request-level access controls for internal applications.
How identity-aware reverse proxies support human and machine access
An identity-aware reverse proxy sits in front of internal applications and evaluates each request before it reaches the resource. For human users, that means browser-based access without network-wide reach. For non-human identities, the same pattern can extend policy checks to service-like access paths and AI agents that need scoped, auditable permissions. The architecture matters because it gives security teams one enforcement layer instead of separate exceptions for VPN users, application logins, and agentic workflows. In practice, this is less about adding a new tool and more about consolidating authorization logic where it belongs.
Practical implication: unify human, workload, and agent access behind one policy decision point.
Why policy-as-code is the operational advantage
Policy-as-code turns access rules into version-controlled, repeatable controls that can be audited and tested like software. That is especially useful for midmarket teams that cannot afford manual recertification at scale or a dedicated platform team to manage bespoke access exceptions. It also creates a cleaner foundation for continuous verification because the policy is applied consistently on every request, not when someone remembers to review it. In a fragmented stack, governance is often procedural. In a policy-driven model, governance becomes enforceable.
Practical implication: move access rules into version control so review, change control, and enforcement stay aligned.
Breaches seen in the wild
- DeepSeek breach: exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach: exposed credentials gave attackers access to Schneider Electric's Jira, from which 40GB was exfiltrated.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Midmarket security is experiencing an access architecture mismatch, not simply a tooling shortage. The report shows that budgets are rising while visibility and response remain slow, which means the operating model is out of step with the team size. Enterprise hand-me-downs tend to assume more staff, more orchestration, and more tolerance for integration overhead than midmarket teams can sustain. Practitioners should read this as an architectural warning, not a procurement problem.
Continuous verification is becoming the baseline for access governance across human users, NHIs, and AI agents. Once internal access must be evaluated per request, one-time authentication loses its value as a control boundary. That affects human IAM, NHI governance, and emerging agentic workflows in the same way: the system must know who is asking, what they are allowed to do, and whether the context still supports that access. Practitioners should treat request-time authorization as the governance anchor.
Identity-aware reverse proxying is a named control pattern worth adopting as a midmarket reference architecture. It gives lean teams a way to replace broad network trust with application-level policy without forcing a heavyweight SASE or sprawling point-solution stack. That matters because the real constraint is operational capacity, not just security ambition. Practitioners should use this pattern when access must be narrowed and auditability improved without adding more administrative load.
The hidden issue is access sprawl disguised as confidence. The article surfaces a familiar programme failure mode: leaders feel prepared while the people closest to operations see fragmented tooling, manual exposure tracking, and slow incident comprehension. That is the same class of governance drift that undermines NHI control environments when visibility, policy consistency, and accountability are split across tools. Practitioners should challenge confidence claims with evidence of actual request-level control.
As AI agents enter midmarket environments, access governance must extend beyond human-centric assumptions. The article’s MCP discussion signals that agent access cannot be treated as a special exception bolted onto legacy controls. If agents query data, call APIs, and touch internal tools, they need the same identity, policy, and audit structure that humans do, but with tighter scope and clearer delegation. Practitioners should plan for that expansion before agent sprawl creates unmanaged access.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Read the Ultimate Guide to NHIs for a broader view of governance, rotation, offboarding, and zero trust controls across machine identities.
What this signals
Identity-aware access will become the practical middle ground between brittle VPNs and heavyweight enterprise platforms. Midmarket teams need a control layer that narrows access without multiplying administrative overhead, especially as internal applications and AI-assisted workflows expand. The operational signal is clear: architecture that reduces policy sprawl will outperform architecture that merely adds another tool.
Only 5.7% of organisations have full visibility into their service accounts, according to our Ultimate Guide to NHIs, which is why request-level enforcement matters. If teams cannot reliably see machine access, they cannot govern it through manual review alone. The programme response is to move identity checks closer to the resource and away from assumptions about network trust.
Continuous verification is the governance pattern that can scale from human users to NHIs and AI agents. The reader should prepare for a world where every access path needs an auditable decision point, not just a login event. That makes policy consistency and control-plane simplification the two programme priorities most likely to survive growth.
For practitioners
- Replace broad network trust with request-level policy: put internal applications behind an identity-aware reverse proxy so every request is checked against identity, device posture, group membership, and context before access is granted.
- Consolidate fragmented access controls into one policy layer: map where VPN access, application logins, and manual approvals overlap, then remove duplicate pathways that force teams to maintain separate trust decisions for the same resource.
- Version-control access policy changes: treat access rules as code so changes are reviewed, auditable, and repeatable rather than buried in ad hoc administrative work.
- Extend governance to AI agent access paths: define scoped permissions, request logging, and policy checks for any internal AI agent that queries systems or calls APIs, so agent access is governed through the same control plane as human access.
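As an added example (not Pomerium's code and not from the original post), the request-level decision point described in the technical breakdown and the four practitioner steps above, in Go: a policy-as-code rule set that a handler in front of an internal application evaluates on every request, checking group membership, device posture and agent scope, defaulting to deny, and writing one audit line per decision. `Subject`, `Rule`, `Decide` and `Protect` are illustrative names, and the `identify` callback stands in for the proxy's own authentication stage (a verified session, not caller-supplied headers).

```go
package main
import (
	"log"
	"net/http"
	"slices"
	"strings"
)
// Subject is what the proxy's own authentication stage has verified for this request.
type Subject struct {
	Email                string
	Groups               []string
	DeviceTrusted, Agent bool // posture check passed; NHI / AI-agent caller rather than a human
}
// Rule is one policy-as-code entry: version-controlled and unit-testable like any other code.
type Rule struct {
	PathPrefix   string   // route the rule protects
	AllowGroups  []string // caller must hold at least one of these
	TrustedOnly  bool     // require a trusted device
	AgentMethods []string // methods an agent may use here; nil denies agents
}
// Decide is the per-request decision point: network location is never consulted, first matching prefix wins, unmatched paths default-deny.
func Decide(rules []Rule, s Subject, method, path string) (bool, string) {
	for _, r := range rules {
		if !strings.HasPrefix(path, r.PathPrefix) { continue }
		inGroup := slices.ContainsFunc(r.AllowGroups, func(g string) bool { return slices.Contains(s.Groups, g) })
		switch {
		case !inGroup:
			return false, "group not allowed"
		case r.TrustedOnly && !s.DeviceTrusted:
			return false, "untrusted device"
		case s.Agent && !slices.Contains(r.AgentMethods, method):
			return false, "method outside agent scope"
		}
		return true, "matched " + r.PathPrefix
	}
	return false, "no matching rule (default deny)"
}
// Protect puts app (e.g. an httputil.ReverseProxy to the internal service) behind Decide, so every request is authorized and audit-logged before it is served.
func Protect(rules []Rule, identify func(*http.Request) Subject, app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		s := identify(req) // identity, groups and posture from the proxy's auth stage, never from caller headers
		ok, why := Decide(rules, s, req.Method, req.URL.Path)
		log.Printf("audit subject=%q agent=%t %s %s allow=%t reason=%q", s.Email, s.Agent, req.Method, req.URL.Path, ok, why)
		if ok {
			app.ServeHTTP(w, req)
		} else {
			http.Error(w, "forbidden: "+why, http.StatusForbidden)
		}
	})
}
```

Because `Decide` is a pure function over data, the rule set can be kept in version control and covered by ordinary unit tests, which is the practical meaning of policy-as-code here.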
Key takeaways
- Midmarket security teams are running into an architecture problem, not a motivation problem.
- The evidence points to slow exposure assessment, fragmented tooling, and misplaced confidence in enterprise-style controls.
- The practical response is to centralise request-time access decisions and extend governance to people, workloads, and AI agents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | | The article centers on continuous verification and reduced trust at request time. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be enforced consistently across fragmented midmarket environments. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The article extends access governance into machine and agent identities. |
Map internal access rules to PR.AC-4 and remove broad network access paths that bypass policy.
Key terms
- Identity-aware reverse proxy: An identity-aware reverse proxy is an access control layer that sits in front of internal applications and evaluates each request before it reaches the resource. It verifies identity and context at the point of use, which narrows exposure compared with network-wide trust and helps teams enforce consistent policy.
- Policy-as-code: Policy-as-code means writing access rules in a version-controlled format so they can be reviewed, tested, and audited like software. It reduces ad hoc exceptions, improves repeatability, and gives security teams a clearer change record for access governance across human and non-human identities.
- Continuous verification: Continuous verification is the practice of rechecking access conditions every time a request is made, rather than trusting a one-time login event. For lean teams, it is a more durable control than manual review because it aligns enforcement with the actual moment of access.
- Agentic access: Agentic access is the access path used by AI agents that query data, call APIs, or interact with internal systems under their own runtime actions. It requires the same governance discipline as other identities, but with tighter scope, explicit logging, and clear delegation boundaries.
Deepen your knowledge
Identity-aware access architecture and continuous verification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is replacing broad trust with request-level control, the course is a useful next step.
This post draws on content published by Pomerium: Midmarket security teams deserve better than enterprise hand-me-downs. Read the original.
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org