TL;DR: VPNs were built for office-centric access, but in cloud-heavy hybrid environments they create performance bottlenecks, broad trust assumptions, and credential risk, according to eMudhra. Zero Trust shifts access decisions toward continuous verification, least privilege, and device trust, making the old network perimeter less relevant.
At a glance
What this is: This is an analysis of why VPN-centric remote access is breaking down and how Zero Trust changes the access model for distributed enterprises.
Why it matters: It matters because IAM, PAM, and identity architects must govern access across users, devices, and applications without relying on a flat network trust zone.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read eMudhra's analysis of VPN fatigue and Zero Trust adoption in Malaysia
Context
VPNs were designed for a network boundary that no longer matches how enterprises work. In cloud-heavy, mobile, and hybrid environments, the problem is not just connectivity speed. It is that broad network access still assumes the connection itself is trustworthy, even when the user, device, or application behind it may not be.
That is why Zero Trust has become a practical identity problem, not just a network redesign. For IAM and PAM teams, the shift is toward continuous verification, device posture checks, least privilege, and stronger certificate-backed access, especially where remote connectivity depends on service accounts, APIs, and other non-human identities as much as on employees.
For organisations in regulated sectors such as finance, healthcare, and government, the stakes are higher because remote access now spans personal data, internal systems, and third-party integrations. The starting point in this article is typical: many businesses kept extending VPN use until the operational friction and security exposure became impossible to ignore.
Key questions
Q: How should organisations move away from VPN-first remote access without weakening security?
A: Start by treating VPN as a transport mechanism rather than the trust decision itself. Move access control into identity policy, device posture checks, MFA, and least privilege at the point of request. The goal is not to remove remote access, but to make every session prove trust continuously instead of inheriting it from network location.
Q: Why do VPNs create more risk in cloud-heavy environments?
A: Because VPNs assume that connectivity from inside the tunnel implies trust. In cloud-heavy environments, applications are distributed and identities are fragmented, so a stolen credential can open access well beyond the original remote session. That makes flat network trust a poor fit for modern identity governance.
Q: What do security teams get wrong about Zero Trust and remote access?
A: Many teams treat Zero Trust as a product replacement for VPNs, when it is actually an access model. The control shift is from network admission to continuous verification, granular authorisation, and device assurance. If those policy layers are weak, replacing the VPN alone changes the plumbing but not the risk.
Q: How do IAM and PAM teams govern privileged remote access under Zero Trust?
A: They should bind privileged access to session-specific approval, strong authentication, device trust, and narrowly scoped permissions. Privileged accounts should not inherit broad network reach simply because the user connected remotely. The governance objective is to reduce standing exposure before a compromise can move laterally.
Technical breakdown
Why VPN trust models break in cloud-first environments
A VPN extends the internal network boundary to the remote user, but it does not verify every request once the tunnel is established. That creates a wide implicit trust zone. In cloud-first environments, where applications sit across multiple platforms and identities are distributed, that model becomes brittle. A single compromised credential can be enough to pivot from remote access into broader systems. The issue is structural: the access layer was built around location, not identity confidence or continuous session evaluation.
Practical implication: treat VPNs as a transport layer, not an access decision layer, and stop using network reachability as proof of trust.
How Zero Trust changes authentication and device trust
Zero Trust replaces one-time network admission with repeated verification of identity, device posture, and context. In practice, that means MFA, adaptive authentication, digital certificates, and policy checks happen at the point of access and can be revisited during the session. The model is especially relevant where users work from unmanaged networks and endpoints, because the trust decision must follow the request, not the router. This is where identity governance and device assurance start to converge.
Practical implication: align access policies with device compliance and authentication assurance levels, not with whether a user is inside or outside the corporate network.
Least privilege and granular monitoring under zero trust architecture
Zero Trust depends on limiting what a validated user can reach after authentication. Least privilege reduces the blast radius of a stolen credential, while granular monitoring detects abnormal access patterns across users, devices, and applications. For non-human identities, this is where static permissions, long-lived tokens, and broad service access become particularly problematic because a remote access model cannot be trusted to contain them. The architecture only works when entitlements, logging, and review processes are tightly coupled.
Practical implication: pair access minimisation with session monitoring and entitlement review so that valid credentials do not translate into open-ended reach.
Threat narrative
Attacker objective: The attacker aims to turn a single remote access compromise into broad internal access without triggering strong identity-based containment.
- Entry occurs when attackers obtain a valid VPN credential or exploit a weakness in remote access infrastructure, then use the trusted tunnel to appear legitimate.
- Escalation follows when the initial foothold grants broad internal reach, allowing the attacker to move from remote access into systems that were never meant to be directly exposed.
- Impact is achieved when the compromised session or credential is used to access sensitive business systems, disrupt operations, or exfiltrate data at scale.
Breaches seen in the wild
- SonicWall VPN Mass Breach via Stolen Credentials — Stolen credentials enable mass compromise of SonicWall VPN accounts across enterprise environments.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
VPN fatigue is really trust-model fatigue. The problem is not only that VPNs are slow or awkward. It is that they preserve a location-based trust assumption in environments where access is now distributed across cloud apps, mobile endpoints, and third-party integrations. The implication is that identity architecture has to become the primary control plane, not the network boundary.
Zero Trust is inseparable from non-human identity governance. Modern remote access does not stop with users and devices. Service accounts, API keys, and certificates also participate in the same access paths, which means broad network access can amplify machine identity risk just as quickly as human identity risk. Practitioners need to treat remote connectivity and NHI governance as one programme, not two separate ones.
Least privilege now has to be enforced where the session is created, not where the network sits. VPN-era thinking assumes access can be safely inherited once the tunnel is open. That assumption fails when applications, data, and workflows are fragmented across multiple clouds and administrative domains. The implication is that entitlement scope, session context, and certificate trust must be evaluated together.
Identity-based access controls are absorbing work that perimeter controls used to do. That shift changes the operating model for IAM and PAM teams. Authentication, device trust, session policy, and monitoring are no longer separate layers that can be managed independently. Practitioners should expect more pressure to unify them into one access governance workflow.
Named concept: remote access trust collapse. The older assumption was that once a user crossed the VPN boundary, the network could be treated as a trusted workspace. That assumption fails in hybrid and cloud-first environments because the boundary no longer maps to risk, privilege, or identity assurance. Practitioners must rethink access design around verified sessions instead of trusted locations.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- The Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs shows why access review, rotation, and offboarding need to be coordinated rather than handled as separate tasks.
What this signals
VPN replacement projects often stall when teams focus only on user experience or tunnel performance. The real programme change is deeper: access must be governed as a set of verifiable sessions, with identity, device posture, and privilege scope all carrying equal weight. In that model, the network stops being the trust anchor.
Remote access trust collapse: when the network boundary is no longer the control point, the organisation has to know exactly which identities, devices, and workloads are allowed to participate in each session. That becomes more complex when service accounts and API credentials share the same operational pathways as people, especially in hybrid environments where trust spans human and machine access alike.
For practitioners
- Replace perimeter trust with session-level verification Move toward access policies that re-evaluate identity, device posture, and context at the point of use rather than relying on a persistent VPN tunnel.
- Map non-human identities into remote access paths Inventory service accounts, API credentials, and certificates that depend on remote connectivity so you can see where machine identities inherit the same trust assumptions as users.
- Constrain privileged reach after authentication Use least privilege, segmented access, and conditional policy enforcement so a valid login does not become unrestricted lateral movement inside the environment.
- Unify identity and device assurance Require endpoint compliance signals, MFA strength, and certificate validation to be part of the same access decision for remote workers and administrators.
- Review VPN dependence by business function Identify where VPNs still carry critical workloads and assess whether those flows should shift to certificate-based or policy-based access instead.
Key takeaways
- VPN fatigue is a governance problem as much as a performance problem, because broad tunnel trust no longer matches distributed identity risk.
- Zero Trust shifts remote access decisions toward continuous verification, least privilege, and device assurance, which reduces the blast radius of credential compromise.
- IAM, PAM, and NHI governance need to converge around session-level access control, or the organisation will keep extending old trust assumptions into new environments.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Section 2 | Zero Trust is the central model discussed in the article. |
| NIST CSF 2.0 | PR.AC-1 | Remote access depends on controlling identity and access outcomes. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine identities and credentials still travel through remote access paths. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the core control principle behind the article's Zero Trust framing. |
| GDPR | Art.32 | The article references GDPR in the context of protecting personal data under remote access. |
Inventory non-human credentials that rely on VPN-based paths and reduce standing exposure.
Key terms
- Zero Trust Architecture: A security model that assumes no user, device, or application is trusted by default. Access is granted through continuous verification, explicit policy checks, and least privilege, rather than by placing confidence in a network location or VPN tunnel.
- Least Privilege: A governance principle that gives an identity only the access required to complete its task. In Zero Trust environments, this must be enforced at the session and application level, because broad network access can still expose far more than the task requires.
- Certificate-Based Access: An access approach that uses digital certificates to validate identity and trust, often as part of a Zero Trust design. It is most useful when remote access must be tightly scoped, continuously verifiable, and less dependent on static network trust.
- Device Trustworthiness: The confidence that an endpoint meets defined security requirements before it is allowed to access systems or data. In modern identity programmes, device trust is a critical signal because a valid user credential alone no longer proves safe access.
What's in the full article
eMudhra's full article covers the practical detail this post intentionally leaves for the source:
- How the vendor positions certificate-based access as an alternative to VPN-based remote connectivity.
- Where the article connects Zero Trust to PDPA, ISO, GDPR, and HIPAA compliance expectations.
- The way eMudhra describes its IAM and PKI stack across MFA, SSO, PAM, and adaptive authentication.
- The business framing used to support hybrid-work security and digital transformation messaging.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org