TL;DR: DXC’s CISO argues that Zero Trust and AI should be treated as a paired strategy for reducing risk, improving access control, and accelerating response, while security graphs provide the data model needed to make policy enforcement and anomaly detection work at scale, according to Illumio. The governance shift is clear: resilience now depends on continuous visibility, not compliance theatre.
At a glance
What this is: This is an executive cyber resilience perspective arguing that Zero Trust, AI, and security graphs must work together to protect business growth without slowing operations.
Why it matters: It matters because IAM, PAM, and NHI programmes all depend on the same access, policy, and telemetry foundations that Zero Trust and AI are trying to orchestrate.
👉 Read Illumio's analysis of how DXC is aligning Zero Trust and AI for cyber resilience
Context
Cyber resilience has moved beyond perimeter controls and point tools. The article’s core argument is that organisations now need a governance model that can keep pace with business growth, changing user behaviour, and adversaries that exploit access faster than teams can manually react. For identity programmes, that means the same access decisions that govern people, service accounts, and workload identities must also be continuously evaluated inside broader network and policy layers.
The security challenge here is not just visibility, it is decision speed. Zero Trust supplies the access model, AI supplies the decision support, and security graphs provide the relationship layer that makes those decisions operational. That intersection matters for IAM, PAM, and NHI governance because the same entitlement, segmentation, and anomaly logic increasingly needs to work across human and non-human identities rather than in separate control planes.
Key questions
Q: How should security teams implement Zero Trust for non-human identities?
A: Start by inventorying every machine identity, assigning an owner, and mapping its access to a specific business function. Then apply least privilege, short-lived credentials, and revocation controls so each identity can be verified, limited, and retired on schedule. Zero Trust fails when machine access is treated as permanent infrastructure rather than governed identity.
Q: Why do security graphs matter for IAM and NHI programmes?
A: Security graphs matter because they connect entitlements, behaviours, systems, and data into a single relationship view. That helps teams detect risky access paths, understand blast radius, and automate response decisions with context. Without that relationship layer, identity telemetry stays fragmented and AI has too little structure to make reliable governance decisions.
Q: What breaks when segmentation is not tied to privilege scope?
A: Segmentation becomes a network design exercise instead of an access control. A compromised account may still reach critical assets if the policy does not consider who is connecting and what that identity is allowed to do. That leaves lateral movement possible even when the network looks segmented.
Q: Who is accountable when AI-assisted decisions affect public services?
A: Accountability sits with the agency that approves the workflow, the teams that control access to data and models, and the owners of the business process being automated. If the system cannot produce traceable evidence for a decision, accountability is incomplete. That is why audit logs, policy rules, and data lineage must be part of the operating model.
Technical breakdown
Zero Trust as the access model for dynamic identity environments
Zero Trust is not a product category, it is an operating assumption that access should be continuously verified and limited to the smallest practical scope. In the article’s framing, that matters because modern enterprises move too fast for static trust decisions tied to network location or one-time authentication. For identity teams, the important shift is that policy must follow the subject, whether that subject is a person, service account, workload, or AI-driven workflow. When access decisions are tied to context and behaviour, organisations can reduce the dependence on manual review cycles that always lag reality.
Practical implication: align IAM, PAM, and NHI policy decisions to contextual verification and least privilege rather than fixed network trust.
Security graphs and AI-driven anomaly detection
A security graph is a structured model of relationships between users, devices, applications, data, and infrastructure. Its value is not the graph itself but the way it turns fragmented telemetry into a usable context layer for AI. That allows detection of unusual access paths, suspicious privilege combinations, and lateral movement patterns that would be difficult to spot in isolated logs. For identity governance, this is especially relevant where non-human identities create dense, fast-moving access relationships that traditional review processes cannot interpret in real time.
Practical implication: build telemetry pipelines that make entitlement and behaviour relationships machine-readable before relying on AI for detection or policy automation.
Microsegmentation and role-based access as containment controls
Role-based access control and microsegmentation work together by narrowing what any identity can reach and where it can move if compromised. RBAC limits entitlement scope, while segmentation limits lateral movement paths inside the environment. The article’s broader message is that resilience comes from combining preventive and containment controls, not from assuming detection alone will stop blast radius. For NHI governance, that matters because service accounts and tokens often inherit broad access unless segmenting and entitlement design are enforced together.
Practical implication: map high-risk identities to segmented zones and review whether current RBAC boundaries actually constrain post-compromise movement.
Threat narrative
Attacker objective: The attacker objective is to expand from initial access into broader movement and business-impacting compromise before security teams can contain the activity.
- Entry begins when adversaries exploit identities or access paths that are too broadly trusted for the speed of modern operations.
- Escalation occurs when standing entitlements, weak segmentation, or poor behavioural context allow an attacker to move from one account or workload to broader access.
- Impact follows when the organisation cannot detect or contain the activity quickly enough, turning an access event into business disruption or data loss.
NHI Mgmt Group analysis
Zero Trust is becoming the practical governance layer for identity risk, not just a network strategy. The article frames Zero Trust as the framework that makes faster security decisions possible, which is exactly where many IAM programmes are heading. Once access must be continuously justified, the old boundary between human identity, NHI, and workload access becomes less defensible. Practitioners should treat Zero Trust as an identity governance operating model, not a slogan.
Security graphs are the missing context layer for modern identity control. The value of AI in this article comes from relationship data, not from automation for its own sake. Security graphs turn scattered telemetry into a machine-usable map of who touched what, when, and through which dependencies. That matters because NHI and agentic AI programmes fail when access decisions cannot be correlated across systems; the practitioner conclusion is to invest in data quality before automation.
Microsegmentation exposes whether privilege design is actually resilient. The article’s strongest operational point is that containment must be designed into the environment, not hoped for after detection. Where RBAC is too broad or too flat, segmentation becomes the control that limits damage after compromise. For identity teams, that means segmenting around sensitive workflows and privileged paths, then testing whether non-human and human access can still move too freely.
Compliance-only security programmes are now structurally inadequate. The article argues that organisations should move beyond checking boxes and toward repeatable risk reduction. That position aligns with the reality that identity governance cannot be driven by audit cadence alone when attack speed is measured in minutes. The field should treat resilience metrics, not compliance artefacts, as the primary measure of control effectiveness.
Trust has become an identity governance metric, not a brand sentiment. The article links growth, customer confidence, and security outcomes in the same operating model. That is analytically important because modern identity programmes are judged on whether they keep the business moving without widening attack paths. The practitioner conclusion is simple: if access control slows legitimate work or fails to contain abuse, it is not fit for growth.
What this signals
Security graphs will become a stronger requirement for identity programmes that want AI to make defensible decisions. The immediate signal for practitioners is that access, entitlement, and telemetry data quality now sits inside the control plane, not outside it. Where identity and network relationships are incomplete, AI will only accelerate bad decisions. The practical move is to invest in relationship integrity before expanding automation.
Zero Trust programmes should now be judged by containment, not by architecture diagrams. If a compromised identity can still traverse too much of the environment, the model is not delivering resilience. Identity, PAM, and NHI teams should watch for whether their policies actually reduce lateral movement and blast radius in the environments that matter most.
The article also signals a wider shift in governance language. Boards are more likely to respond to resilience, exposure reduction, and business continuity than to technical control inventories. That means security leaders should be prepared to translate identity controls into operational outcomes such as less privilege reach, faster detection, and smaller compromise windows.
For practitioners
- Map Zero Trust to identity decisions Define where continuous verification must replace static trust for users, service accounts, workloads, and AI-driven workflows. Document which access paths can be time-bound, context-bound, or segmented so policy follows the identity rather than the network zone.
- Make security graphs operational Normalise identity, entitlement, device, and application telemetry into a relationship model that security teams can query. Prioritise graph completeness for privileged paths and high-value systems before introducing automated policy changes.
- Test containment with microsegmentation exercises Run movement simulations against segmented zones to see whether a compromised identity can still reach crown-jewel assets. Use the results to tighten RBAC boundaries and segment privileged workflows that remain too open.
- Reframe board reporting around resilience outcomes Report how access policy, segmentation, and AI-assisted detection reduce dwell time, constrain blast radius, and protect revenue-critical services. Replace control counts with measurable reductions in exposure across key identity pathways.
Key takeaways
- Zero Trust only works as a resilience model when it is tied to identity decisions, segmentation, and continuous verification.
- AI adds value when it can reason over a security graph that connects users, devices, applications, and access relationships.
- Identity programmes should measure containment and business impact, not just compliance coverage or tool deployment counts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | The article centers on access control, continuous verification, and least privilege. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to the role-based access and containment discussion. |
| NIST Zero Trust (SP 800-207) | The article explicitly relies on Zero Trust as the operating model. | |
| CIS Controls v8 | CIS-6 , Access Control Management | The article emphasises access governance and segmentation as resilience controls. |
Map identity policy and segmentation to PR.AC-4 and verify that access is limited by context and role.
Key terms
- Zero Trust: A security model that assumes no implicit trust and requires continuous verification before access is granted. In practice, it combines identity, device, context, and policy signals so access decisions remain dynamic rather than fixed at sign-in.
- Security Graph: A structured relationship model that connects identities, devices, applications, permissions, and data flows. It helps security teams and AI systems reason about how access moves through the environment, where anomalies appear, and where containment should begin.
- Microsegmentation: The practice of dividing an environment into smaller security zones so access can be tightly controlled between workloads, users, and services. It reduces lateral movement by limiting how far a compromised identity or system can travel inside the network.
- Role-Based Access Control: An access control method that grants permissions through roles rather than one-off individual assignments. It is useful for scale, but it must be paired with review, context, and segmentation to avoid over-broad reach in complex environments.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- The article expands on how DXC frames Zero Trust as a business strategy rather than a tooling conversation.
- It includes the boardroom messaging approach Baker uses to link security investments to business outcomes.
- It describes how AI is used to automate policy enforcement and anomaly flagging inside a real enterprise environment.
- It outlines the security graph view that supports faster response and cross-platform visibility.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management for practitioners building resilient access programmes. It helps security leaders connect identity controls to broader operational risk and governance decisions.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org