By NHI Mgmt Group Editorial Team
Published 2025-09-22
Domain: Governance & Risk
Source: JumpCloud

TL;DR: Most organisations that claim to have “done” Zero Trust still leave major gaps in identity, device, network, privileged access, and visibility, according to JumpCloud. The gap is not the framework itself but the tendency to stop after MFA and conditional access, leaving governance incomplete and client risk unresolved.


At a glance

What this is: A Zero Trust gap analysis walkthrough showing how to identify incomplete coverage across core control areas and turn that into a practical conversation about security maturity.

Why it matters: For IAM and security teams, it reinforces that Zero Trust only works when identity, privileged access, device posture, network access, and visibility are assessed together rather than as isolated projects.

By the numbers:

  • The majority of IT professionals expect their engagements to dive more into strategic IT planning (58%) and expand into new service areas (53%).



Context

Zero Trust is not a single control or product. It is an operating model built on continuous verification, least privilege, and explicit governance across identity, devices, access, and visibility. The problem in most programmes is not adoption of the label, but stopping after the easiest front-end controls and leaving the rest of the control plane unevenly applied.

That gap matters because identity security does not live in one layer. Human access, privileged access, and non-human access all shape whether Zero Trust is real or performative. A checklist that scores only partial implementation can expose where the programme has drifted from architecture into marketing language.


Key questions

Q: How should organisations use a Zero Trust gap analysis in practice?

A: Use it as a governance tool to identify which control families are incomplete, who owns them, and what to remediate first. The value is not in the score itself but in making identity, privileged access, device posture, network, and visibility measurable in one view.

Q: Why do MFA and conditional access not equal Zero Trust?

A: Because they only address the first trust decision, the one made at sign-in. Zero Trust also requires entitlement control, device trust, privilege restriction, and ongoing visibility; otherwise a successful login can still lead to excessive access and weak accountability.

Q: What breaks when Zero Trust stops at the authentication layer?

A: The organisation loses the ability to prove that access was appropriate, bounded, and still valid after context changes. That leaves unmanaged devices, shadow IT, and over-privilege outside the protection model even when the front door is strongly secured.

Q: Which identity controls matter most in a Zero Trust programme?

A: Identity governance, privileged access, and runtime visibility are the controls that determine whether Zero Trust is real or just sign-in hardening. If those controls are not aligned, the programme can authenticate users while still failing to constrain what they can do.


Technical breakdown

Identity, device, network, privileged access, and visibility as a control set

Zero Trust only functions when these five areas are treated as interdependent controls rather than separate workstreams. Identity establishes who or what is requesting access, device posture tells you whether the endpoint can be trusted, network controls constrain reach, privileged access limits blast radius, and visibility provides the evidence needed to verify decisions over time. If one of these is missing, the model degrades into partial trust with no consistent enforcement. The practical value of a gap map is that it shows where the architecture is structurally incomplete, not just where one team has a backlog.

Practical implication: Use a shared control map to find the weakest link before expanding policy enforcement.

Why MFA and conditional access are not Zero Trust by themselves

MFA and conditional access are useful entry controls, but they do not solve privilege scope, unmanaged devices, shadow IT, or blind spots in monitoring. In practice, many organisations interpret successful login as successful security, which confuses authentication with authorisation and continuous validation. Zero Trust requires that trust be re-evaluated across the session and across the control plane, not only at the point of sign-in. The gap analysis approach is useful because it makes that distinction visible to business stakeholders who may otherwise assume the programme is finished.

Practical implication: Do not treat login hardening as proof that the rest of the access model is sound.
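To make the distinction between sign-in hardening and continuous validation concrete, here is an added example (written for this summary, not code from JumpCloud or from the gap analysis map) of a minimal policy decision point that re-evaluates every request instead of trusting the login decision. The identities, device posture values, entitlements and the two policy thresholds are constructed assumptions; nothing here comes from the original guide.

```python
"""Added example, not code from JumpCloud or the gap analysis map: a minimal
policy decision point that re-evaluates trust on every request rather than
only at sign-in. Identities, devices, entitlements and thresholds are
constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds (not from the original guide).
MAX_POSTURE_AGE = timedelta(hours=1)             # device check-in must be this recent
MAX_PRIVILEGED_AUTH_AGE = timedelta(minutes=15)  # privileged use needs fresh auth


@dataclass
class Session:
    subject: str
    kind: str                 # "human" or "nhi" (service account, workload)
    mfa_verified: bool
    authenticated_at: datetime


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    last_checkin: datetime


@dataclass
class Entitlement:
    resource: str
    privileged: bool
    expires_at: datetime      # access reviews set an expiry; nothing is permanent


def evaluate(session: Session, device: Optional[DevicePosture],
             entitlement: Optional[Entitlement], resource: str,
             now: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every check runs on every request, so a
    session that was allowed at login is denied once context changes."""
    reasons: list[str] = []

    # 1. Authentication: the only decision an MFA-plus-conditional-access
    #    programme makes. Non-human identities authenticate by other means.
    if session.kind == "human" and not session.mfa_verified:
        reasons.append("mfa_required")

    # 2. Authorisation: an explicit, unexpired entitlement to this resource.
    if entitlement is None or entitlement.resource != resource:
        reasons.append("no_entitlement")
    elif entitlement.expires_at <= now:
        reasons.append("entitlement_expired")

    # 3. Device trust, re-checked each time (posture can decay mid-session).
    if session.kind == "human":
        if device is None or not device.managed:
            reasons.append("unmanaged_device")
        elif not device.disk_encrypted:
            reasons.append("device_posture_failed")
        elif now - device.last_checkin > MAX_POSTURE_AGE:
            reasons.append("stale_device_posture")

    # 4. Privilege boundary: privileged entitlements need fresh authentication.
    if (entitlement is not None and entitlement.privileged
            and now - session.authenticated_at > MAX_PRIVILEGED_AUTH_AGE):
        reasons.append("privileged_reauth_required")

    return (not reasons, reasons)


def decision_record(session: Session, resource: str, now: datetime,
                    allowed: bool, reasons: list[str]) -> dict:
    """The visibility layer: one structured record per decision, so an
    investigator can later show who accessed what, when, and why."""
    return {"ts": now.isoformat(), "subject": session.subject, "kind": session.kind,
            "resource": resource, "allowed": allowed, "reasons": reasons}


def scenarios() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios: the same session evaluated as context changes."""
    t0 = datetime(2025, 9, 22, 12, 0, tzinfo=timezone.utc)
    alice = Session("alice", "human", mfa_verified=True, authenticated_at=t0 - timedelta(minutes=5))
    laptop = DevicePosture(managed=True, disk_encrypted=True, last_checkin=t0 - timedelta(minutes=10))
    payroll = Entitlement("payroll-db", privileged=False, expires_at=t0 + timedelta(hours=1))
    admin = Entitlement("payroll-db", privileged=True, expires_at=t0 + timedelta(hours=1))
    svc = Session("svc-payroll-sync", "nhi", mfa_verified=False, authenticated_at=t0)
    return {
        # Strong login, managed device, valid entitlement: allowed.
        "login_ok": evaluate(alice, laptop, payroll, "payroll-db", t0),
        # Same session two hours later: entitlement lapsed and posture is stale.
        "same_session_later": evaluate(alice, laptop, payroll, "payroll-db", t0 + timedelta(hours=2)),
        # Privileged entitlement with a 30-minute-old authentication: step-up needed.
        "privileged_stale_auth": evaluate(Session("alice", "human", True, t0 - timedelta(minutes=30)),
                                          laptop, admin, "payroll-db", t0),
        # Workload with a scoped entitlement: allowed without MFA or device posture.
        "nhi_in_scope": evaluate(svc, None, payroll, "payroll-db", t0),
        # Same workload reaching for a resource outside its entitlement: denied.
        "nhi_out_of_scope": evaluate(svc, None, payroll, "hr-api", t0),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in scenarios().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY':5} {reasons}")
```

The point of the example is the second scenario: nothing about the user's login changed, yet the request is denied because the entitlement expired and the device posture went stale. An MFA-only model has no place to make that decision, and `decision_record` is what gives the visibility layer something to show an investigator beyond "login succeeded".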

Readiness scoring as a governance tool, not a technical audit

A readiness score is only useful if it drives decisions about investment, sequencing, and accountability. The technical value is in turning qualitative answers such as “fully implemented”, “partially in progress”, or “not in place” into an actionable view of where risk concentrates. That makes the tool less about configuration and more about governance maturity. For MSPs and internal teams alike, the score becomes a way to prioritise the next control family that needs attention rather than arguing over whether Zero Trust is already “done”.

Practical implication: Use the score to prioritise remediation and budget conversations, not as a compliance badge.
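As an added example of what a gap map looks like once it is machine-readable (this is illustrative code for this summary, not JumpCloud's worksheet or scoring method), the block below scores the five control families across three identity classes and produces a remediation order that puts structurally missing controls ahead of uneven coverage and ordinary backlog. The map contents, owner names, score weights and the three gap kinds are constructed assumptions.

```python
"""Added example, not JumpCloud's worksheet: a machine-readable Zero Trust gap
map scored per control family and per identity class, with a remediation
order that puts structurally missing controls ahead of backlog items.
The map contents, owners, weights and gap kinds are constructed assumptions."""
from statistics import mean

STATUS_SCORE = {"fully_implemented": 1.0, "partially_in_progress": 0.5, "not_in_place": 0.0}
FAMILIES = ("identity", "device", "network", "privileged_access", "visibility")
IDENTITY_CLASSES = ("human", "privileged", "nhi")

# Constructed sample answers: status of each control family for each identity class.
GAP_MAP = {
    "identity":          {"owner": "IAM",      "human": "fully_implemented",     "privileged": "partially_in_progress", "nhi": "not_in_place"},
    "device":            {"owner": "Endpoint", "human": "partially_in_progress", "privileged": "partially_in_progress", "nhi": "not_in_place"},
    "network":           {"owner": "NetSec",   "human": "fully_implemented",     "privileged": "fully_implemented",     "nhi": "partially_in_progress"},
    "privileged_access": {"owner": "IAM",      "human": "partially_in_progress", "privileged": "fully_implemented",     "nhi": "not_in_place"},
    "visibility":        {"owner": "SecOps",   "human": "partially_in_progress", "privileged": "not_in_place",          "nhi": "not_in_place"},
}


def score(status: str) -> float:
    """Map a worksheet answer to a number; reject anything outside the vocabulary."""
    try:
        return STATUS_SCORE[status]
    except KeyError:
        raise ValueError(f"unknown status {status!r}; use one of {sorted(STATUS_SCORE)}") from None


def validate(gap_map: dict) -> None:
    """A map with a missing cell is not 'partially done', it is unanswered."""
    missing = [(f, c) for f in FAMILIES for c in IDENTITY_CLASSES if c not in gap_map.get(f, {})]
    if missing:
        raise ValueError(f"gap map incomplete: {missing}")


def family_coverage(gap_map: dict, family: str) -> float:
    """Mean score of one control family across all identity classes."""
    return mean(score(gap_map[family][c]) for c in IDENTITY_CLASSES)


def class_coverage(gap_map: dict, identity_class: str) -> float:
    """Mean score of one identity class across all control families:
    shows whether NHI or privileged access lags human access."""
    return mean(score(gap_map[f][identity_class]) for f in FAMILIES)


def gap_kind(gap_map: dict, family: str) -> str:
    """structural: no identity class has the control fully implemented
    uneven:     fully implemented for some class, absent for another
    backlog:    at least partially in place everywhere"""
    scores = [score(gap_map[family][c]) for c in IDENTITY_CLASSES]
    if max(scores) < 1.0:
        return "structural"
    if min(scores) == 0.0:
        return "uneven"
    return "backlog"


def remediation_order(gap_map: dict) -> list[tuple[str, str, str, float]]:
    """Rank families: structural gaps first, then uneven, then backlog;
    within a kind, lowest coverage first. Returns (family, kind, owner, coverage)."""
    validate(gap_map)
    rank = {"structural": 0, "uneven": 1, "backlog": 2}
    rows = [(f, gap_kind(gap_map, f), gap_map[f]["owner"], family_coverage(gap_map, f))
            for f in FAMILIES]
    return sorted(rows, key=lambda r: (rank[r[1]], r[3], r[0]))


if __name__ == "__main__":
    for family, kind, owner, cov in remediation_order(GAP_MAP):
        print(f"{family:18} {kind:10} owner={owner:9} coverage={cov:.2f}")
    for c in IDENTITY_CLASSES:
        print(f"{c:10} class coverage={class_coverage(GAP_MAP, c):.2f}")
```

Two design choices matter here. The `gap_kind` split separates a control that exists nowhere end-to-end (structural) from one that one team simply has not extended to another identity class (uneven), which is the distinction the gap map is meant to surface. And `class_coverage` gives the per-identity-class view, so a map where human access scores well but NHI access is almost entirely "not in place" is reported as such rather than averaged away.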


Threat narrative

Attacker objective: Exploit the organisation's false sense of Zero Trust maturity to reach sensitive systems through ungoverned gaps.

  1. Entry occurs when users or organisations assume MFA and conditional access mean the environment is already protected, allowing unresolved control gaps to persist unnoticed.
  2. Escalation follows when unmanaged devices, shadow IT, or missing monitoring leave access paths and privilege boundaries weakly governed.
  3. Impact is broader exposure and reduced resilience because the programme lacks complete verification across identity, access, and visibility.



NHI Mgmt Group analysis

Zero Trust gap analysis is really identity governance triage. The useful part of the map is not the worksheet itself but the way it forces organisations to confront whether identity, privileged access, device trust, network control, and visibility are being governed as one system. Programmes that only harden login are not operating Zero Trust; they are operating partial trust with better branding. The practitioner implication is to treat the gap map as an inventory of governance debt, not a maturity score.

Zero Trust stalls when teams mistake authentication for authorisation. MFA can reduce account takeover risk, but it does not answer whether the identity should have had access in the first place or whether that access should persist after context changes. That is why the control discussion must extend beyond sign-in to entitlement scope, privileged pathways, and runtime visibility. The practitioner implication is to re-evaluate access governance wherever the programme stops at the login layer.

Identity, privileged access, and device posture need to be measured together or the model fractures. Separating them into different projects creates assurance gaps because each control assumes the others are doing compensating work. That assumption is weak in real environments where unmanaged devices, shadow IT, and uneven access review cycles all coexist. The practitioner implication is to use one cross-domain governance view for human, NHI, and privileged access rather than three disconnected checklists.

Readiness scoring is valuable only when it drives the next control decision. A dashboard that highlights gaps but does not change sequencing, ownership, or funding is theatre. The article’s strongest contribution is that it frames Zero Trust as an ongoing business conversation about risk concentration, not a binary implementation status. The practitioner implication is to anchor the programme in measurable control coverage and explicit remediation ownership.

From our research:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials.
  • For the adjacent governance model, read Ultimate Guide to NHIs, Key Challenges and Risks for the access sprawl patterns that often sit behind incomplete Zero Trust programmes.

What this signals

Zero Trust programmes are increasingly being judged on whether they cover non-human access as thoroughly as human access. When 88.5% of organisations already say their non-human IAM lags human IAM, the gap is no longer theoretical. The practical signal is that any Zero Trust roadmap that ignores service accounts, API keys, and workload identities will leave the most automated parts of the environment outside the control model.

Gap analysis will matter more as buyers shift from tool deployment to governance proof. The real question is not whether MFA or conditional access exists, but whether access can be justified, reviewed, and continuously constrained across identity classes. That is why Zero Trust maturity increasingly needs evidence from lifecycle controls, privileged access reviews, and workload identity governance rather than only authentication telemetry.

Identity blast radius: the next phase of Zero Trust maturity will be measured by how tightly access is bounded when a control fails, not by how many controls are enabled. Teams that can show constrained privilege, scoped access, and high-fidelity visibility will be able to defend their architecture with evidence instead of claims.


For practitioners


Key takeaways

  • Zero Trust fails in practice when organisations stop at MFA and conditional access and leave deeper governance gaps unresolved.
  • The strongest evidence here is not technical complexity but programme incompleteness across identity, privilege, device trust, network control, and visibility.
  • Teams should use gap analysis to prioritise remediation, assign ownership, and extend Zero Trust to human, NHI, and privileged access paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-207 (Zero Trust Architecture) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1, Tenets of Zero Trust (per-session access decisions, dynamic policy, continuous monitoring of asset and identity state) | Zero Trust depends on continuous access validation across identity and privilege, not a one-time sign-in decision.
NIST CSF 2.0 | PR.AA-01 (identities and credentials for users, services and hardware are managed); PR.AA-05 (access permissions and entitlements are managed, enforced and reviewed under least privilege) | The article is about proving identity and access governance across control areas.
OWASP Non-Human Identity Top 10 (2025) | NHI5:2025 Overprivileged NHI | The post's gaps include privileged and non-human access that often stay unreviewed and over-scoped.

Validate access continuously and align entitlements to least privilege across sessions.


Key terms

  • Zero Trust gap analysis: A structured review of where a Zero Trust programme is incomplete, inconsistent, or only partially enforced. It looks across identity, device, network, privileged access, and visibility to show where trust is still being granted implicitly instead of continuously validated.
  • Privilege boundary: The point at which access should stop, narrow, or require additional verification. In a mature identity programme, privilege boundaries are defined by role, context, and task scope rather than by convenience or historic access patterns.
  • Visibility control: A control that shows who or what accessed which resource, when, and under what conditions. Visibility is not the same as logging volume. It is the evidence layer that lets teams verify policy enforcement and investigate whether access was appropriate.
  • Non-human identity: A digital identity used by software, workloads, services, or automated systems rather than a person. These identities often operate with long-lived secrets or broad permissions, which makes lifecycle management, scope control, and monitoring essential to Zero Trust.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by JumpCloud: Zero Trust gap analysis map for identifying programme blind spots. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org