Zero Trust identity continuity when the network goes dark

At a glance

What this is: This is an analysis of how Zero Trust assumptions fail in disconnected, denied, intermittent, and low-bandwidth environments, with identity continuity framed as the missing control.

Why it matters: It matters because IAM, NHI, and access governance programmes often assume constant connectivity, yet operations in the field, at the edge, or during outages still need secure authentication and authorization.

By the numbers:

• 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
• Only 5.7% of organisations have full visibility into their service accounts.
• 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.

👉 Read Strata Identity's analysis of Zero Trust identity continuity in DDIL environments

Context

Zero Trust assumes that identity services are reachable when authentication and authorization decisions are needed. In DDIL environments, that assumption breaks because the identity provider may be unreachable, degraded, or intermittently available, which leaves users unable to verify access in the moment it is required.

For identity programmes, the issue is not just uptime. It is continuity of trust decisions across human, NHI, and operational workflows when the network cannot support a live round trip to the central identity stack. That is why continuity at the identity layer matters for field operations, edge environments, and outage recovery.

The article’s starting position is typical for organisations that have built Zero Trust around cloud connectivity first and resilience second. The gap appears when access must continue under failure conditions rather than ideal network conditions.

Key questions

Q: How should teams keep Zero Trust working when identity services are unreachable?

A: Teams should design continuity paths that preserve authentication and authorization when the primary identity provider is down. That usually means defining failover behaviour for critical sessions, pre-approved edge controls, and lifecycle processes that still enforce accountability during degraded connectivity. If users can only stay productive by bypassing identity controls, Zero Trust has failed at the moment it is needed most.

Q: Why do DDIL conditions create so much identity risk?

A: DDIL conditions create identity risk because they remove the live verification loop that many Zero Trust programmes depend on. When authentication cannot complete, users and administrators often improvise with shared accounts, delayed approvals, or exception-based access. That behaviour widens the attack surface and turns an outage into a governance failure, not just an availability issue.

Q: What breaks when access decisions require constant cloud connectivity?

A: What breaks is the assumption that every access event can be verified in real time. In disconnected or low-bandwidth conditions, the access decision chain can stall, forcing teams to choose between blocking work entirely or allowing unsafe workarounds. Either outcome weakens the security model unless continuity has been designed into the identity fabric.

Q: Who is accountable when users bypass identity controls during an outage?

A: Accountability stays with the organisation that designed the control model, not with the outage itself. If teams expect users in the field, on the edge, or in recovery operations to improvise, then the governance gap is architectural. Frameworks such as Zero Trust and lifecycle governance should define who approves continuity exceptions, how they are logged, and when they are revoked.

Technical breakdown

Why Zero Trust breaks in DDIL environments

Zero Trust depends on continuous verification, but DDIL conditions interrupt the identity transaction itself. If the identity provider cannot be reached, the access control engine cannot complete the normal authenticate, authorize, and enforce sequence. That means policies may still exist on paper while enforcement becomes inconsistent in practice. The problem is especially visible in field operations, remote industrial sites, and disaster response scenarios where users need to keep working despite degraded connectivity. In those cases, authentication availability becomes part of the security model, not just an infrastructure concern.

Practical implication: map which access decisions fail when the identity provider is unreachable, and define continuity paths for those exact workflows.

Identity continuity and session persistence

Identity continuity is the ability to preserve trusted access decisions even when the primary identity service is unavailable. That can include session handoff, alternate identity paths, or edge-based authorization logic that keeps controls intact without forcing users to reauthenticate mid-mission. The goal is not to bypass Zero Trust, but to keep verification and authorization from collapsing under network loss. Without continuity, teams compensate manually, and those workarounds often create the very risk Zero Trust was meant to remove.

Practical implication: test whether critical sessions survive provider failover without falling back to shared credentials or ad hoc access exceptions.

Joiner, mover, and leaver processes at the edge

Lifecycle governance does not stop in disconnected conditions. New users, temporary responders, contractors, and allies still need controlled onboarding, and departures still need access removal even if the network is unstable. DDIL makes lifecycle gaps more dangerous because administrators may delay changes until connectivity returns, extending the window of exposure. That is a classic governance failure, not a technology inconvenience, because identity state and operational state drift apart.

Practical implication: maintain an offboarding and access-change process that can execute when central connectivity is degraded, not only when the environment is fully online.

Threat narrative

Attacker objective: The attacker aims to use outage conditions to bypass identity checks, widen access, and move into sensitive systems while controls are degraded.

1. Entry occurs when normal access depends on live connectivity to the identity provider and that connectivity is lost or degraded in a DDIL environment.
2. Escalation follows when users improvise with shared credentials, manual workarounds, or delayed enforcement that weakens separation of duties.
3. Impact appears as privilege escalation, credential theft, or insider abuse during the outage window, while Zero Trust controls are temporarily absent.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Identity continuity is now a Zero Trust requirement, not an optional resilience feature. Zero Trust that only works when cloud identity is reachable is not continuous Zero Trust. In DDIL conditions, the control plane itself becomes part of the attack surface because authentication availability determines whether policy can execute. Practitioners should treat continuity as a core design criterion, not a backup concern.

Zero Trust assumptions built on live round trips to the identity provider fail in disconnected operations. Those assumptions were designed for stable networks and human-paced login flows. They fail when the operating environment is intermittent because access decisions cannot depend on a deterministic return path to the IdP. The implication is that identity governance must be designed around degraded-state execution, not just steady-state policy.

Identity continuity should be treated as a governance pattern across human, NHI, and operational access. The same failure mode appears when a service account, operator, or responder loses the ability to complete an access transaction during a network outage. That makes continuity a cross-domain identity issue, not only a field-mobility issue. Practitioners should align resilience planning with identity governance, access control, and lifecycle state.

DDIL exposes a procedural weakness as much as a technical one. When users cannot authenticate cleanly, they improvise with shared accounts, delayed approvals, or informal exception handling. Those behaviours are not edge cases, they are predictable responses to broken access continuity. The practical conclusion is that governance must absorb outage conditions before users invent their own controls.

Identity continuity is the named control gap this article exposes. The gap is the inability to preserve secure authentication and authorization when the network is down. That gap matters because organisations often treat availability as infrastructure and trust as identity, when DDIL proves they are the same control problem. Practitioners should rethink access assurance as a continuity discipline.

From our research:

• 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
• 52 NHI Breaches Analysis shows how exposure windows persist when identity governance cannot keep pace with operational change.

What this signals

DDIL should be treated as a governance stress test for Zero Trust, not a niche military edge case. The organisations most exposed are the ones that have built identity assurance around uninterrupted connectivity and assume the access transaction will always complete before the user needs to act.

Identity continuity: the ability to preserve trusted access decisions during degraded connectivity is becoming a board-level resilience issue. For programmes that depend on cloud identity, continuity planning now sits alongside access policy, failover design, and incident response.

The next maturity step is to connect resilience engineering with identity lifecycle governance. If joiner, mover, and leaver actions cannot be enforced when the network is impaired, the organisation is not operating Zero Trust continuously, only conditionally.

For practitioners

• Define critical DDIL access paths Identify the roles, applications, and mission workflows that must keep operating when the identity provider is unreachable, then document the minimum trusted access model for each one.
• Test session continuity under failover Run exercises that switch identity services mid-session and verify whether users remain authenticated without falling back to shared credentials or manual overrides.
• Harden lifecycle changes for degraded states Ensure joiner, mover, and leaver actions can still be approved, recorded, and enforced when connectivity is intermittent, including temporary responders and contractors.
• Eliminate informal outage workarounds Replace handwritten passwords, shared logins, and delayed revocation habits with documented continuity procedures that preserve accountability during outages.

Key takeaways

• Zero Trust that depends on always-on connectivity is not resilient enough for DDIL operations.
• Outage conditions push users toward workarounds that weaken authentication, authorization, and accountability.
• Identity continuity must be designed as a core governance capability across field, edge, and recovery scenarios.

Key terms

• Identity continuity: Identity continuity is the ability to preserve authentication, authorization, and session state when the primary identity service is unavailable. In practice, it keeps trust decisions intact during outages, edge operations, and disconnected conditions so users do not revert to unsafe workarounds.
• DDIL environment: A DDIL environment is one that is disconnected, denied, intermittent, or low-bandwidth. These conditions break the normal dependency on real-time identity provider access, so security teams must design for degraded connectivity rather than assume a stable network path.
• Session persistence: Session persistence is the control that keeps a user or workload authenticated across service failover or temporary network loss. For identity governance, it is not a convenience feature. It is the mechanism that prevents users from losing access and improvising with weaker controls.
• Zero Trust continuity: Zero Trust continuity is the operational pattern of enforcing verify and authorize principles even when the network cannot support normal cloud-based checks. It extends Zero Trust from an ideal-state policy model into a degraded-state control model that still preserves accountability.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Strata Identity: Identity Continuity Zero Trust in the dark, securing missions when the network goes down. Read the original.