By NHI Mgmt Group Editorial TeamPublished 2026-03-04Domain: Governance & RiskSource: Soffid

TL;DR: Zero Trust fails in practice when organisations cannot answer who can access what, when that access should end, and how to govern human and non-human identities with the same rigor, according to Soffid. Identity governance is the control layer that turns Zero Trust from policy language into enforceable access decisions.


At a glance

What this is: This is a Zero Trust identity governance article arguing that identity governance is the operational core of modern security, especially as organisations manage human users, NHIs, and AI agents together.

Why it matters: It matters because IAM teams need a single governance model for least privilege, access review, and revocation across every identity type, or Zero Trust becomes an assertion rather than a control.

By the numbers:

👉 Read Soffid's article on why identity governance is the core of Zero Trust security


Context

Zero Trust identity governance is the discipline of deciding who and what can access a resource, under what conditions, and when that access must be revoked. The article’s core point is that Zero Trust only works when identity governance can keep pace with the real mix of employees, service accounts, bots, and AI agents now present in enterprise environments.

The gap is operational, not theoretical. Most organisations can describe least privilege, but far fewer can enforce it consistently across provisioning, review, monitoring, and offboarding. That is where identity governance becomes the practical control plane for Zero Trust, rather than a separate administrative layer.

For programmes already stretched by cloud expansion and third-party access, the issue is no longer whether access needs to be verified. The issue is whether the organisation has a governable identity inventory and a revocation model that keeps pace with change.


Key questions

Q: What breaks when Zero Trust is applied without identity governance?

A: Zero Trust loses its enforcement layer when identity governance is missing. Authentication may still work, but the organisation cannot reliably answer who should have access, whether the entitlement is still justified, or how quickly it can be removed. The result is policy decisions based on stale or incomplete identity data.

Q: Why do NHIs complicate Zero Trust programmes?

A: NHIs complicate Zero Trust because they are persistent, high-volume, and often managed outside the human access lifecycle. Service accounts, tokens, and bots can retain access long after the original need has passed. That makes lifecycle control, rotation, and inventory accuracy essential to Zero Trust governance.

Q: How do security teams know whether identity governance is actually working?

A: Look for measurable evidence that access is current, reviewed, and revocable. Strong programmes can show complete identity inventories, timely offboarding, low privilege drift, and clear traces of who approved each entitlement. If those signals are missing, governance exists in policy but not in practice.

Q: Who is accountable when stale access remains in place?

A: Accountability should sit with the identity owner, the application owner, and the governance process owner together. If no one owns entitlement freshness, stale access will persist across human users and NHIs. Zero Trust programmes need explicit ownership for review, revocation, and audit response.


Technical breakdown

Why Zero Trust depends on identity governance

Zero Trust is often described as a verification model, but its enforcement depends on identity governance underneath it. Every access decision requires a reliable identity record, a current entitlement model, and a revocation path when the business relationship changes. Without that, authentication proves only that a credential was presented, not that the access should still exist. In mixed environments, identity governance also has to account for human users, service accounts, and machine-to-machine access separately because each behaves differently over time. The technical challenge is not just proving identity at the perimeter, but maintaining authoritative control over the full identity lifecycle.

Practical implication: Map Zero Trust controls to authoritative identity sources, entitlement reviews, and offboarding workflows before expanding policy enforcement.

Why non-human identities break human-centric access models

NHIs such as bots, service accounts, API keys, and automation tokens do not fit human access patterns. They are provisioned for workloads, not people, and they often persist far longer than the job they were created to do. That creates a governance mismatch: human-centric review cadences, password assumptions, and manual approvals do not scale to machine identities that operate continuously and at volume. In practice, NHI security depends on lifecycle control, least privilege, rotation, and visibility into where credentials are used. Zero Trust only remains credible when NHIs are treated as first-class identities rather than exceptions hidden in infrastructure workflows.

Practical implication: Inventory NHIs separately, then govern them with lifecycle controls and review cycles designed for machine identity behaviour.

How continuous verification works when access must be revoked fast

Continuous verification is not just repeated login checking. It combines authentication signals, policy evaluation, and session or entitlement revocation so access can be reduced when risk changes. In Zero Trust environments, this means policy must be able to respond to changes in role, device posture, vendor relationship, or workload state. Identity governance is the engine that keeps those changes current. If the access database lags behind reality, the policy layer makes decisions on stale information, which creates ghost permissions and delayed revocation. That is why governance, logging, and monitoring are inseparable from the technical enforcement path.

Practical implication: Integrate monitoring, entitlement updates, and revocation triggers so policy decisions use current identity state.


Threat narrative

Attacker objective: The objective is to reach and use access that should no longer exist, then convert that governance gap into data exposure, privilege expansion, or operational disruption.

  1. Entry occurs when an attacker, unauthorised insider, or compromised automation uses an access path that was never fully governed or was left active after it should have been removed.
  2. Escalation follows when standing permissions, over-privileged accounts, or third-party OAuth access expand the attacker’s reach across systems and data sets.
  3. Impact lands when the organisation cannot quickly revoke the access, leaving exposed resources, regulatory risk, and potential lateral movement opportunities.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Zero Trust fails when identity governance is treated as paperwork rather than enforcement. The article correctly frames identity as the control point, but the deeper issue is that Zero Trust cannot operate on static assumptions about access. If provisioning, review, and revocation do not stay aligned with real identity state, the policy layer is only simulating control. Practitioners should treat governance accuracy as the condition for Zero Trust viability.

Non-human identities are now a governance class, not an edge case. Bots, service accounts, and automation tokens are no longer peripheral to identity architecture. They are often the most persistent and least visible access paths in the environment, which means the old assumption that identity management is mostly about people is no longer defensible. The practitioner implication is that NHI inventory, review, and lifecycle control must sit inside the same governance model as human access.

Continuous verification without continuous entitlement hygiene produces false confidence. Organisations can verify a session and still fail to govern the entitlement behind it. That gap is where ghost permissions accumulate, especially across cloud, SaaS, and delegated vendor access. The field needs to stop treating verification and governance as separate controls and start treating them as one operational loop.

Identity blast radius is now the real Zero Trust metric. The meaningful question is not whether access was authenticated, but how far an identity can move once it exists in the environment. Least privilege, lifecycle controls, and revocation speed define blast radius far more than policy language does. Practitioners should measure how much damage a single identity can do before it is constrained or removed.

Zero Trust Identity makes the governance layer the security layer. In modern enterprise environments, access control is no longer just a downstream IAM function. It is the mechanism that determines whether the security programme can keep pace with users, workloads, and delegated systems. The implication is clear: if governance is weak, Zero Trust is weak.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which leaves a large delegated-access surface outside routine identity review.
  • That visibility problem links directly to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs, where provisioning, review, and offboarding must stay aligned across every non-human identity.

What this signals

Identity governance will increasingly be judged by revocation speed, not policy volume. Zero Trust programmes are moving toward operational proof points such as how quickly access can be removed when a role changes, a vendor relationship ends, or a workload is retired. That shift makes lifecycle hygiene a board-relevant security signal, not an administrative detail.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, delegated access is becoming one of the hardest parts of Zero Trust to govern. The practical implication is that many organisations will need to reconcile SaaS, cloud, and vendor access records before policy enforcement can be trusted. The governance question is no longer whether access exists, but whether it is still justified.

The next maturity step is integrating identity governance with continuous monitoring so entitlement changes trigger security action before they become incident response problems. Programmes that can correlate identity state, access scope, and revocation evidence will be better placed to support Zero Trust in cloud and hybrid estates.


For practitioners

  • Create a unified identity inventory Build one authoritative view of employees, contractors, service accounts, bots, API keys, and AI-adjacent access paths so Zero Trust decisions are not made from fragmented records.
  • Tie revocation to lifecycle events Connect joiner, mover, leaver, vendor-offboarding, and workload decommissioning events to automatic access removal so dormant permissions do not survive the business need.
  • Review NHIs on their own cadence Do not reuse human access review schedules for machine identities. Set review triggers based on credential age, privilege scope, and deployment change events.
  • Measure privilege drift continuously Track how often entitlements exceed current job, workload, or vendor scope, and escalate any identity that accumulates permissions faster than it is recertified.
  • Align Zero Trust policy to current identity state Ensure authentication, authorization, and monitoring use the same live source of truth, otherwise policy decisions will continue to rely on stale access data.

Key takeaways

  • Zero Trust is only as strong as the identity governance beneath it, because verification without revocation still leaves access risk in place.
  • NHIs are now central to access control strategy, and human-centric governance models miss the persistence and scale of machine identity access.
  • Practitioners should focus on inventory accuracy, lifecycle enforcement, and revocation speed if they want Zero Trust to work operationally.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Credential rotation and lifecycle control are central to the article's NHI governance argument.
NIST CSF 2.0PR.AC-4Least-privilege access management maps directly to the article's Zero Trust governance model.
NIST SP 800-53 Rev 5IA-5Authenticator management supports the article's emphasis on credential control and revocation.
NIST Zero Trust (SP 800-207)The article is fundamentally about Zero Trust architecture and identity verification.
CIS Controls v8CIS-5 , Account ManagementThe article repeatedly focuses on account creation, modification, deletion, and revocation.

Review NHI lifecycle processes against NHI-03 and remove standing access that no longer has a business owner.


Key terms

  • Zero Trust Identity: A security model that makes identity governance the enforcement layer for Zero Trust decisions. Access is continuously validated against current identity state, entitlement scope, and lifecycle status rather than assumed to remain valid after initial authentication.
  • Non-Human Identity: Any digital identity that is not a person, including service accounts, bots, API keys, tokens, certificates, workloads, and AI agents. In practice, NHIs require lifecycle control, visibility, and revocation discipline because they often persist and operate at machine speed.
  • Identity Governance: The process of defining, approving, reviewing, and revoking access across an organisation’s identities. It becomes operationally critical in Zero Trust because policy decisions depend on accurate identity records, current entitlements, and a reliable offboarding path.
  • Ghost Permissions: Access rights that remain active after the business need has ended. They are a governance failure, not just an administrative nuisance, because they expand the attack surface and undermine Zero Trust by preserving access that should already have been removed.

What's in the full article

Soffid's full article covers the operational detail this post intentionally leaves for the source:

  • How Soffid describes its unified IAM, AM, PAM, and IGA operating model for Zero Trust enforcement.
  • The article's practical examples of automated account creation, modification, and deletion across the identity lifecycle.
  • Its discussion of access in minutes, zero ghost permissions, and audit-readiness as implementation outcomes.
  • The vendor's own view of how Zero Trust and least privilege fit together in a single control architecture.

👉 The full Soffid article covers automated lifecycle control, revocation, and unified IAM architecture in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org