TL;DR: Mixed infrastructure breaks access models built on network location, because VPNs, jump hosts, and static firewall rules still assume trust comes from where a request originates, according to Pomerium. Identity-aware, per-request policy becomes the practical control plane for legacy, hybrid, and cloud-native environments, while old access assumptions keep creating exceptions and audit gaps.
At a glance
What this is: This is Pomerium's argument that zero trust for mixed infrastructure must shift enforcement from network location to identity- and context-based application access.
Why it matters: It matters because IAM, PAM, and NHI programmes still have to govern users, services, and agents across legacy systems, Kubernetes, cloud workloads, and SaaS with one consistent access model.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Mixed infrastructure creates an identity governance problem, not just a network design problem. When access decisions still depend on where a request comes from, teams end up compensating with VPNs, jump hosts, and static exceptions instead of enforcing policy against the actual identity and context behind the request.
Pomerium's thesis is that zero trust becomes workable across legacy, hybrid, and cloud-native environments only when access is evaluated per request at the application layer. That framing is directly relevant to IAM, PAM, and NHI governance because it treats users, service accounts, and agents as subjects of the same access-control discipline.
The issue is increasingly common in enterprises that run data centers, Kubernetes, cloud workloads, and SaaS side by side. In that environment, the real question is not whether access tools are modern enough, but whether the organisation can enforce consistent policy without relying on network trust shortcuts.
Key questions
Q: How should security teams apply zero trust in mixed infrastructure environments?
A: Security teams should enforce access at the application layer, using identity, context, and session conditions rather than network location. The practical goal is to reduce dependence on VPNs, bastions, and static firewall exceptions so that each request is evaluated consistently across legacy, hybrid, and cloud-native systems.
Q: Why do VPNs and jump hosts create governance problems in hybrid estates?
A: VPNs and jump hosts often encode location-based trust, which is too coarse for modern estates. They hide the real identity decision behind a network path, making auditability weaker and exceptions harder to govern when the same user or workload must access systems in multiple environments.
Q: What do teams get wrong about zero trust for service accounts and agents?
A: Teams often treat non-human access as an infrastructure exception instead of an identity governance problem. Service accounts and agents still need scoped, time-bound, and auditable authorisation. If their access is permanent or reused across systems, the organisation is preserving standing privilege in a new form.
Q: Who should own zero trust policy when access spans users, workloads, and agents?
A: Ownership should sit with identity, IAM, and PAM stakeholders working with platform teams, because the policy must be consistent across human and non-human subjects. If infrastructure teams own ad hoc exceptions in isolation, the organisation will keep reintroducing gaps in access governance.
Technical breakdown
Why network-bound access controls fail in mixed infrastructure
Traditional perimeter controls were designed for environments where trust could be inferred from network location. In mixed infrastructure, that assumption breaks because the same user, service, or agent may need access from a browser, a container, or a legacy host. VPNs, jump hosts, and firewall rules can still move traffic, but they do not consistently express identity, context, or purpose. The result is policy fragmentation, manual exception handling, and weak auditability. In identity terms, the control plane is detached from the actual access decision.
Practical implication: replace location-based gating with request-level identity policy for every high-risk application path.
Identity-aware gateways as an application-layer control point
An identity-aware gateway moves the enforcement point closer to the application rather than the network edge. That allows the access decision to combine identity, role, device posture, and session context before traffic reaches the target system. This pattern is especially useful in hybrid estates because it can normalize policy across Kubernetes, cloud applications, and legacy services without rewriting each application. It also creates a durable audit trail for who accessed what, when, and under which conditions, which matters for both access reviews and incident reconstruction.
Practical implication: put the policy decision at the application boundary so access remains consistent across environments.
Short-lived access for users, services, and agents
Zero trust in mixed environments works best when access is temporary and task-scoped. Short-lived SSH certificates, just-in-time access, and per-request authorisation reduce the persistence of standing privilege, which is the main driver of lateral movement in compromised environments. The same pattern can apply to backend services and AI agents that need to call internal APIs. The important point is not the transport mechanism but the lifecycle of the credential or session: if it outlives the task, the risk surface expands beyond the intended purpose.
Practical implication: prefer time-bounded access artefacts over reusable credentials wherever the workload can support it.
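As an added illustration of the two patterns above (an identity-aware decision point at the application boundary, and session lifetime treated as a policy input for users, services and agents alike), the following Python is example code written for this page; it is not Pomerium's software or its configuration format. The application names, roles, subject kinds, TTL limits and the audit-record layout are assumptions chosen for the example.

```python
"""Per-request, identity-aware access decision (illustrative, not Pomerium code).

Assumed for this example: app names, roles, subject kinds, TTL limits and
the audit-record layout. One policy table is evaluated for every request,
whether the subject is a human user, a backend service or an AI agent.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 11, 12, 0, tzinfo=timezone.utc)  # fixed clock (constructed)


@dataclass(frozen=True)
class Subject:
    """Who or what is asking; kind is "user", "service" or "agent"."""
    id: str
    kind: str
    roles: frozenset
    posture_ok: bool          # device posture for users, attested runtime for services/agents
    session_issued: datetime
    session_ttl: timedelta


@dataclass(frozen=True)
class Request:
    subject: Subject
    app: str       # target application behind the gateway
    action: str    # e.g. "read" or "admin"
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


# Each rule inspects one request and returns (passed, explanation).
def session_fresh(req):
    age = req.now - req.subject.session_issued
    if age > req.subject.session_ttl:
        return False, f"session expired: age {age} exceeds ttl {req.subject.session_ttl}"
    return True, "session within ttl"


def posture_ok(req):
    if not req.subject.posture_ok:
        return False, "device/runtime posture not compliant"
    return True, "posture compliant"


def role_required(role):
    def rule(req):
        if role not in req.subject.roles:
            return False, f"missing role {role}"
        return True, f"has role {role}"
    return rule


def max_ttl(limit):
    """Refuse sessions minted with a lifetime longer than the action tolerates,
    so a long-lived credential cannot be reused for sensitive operations."""
    def rule(req):
        if req.subject.session_ttl > limit:
            return False, f"session ttl {req.subject.session_ttl} exceeds limit {limit}"
        return True, "session ttl within limit"
    return rule


# One policy table for every subject kind; anything unlisted is denied.
POLICY = {
    "billing-api": {
        "read": [session_fresh, posture_ok, role_required("billing-reader")],
        "admin": [session_fresh, posture_ok, role_required("billing-admin"),
                  max_ttl(timedelta(hours=1))],
    },
    "legacy-erp": {
        "read": [session_fresh, posture_ok, role_required("erp-user")],
    },
}


def authorize(req):
    """Evaluate every rule for this request and record each check for audit."""
    audit = {"subject": req.subject.id, "kind": req.subject.kind, "app": req.app,
             "action": req.action, "at": req.now.isoformat(), "checks": []}
    rules = POLICY.get(req.app, {}).get(req.action)
    if rules is None:
        return Decision(False, "no policy for app/action (default deny)", audit)
    for rule in rules:
        passed, why = rule(req)
        audit["checks"].append(why)
        if not passed:
            return Decision(False, why, audit)
    return Decision(True, "all checks passed", audit)


def demo():
    """Constructed requests from a user, a service and an agent."""
    user = Subject("alice", "user", frozenset({"billing-reader"}), True,
                   NOW - timedelta(minutes=20), timedelta(hours=8))
    svc = Subject("ci-deploy", "service", frozenset({"billing-admin"}), True,
                  NOW - timedelta(days=2), timedelta(days=30))      # long-lived credential
    agent = Subject("support-agent", "agent", frozenset({"erp-user"}), True,
                    NOW - timedelta(minutes=45), timedelta(minutes=30))  # task window is over
    return {
        "user_read": authorize(Request(user, "billing-api", "read", NOW)),
        "service_admin": authorize(Request(svc, "billing-api", "admin", NOW)),
        "agent_read": authorize(Request(agent, "legacy-erp", "read", NOW)),
        "unlisted": authorize(Request(user, "hr-portal", "read", NOW)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} - {d.reason}")
```

Two details carry the page's argument: the service holding a valid 30-day credential is still refused the admin action because the action's policy caps session lifetime at one hour, and the agent whose 30-minute task window has lapsed is refused even though its role is correct. Every decision, allowed or not, returns the full list of checks so an access review or incident reconstruction can see why.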
NHI Mgmt Group analysis
Location-based trust is the wrong abstraction for mixed infrastructure. VPNs, jump hosts, and perimeter firewalls still reflect an older model in which the network edge was the main security boundary. That model fails once applications and identities are distributed across cloud, data center, Kubernetes, and SaaS. The practical conclusion is that zero trust has to be enforced where the request is made, not where the traffic enters the network.
Identity-aware access is becoming the only workable control plane for hybrid estates. Per-request policy lets teams evaluate user, service, or agent identity alongside context such as role, device posture, and session state. That matters because access decisions are no longer uniform across environments. The discipline shift is from network administration to identity governance, and that is where IAM and PAM teams need to own the architecture.
Standing privilege is the hidden debt mixed infrastructure keeps accumulating. Every exception needed to keep old systems reachable tends to become persistent access. Over time, that creates audit gaps, inconsistent enforcement, and easier lateral movement paths. The named concept here is identity blast radius: the amount of access exposed when one request path, credential, or session is overbroad. Practitioners need to reduce it before it becomes the default operating condition.
Agent and service access should be governed by the same policy logic as human access. Pomerium's framing is useful because it does not treat non-human access as a separate security island. When services or agents reach internal APIs, the question is still who or what is requesting access, under what conditions, and for how long. The implication is that identity governance can no longer stop at employee access reviews.
Zero trust is not a migration project; it is a control-model correction. Organisations do not need to replace every environment at once to begin changing the trust model. They need to stop treating mixed infrastructure as an excuse for exceptions. The lasting benefit is not just stronger control, but clearer accountability across environments that were previously managed with incompatible assumptions.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to The 2026 Infrastructure Identity Survey.
- For the control-model side of the problem, read Ultimate Guide to NHIs, Standards, for the framework backdrop behind least privilege and zero trust in NHI governance.
What this signals
Identity blast radius: mixed infrastructure programmes now need to measure how many permanent access paths remain after each exception is added. If the answer keeps growing, the organisation is modernising connectivity while preserving old trust assumptions.
The practical pressure point is not whether zero trust is endorsed in principle, but whether identity and PAM teams can remove network-based shortcuts without breaking legacy operations. That makes phased migration, policy consistency, and auditability the real operating metrics.
With 97% of NHIs carrying excessive privileges, per Ultimate Guide to NHIs, hybrid access models that tolerate standing privilege are carrying inherited risk into every environment they touch.
For practitioners
- Replace network trust shortcuts with request-level policy: Map the applications that still depend on VPNs, bastions, or firewall exceptions and move their access decisions to an identity-aware control point. Start with the systems that create the most manual approval work or the weakest audit trail.
- Scope temporary access to the task, not the environment: Use short-lived access for SSH, admin portals, and sensitive internal tools so that credentials expire when the work ends. Where services or agents need repeat access, separate authentication from authorisation and keep the authorisation window narrow.
- Unify policy for users, services, and agents: Apply the same decision model to human users and non-human identities that reach internal APIs or dashboards. That means defining identity, context, and session conditions consistently instead of giving each infrastructure layer its own exception process.
- Measure how many exceptions remain standing privilege: Track the number of persistent access paths required to keep legacy applications usable. If every migration creates a new permanent exception, the organisation is rebuilding the old perimeter in a different form.
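To make the last item measurable, here is an added example (written for this page, not code from Pomerium or NHI Mgmt Group) that takes an access-grant inventory and computes the standing-privilege count, its share of all grants, and the identity blast radius per identity, that is, how many distinct targets each identity can reach through grants that never expire. The inventory records are constructed, and the 30-day threshold for treating a long-lived grant as standing is an assumption to adapt.

```python
"""Standing privilege and identity blast radius from an access inventory.

Added example for this page; not code from Pomerium or any product. The
grant records are constructed. STANDING_DAYS is an assumed threshold:
a grant with no expiry, or one valid for longer than that, counts as
standing privilege rather than task-scoped access.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 6, 11, 12, 0, tzinfo=timezone.utc)  # fixed clock (constructed)
STANDING_DAYS = 30


@dataclass(frozen=True)
class Grant:
    identity: str
    kind: str                    # user | service | agent
    target: str                  # application or host reachable with this grant
    mechanism: str               # vpn | ssh-cert | jit | static-credential
    expires: Optional[datetime]  # None means the grant never expires


def is_standing(g, now=NOW):
    """Standing if it never expires or outlives any plausible task window."""
    if g.expires is None:
        return True
    return g.expires - now > timedelta(days=STANDING_DAYS)


def standing_privilege_report(grants, now=NOW, blast_threshold=2):
    """Summarise how much permanent access an inventory still carries."""
    standing = [g for g in grants if is_standing(g, now)]
    reach = defaultdict(set)   # identity -> distinct targets reachable via standing grants
    by_mech = defaultdict(int)  # which mechanisms the standing grants hide behind
    for g in standing:
        reach[g.identity].add(g.target)
        by_mech[g.mechanism] += 1
    radius = {ident: len(targets) for ident, targets in reach.items()}
    return {
        "total": len(grants),
        "standing_total": len(standing),
        "standing_ratio": len(standing) / len(grants) if grants else 0.0,
        "blast_radius": radius,
        "by_mechanism": dict(by_mech),
        # identities whose standing reach is wide enough to review first
        "flagged": sorted(i for i, n in radius.items() if n >= blast_threshold),
    }


# Constructed inventory: a mix of task-scoped and permanent grants.
INVENTORY = [
    Grant("alice", "user", "legacy-erp", "vpn", None),
    Grant("alice", "user", "billing-api", "jit", NOW + timedelta(hours=1)),
    Grant("bob", "user", "bastion", "ssh-cert", NOW + timedelta(hours=8)),
    Grant("ci-deploy", "service", "k8s-prod", "static-credential", None),
    Grant("ci-deploy", "service", "artifact-store", "static-credential", None),
    Grant("ci-deploy", "service", "billing-api", "static-credential", None),
    Grant("support-agent", "agent", "ticket-api", "jit", NOW + timedelta(minutes=15)),
    Grant("support-agent", "agent", "crm", "static-credential", NOW + timedelta(days=400)),
]


def demo():
    return standing_privilege_report(INVENTORY)


if __name__ == "__main__":
    report = demo()
    print(f"standing: {report['standing_total']}/{report['total']} "
          f"({report['standing_ratio']:.0%})")
    print("blast radius:", report["blast_radius"])
    print("review first:", report["flagged"])
```

Run against this inventory, the permanent VPN grant and the four static credentials make up the standing set, and the CI service is the only identity flagged, because its three non-expiring credentials reach three separate systems. Tracking the same report after each migration shows whether exceptions are being retired or quietly becoming the new perimeter.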
Key takeaways
- Mixed infrastructure exposes the weakness of network-based trust models because identity, context, and location are no longer aligned.
- Hybrid zero trust succeeds when access is evaluated per request at the application layer, not when teams preserve perimeter-era exceptions.
- IAM, PAM, and NHI governance need the same policy logic across users, services, and agents if organisations want consistent auditability and reduced lateral movement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust policy enforcement at the application layer fits this mixed infrastructure access model. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access across users and services is the central governance issue in the article. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Service accounts and agent access in hybrid estates need explicit identity governance and scoping. |
Move access decisions to request-level policy and verify identity and context before allowing application traffic.
Key terms
- Identity-Aware Access Gateway: An identity-aware access gateway is a control point that evaluates who is requesting access, under what context, before traffic reaches the target application. In mixed environments, it replaces coarse network trust with request-level policy and produces auditable access decisions across legacy and cloud systems.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed for a specific task. In hybrid infrastructure, it often appears as permanent VPN access, long-lived SSH rights, or reusable service credentials that expand the attack surface and complicate reviews.
- Identity Blast Radius: Identity blast radius is the amount of access exposed when a single identity, session, or credential is overbroad. The term is useful for understanding how quickly a misplaced permission or persistent exception can spread risk across multiple applications and environments.
- Per-Request Authorisation: Per-request authorisation means each access attempt is evaluated individually against identity, context, and policy rather than being accepted once and reused. This model is central to zero trust because it keeps access decisions current and limits the lifetime of trust.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Pomerium: How Pomerium Brings Zero Trust to Legacy, Hybrid, and Cloud-Native Environments. Read the original.
Published by the NHIMG editorial team on 2025-06-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org