TL;DR: User-centric ZTNA can simplify remote access, but it does not solve the deeper identity problem of how databases, servers, Kubernetes, and privileged credentials are governed at scale, according to StrongDM. The real issue is whether access, observability, and offboarding are unified across human and non-human workflows, not whether the VPN disappears.
At a glance
What this is: This is a vendor comparison of Proofpoint alternatives that finds user-centric ZTNA alone does not address privileged access governance across servers, databases, and Kubernetes.
Why it matters: It matters because IAM teams need to govern human access, NHI credentials, and privileged workflows together, or they will keep solving remote access while leaving lifecycle and audit gaps behind.
👉 Read StrongDM's comparison of Proofpoint alternatives for secure access
Context
Proofpoint-style ZTNA solves a real problem, but only at the remote access layer. It reduces reliance on VPNs and centralises user access, yet the identity question remains broader: who or what is allowed to reach databases, servers, and Kubernetes, and how is that access revoked, logged, and reviewed.
The practical gap is governance, not connectivity. In environments where human users, service credentials, and infrastructure access all intersect, a perimeter model built around the user session leaves privileged pathways fragmented. That is where NHI controls, PAM discipline, and lifecycle governance need to line up with zero trust access design.
Key questions
Q: How should security teams govern privileged access in user-centric ZTNA environments?
A: Treat ZTNA as the entry layer, not the governance layer. Users may authenticate centrally, but databases, servers, and Kubernetes still need scoped entitlement, session oversight, and explicit offboarding. The goal is to make sure the control plane brokers access without leaving standing credentials, hidden exceptions, or unmanaged privilege behind.
Q: Why do hidden credentials change the NHI risk model?
A: Hidden credentials still exist as identities even when users never see them. That means they need ownership, rotation, monitoring, and revocation just like any other non-human identity. If the control plane can broker access but cannot govern the credential lifecycle, the organisation has shifted risk rather than reduced it.
Q: What do security teams get wrong about session recording?
A: They often treat recording as proof of control when it is only proof of activity. Session logs help with investigation and audit, but they do not narrow privilege on their own. To govern access properly, organisations must link recordings to entitlement review, expiry, and revocation so audit evidence leads to actual reduction in exposure.
Q: Should organisations replace VPNs before fixing privileged access governance?
A: Not usually. Replacing VPNs may improve user experience and reduce network exposure, but it does not fix overbroad access, unmanaged credentials, or weak offboarding. Organisations should first define how privileged access is brokered, logged, and removed across human and non-human workflows, then decide where ZTNA fits.
Technical breakdown
User-centric ZTNA versus privileged access control
User-centric zero trust network access is designed to authenticate a person, establish trust, and broker access to resources without exposing the network. That model works well when the main problem is remote login, but it is not the same as governing privileged paths into databases, servers, and Kubernetes. Stronger control planes separate the authentication event from the underlying credential, hide secrets from users, and log activity at the protocol layer. The architectural difference matters because access management is not just about entry. It is also about what is actually reachable, what is recorded, and what can be revoked without rebuilding the whole access path.
Practical implication: map ZTNA to user ingress, then verify whether privileged resource access is still controlled by separate secrets, SSH keys, or ad hoc exceptions.
Why hidden credentials change the governance model
When underlying credentials stay hidden from end users, the access model shifts from distributed secrets to mediated privilege. That reduces the number of places where credentials can leak, but it also centralises responsibility in the control plane. The key technical issue is whether the platform can broker access for databases, servers, and shells while preserving auditability and revocation. This is where NHI governance becomes part of the architecture, because every hidden credential is still an identity that must be governed across its lifecycle. If the platform only wraps access without managing entitlement scope, the organisation has simply moved the problem, not removed it.
Practical implication: ensure hidden credentials are treated as governed NHI assets with explicit ownership, rotation, and offboarding rules.
Session logging is not the same as least privilege
Recording SSH, RDP, SQL, and kubectl activity gives teams visibility, but visibility alone does not equal least privilege. A control plane can capture every command and still leave users over-entitled if access scope is broad or persistent. Least privilege requires that permissions are narrow, task-based, and revocable, while session logs provide evidence after the fact. The best practice is to connect session telemetry to entitlement review and access expiry, so that logging supports governance rather than substituting for it. That distinction is especially important in hybrid environments where the same person may touch cloud, on-prem, and Kubernetes resources.
Practical implication: pair session recording with periodic entitlement review so audit evidence and privilege scope are governed together.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
User-centric ZTNA is only one layer of access governance. The article shows that replacing VPN access with browser or client-based zero trust does not by itself solve privileged access management. Databases, servers, and Kubernetes still require identity-mediated control that is separate from the remote entry point. Practitioners should treat ZTNA as ingress control, not as a complete governance model.
Hidden credentials create an NHI governance obligation, not just an access convenience. When credentials stay out of user hands, they do not disappear from the risk model. They become managed non-human identities that must be owned, rotated, monitored, and offboarded with the same discipline as other privileged assets. The implication is that lifecycle governance has to move into the control plane, not sit beside it.
Session replay does not close the least-privilege gap. Logging queries, commands, and shell activity improves auditability, but it does not correct overbroad standing access. That is a familiar failure mode in identity programmes: teams mistake observability for entitlement precision. The practitioner conclusion is that audit trails must be coupled to scoped access and expiry, or they become evidence of a persistent privilege problem.
Privilege sprawl is the real comparison point, not VPN replacement. The article’s strongest signal is that organisations need one place to mediate access across human users and the machine identities that support infrastructure work. That is where ZT-NIST-207 and OWASP-NHI intersect operationally. The conclusion for identity teams is simple: if the control model cannot govern the credential behind the session, it is not yet governing privilege.
Control planes are becoming identity systems in practice. A platform that brokers access, hides secrets, records sessions, and supports offboarding is no longer just an access tool. It is part of the identity stack, with responsibilities that overlap PAM, NHI governance, and zero trust architecture. Practitioners should evaluate these tools as governance infrastructure, not just as remote access alternatives.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- For deeper context on the governance gap behind this pattern, see Top 10 NHI Issues.
What this signals
Privilege mediation is becoming a core identity control, not a sidecar feature. As organisations move away from VPN-centric access, the next governance question is whether the control plane can also manage ownership, expiry, and revocation for the credentials it brokers. That is where user access, NHI governance, and PAM begin to converge in practice.
Identity teams should watch for control-plane drift. The more a platform mediates entry, session logging, and credential hiding, the more it behaves like part of the identity fabric. Practitioners should align those tools with NIST SP 800-207 Zero Trust Architecture and the NHI controls in the Ultimate Guide to NHIs, Key Challenges and Risks so ingress and privilege governance do not diverge.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per the State of Non-Human Identity Security, the same visibility gap can reappear inside access brokering platforms if hidden credentials are not explicitly governed. That is why the practical standard should be reviewable privilege scope, not just monitored sessions.
For practitioners
- Separate ingress control from privilege governance: Use ZTNA for user entry, but keep privileged database, server, and Kubernetes access under explicit entitlement and review workflows. If the resource can still be reached through standing credentials or unmanaged keys, the access model is incomplete.
- Inventory hidden credentials as NHI assets: Track every credential the control plane brokers on behalf of users, including SSH keys, database logins, and service tokens. Assign ownership, rotation cadence, and revocation criteria so mediated access does not become unmanaged privilege.
- Tie session logs to access expiry: Use query, shell, and command recordings as evidence for review, then connect that evidence to entitlement expiry and recertification. Session visibility is useful only when it supports removal of access that is no longer justified.
- Test offboarding against real resources: Suspend a user and confirm that access disappears across databases, servers, Kubernetes, and remote support paths in one workflow. If any path survives the offboarding event, the identity programme still relies on residual privilege.
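The checks above, and the point in the session-logging section that recordings must feed entitlement expiry, can be expressed as three small audits over a control plane's inventory. This is an added example, not StrongDM's or NHIMG's code; the credential, grant, session and standing-key data are constructed, and the class and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

NOW = datetime(2025, 10, 15)  # constructed "now" for the sample data below
@dataclass
class Credential:  # a secret the control plane brokers on users' behalf (hidden from them)
    cred_id: str
    owner: Optional[str]  # accountable NHI owner; None means nobody is on the hook
    rotated_at: Optional[datetime]

@dataclass
class Entitlement:  # user -> credential grant with an explicit expiry
    user: str
    cred_id: str
    expires_at: datetime

def ungoverned_credentials(creds: List[Credential], now=NOW, max_age_days=90) -> List[str]:
    """Brokered credentials with no owner or no rotation inside max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(c.cred_id for c in creds
                  if c.owner is None or c.rotated_at is None or c.rotated_at < cutoff)

def stale_entitlements(ents, sessions, now=NOW, idle_days=30) -> List[Tuple[str, str]]:
    """Live grants with no (user, cred_id, started_at) session inside idle_days: observed, never narrowed."""
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for user, cred_id, started_at in sessions:
        last_seen[(user, cred_id)] = max(last_seen.get((user, cred_id), started_at), started_at)
    cutoff = now - timedelta(days=idle_days)
    return sorted((e.user, e.cred_id) for e in ents if e.expires_at > now
                  and last_seen.get((e.user, e.cred_id), datetime.min) < cutoff)

def offboard(user, ents, standing_keys: Dict[str, str]):
    """Simulate suspension: the broker drops the user's grants; keys it never mediated survive and are reported."""
    remaining = [e for e in ents if e.user != user]
    residual = sorted(k for k, owner in standing_keys.items() if owner == user)
    return remaining, residual

# Constructed inventory: one governed credential, one with no owner, one overdue for rotation.
CREDS = [Credential("pg-prod-admin", "dba-team", datetime(2025, 9, 1)),
         Credential("k8s-prod-sa", None, datetime(2025, 10, 1)),
         Credential("bastion-ssh", "infra", datetime(2025, 5, 1))]
ENTS = [Entitlement("alice", "pg-prod-admin", datetime(2026, 1, 1)),
        Entitlement("alice", "k8s-prod-sa", datetime(2026, 1, 1)),
        Entitlement("bob", "bastion-ssh", datetime(2026, 1, 1)),
        Entitlement("carol", "pg-prod-admin", datetime(2025, 10, 1))]  # already expired
SESSIONS = [("alice", "pg-prod-admin", datetime(2025, 10, 10)),
            ("alice", "k8s-prod-sa", datetime(2025, 8, 1))]  # bob has never used his grant
STANDING_KEYS = {"id_rsa_bob_legacy": "bob", "ci-deploy-token": "ci"}  # lives outside the broker
```

Run against the sample data, the audits flag the two ungoverned credentials, the two grants nobody has used in 30 days, and the legacy SSH key that would outlive bob's suspension because the broker never mediated it.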
Key takeaways
- Proofpoint-style ZTNA improves remote access, but it does not by itself solve privileged governance across databases, servers, and Kubernetes.
- Hidden credentials, session logging, and offboarding are the real control questions, because each one shapes whether access is actually governed or merely observed.
- Identity teams should evaluate access platforms as part of the governance stack, then verify that entitlement scope and revocation work across both human and non-human pathways.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | PR.AC-1 | ZTNA is the article's core access model and must be separated from privilege governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Hidden credentials and access brokering create NHI lifecycle obligations. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and entitlement review are central to the article's governance gap. |
Use zero trust to broker entry, then verify every privileged path still has scoped access and revocation.
Key terms
- User-centric ZTNA: A remote access model that authenticates a person and brokers access to applications or network resources without exposing the full network. In practice, it reduces VPN dependence, but it does not automatically govern the credentials or privileges that sit behind the session.
- Hidden credential: A secret, key, token, or login that users do not handle directly because a control plane brokers it on their behalf. The risk shifts from user possession to platform governance, so ownership, rotation, and revocation still matter even when the secret is abstracted away.
- Session replay: A recording of user activity within an access session, such as shell commands, database queries, or remote desktop actions. It is useful for audit and investigation, but it is not a substitute for least privilege because it shows what happened after access was already granted.
- Privileged access brokering: The mediation of elevated access through a control plane rather than direct credential distribution. This model can improve visibility and reduce secret sprawl, but only if it also enforces scope, expiry, and offboarding across the resources being accessed.
Deepen your knowledge
Access brokering, hidden credentials, and privileged session governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a model that has to cover both human users and managed non-human access, it is worth exploring.
This post draws on content published by StrongDM: competitors and alternatives to Proofpoint 2026. Read the original.
Published by the NHIMG editorial team on 2025-10-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org