TL;DR: Zero trust authentication depends on continuous verification, yet authentication flows still break down when passwords, phishable MFA, and unmanaged device trust assumptions remain in place, according to Beyond Identity's analysis. The practical lesson is that IAM teams must treat NHI and device identity as dynamic controls, not one-time gates.
At a glance
What this is: This is a zero trust authentication best-practices post arguing that continuous verification, passwordless MFA, device posture checks, and risk signals are needed to reduce trust in identity decisions.
Why it matters: It matters because NHI and IAM programs must extend zero trust beyond human sign-in events to service accounts, tokens, and agentic access paths that can persist after initial authentication.
By the numbers:
- Cybercrime is on the rise, with the average number of cyberattacks and data breaches in 2021 up 15.1% from the previous year.
👉 Read Beyond Identity's blog on 5 best practices for zero trust authentication
Context
Zero trust authentication is a control model that treats every access request as untrusted until it is continuously verified. For IAM and NHI governance, the gap is that many environments still rely on one-time authentication events while service accounts, API keys, and AI agents keep acting after the first check.
Beyond Identity's post uses that gap to argue that authentication must move from static login proof to ongoing confidence in user, device, and session state. That framing is typical for zero trust guidance, but it becomes more urgent when machine identities can outlive the human workflow that created them.
Key questions
Q: How should security teams apply zero trust authentication to non-human identities?
A: Treat non-human identities as active subjects of authentication policy, not as static infrastructure artefacts. Use cryptographic credentials, short-lived access, posture checks, and revocation triggers so API keys, certificates, and agents are continuously governed. The key test is whether the identity can still be constrained after the first successful authentication.
Q: Why is passwordless authentication not enough for zero trust by itself?
A: Passwordless authentication removes weak shared secrets, but it does not control session duration, privilege scope, or what happens after the login event. A zero trust programme still needs device checks, behavioural signals, and revocation logic. Without those layers, a stolen device or compromised session can continue to operate with valid trust.
Q: What is the difference between MFA and continuous authentication in zero trust?
A: MFA checks identity at a point in time, usually during login. Continuous authentication keeps evaluating whether the same identity should still be trusted as the session progresses. In practice, that means zero trust can react to changed device health, suspicious location, or abnormal behaviour after access has already been granted.
Q: When should organisations step up authentication during a session?
A: Step up authentication when risk changes enough that the original trust decision is no longer reliable. Common triggers include unusual location, disabled endpoint protections, new device context, privileged action requests, or unexpected behaviour from an NHI or agent. The goal is to interrupt risky activity before it becomes lateral movement or data exposure.
Technical breakdown
Phishing-resistant MFA and passwordless authentication
Passwordless authentication replaces shared secrets with cryptographic proof, usually a public-private key pair or device-bound credential. In a zero trust design, the authenticator signs a server challenge with a private key and the server validates the signature with the public key. That removes password guessing, replay, and most phishing paths. The important distinction is that the trust anchor moves from something a user knows to something a device can prove. For NHI governance, the same principle applies to machine credentials that should not be reusable or human-readable.
Practical implication: prioritize phishing-resistant methods for both human and machine access paths where shared secrets still exist.
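The challenge-response flow described above, as an added example written for this post (not Beyond Identity's or NHIMG's code): the server issues a random one-time nonce, the device signs the nonce together with the relying-party origin with an Ed25519 private key it never exports, and the server checks the signature against the registered public key. The origin string, device ids and in-memory maps are assumptions; a production verifier would additionally expire unanswered challenges.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server keeps registered device public keys and the set of outstanding one-time nonces.
type Server struct {
	origin     string
	keys       map[string]ed25519.PublicKey // device id -> public key
	challenges map[string]bool              // hex(nonce) -> outstanding; deleted on first use
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}
// NewDeviceKey makes the device-bound key pair; on real hardware the private key stays in a TPM or enclave.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// Register stores only the public key, so the server never holds a reusable secret.
func (s *Server) Register(device string, pub ed25519.PublicKey) { s.keys[device] = pub }
// Issue returns a fresh random nonce that may be answered once.
func (s *Server) Issue() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.challenges[hex.EncodeToString(nonce)] = true
	return nonce
}
// payload binds the nonce to the relying-party origin, so a signature obtained by a look-alike site is useless here.
func payload(origin string, nonce []byte) []byte { return append([]byte(origin+"|"), nonce...) }
// Sign is the device side: prove possession of the private key for this origin.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte { return ed25519.Sign(priv, payload(origin, nonce)) }
// Verify accepts only a known, never-used nonce signed by the key registered for the device.
func (s *Server) Verify(device string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.challenges[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, key) // consumed on every attempt, good or bad
	if pub, ok := s.keys[device]; !ok || !ed25519.Verify(pub, payload(s.origin, nonce), sig) {
		return errors.New("unregistered device or bad signature")
	}
	return nil
}
```

Because the server stores no secret and the nonce is consumed on first use, a captured signature cannot be replayed and a signature collected by a different origin does not verify.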
Device posture and enforcement points
Device validation is the control that asks whether the endpoint asking for access is both authorised and healthy enough to continue. In zero trust, a managed device is not automatically trusted, and antivirus presence is not treated as proof of safety. Enforcement points evaluate compliance, integrity, and possession before granting or maintaining access. This matters because stolen, borrowed, or partially compromised endpoints can still present valid credentials. In NHI environments, the same logic applies to workloads and agents running on endpoints that may appear compliant while carrying exposed secrets or stale tokens.
Practical implication: tie access decisions to device and workload posture, not just directory membership or network location.
Risk signals and continuous authentication
Continuous authentication extends verification beyond the login event by incorporating behavioural and contextual risk signals. These signals can include unusual location, disabled protections, abnormal session behaviour, or changes in device state after access is granted. Architecturally, that means identity decisions become conditional and revocable in real time rather than fixed at the start of a session. For NHI and agentic AI, that is the crucial shift because autonomous entities can continue acting long after the original access grant. Continuous verification is therefore a control plane requirement, not a user-experience feature.
Practical implication: build revocation triggers and session-level policy responses around real-time risk rather than static authentication status.
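An added example of the session-level policy this section describes (written for this post, not code from the original): it re-evaluates an in-flight session against the triggers named above (trust window, endpoint protection, device, location, privileged action, action rate) and returns allow, step-up or revoke. The field names, the 3x-baseline threshold and the rule that a non-interactive identity is revoked where a human would be stepped up are policy choices assumed for the example.

```go
package main

import "time"
type Decision int
const (
	Allow  Decision = iota // continue the session
	StepUp                 // interrupt and re-prove identity before continuing
	Revoke                 // terminate the session or token now
)
// Session is the context captured when access was granted.
type Session struct {
	NonHuman      bool // service account, workload or agent: cannot answer a step-up prompt
	DeviceID      string
	Country       string
	GrantedAt     time.Time
	MaxLifetime   time.Duration
	MaxActionRate float64 // expected actions per minute for this identity
}
// Signal is the context observed at a later request in the same session.
type Signal struct {
	At           time.Time
	DeviceID     string
	Country      string
	ProtectionOn bool    // endpoint protection still enabled
	Privileged   bool    // the request is a privileged action
	ActionRate   float64 // observed actions per minute
}
// Evaluate re-decides trust for an in-flight session; rules run from most to least severe.
func Evaluate(s Session, sig Signal) (Decision, string) {
	stepUp := StepUp
	if s.NonHuman { // nobody can answer a challenge for a non-interactive identity
		stepUp = Revoke
	}
	switch {
	case sig.At.Sub(s.GrantedAt) > s.MaxLifetime:
		return Revoke, "trust window expired"
	case !sig.ProtectionOn:
		return Revoke, "endpoint protection disabled"
	case sig.DeviceID != s.DeviceID:
		return Revoke, "session presented from a device it was not bound to"
	case s.MaxActionRate > 0 && sig.ActionRate > 3*s.MaxActionRate:
		return stepUp, "action rate far above baseline"
	case sig.Country != s.Country:
		return stepUp, "location changed during session"
	case sig.Privileged:
		return stepUp, "privileged action requested"
	}
	return Allow, "within policy"
}
```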
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwordless authentication is necessary, but not sufficient, for zero trust in NHI-heavy environments. Replacing passwords with cryptographic proof reduces one of the easiest intrusion paths, but it does not resolve lifecycle risk, over-privilege, or unmanaged machine credentials. Zero trust only becomes meaningful when identity proof, privilege scope, and credential lifetime are governed together. Practitioners should treat passwordless sign-in as a baseline, not an end state.
Device posture has become an identity control, not just an endpoint control. The article is right to frame device trust as part of authentication because the identity decision now depends on the state of the endpoint as much as the claimant. That matters for NHI because service accounts, bots, and agents often inherit trust from the environment they run in. Security teams should align access policy with runtime context, not directory status alone.
Continuous authentication exposes the identity blast radius concept. Once access is granted, the real question is how far a compromised session, token, or agent can move before policy interrupts it. That is the core governance issue for modern IAM and NHI programs. Teams should map where a single credential can still produce multi-system impact and then narrow that blast radius aggressively.
Zero trust architecture fails when organisations stop at login hardening. The article focuses on authentication, but the discipline of zero trust requires continuous verification across users, devices, services, and sessions. For NHI governance, that means the same control expectations should apply to API keys, certificates, and agent identities. Practitioners should stop treating initial sign-in as the security event that matters most.
Identity governance must now account for post-authentication behaviour. Once sessions become the main attack surface, entitlement reviews alone are insufficient unless they are paired with runtime policy enforcement. That is especially true for non-human identities that may execute dozens of actions after a single grant. Security architects should connect authentication policy to revocation, telemetry, and access review workflows.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the broader control model, see Ultimate Guide to NHIs, Key Challenges and Risks, which frames the visibility and over-privilege problems that zero trust alone does not solve.
What this signals
Identity blast radius: zero trust programmes now need to measure how far a compromised credential can travel after initial authentication. That is especially relevant when AI agents and service accounts can keep executing after the login checkpoint, which is why access reviews must be paired with runtime revocation and session telemetry. The NIST Zero Trust Architecture model remains useful here, but only if teams treat authentication as a continuous control plane, not a one-time event.
With 72% of organisations reporting or suspecting NHI breaches, the governance problem is already operational, not theoretical. Teams should expect more access paths to be judged by device context, behavioural risk, and short-lived trust windows rather than static entitlements. That shift should inform policy design for both human and non-human access.
The practical signal for IAM leaders is that authentication strategy and NHI lifecycle management can no longer be separated. If machine credentials are not bound to strong identity, posture, and revocation logic, zero trust becomes a brand label instead of an operating model. Programmes should prioritise control consistency across users, workloads, and agents.
For practitioners
- Implement phishing-resistant authentication: Replace shared secrets and phishable MFA factors with cryptographic, device-bound authentication wherever users or operators access sensitive systems. Extend the same design expectation to machine credentials that are still copied between environments.
- Bind access to device posture: Require enforcement points to verify device compliance, integrity, and possession before granting or renewing access. Include unmanaged laptops, contractor devices, and privileged workstations in the same policy model.
- Make sessions revocable on risk signals: Define triggers for step-up authentication, session quarantine, or access termination when location, endpoint health, or behaviour changes materially during a session.
- Map where trust persists after login: Inventory where tokens, certificates, API keys, and service accounts continue operating after the original sign-in event. Use that map to identify the sessions with the largest identity blast radius.
- Review zero trust policy against NHI workflows: Check whether the same authentication logic applied to humans is also applied to bots, workloads, and AI agents that authenticate non-interactively and act across multiple systems.
Key takeaways
- Zero trust authentication fails when organisations treat login as the whole security event instead of the start of continuous verification.
- Machine identities raise the stakes because credentials, sessions, and agents can remain active after the original access check passes.
- IAM teams should pair passwordless proof with posture checks, revocation logic, and NHI lifecycle governance to reduce identity blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Continuous verification, least privilege | The article centers on continuous verification and least privilege in zero trust. |
| NIST CSF 2.0 | PR.AC-4 | Authentication and access enforcement are the core controls discussed here. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle and rotation are implied by the article's focus on secret-bearing identities. |
Review NHI credentials for shared-secret use and shorten lifetime where passwordless or bound identity is possible.
Key terms
- Zero Trust Authentication: An authentication model that does not assume trust after a first check. It requires the user, device, or service to prove identity continuously and to remain within policy as context changes. For NHI programmes, this means access is conditional on posture, telemetry, and revocation capability.
- Continuous Authentication: A control pattern that keeps re-evaluating identity after the initial login event. Rather than trusting a session until logout, the system can challenge, limit, or terminate access when behaviour, device state, or location changes. This is increasingly relevant for agents and workloads that act autonomously.
- Device Posture: The current security condition of a device or runtime at the moment access is requested or renewed. Posture can include patch state, protection status, integrity, and whether the endpoint is managed. In identity governance, posture is part of the trust decision, not a separate endpoint problem.
- Identity Blast Radius: The amount of damage a single compromised identity can cause before controls interrupt it. The concept applies to human sessions, service accounts, API keys, and AI agents, especially when access spans multiple systems. Reducing blast radius means constraining duration, scope, and revocation latency.
Deepen your knowledge
Zero trust authentication and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning authentication policy across users, workloads, and agents, it is worth exploring.
This post draws on content published by Beyond Identity: 5 best practices for authentication in a zero trust strategy. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org