By NHI Mgmt Group Editorial Team
Published 2025-08-07
Domain: Best Practices
Source: Axiad

TL;DR: Zero Trust can improve protection by authenticating and authorizing every user, device, and application, but Axiad argues it also adds complexity, cost, performance friction, and a mindset shift for IT and security teams. Those trade-offs matter because the model only works when identity governance, access review, and adaptive controls keep pace with the operational burden.


At a glance

What this is: This is a Zero Trust analysis that argues the model raises implementation and governance challenges, especially around complexity, manpower, performance, cost, and user friction.

Why it matters: It matters because IAM teams have to align Zero Trust with identity governance, access reviews, and adaptive access decisions across human, NHI, and autonomous environments.



Context

Zero Trust is an access model that assumes no implicit trust, but that design choice shifts the burden onto identity systems, device signals, and policy enforcement. In practice, the model can expose gaps in governance when organisations try to apply it without enough visibility, clear entitlement ownership, or operational capacity across human and non-human identities.

For IAM and security teams, the real issue is not whether Zero Trust is conceptually sound. The issue is whether the organisation can sustain continuous authentication, authorization, and review without creating unacceptable friction, cost, or control drift.


Key questions

Q: How should security teams implement Zero Trust without creating too much user friction?

A: Start with the highest-risk access paths, then use adaptive policies to reduce unnecessary prompts for low-risk sessions. Pair MFA or passwordless controls with clear exception handling and user testing so the experience remains usable. If users consistently bypass controls, the policy is too blunt and the governance model needs tuning.

Q: Why do non-human identities complicate Zero Trust programmes?

A: Because service accounts, API keys, and tokens often operate outside the human access review cycle, but they still carry standing privileges and persistent trust relationships. Zero Trust can verify runtime access while leaving the underlying NHI estate unmanaged, which creates hidden exposure. Lifecycle ownership, rotation, and offboarding have to be part of the model.

Q: What breaks when Zero Trust is rolled out before identity cleanup?

A: Policy decisions become only as good as the stale data underneath them. If roles are duplicated, accounts are over-privileged, or ownership is unclear, teams will enforce inconsistent controls and spend more time handling exceptions than reducing risk. Zero Trust works best after entitlement hygiene has removed obvious noise.

Q: How do teams know whether Zero Trust is actually working?

A: Look for lower exception rates, fewer access-related helpdesk escalations, and tighter control over privileged and non-human accounts. The key signal is whether access decisions are consistent, explainable, and sustainable without creating shadow approvals or manual bypasses. If the organisation needs constant overrides, the model is not yet stable.


Technical breakdown

Why Zero Trust increases identity governance complexity

Zero Trust expands decision points from a perimeter gate to every access request, which means identity, device posture, policy, and context all have to be evaluated continuously. That turns access control into an operating model, not a one-time configuration. The model also creates dependency on reliable identity data, because bad entitlements, stale roles, or incomplete asset records produce incorrect decisions at scale. In mixed environments, the burden grows further because human users, service accounts, workloads, and AI-driven actors do not share the same lifecycle or risk profile.

Practical implication: map every access decision to a clear owner and data source before expanding Zero Trust policy coverage.

Adaptive access control, MFA, and the friction problem

The article points to adaptive access control, MFA, passwordless methods, and biometrics as ways to reduce Zero Trust friction. Architecturally, those controls try to lower the user burden while still preserving verification. The trade-off is that more context-aware access requires better signal quality and more tuning. If policies are too strict, productivity drops. If they are too loose, the model becomes cosmetic. In identity terms, the challenge is balancing strong assurance with predictable user experience.

Practical implication: tune conditional access policies against real user journeys, not just theoretical risk scores.
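The two sections above describe the mechanism in prose: every request is evaluated against identity, device posture and context, and adaptive policy decides when a prompt is worth the friction. The script below, an added example that is not code from Axiad's article or from NHI Mgmt Group, shows that mechanism as a toy policy decision point and attaches the number a team would actually tune against: the share of served sessions that get an MFA prompt. The users, resources, risk weights, thresholds and sessions are all constructed for illustration; an offboarded-but-still-present directory record is included deliberately to show that the decision is only as good as the identity data underneath it.

```python
"""Adaptive access decision point with a friction metric.

Added example (not from Axiad or NHI Mgmt Group): a toy policy decision
point that turns identity, device posture, network and resource
sensitivity into allow / step-up / deny, then measures how often users
are prompted. Users, resources, sessions and risk weights are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # continue only after fresh MFA
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    device_compliant: bool
    known_network: bool
    mfa_age_min: int         # minutes since the last strong authentication
    anomalous: bool = False  # risk-engine flag such as impossible travel


@dataclass(frozen=True)
class Policy:
    step_up_at: int = 2       # risk score at or above which fresh MFA is required
    deny_at: int = 5          # risk score at or above which the request is refused
    mfa_fresh_min: int = 480  # MFA younger than this satisfies a step-up


# Constructed directory data. "carol" is kept as a disabled (offboarded)
# record on purpose: the decision is only as good as this data.
ENTITLEMENTS = {
    "alice": {"roles": {"payroll-admin", "engineer"}, "enabled": True},
    "bob":   {"roles": {"engineer"}, "enabled": True},
    "carol": {"roles": {"engineer"}, "enabled": False},
}
RESOURCES = {
    "wiki":    {"roles": {"engineer"}, "sensitivity": 0},
    "payroll": {"roles": {"payroll-admin"}, "sensitivity": 3},
}


def risk_score(req: Request) -> int:
    """Sum context signals; the weights are illustrative, not a standard."""
    score = RESOURCES[req.resource]["sensitivity"]
    score += 0 if req.device_compliant else 2
    score += 0 if req.known_network else 1
    score += 3 if req.anomalous else 0
    return score


def evaluate(req: Request, policy: Policy) -> Decision:
    """Static authorization first, adaptive risk second."""
    ent = ENTITLEMENTS.get(req.user)
    res = RESOURCES.get(req.resource)
    if ent is None or res is None or not ent["enabled"]:
        return Decision.DENY
    if not (ent["roles"] & res["roles"]):  # no role grants this resource
        return Decision.DENY
    score = risk_score(req)
    if score >= policy.deny_at:
        return Decision.DENY
    if req.anomalous:  # a risk-engine flag always forces re-verification
        return Decision.STEP_UP
    if score >= policy.step_up_at and req.mfa_age_min > policy.mfa_fresh_min:
        return Decision.STEP_UP
    return Decision.ALLOW


def prompt_rate(requests: Iterable[Request], policy: Policy) -> float:
    """Share of non-denied sessions that get an MFA prompt: the friction metric."""
    decisions = [evaluate(r, policy) for r in requests]
    served = [d for d in decisions if d is not Decision.DENY]
    if not served:
        return 0.0
    return sum(d is Decision.STEP_UP for d in served) / len(served)


# Constructed sessions standing in for a day's access log.
SESSIONS: List[Request] = [
    Request("bob", "wiki", True, True, 120),                   # routine, low risk
    Request("bob", "wiki", True, False, 120),                  # off the corporate network
    Request("bob", "wiki", False, False, 600),                 # unmanaged device, stale MFA
    Request("alice", "payroll", True, True, 30),               # admin, fresh MFA
    Request("alice", "payroll", True, True, 900),              # admin, stale MFA
    Request("alice", "payroll", False, True, 30),              # payroll from unmanaged device
    Request("bob", "payroll", True, True, 10),                 # no entitlement
    Request("carol", "wiki", True, True, 10),                  # offboarded account
    Request("alice", "wiki", True, True, 10, anomalous=True),  # impossible travel
]

ADAPTIVE = Policy()
BLUNT = Policy(step_up_at=0, mfa_fresh_min=0)  # prompt on every request

if __name__ == "__main__":
    for r in SESSIONS:
        print(f"{r.user:6s} {r.resource:8s} -> {evaluate(r, ADAPTIVE).value}")
    print(f"prompt rate adaptive={prompt_rate(SESSIONS, ADAPTIVE):.2f} "
          f"blunt={prompt_rate(SESSIONS, BLUNT):.2f}")
```

Both policies deny the same three requests (no entitlement, offboarded account, high-sensitivity resource from an unmanaged device), so the security outcome on the static checks is identical. The difference is friction: the blunt policy prompts every served session, while the adaptive one prompts only the stale-MFA and anomalous ones, half of those served here. Tracking that rate against real journeys, rather than against a theoretical risk score, is what the practical implication above asks for.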

Why Zero Trust can strain operational capacity

Zero Trust often increases administrative load because more identities, more endpoints, and more applications have to be governed continuously. That means security teams need process maturity for access reviews, role maintenance, exception handling, and lifecycle enforcement. Without that discipline, the model can simply move risk from the perimeter into the identity layer. For NHIs, the problem is sharper because service accounts and tokens often outnumber people and are harder to review manually. Zero Trust depends on governance automation, but automation still needs accurate policy and oversight.

Practical implication: pair Zero Trust rollout with entitlement cleanup and lifecycle controls before widening policy scope.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Zero Trust is only as strong as the identity governance beneath it. The model assumes organisations can continuously verify who or what is asking for access, but that assumption collapses if entitlements, service accounts, and device identities are poorly governed. In other words, Zero Trust does not remove identity risk; it concentrates it in the quality of access decisions. Practitioners should treat governance maturity as the precondition, not the by-product, of Zero Trust adoption.

The most expensive Zero Trust failures are operational, not architectural. Complexity, staffing pressure, and access friction are not side effects to be tolerated; they are signs that policy design is outrunning execution capacity. When teams cannot maintain access state, rework exception paths, or support users without bypasses, the control model starts leaking through human workarounds. The implication is that Zero Trust programmes need measurable operating thresholds, not just technical intent.

Identity blast radius: when every access request is inspected, the quality of the underlying identity data determines how widely a mistake propagates. A stale role, over-privileged service account, or poorly tuned adaptive policy can affect many more sessions than in a perimeter model. That makes entitlement hygiene and visibility foundational governance controls rather than cleanup tasks. Practitioners should judge Zero Trust readiness by how much trust debt already exists in the identity estate.

For non-human identities, Zero Trust exposes the gap between verification and lifecycle control. Continuous authorization can still leave standing credentials, unrotated secrets, and unmanaged service accounts in place. That means the model may verify access at runtime while still preserving dangerous persistence underneath it. Practitioners should align Zero Trust with NHI lifecycle governance, not treat them as separate programmes.

Zero Trust also shifts the debate from access grant to access usability. If every interaction becomes a policy event, user frustration can drive shadow workarounds that undermine the model. That is why identity teams need to balance enforcement with practical user journeys. The programme succeeds when controls are precise enough to reduce risk without pushing users around them.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to our Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why Zero Trust programmes often stumble in the identity layer.
  • That visibility gap connects directly to 52 NHI Breaches Analysis, where unresolved identity exposure repeatedly turns into operational risk.

What this signals

Identity blast radius: Zero Trust does not shrink the identity problem unless organisations can see and govern the full population of human and non-human actors. When only 5.7% of organisations report full visibility into service accounts, the practical constraint is not policy design but programme reach. Teams should expect the next phase of Zero Trust to be measured by governance coverage, not by slogan adoption.

As access decisions become more continuous, entitlement hygiene becomes a control plane requirement rather than a housekeeping task. That shifts pressure onto IAM, PAM, and NHI teams to maintain accurate ownership, revocation, and exception data across the lifecycle. Organisations that cannot sustain that operating discipline will keep reintroducing friction through manual workarounds.

Zero Trust programmes increasingly need to account for non-human identities as first-class citizens in the identity estate. The organisations that do this well will align runtime enforcement with lifecycle control, not treat them as separate workstreams. Readers should prepare for more emphasis on service account governance, access visibility, and adaptive policy tuning.


For practitioners

  • Baseline identity data before broadening policy scope: Inventory users, workloads, service accounts, and application identities before expanding Zero Trust enforcement. Clean up stale roles, duplicate entitlements, and unmanaged exceptions so policy decisions are based on current state rather than inherited drift.
  • Tune adaptive access to real access patterns: Test conditional access, MFA, and passwordless flows against common employee and admin journeys. Measure where friction leads to bypasses, extra helpdesk load, or unsupported access paths, then adjust policy thresholds accordingly.
  • Extend Zero Trust governance to NHIs: Apply the same verification discipline to service accounts, API keys, tokens, and certificates. Track ownership, rotation, and offboarding so non-human identities do not become a hidden standing-access layer inside a supposedly zero-trust environment.
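The "strain operational capacity" section and the third practitioner item above both come down to the same check: service accounts and tokens outnumber people, are rarely in the human review cycle, and need ownership, rotation and offboarding tracked. The script below is an added example, not code from Axiad or from NHI Mgmt Group, that runs that check over an inventory export and produces the "trust debt" figure the analysis section talks about. The inventory, the HR feed of active humans, the field names and the thresholds (90-day rotation, 60-day dormancy) are all constructed assumptions; a real run would pull the same fields from the secrets manager, cloud IAM and HR system.

```python
"""NHI trust-debt audit over a service-account inventory.

Added example (not from Axiad or NHI Mgmt Group): given an inventory of
non-human identities, flag the lifecycle gaps the text describes: no
accountable owner, an owner who has left, an unrotated secret, a dormant
identity that is still enabled, and privileged identities on long-lived
secrets. The inventory, field names and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                  # "service_account", "api_key", "certificate"
    owner: Optional[str]       # human accountable for the identity, if any
    secret_created: date       # when the current credential was issued
    last_used: Optional[date]  # None = never seen authenticating
    enabled: bool
    privileged: bool           # admin-equivalent rights anywhere


@dataclass(frozen=True)
class Finding:
    nhi: str
    issue: str
    severity: str              # "high" or "medium"


SEVERITY_ORDER = {"high": 0, "medium": 1}


def audit(inventory: Iterable[NHI], active_humans: set, today: date,
          rotation_max_days: int = 90, dormant_days: int = 60) -> List[Finding]:
    """Return lifecycle findings, highest severity first.

    Privilege raises the severity of ownership and rotation gaps because a
    mistake there propagates to every session the identity can open.
    """
    findings: List[Finding] = []
    for n in inventory:
        if not n.enabled:
            continue  # disabled identities carry no runtime trust
        priv = "high" if n.privileged else "medium"
        if n.owner is None:
            findings.append(Finding(n.name, "no accountable owner", priv))
        elif n.owner not in active_humans:
            findings.append(Finding(n.name, f"owner {n.owner} has left; offboarding missed", "high"))
        age = (today - n.secret_created).days
        if age > rotation_max_days:
            findings.append(Finding(n.name, f"secret unrotated for {age} days", priv))
        if n.last_used is None or (today - n.last_used).days > dormant_days:
            findings.append(Finding(n.name, "dormant but still enabled", "medium"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.nhi, f.issue))


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity: the trust-debt figure to track over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory export and HR feed; dates are relative to TODAY.
TODAY = date(2025, 8, 7)
ACTIVE_HUMANS = {"alice", "bob"}
INVENTORY = [
    NHI("svc-backup", "service_account", "alice", date(2025, 7, 20), date(2025, 8, 6), True, True),
    NHI("svc-legacy-etl", "service_account", None, date(2023, 1, 15), date(2025, 8, 5), True, True),
    NHI("api-key-ci", "api_key", "dave", date(2025, 6, 1), date(2025, 8, 1), True, False),
    NHI("svc-reporting", "service_account", "bob", date(2025, 3, 1), None, True, False),
    NHI("svc-old-monitor", "service_account", "bob", date(2024, 1, 1), date(2024, 6, 1), False, True),
]

if __name__ == "__main__":
    results = audit(INVENTORY, ACTIVE_HUMANS, TODAY)
    for f in results:
        print(f"[{f.severity:6s}] {f.nhi}: {f.issue}")
    print(summarize(results))
```

On the constructed data the healthy, recently rotated backup account produces nothing, the unowned legacy ETL account on a two-year-old secret produces two high findings, the CI key whose owner has left produces one, and the never-used reporting account produces two medium ones. The disabled monitor account is skipped because it holds no runtime trust. The useful output is not any single row but the severity counts tracked release over release: a Zero Trust programme that verifies these identities at runtime while this list grows is verifying access on top of persistent exposure.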

Key takeaways

  • Zero Trust increases security ambition, but it also raises the cost of weak identity governance.
  • The biggest implementation gaps are visibility, lifecycle control, and the operational load created by continuous verification.
  • Teams should expand Zero Trust only after they can govern human and non-human identities with consistent policy and ownership.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-207 (Zero Trust Architecture) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • NIST SP 800-207 (Zero Trust Architecture): Section 2.1 tenets, and the policy decision point / policy enforcement point model in Section 3. Zero Trust depends on policy-driven access control and continuous verification. (SP 800-207 has no numbered controls; identifiers such as AC-1 belong to SP 800-53.)
  • NIST CSF 2.0: PR.AA-05, access permissions, entitlements, and authorizations managed, enforced, and reviewed under least privilege and separation of duties (PR.AC-4 is the CSF 1.1 identifier for the same outcome). Least-privilege access and authorization are central to the article's governance theme.
  • OWASP Non-Human Identity Top 10 (2025): NHI1 Improper Offboarding and NHI7 Long-Lived Secrets. NHI lifecycle and standing-access gaps undermine Zero Trust for machine identities.

Apply NHI lifecycle governance to service accounts, tokens, and certificates before scaling runtime controls.


Key terms

  • Zero Trust: A security model that requires explicit verification for every access request instead of relying on a trusted perimeter. In practice, it pushes decision-making into identity, device, and policy layers, which means governance quality determines whether the model reduces risk or simply relocates it.
  • Adaptive Access Control: An access approach that changes authorization based on risk signals such as device state, location, user behaviour, or session context. For identity teams, it is useful only when the signals are reliable and the policy logic is tuned enough to reduce friction without creating bypasses.
  • Non-Human Identity: A digital identity used by software, workloads, APIs, or other machine actors rather than people. These identities often carry persistent credentials and elevated privileges, so they require lifecycle ownership, rotation, visibility, and offboarding controls that are as disciplined as human IAM processes.

Deepen your knowledge

Zero Trust governance, identity visibility, and access lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a zero-trust programme that must work across human and non-human identities, it is worth exploring.

This post draws on content published by Axiad: What Are the Disadvantages of Zero Trust? (And How to Overcome Them). Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org