TL;DR: Zero Trust often stalls when teams try to secure everything at once, but the Navy and DHS found progress by defining a protect surface and building controls around specific assets, according to Illumio. The shift matters because operational focus, not framework adoption, is what turns Zero Trust into measurable governance.
At a glance
What this is: The article argues that Zero Trust becomes workable only when organisations narrow scope to a protect surface and design controls around the specific data, applications, or services that matter most.
Why it matters: That matters to IAM and PAM teams because access decisions, policy enforcement, and telemetry all become more effective when tied to a bounded set of protected assets instead of an abstract enterprise perimeter.
👉 Read Illumio's analysis of how the U.S. Navy and DHS made Zero Trust operational
Context
Zero Trust fails when it is treated as an enterprise slogan instead of an operating model. The practical problem is not that teams reject the idea of continuous verification, but that they try to enforce it across too much scope at once, which makes policy, telemetry, and access decisions hard to measure or sustain.
The protect surface approach narrows that scope to the assets, services, or data whose compromise would create mission failure. That makes the identity connection explicit: every entity that can reach the protected resource needs defined, reviewable access, whether it is a human, service account, workload identity, or automated agent. For teams building that discipline, the Ultimate Guide to NHIs includes useful lifecycle context on access control and governance.
What this article captures is typical of mature Zero Trust programmes: they start by reducing ambiguity, not by adding another layer of tooling.
Key questions
Q: How should security teams implement Zero Trust around critical business services?
A: Security teams should start by defining the smallest business service, data set, or application whose compromise would create real impact, then map every identity that can reach it. Access policy, verification, and telemetry should be built around that scope, not around a broad enterprise perimeter. That makes Zero Trust measurable and far easier to govern.
Q: Why does Zero Trust fail when teams try to cover the whole enterprise at once?
A: Zero Trust fails when the scope is too large to support clear access rules, accurate telemetry, and consistent enforcement. Broad programmes often become checkbox deployments of MFA or endpoint controls without a strong link to mission risk. Narrowing the scope to a protect surface creates the discipline needed for continuous verification.
Q: What do security teams get wrong about Zero Trust policy design?
A: Teams often treat policy as a one-time configuration instead of an evolving decision model tied to actual use. If access rules are not validated against observed behaviour, they either over-restrict legitimate work or quietly allow unnecessary reach. Effective Zero Trust policy is iterative and evidence-led.
Q: Who is accountable for defining and maintaining a protect surface?
A: Accountability should sit with the business and security owners who understand the service's failure impact, while IAM and security architecture teams translate that impact into access controls. The protect surface is not just a technical boundary. It is a governance boundary that must stay current as services, identities, and dependencies change.
Technical breakdown
Protect surface definition and access scope
The protect surface is the smallest unit of critical value that an organisation chooses to defend. Instead of starting with the full attack surface, teams define the specific data, applications, or services that cannot be compromised without major impact. That makes policy design much more precise because access can be tied to a bounded resource rather than to broad network membership. In practice, the protect surface becomes the anchor for identity, policy, and telemetry decisions. It also reveals where current access models are too coarse, especially when service accounts, workloads, or partner integrations have inherited reach they do not actually need.
Practical implication: define protected assets first, then map every human and non-human identity that can reach them.
Capabilities, policies, and telemetry around the protected resource
Operational Zero Trust is built from capabilities, not products. A capability is the ability to perform a security function consistently, such as verifying access, limiting exposure, or observing traffic patterns around a specific resource. Policy then becomes the mechanism that decides whether access is allowed under current conditions, while telemetry shows whether real usage matches expected usage. This is why Zero Trust programmes fail when they stay at the framework level. Without continuous feedback, policy drifts from actual behaviour, and controls are either too loose to matter or too rigid to operate. The model works only when control, observation, and adjustment happen together.
Practical implication: pair access policy with telemetry so you can refine control decisions against real behaviour.
Protect webs as a way to scale zero trust architecture
A protect web is a set of connected capabilities organised around one protect surface. It is a scaling pattern for complex environments where one uniform policy cannot fit every business unit or system. The point is not to standardise everything equally, but to create repeatable control bundles that can be reused across different critical assets. That matters in large enterprises because Zero Trust often breaks when teams try to convert a whole estate in one pass. Protect webs let organisations make incremental progress while keeping the architecture aligned to mission risk. This is especially relevant where identity sprawl and diverse access paths make blanket controls unreliable.
Practical implication: use protect webs to roll Zero Trust out in bounded, measurable steps instead of broad enterprise rewrites.
NHI Mgmt Group analysis
Operational Zero Trust is really an identity scoping problem. The article shows that broad security frameworks fail when teams cannot define who or what should reach a protected asset. That is true for human access, but it becomes more urgent for NHIs, service accounts, and workload identities that often inherit access without a clear business owner. The field should treat scope definition as a governance control, not a documentation exercise. Practitioner conclusion: if the access boundary is vague, the Zero Trust programme is already underpowered.
Protect surface is a useful concept because it turns abstract risk into governable boundaries. Teams can only write meaningful policy when they know which asset would create mission failure if exposed. This is aligned with NIST SP 800-207 Zero Trust Architecture and the NIST Cybersecurity Framework 2.0, both of which depend on explicit trust decisions and continuous verification. Practitioner conclusion: use protect surface mapping to decide where identity controls must be strictest.
Capability-based security is more durable than tool-led security. The article makes the case that organisations often already own parts of the control stack, but fail to coordinate them into a functioning capability. That is a familiar governance gap in identity programmes as well, where access reviews, policy engines, and telemetry tools exist but do not form a closed loop. Practitioner conclusion: measure whether your controls work together, not whether they exist in isolation.
Incremental Zero Trust reduces programme failure by giving teams a real unit of progress. Large environments do not become secure because a framework is adopted. They become more resilient when each protected asset is wrapped in access, policy, and monitoring controls that can be repeated elsewhere. For identity teams, that means prioritising the most exposed services first and then extending the pattern. Practitioner conclusion: build for repeatability, not for one-time transformation.
Protect surface thinking also sharpens the governance boundary between IAM and operational resilience. Once the critical asset is known, identity controls can be evaluated against mission continuity rather than against generic compliance checklists. That matters because access governance is often asked to prove value after the fact instead of during design. Practitioner conclusion: align access policy reviews to service criticality and failure impact, not only to periodic audit cycles.
What this signals
Protect-surface governance will increasingly become the practical test of Zero Trust maturity. Teams that cannot define bounded, mission-critical access scopes will keep confusing tool deployment with risk reduction. For identity programmes, the real signal is whether human and non-human access is consistently tied to a named asset, not whether a control exists somewhere in the stack.
Zero Trust programmes that ignore non-human identities will leave their most dynamic access paths least governed. Workload identities, service accounts, and automation links often bypass the human-centric assumptions that make traditional access review work. The result is a gap between policy intent and runtime behaviour, which is exactly where governance breaks down.
Protect surface thinking should be extended into lifecycle management. Once a critical resource is defined, organisations need to know which identities were provisioned for it, which have persistent access, and which should be offboarded or time-bound. That is where the NHI Lifecycle Management Guide becomes operationally relevant for teams trying to move from concept to control.
For practitioners
- Map protect surfaces before expanding controls Start with the data, application, or service whose compromise would create mission failure, then list every human and non-human identity that needs access to it. Use that boundary to decide where MFA, session controls, service account restrictions, and monitoring should concentrate.
- Build policy around access conditions, not broad trust zones Write rules that reflect when access is valid, why it is needed, and which identity type is requesting it. For service accounts and workload identities, require explicit ownership and reviewable purpose so privileges do not drift beyond the protected resource.
- Use telemetry to validate the policy model Compare real traffic and access patterns against the expected use of each protected asset, then adjust rules where behaviour and policy diverge. This is especially important for shared services, third-party integrations, and machine identities that are easy to over-permit.
- Sequence Zero Trust by mission-critical asset Avoid enterprise-wide rollouts that measure success only by coverage. Prioritise one high-value protect surface, prove the controls work, and then repeat the pattern across similar assets or business units.
Key takeaways
- The article argues that Zero Trust only becomes operational when organisations shrink the problem to a protect surface.
- The governance value is in precise access scoping, policy enforcement, and telemetry that all revolve around a critical asset.
- For IAM teams, the key lesson is to measure Zero Trust by mission-bound controls, not by enterprise-wide tool coverage.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Zero Trust around a protect surface depends on least-privilege access decisions. |
| NIST Zero Trust (SP 800-207) | The article is fundamentally about operationalising Zero Trust Architecture. | |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to restricting access to the protect surface. |
| CIS Controls v8 | CIS-6 , Access Control Management | The article focuses on controlling access around high-value assets. |
| NIST AI RMF | GOVERN | The governance theme is about accountability for security boundaries and control decisions. |
Use Zero Trust principles to define protected resources, policy points, and continuous verification.
Key terms
- Protect Surface: A protect surface is the smallest set of data, applications, or services whose compromise would create meaningful business or mission impact. It gives Zero Trust a concrete scope so policy, monitoring, and access decisions can be designed around what truly matters.
- Protect Web: A protect web is the collection of controls, processes, and technical capabilities built around one protect surface. It allows organisations to scale Zero Trust by repeating a bounded control pattern across multiple critical assets instead of trying to secure the entire environment uniformly.
- Capability-Based Security: Capability-based security focuses on whether the organisation can consistently perform a security function, such as verifying access or monitoring behaviour, rather than on whether a tool has been deployed. It shifts governance from product ownership to operational outcome.
- Continuous Verification: Continuous verification is the practice of re-checking access conditions as context changes instead of assuming an initial login or policy decision remains valid. In Zero Trust, it is the mechanism that keeps privilege aligned to current need and current risk.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- The webinar discussion of how the U.S. Navy and DHS translated Zero Trust principles into a repeatable operating model.
- The practical framing of protect surfaces and protect webs for complex government environments.
- The dialogue between John Kindervag and Don Yeske on what changes when teams stop measuring coverage and start measuring outcomes.
- The source article's examples of how policy, telemetry, and control placement work together in real deployments.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It is designed for practitioners who need to connect identity controls to real operating models across modern security programmes.
Published by the NHIMG editorial team on 2026-04-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org