By NHI Mgmt Group Editorial Team
Published 2025-07-22
Domain: Best Practices
Source: JumpCloud

TL;DR: Many organisations say they have implemented Zero Trust, but JumpCloud argues that partial coverage across IAM, device trust, network access, PAM, and visibility leaves material gaps. The deeper issue is not whether Zero Trust is adopted, but whether it is enforced consistently across the full access surface.


At a glance

What this is: A Zero Trust analysis arguing that surface-level adoption leaves major access-control gaps across identity, devices, privileged access, and monitoring.

Why it matters: IAM, NHI, and human identity programmes all fail when access control is applied selectively instead of across the full environment.



Context

Zero Trust is a governance model built on continuous verification, least privilege, and explicit access decisions. The article argues that many organisations stop at partial controls, which leaves identity, device, and privileged access gaps open even after a Zero Trust rollout.

For IAM teams, the central problem is scope, not branding. If MFA, conditional access, PAM, and monitoring only cover a small subset of users or systems, the programme creates a false sense of assurance while attackers still retain paths for lateral movement and privilege abuse.


Key questions

Q: How should security teams implement Zero Trust without creating too many exceptions?

A: Start by mapping where the current programme still trusts users, devices, or services by default. Then remove broad access paths first, especially around admin rights, shared accounts, and network-wide reach. A Zero Trust programme becomes credible only when the same policy logic applies across the full access surface, not just the highest-risk segment.

Q: Why do verified users on unmanaged devices still create serious risk?

A: A verified user on an unmanaged device can still expose the organisation to malware, session theft, or data loss because identity assurance does not guarantee endpoint integrity. Zero Trust assumes every access request must be evaluated in context, so device posture is a core security signal, not an optional extra.

Q: What do teams get wrong about Zero Trust and privileged access?

A: They often treat PAM as a separate admin control instead of a central Zero Trust function. Standing privilege, shared credentials, and weak session visibility all preserve high-impact pathways for attackers. PAM has to be integrated into the access model, not bolted on after the fact.

Q: Who is accountable when Zero Trust only covers part of the environment?

A: Accountability sits with the security and identity owners who accepted exceptions without defining how risk would be contained, monitored, and reviewed. Framework alignment is strongest when access governance, telemetry, and privileged controls are managed as one programme rather than disconnected tools.


Technical breakdown

Identity and access management as the first trust gate

Zero Trust starts with identity because every downstream access decision depends on who or what is requesting entry. In practice, that means MFA everywhere, not only for administrators or remote access, plus conditional access that evaluates context such as device, location, and time. The model only works when authentication is paired with policy enforcement at each request rather than treated as a one-time login event. This is the difference between identity verification and durable trust.

Practical implication: treat access policy coverage as a control-surface problem, not a login feature problem.

Device trust and why verified users can still be risky

Device trust extends Zero Trust beyond the human identity by checking whether the endpoint itself meets security standards before access is granted. OS version, patch status, encryption state, and MDM enrollment are common signals because a valid user on a compromised device can still become the entry point for data theft or session hijacking. This matters because identity assurance without device assurance leaves a major blind spot.

Practical implication: require endpoint posture checks for sensitive applications, not just for remote access.

PAM, lateral movement, and visibility gaps

Privileged Access Management is where Zero Trust often becomes most visible in practice, because standing admin rights and shared credentials create persistent high-risk exposure. The article correctly links strict privilege controls, just-in-time access, session monitoring, and auditing to reduced lateral movement. But these controls only matter if logs and monitoring actually cover the full environment, including service accounts and administrative workflows.

Practical implication: build PAM and telemetry together so privilege changes are both constrained and observable.


NHI Mgmt Group analysis

Surface-level Zero Trust is governance theatre, not risk reduction. The model only changes security posture when identity, device posture, network access, privilege, and monitoring are enforced as a single operating model. If any pillar is only applied to high-risk users or a subset of services, attackers still find broad paths through the remaining trusted surface. Practitioners should measure coverage across the whole access path, not the presence of a Zero Trust label.

Zero Trust is really a coverage problem. The article shows the common failure mode clearly: organisations adopt the language of Zero Trust while leaving broad exceptions in place. That is structurally different from an implementation gap because the programme is not just incomplete, it is selectively trusted. IAM and PAM teams should treat exception rate as a governance metric, because exceptions become the new perimeter.

Device trust and privileged access are the two places where Zero Trust becomes operationally real. Identity checks alone do not stop a compromised endpoint or an over-privileged account from becoming a breach path. Once device posture and privileged sessions are integrated into the same policy model, the programme can actually limit blast radius. Practitioners should prioritise enforcement depth over policy count.

Visibility is the control that keeps Zero Trust from becoming unverifiable policy language. The article’s emphasis on centralized logging, real-time monitoring, and anomaly detection is the right one because Zero Trust without observability cannot be audited or tuned. That matters across human identity and non-human identities alike, where access paths often outlive the original request context. Practitioners should assume that unobserved access is uncontrolled access.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • Use the 52 NHI breaches Report to see how over-privilege and poor lifecycle control translate into real compromise patterns.

What this signals

Coverage drift is the hidden failure mode in many Zero Trust programmes. Once controls stop at a subset of users or systems, the organisation still has a trusted attack surface, just with a better policy label. With 52% of security leaders saying AI decision-making power is shifting toward platform and infrastructure teams, access governance is increasingly being pushed into operational layers rather than kept as a board-level design decision.

The practical signal for practitioners is whether their Zero Trust design can answer a simple question across human and machine identities alike: who can access what, from where, under which conditions, and who can prove it later? If the answer changes by team or tool, the programme is still fragmented rather than governed.

This also reframes Zero Trust as an operating model for identity lifecycle discipline, not just an access policy architecture. Teams that cannot measure exceptions, session visibility, and privilege revocation will struggle to show that their controls are actually reducing blast radius.


For practitioners

  • Expand MFA beyond admin accounts: Enforce MFA across all access points, including routine user access and remote workflows, so the control is not reserved for the highest-risk accounts only.
  • Tie access to device posture: Require OS version, patch status, encryption, and MDM enrollment checks before sensitive applications or data can be reached from any endpoint.
  • Replace broad internal access with app-level policy: Move away from network-wide trust and grant only the specific application or service access needed for the session, which reduces lateral movement opportunities.
  • Integrate PAM with session monitoring: Use just-in-time access, automatic revocation, and auditing for privileged accounts, then connect those controls to centralized logging so privilege use is continuously visible.
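
The technical breakdown and the practitioner steps above describe one per-request decision: MFA for every identity, a device posture gate for sensitive applications, no standing privilege without a just-in-time grant, and an exception rate you can actually measure. The following is an added example written for this post, not JumpCloud's or NHIMG's code; the field names, the posture signals chosen, and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    """One access request with the identity, device and privilege signals the post lists (field names assumed)."""
    user: str
    app_sensitivity: str    # "low" or "high"
    mfa_passed: bool
    mdm_enrolled: bool
    os_patched: bool
    disk_encrypted: bool
    privileged: bool        # the request needs admin rights
    jit_grant_active: bool  # a time-bound, approved just-in-time grant exists
    policy_exception: bool  # excluded from policy: the residual "trusted surface"

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Evaluate each request in context; exceptions pass but are labelled so they stay observable."""
    if req.policy_exception:
        return "allow-by-exception", ["request bypassed policy"]
    reasons = []
    if not req.mfa_passed:                       # MFA everywhere, not only for admins
        reasons.append("mfa not satisfied")
    if req.app_sensitivity == "high":            # posture gate for sensitive apps
        posture = {"mdm": req.mdm_enrolled, "patched": req.os_patched,
                   "encrypted": req.disk_encrypted}
        failed = [k for k, ok in posture.items() if not ok]
        if failed:
            reasons.append("device posture failed: " + ", ".join(failed))
    if req.privileged and not req.jit_grant_active:  # no standing privilege
        reasons.append("privileged access requires an active JIT grant")
    return ("allow" if not reasons else "deny"), reasons

def coverage_report(requests: list[AccessRequest]) -> dict:
    """Governance metrics: how much of the access surface the policy really covers."""
    decisions = [evaluate(r)[0] for r in requests]
    excepted = decisions.count("allow-by-exception")
    return {"total": len(requests),
            "exception_rate": round(excepted / len(requests), 2),
            "denied": decisions.count("deny")}

# Constructed sample requests for this example (not real data).
SAMPLE = [
    AccessRequest("alice", "high", True, True, True, True, False, False, False),
    AccessRequest("bob", "high", True, False, True, True, False, False, False),   # unmanaged device
    AccessRequest("carol", "low", False, True, True, True, False, False, False),  # no MFA
    AccessRequest("dave", "high", True, True, True, True, True, False, False),    # standing admin
    AccessRequest("svc-backup", "high", False, False, False, False, True, False, True),  # exception
]
```

Run `coverage_report(SAMPLE)` to see the exception rate the analysis section recommends tracking as a governance metric; every `allow-by-exception` decision is a request the policy never evaluated.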

Key takeaways

  • Zero Trust fails when it is treated as a partial control set rather than a full access governance model.
  • Identity, device posture, privileged access, and visibility have to work together or attackers keep the remaining trusted paths.
  • The real test is not whether Zero Trust exists, but whether the programme can prove consistent enforcement across the whole environment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | | Core Zero Trust principles align directly with the article's access and trust model.
NIST CSF 2.0 | PR.AC-4 | Least-privilege and access enforcement are central to the article's guidance.
NIST CSF 2.0 | DE.CM-7 | Visibility and anomaly monitoring are treated as essential for enforcement.

Apply zero trust continuously across identity, device, and privilege decisions instead of at login only.


Key terms

  • Zero Trust: A security model that assumes no request is trusted by default, even inside the network. Access is granted only after identity, device, and context are verified, and that verification must continue throughout the session rather than ending at sign-in.
  • Device trust: The practice of checking whether an endpoint meets security requirements before it is allowed to access systems or data. It commonly uses signals such as patch level, encryption, operating system state, and MDM enrollment to decide whether the device is safe enough for access.
  • Privileged Access Management: The controls used to govern elevated accounts and other high-impact access. In practice, it limits standing privilege, enforces just-in-time access, monitors sessions, and records administrative activity so powerful access does not remain permanently available without oversight.
  • Conditional access: A policy approach that evaluates the circumstances of an access request before granting entry. It typically uses identity, device, location, and risk signals to decide whether access should be allowed, challenged, or blocked in a specific moment.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by JumpCloud: Where Zero Trust Falls Short and What You Can Do About It. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org