By NHI Mgmt Group Editorial TeamPublished 2026-02-11Domain: Cyber SecuritySource: Illumio

TL;DR: Zero Trust exposes a familiar weakness: organisations fail less because of novel attacks and more because default credentials, forgotten assets, unmanaged exceptions, and flat networks remain in place, according to Illumio. The decisive control is operational discipline, because containment depends on repeated verification, least privilege, and segmentation at scale.


At a glance

What this is: This is an analysis of why Zero Trust programmes fail when security fundamentals are not maintained consistently across the environment.

Why it matters: It matters because IAM, PAM, and broader security teams need continuous visibility, permission discipline, and segmentation to keep identity-driven access from becoming lateral movement.

👉 Read Illumio's analysis of why Zero Trust depends on security fundamentals


Context

Zero Trust fails when organisations treat it as a design pattern instead of an operating model. The real issue is not that teams lack concepts such as least privilege or segmentation, but that they struggle to keep asset inventories, permissions, and exceptions current as environments change.

That gap has direct identity implications. Standing permissions, forgotten service access, and convenience exceptions all widen the blast radius when a compromise occurs, which means IAM, PAM, and NHI governance have to be sustained disciplines rather than periodic clean-up exercises.


Key questions

Q: What breaks when zero trust is not backed by continuous asset and access hygiene?

A: Zero Trust breaks at the point where policy no longer matches reality. Forgotten assets, stale exceptions, and standing privileges create reachable paths that attackers can use after the initial foothold. Without continuous hygiene, the programme looks disciplined on paper but leaves lateral movement intact in practice.

Q: Why do service accounts and other non-human identities matter in zero trust programmes?

A: Service accounts, API keys, and workload identities often hold standing access that outlives the task they were created for. That makes them ideal movement paths when trust boundaries are weak. If they are not governed like other identities, they can silently widen the blast radius of a breach.

Q: How do security teams know whether segmentation is actually working?

A: Segmentation is working when a compromise in one zone cannot freely reach privileged systems, sensitive data, or administrative interfaces. The best signal is a failed movement attempt that is blocked by policy, not just a diagram that looks segmented. Test it repeatedly, because environments drift.

Q: Who is accountable when Zero Trust controls rely on exceptions and stale access?

A: Accountability sits with the teams that own the control lifecycle, not just the teams that configured the policy once. Security, infrastructure, and application owners all have a role when exceptions persist or permissions drift. Governance works only when ownership, expiry, and review are explicit.


Technical breakdown

Asset visibility and forgotten attack surface

Zero Trust depends on knowing what exists before controls can be applied. In practice, organisations lose track of assets, shadow services, and temporary exceptions, then assume policy coverage is broader than it really is. That creates an incomplete control map, especially in hybrid estates where cloud, on-premises, and third-party systems coexist. Asset discovery is not a one-time inventory exercise. It has to be continuous, because unmanaged assets often become the easiest route into privileged systems and identity stores.

Practical implication: tie asset discovery to control enforcement so unknown systems cannot inherit trusted network or identity paths.

Least privilege and permission drift

Least privilege breaks down when access is granted for speed and never fully revisited. Over time, users, admins, service accounts, and workload identities accumulate standing access that no longer matches operational need. In Zero Trust terms, that turns every credential into a potential movement path. The problem is not only excessive privilege but also the operational habit of treating exceptions as permanent. Without permission review discipline, access control becomes a snapshot of old work rather than current risk.

Practical implication: run recurring entitlement reviews for human and non-human identities, then remove access that is no longer actively justified.

Segmentation as a containment control

Segmentation is the difference between a compromise and a broad incident. Flat networks and weak trust boundaries let attackers move laterally once they obtain any valid access, which is why Zero Trust puts so much weight on limiting reachable resources. The control is not only technical micro-segmentation but also policy that maps who or what should talk to which service, under what condition. When segmentation is treated as an afterthought, it fails to contain the very behaviours Zero Trust is meant to suppress.

Practical implication: segment identity, application, and workload paths so one compromised account cannot traverse the environment freely.


Threat narrative

Attacker objective: The attacker aims to turn a small foothold into broad operational reach by using weak fundamentals to move laterally and expand impact.

  1. Entry often begins with default credentials, an exposed asset, or an unmanaged exception that gives the attacker a valid foothold.
  2. Escalation follows when excessive permissions or flat trust boundaries let that foothold expand into broader system access and lateral movement.
  3. Impact occurs when the attacker reaches data, infrastructure, or identity systems that were supposed to be isolated but were effectively reachable from the initial compromise.

NHI Mgmt Group analysis

Security fundamentals are the real Zero Trust test: the model exposes whether organisations can actually keep inventories, permissions, and boundaries current. The hard part is not concept adoption but operational repetition, because every untracked asset or stale exception becomes a trust leak. In IAM terms, this is where lifecycle hygiene and access governance stop being back-office tasks and become the control plane for resilience. Practitioners should treat control freshness as the metric that matters.

Standing access is the quiet failure mode Zero Trust keeps revealing: policies that look sound on paper often fail because users, admins, service accounts, and workload identities retain access long after the business need has changed. That is the governance gap attackers exploit, especially in hybrid environments where identity paths are more numerous than network boundaries. For NHI programmes, this is a reminder that service accounts and tokens are part of the same containment problem as human credentials. Practitioners should govern standing privilege as an exposure window, not a static entitlement.

Zero Trust is an incentives problem as much as a technical one: engineering, IT, and security teams are optimised for different outcomes, so security controls get diluted into exceptions unless leadership aligns delivery and risk priorities. That explains why “easy” workarounds persist longer than they should. In broader IAM and PAM programmes, the lesson is that governance fails when operational teams are measured on speed alone. Practitioners should make control adherence visible in the same workflow as service delivery.

Containment now matters more than perfect prevention: the article correctly frames modern security around limiting impact, not eliminating every breach. That aligns with identity-led resilience thinking, where the question is how much reach a compromised credential can really obtain. The practical consequence is that Zero Trust succeeds when access paths are short, temporary, and reviewable. Practitioners should optimise for blast-radius reduction, not just policy elegance.

Fundamentals become more urgent as environments intersect: hybrid cloud, SaaS, third-party connectivity, and AI-assisted operations all enlarge the number of places where trust can be assumed incorrectly. The result is not a new class of risk so much as a larger surface for old failures to repeat faster. That makes identity governance, segmentation, and continuous verification the organising controls across modern programmes. Practitioners should expect complexity to amplify weak fundamentals rather than replace them.

What this signals

Control freshness is now a programme-level risk signal: if inventories, permissions, and segmentation rules cannot be updated as fast as the environment changes, Zero Trust becomes a label rather than a containment strategy. For identity teams, that means stale entitlements and unmanaged service access are not background issues, they are the indicators of whether the operating model is still credible.

The identity governance implication is straightforward. Human access reviews, PAM enforcement, and NHI lifecycle controls have to be tied to the same change cadence as cloud and application delivery, otherwise exceptions accumulate faster than policy can absorb them.

Treat standing privilege as a measurable exposure window, not a theoretical weakness. When credentials persist beyond the work they were created for, the organisation inherits a larger blast radius and a slower recovery path, which is exactly the outcome Zero Trust is designed to prevent.


For practitioners

  • Continuous asset discovery Connect discovery tooling to enforcement so unknown hosts, services, and identities cannot inherit trust by default. Reconcile what exists with what is allowed to talk to it, then treat every drift event as a governance issue rather than a housekeeping task.
  • Harden permission review cycles Review human and non-human access on a recurring schedule, focusing on standing privilege, stale exceptions, and dormant service accounts. Remove access that no longer maps to current business need, and require explicit re-approval for any exception that persists.
  • Segment identity and workload paths Map which identities can reach which applications, data stores, and administrative surfaces, then enforce those paths with policy and network controls. Prioritise containment boundaries around privileged services, because flat reachability is what turns a local compromise into a broad one.
  • Align security metrics to control freshness Track whether inventories, entitlements, and segmentation rules are being updated at the same pace as the environment. A Zero Trust programme is slipping when controls are technically present but operationally stale.
  • Treat exceptions as risk decisions Route every new exception through ownership, expiry, and review requirements. If the organisation cannot explain why the exception exists and when it ends, it is already functioning as a standing trust gap.

Key takeaways

  • Zero Trust fails most often because fundamentals are allowed to drift, not because the framework is conceptually weak.
  • For identity programmes, the critical risk is standing access that outlives its business purpose and expands attacker reach.
  • The practical goal is containment through continuous visibility, review, and segmentation, not a one-time policy exercise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Least-privilege access and segmentation are central to the article's Zero Trust argument.
NIST Zero Trust (SP 800-207)The article is fundamentally about operationalising Zero Trust in live environments.
NIST SP 800-53 Rev 5AC-6Least privilege is the core control behind the article's containment focus.
CIS Controls v8CIS-5 , Account ManagementAccount governance is central because forgotten accounts and exceptions undermine Zero Trust.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article focuses on how weak fundamentals enable credential-driven movement after initial compromise.

Map containment controls to credential access and lateral movement tactics, then test whether they are actually blocked.


Key terms

  • Zero Trust: A security model that assumes no implicit trust based on network location or prior access. Every request is evaluated using identity, device, context, and policy so that access remains conditional and reviewable rather than permanent.
  • Standing Privilege: Access that remains active beyond the immediate task or need that justified it. In practice, it is one of the easiest ways for a compromise to expand because the attacker inherits permissions that were never meant to be permanent.
  • Segmentation: The act of limiting which systems, services, or identities can communicate with one another. Effective segmentation constrains lateral movement and reduces blast radius by making compromise in one area less likely to cascade across the environment.
  • Control Freshness: The degree to which inventories, permissions, and enforcement rules reflect the current environment. A control can exist and still be stale, which is why freshness is a better operational measure than policy presence alone.

What's in the full article

Illumio's full blog post covers the operational detail this post intentionally leaves for the source:

  • The podcast-derived discussion of how security fundamentals fail in real enterprise operating models.
  • The argument for measuring Zero Trust by containment and resilience rather than breach prevention alone.
  • The business-case framing around trust, downtime, and compliance as security ROI drivers.
  • The practitioner lens on why incentives across engineering, IT, and security slow control adoption.

👉 Illumio's full post expands on the operational tradeoffs, incentives, and resilience framing behind Zero Trust.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and workload identity. It helps practitioners connect identity controls to broader security and resilience programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org