TL;DR: Hybrid work amplified access sprawl, dormant accounts, third-party credentials, and lateral movement risk, and RSA Security’s updated analysis argues that identity governance and administration must close the post-authentication gap before those permissions compound into breach paths. The governance challenge is no longer proving identity at login, but continuously proving access is still justified.
At a glance
What this is: This is an RSA Security blog update arguing that hybrid work makes post-authentication identity governance the critical control point, with access sprawl and dormant accounts creating breach-ready conditions.
Why it matters: IAM and NHI practitioners need to treat access reviews, de-provisioning, and contextual enforcement as core security controls, not administrative follow-up.
👉 Read RSA Security’s analysis of zero trust identity governance in hybrid workplaces
Context
Hybrid work changed the access problem from perimeter defense to continuous entitlement control. Once users connect from many locations and devices, the key question becomes whether access should still exist for this identity, this resource, and this context. For IAM and NHI governance teams, that is a lifecycle question, not just an authentication question.
RSA Security’s updated analysis uses dormant accounts, third-party access, and lateral movement to show why post-authentication controls matter more than ever. The underlying pattern is familiar to anyone managing service accounts, API credentials, or human identities in distributed environments: access gets granted quickly, then outlives its purpose unless governance is automated and continuously enforced.
Key questions
Q: How should security teams manage dormant access in hybrid environments?
A: Security teams should tie access removal to role change, leave events, and inactivity thresholds, then verify that revocation reaches every connected system. Dormant access is dangerous because it remains valid long after business need ends. The control objective is to shorten the time between identity change and privilege removal across all platforms.
Q: Why do over-provisioned accounts increase lateral movement risk?
A: Over-provisioned accounts give attackers more legitimate paths after a single compromise. Once one credential is valid, broad permissions let the attacker move deeper without needing to escalate through obvious exploit chains. Least privilege matters because it limits how far valid access can travel before it hits a boundary.
Q: What do organisations get wrong about zero trust in hybrid work?
A: Many teams treat zero trust as a network access project instead of an identity governance model. That mistake leaves stale permissions, unmanaged contractors, and weak revocation processes in place. Zero trust only reduces risk when access is continuously verified and the identity lifecycle is actively managed.
Q: How can teams tell whether access governance is actually working?
A: Look for short revocation times, low rates of stale entitlements, and repeatable access review outcomes across systems. If accounts remain active after role changes or offboarding, governance is not effective. Good measurement focuses on whether access is removed when it stops being justified.
Technical breakdown
Why post-authentication governance fails in hybrid environments
Authentication answers who is at the door. Identity governance answers whether the person, workload, or partner should still be allowed in after the door opens. In hybrid environments, that distinction matters because access is spread across VPNs, SaaS, cloud consoles, and on-premises systems, each with different policy and review cycles. When those systems are not unified, entitlement drift becomes invisible and dormant access persists. The technical failure is not just weak login security. It is the absence of a control plane that can continuously reconcile identity, role, context, and resource entitlement across environments.
Practical implication: Practitioners should treat post-authentication controls as a separate governance layer and measure whether access decisions are continuously revalidated.
How entitlement drift and dormant accounts expand blast radius
Entitlement drift occurs when users accumulate permissions they no longer need. Dormant accounts persist when identities are not revoked promptly after role changes or departure. Both problems turn valid credentials into standing trust, which attackers can abuse without breaking authentication. In practice, the blast radius grows because legitimate access is more credible than malicious login attempts, and revocation gaps are rarely visible until after an incident. The Colonial Pipeline case is a clear example of how unused access can become a foothold. For NHI environments, the same pattern appears in orphaned service accounts and stale API credentials.
Practical implication: Inventory, classify, and revoke unused identities quickly, then tie de-provisioning to role change and offboarding events.
RBAC, ZTNA, and continuous access reviews as control layers
RBAC reduces variance by assigning permissions through roles instead of individual exceptions. Continuous access reviews test whether those roles still match business need. ZTNA adds contextual verification so access is not granted simply because a user is on a trusted network. Used together, these controls reduce implicit trust and make lateral movement harder even if one account is compromised. The architecture only works when policy is enforced consistently across users, contractors, and technical identities. Without that consistency, zero trust becomes a label rather than a control model.
Practical implication: Align RBAC, review cadence, and ZTNA policy so no identity type can bypass least-privilege enforcement.
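The control layering described above, as an added example that is not code from RSA Security or NHIMG: a per-request access decision that first checks role entitlement, then applies per-resource context requirements (device posture, MFA, session age), so a valid login reaches only the resources its role and context justify. Network location is deliberately never consulted, which is the ZTNA point. Role names, resource tiers, thresholds and the sample requests are all constructed for illustration; the same function is applied to human, contractor and service identities so no identity type bypasses it (the "Constrain lateral movement with contextual policy" item further down describes the same control).

```python
"""Added example (not RSA Security's or NHIMG's code): entitlement check plus
contextual policy per resource. All roles, resources and thresholds are
constructed for illustration."""
from dataclasses import dataclass

# Hypothetical RBAC table: role -> resources that role may reach.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-reporting"},
    "finance-admin": {"erp-reporting", "erp-admin"},
    "contractor-dev": {"ci-pipeline"},
    "ci-runner": {"ci-pipeline", "artifact-store"},   # non-human identity
}

# Constructed per-resource context requirements; sensitive tiers demand more.
RESOURCE_POLICY = {
    "erp-reporting":  {"mfa": True,  "managed_device": False, "max_session_min": 480},
    "erp-admin":      {"mfa": True,  "managed_device": True,  "max_session_min": 60},
    "ci-pipeline":    {"mfa": True,  "managed_device": False, "max_session_min": 240},
    "artifact-store": {"mfa": False, "managed_device": False, "max_session_min": 60},
}


@dataclass
class Request:
    identity: str
    roles: set
    resource: str
    mfa: bool
    managed_device: bool
    session_age_min: int
    on_corp_network: bool
    active: bool = True          # False once offboarded or disabled


def decide(req):
    """Return (decision, reason) where decision is 'allow', 'deny' or 'step-up'."""
    if not req.active:
        return "deny", "identity disabled"
    pol = RESOURCE_POLICY.get(req.resource)
    if pol is None:
        return "deny", "unknown resource (default deny)"
    # Entitlement first: some held role must grant this resource.
    # req.on_corp_network is intentionally unused; being on the network
    # is not an entitlement.
    if not any(req.resource in ROLE_ENTITLEMENTS.get(r, set()) for r in req.roles):
        return "deny", "no role grants this resource"
    if pol["managed_device"] and not req.managed_device:
        return "deny", "resource requires a managed device"
    if pol["mfa"] and not req.mfa:
        return "step-up", "MFA required for this resource"
    if req.session_age_min > pol["max_session_min"]:
        return "step-up", "session older than the resource's maximum; re-authenticate"
    return "allow", "entitled and context satisfied"


def run_samples():
    """Constructed requests; returns {label: (decision, reason)}."""
    base = dict(mfa=True, managed_device=False, session_age_min=30, on_corp_network=False)
    reqs = {
        "analyst->reporting": Request("bob", {"finance-analyst"}, "erp-reporting", **base),
        "analyst->admin": Request("bob", {"finance-analyst"}, "erp-admin", **base),
        # On the corporate network but on an unmanaged laptop: still denied.
        "admin->admin,corp-net,unmanaged": Request(
            "alice", {"finance-admin"}, "erp-admin", **{**base, "on_corp_network": True}),
        "admin->admin,managed,old-session": Request(
            "alice", {"finance-admin"}, "erp-admin",
            **{**base, "managed_device": True, "session_age_min": 90}),
        "ci-runner->artifacts,no-mfa": Request(
            "svc-ci", {"ci-runner"}, "artifact-store", **{**base, "mfa": False}),
        "ci-runner->reporting": Request("svc-ci", {"ci-runner"}, "erp-reporting", **base),
        "offboarded-contractor->ci": Request(
            "dan", {"contractor-dev"}, "ci-pipeline", **base, active=False),
    }
    return {label: decide(r) for label, r in reqs.items()}


if __name__ == "__main__":
    for label, (decision, reason) in run_samples().items():
        print(f"{label:40} {decision:8} {reason}")
```

The ordering matters: the entitlement check runs before any context check, so a contextually perfect request from an identity with no role for the resource is still denied, and a step-up is only ever offered to an identity that is already entitled.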
Threat narrative
Attacker objective: The attacker’s objective is to turn stale or overbroad access into broader network reach while appearing to use legitimate credentials.
- Entry via a dormant VPN account or other stale credential that was left active after a role change or departure.
- Escalation through over-provisioned permissions and weak access boundaries that let a valid account reach additional systems.
- Impact through lateral movement into internal resources, where legitimate access can be used to deepen compromise without triggering obvious login failures.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Post-authentication governance is the real control gap in hybrid work. Identity proof at login is necessary but insufficient once access is granted across cloud, SaaS, VPN, and on-premises systems. When entitlement decisions are disconnected from role changes and resource context, the control failure compounds silently. Practitioners should treat access governance as a continuous security function, not a periodic admin task.
Hybrid work turns dormant access into a durable attack surface. The article’s Colonial Pipeline example is not an outlier; it is a pattern that appears whenever revocation lags behind role change or offboarding. In NHI terms, the same risk applies to service accounts and API keys that remain valid after their business purpose has expired. The practical conclusion is straightforward: stale access is standing privilege by another name.
Zero trust only works when identity governance is operationally enforceable. ZTNA, RBAC, and access reviews matter only if they are backed by authoritative identity data and automated revocation. Without that backbone, zero trust becomes a network slogan instead of a governance model. For security teams, the discipline is to make least privilege measurable across every identity type and every access path.
Visibility determines whether governance is real or performative. The article correctly notes that organizations cannot govern what they cannot see, and that remains true for non-human identities that often sit outside human-centric IAM workflows. Our position is that hybrid access problems and NHI sprawl are converging into the same operational issue: unmanaged trust across too many identities. Teams should build one governance model that can account for both human and machine access.
Identity blast radius is now the most useful way to think about hybrid risk. The question is no longer just who authenticated successfully, but how far that identity can move once authenticated. That shift should influence policy design, audit scope, and containment planning. Practitioners should optimise for smaller blast radius, faster revocation, and fewer standing entitlements.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how revocation delays can outlast detection.
- Use NHI Lifecycle Management Guide to align provisioning, rotation, and offboarding so access does not outlive its purpose.
What this signals
Identity blast radius is now the metric that matters most. Hybrid work has made the reach of a compromised identity more important than the location of the login. If revocation is slow and entitlements are broad, the attack surface expands even when authentication is strong. Teams should measure how far each identity can move before a boundary stops it, then reduce that distance by design.
The governance lesson extends directly to non-human identities, because service accounts and API keys often inherit the same lifecycle weakness as dormant human accounts. With 97% of NHIs carrying excessive privileges, entitlement drift is not an edge case; it is the default condition in many environments. Practitioners should fold technical identities into the same review, revocation, and audit workflows used for users.
If your zero trust programme still depends on periodic human review alone, it will lag behind hybrid access reality. Align policy enforcement with authoritative identity data, then use NIST Cybersecurity Framework 2.0 and NIST SP 800-207 Zero Trust Architecture to anchor continuous verification, least privilege, and recovery planning.
For practitioners
- Map post-authentication control ownership: Assign a named owner for access governance across human and non-human identities, then define which team approves, reviews, and revokes access in each system. The goal is a single accountable path for access lifecycle decisions, not a ticket queue that hides drift.
- Automate offboarding and role-change revocation: Trigger de-provisioning from HR, directory, and workflow events so access is removed when identity purpose changes. Prioritise dormant VPN accounts, contractor access, and service credentials that can survive beyond the work they were created for.
- Run quarterly entitlement recertification: Review all privileged and cross-system entitlements on a fixed cadence, with special attention to accounts that span SaaS, cloud, and remote access tools. Tie exceptions to expiration dates so temporary access does not become standing trust.
- Constrain lateral movement with contextual policy: Combine role-based access control with device, location, and session context so a valid login does not automatically open every downstream resource. Use this to reduce the reach of any compromised account across the environment.
- Extend governance to technical identities: Include service accounts, API keys, and automation credentials in the same review and revocation process used for human identities. If an identity can access production resources, it needs lifecycle management, logging, and an owner.
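The measurement side of the checklist above (and of the "How can teams tell whether access governance is actually working?" answer earlier), as an added example that is not code from RSA Security or NHIMG: a set of checks run over a constructed identity inventory that flags dormant identities by per-type inactivity threshold, measures revocation lag per connected system after role-change and offboarding events, lists entitlements that no longer match the identity's current role, and scores blast radius as the number of distinct resources an identity can still reach. Humans, a service account and an API key are all in the same inventory and pass through the same checks. Every name, date, role model and threshold is constructed for illustration; a real run would read these from the directory, HR feed and each system's entitlement export.

```python
"""Added example (not RSA Security's or NHIMG's code): lifecycle governance
checks over a constructed identity inventory. Names, dates, thresholds and
the role model are illustrative only."""
from datetime import datetime, timedelta

NOW = datetime(2026, 4, 8)                     # fixed clock for reproducibility
INACTIVITY_DAYS = {"human": 30, "service": 90, "api-key": 90}   # constructed
REVOCATION_SLA = timedelta(hours=24)                             # constructed

# Role model: what each role should hold. Anything held beyond this is drift.
ROLE_MODEL = {
    "finance-analyst": {"erp-reporting", "vpn"},
    "finance-admin": {"erp-reporting", "erp-admin", "vpn"},
    "contractor-dev": {"ci-pipeline", "vpn"},
    "ci-runner": {"ci-pipeline", "artifact-store"},
    None: set(),                               # offboarded: nothing is justified
}

# Constructed inventory. 'grants' = entitlements still present, per system.
# 'events' = lifecycle changes with the time each system actually revoked
# (None means the revocation never reached that system).
INVENTORY = [
    {"id": "alice", "type": "human", "role": "finance-admin", "status": "active",
     "last_used": NOW - timedelta(days=2),
     "grants": {"erp": {"erp-reporting", "erp-admin"}, "vpn": {"vpn"}}, "events": []},
    {"id": "bob", "type": "human", "role": "finance-analyst", "status": "active",
     "last_used": NOW - timedelta(days=45),
     "grants": {"erp": {"erp-reporting", "erp-admin"}, "vpn": {"vpn"}},
     "events": [{"kind": "role_change", "at": NOW - timedelta(days=10),
                 "revoked": {"erp": None}}]},           # demoted, erp-admin kept
    {"id": "carol", "type": "human", "role": None, "status": "active",
     "last_used": NOW - timedelta(days=70),
     "grants": {"vpn": {"vpn"}},
     "events": [{"kind": "offboarded", "at": NOW - timedelta(days=60),
                 "revoked": {"hr": NOW - timedelta(days=60), "vpn": None}}]},
    {"id": "svc-ci-runner", "type": "service", "role": "ci-runner", "status": "active",
     "last_used": NOW - timedelta(days=1),
     "grants": {"ci": {"ci-pipeline"}, "artifacts": {"artifact-store"},
                "erp": {"erp-reporting"}}, "events": []},
    {"id": "key-legacy-export", "type": "api-key", "role": "contractor-dev",
     "status": "active", "last_used": NOW - timedelta(days=200),
     "grants": {"ci": {"ci-pipeline"}}, "events": []},
]


def dormant(inv=INVENTORY, now=NOW):
    """Active identities idle longer than their type's threshold -> {id: idle_days}."""
    out = {}
    for i in inv:
        idle = (now - i["last_used"]).days
        if i["status"] == "active" and idle > INACTIVITY_DAYS[i["type"]]:
            out[i["id"]] = idle
    return out


def revocation_lag(inv=INVENTORY, now=NOW):
    """Hours from lifecycle event to revocation in each system; an unrevoked
    grant is an open lag counted up to 'now' and always breaches the SLA."""
    out = {}
    for i in inv:
        for ev in i["events"]:
            for system, revoked_at in ev["revoked"].items():
                lag = (revoked_at or now) - ev["at"]
                out[(i["id"], system)] = {"hours": round(lag.total_seconds() / 3600, 1),
                                          "open": revoked_at is None,
                                          "sla_breached": lag > REVOCATION_SLA}
    return out


def stale_entitlements(inv=INVENTORY):
    """Entitlements held that the identity's current role does not justify."""
    out = {}
    for i in inv:
        held = set().union(*i["grants"].values())
        extra = held - ROLE_MODEL[i["role"]]
        if extra:
            out[i["id"]] = sorted(extra)
    return out


def blast_radius(inv=INVENTORY):
    """Distinct resources reachable per identity, largest first."""
    reach = [(i["id"], len(set().union(*i["grants"].values()))) for i in inv]
    return sorted(reach, key=lambda pair: -pair[1])


if __name__ == "__main__":
    print("dormant:", dormant())
    print("revocation lag:", revocation_lag())
    print("stale entitlements:", stale_entitlements())
    print("blast radius:", blast_radius())
```

Two design points carry over to a real deployment. Revocation lag is measured per system, not per identity, because the failure mode the page describes is a revocation that reached HR or the directory but never reached the VPN or the ERP; an open lag is scored against the current time so it keeps growing until someone closes it. Drift is computed against the identity's current role, so a demotion with no corresponding removal shows up immediately rather than at the next quarterly review.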
Key takeaways
- Hybrid work exposes the post-authentication gap, where access lives on after identity has changed.
- Dormant accounts and excessive entitlements make legitimate credentials a practical attack path, not a theoretical one.
- Security teams need continuous access governance, rapid revocation, and tighter blast-radius controls across both human and non-human identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and entitlements are defined, managed, enforced and reviewed under least privilege; continuous access governance maps directly to this outcome. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Per-session, continuously verified access instead of perimeter trust. |
| OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding, NHI5 Overprivileged NHI, NHI7 Long-Lived Secrets | Dormant credentials, excessive entitlements and poor rotation are core NHI lifecycle failures. |
Use zero trust policy to re-check identity, device, and context before each access decision.
Key terms
- Identity Governance And Administration: Identity governance and administration is the control layer that decides who or what should have access, then proves that access is still justified over time. It combines provisioning, de-provisioning, access reviews, and audit evidence so identity changes do not become lingering risk.
- Entitlement Drift: Entitlement drift is the gradual accumulation of permissions that no longer match the identity’s current job, function, or purpose. It usually appears after rapid onboarding, role changes, or temporary exceptions, and it creates hidden excess access that attackers can exploit if not corrected.
- Lateral Movement: Lateral movement is the use of valid access to move from one system to another after an initial compromise. In identity-led environments, it often succeeds because an account has more reach than it should, not because an attacker discovered a new vulnerability.
- Zero Trust Network Access: Zero trust network access is a policy approach that grants access only after identity, device, and context are continuously verified. It replaces broad network trust with narrower, session-specific access decisions, which is useful when users connect from many locations and devices.
Deepen your knowledge
Identity governance, access lifecycle control, and zero trust enforcement are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending hybrid-work controls to non-human identities, it is a practical next step.
This post draws on content published by RSA Security: Zero Trust Identity Governance and Zero Trust: How to Secure Hybrid Workplaces. Read the original.
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org