TL;DR: Zero Trust identity applies continuous verification to every authentication and authorisation request, and enterprise surveys show 96 percent of organisations now prefer it over VPN while 65 percent plan to retire VPN within twelve months, according to eMudhra. Perimeter-based IAM is no longer the operating model security teams can rely on, because identity has become the trust boundary.
At a glance
What this is: This is an analysis of Zero Trust identity as the operational model for modern IAM, with the core finding that perimeter-based trust is no longer sufficient.
Why it matters: It matters because IAM teams now have to enforce policy at the request level for human and machine identities, not assume trust based on network location.
By the numbers:
- 96 percent of organisations now prefer Zero Trust to VPN.
- 65 percent plan to retire their VPN within twelve months.
👉 Read eMudhra's analysis of Zero Trust identity and IAM enforcement points
Context
Zero Trust identity is the idea that access should never be granted because a request comes from inside the network. The identity and access management question is no longer who is on the perimeter, but whether each request should be trusted at the moment it is made.
That shift matters because cloud, SaaS, remote work, and service-to-service traffic have broken the old perimeter model. The article is typical of where IAM has been heading for several years: identity, not network location, now carries the trust decision.
Key questions
Q: How should security teams implement Zero Trust identity without relying on VPN trust?
A: Security teams should move access decisions to an identity-aware policy layer that evaluates context every time a request is made. VPNs can still provide transport protection, but they should not determine trust. The core requirement is continuous verification of identity, device, and resource risk before access is allowed.
Q: Why do cloud and SaaS environments weaken perimeter-based IAM?
A: Cloud and SaaS environments weaken perimeter IAM because users, workloads, and APIs no longer sit behind a single trusted boundary. Access requests now originate from distributed locations and services, which makes location-based trust unreliable. IAM must therefore decide based on current identity context, not where traffic came from.
Q: What breaks when machine identities are excluded from Zero Trust policy?
A: Zero Trust breaks when machine identities are excluded because service accounts and workloads often generate the highest-volume internal access. If those identities are governed differently from human users, attackers can exploit the gap through over-privileged service access, weak logging, or unmanaged integrations. The policy model becomes incomplete.
Q: Who is accountable for enforcing Zero Trust across human and non-human identities?
A: IAM, security architecture, and platform owners are jointly accountable for enforcing Zero Trust across human and non-human identities. The control model spans authentication, authorisation, logging, and policy enforcement, so ownership cannot sit in a single tool team. Governance should make that responsibility explicit across the full identity lifecycle.
Technical breakdown
How Zero Trust identity maps to NIST SP 800-207
NIST SP 800-207 describes Zero Trust Architecture as a policy-driven model built around continuous evaluation rather than implicit network trust. In identity terms, that means the policy engine evaluates each request, the policy administrator sets rules, and the enforcement point blocks or allows access in real time. This only works when identity signals are strong enough to support contextual decisions across humans and workloads.
Practical implication: align IAM control points to policy enforcement, not just authentication events.
Why perimeter-based IAM fails in cloud and SaaS environments
Perimeter IAM assumes internal traffic is trustworthy and external traffic is suspicious. Cloud services, SaaS platforms, remote access, and service mesh architectures break that assumption because requests now cross boundaries constantly and from many different locations. The perimeter can still filter traffic, but it cannot be the primary trust decision point once identities, workloads, and APIs move outside it.
Practical implication: move authorisation decisions from the network edge to identity-aware policy.
Why unified human and machine identity policy is now essential
Zero Trust identity cannot stop at users. Service accounts, workloads, API-driven integrations, and other non-human identities generate a large share of modern access traffic, and each needs the same policy discipline as a human session. If the IAM platform treats workloads as exceptions, the organisation creates a blind spot that undermines continuous verification.
Practical implication: extend policy, logging, and review processes to non-human identities as first-class subjects.
NHI Mgmt Group analysis
Perimeter-based IAM is now a broken trust assumption, not just an outdated deployment model. Cloud services, remote access, and machine-to-machine traffic have moved the control point away from the network edge. That means identity is carrying decisions the perimeter was never designed to make. Practitioners should treat network location as a weak signal, not a trust qualifier.
Continuous verification changes IAM from a login problem into a runtime policy problem. Once a request can originate from anywhere, the security question becomes whether current context justifies access at that instant. Static authentication alone no longer closes the gap because authorisation must reflect device posture, resource sensitivity, and session risk. The implication is that identity teams need policy enforcement closer to the resource.
Unified policy across human and non-human identities is the real Zero Trust test. The article correctly points to the need for one engine to evaluate both user access and workload access. That matters because the same perimeter logic that fails for remote users fails even faster for service identities that never sit behind a VPN in the first place. Practitioners should stop running separate trust models for users and workloads.
Identity blast radius becomes the better planning metric than network segmentation depth. When identity is the trust boundary, the question is how far a compromised credential or token can move before policy stops it. That aligns closely with Ultimate Guide to NHIs thinking around visibility, credential scope, and control boundaries. Security teams should measure how much access any single identity can reach before containment intervenes.
Zero Trust identity is strongest when it is built as an operating model, not a bolt-on control. The article’s five enforcement points show that authentication, policy, logging, and workload identity all have to work together. That is consistent with NIST SP 800-207 Zero Trust Architecture, which assumes coordinated enforcement rather than isolated products. Practitioners should evaluate whether their IAM design actually behaves like a trust system.
From our research:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a direct warning sign for identity programmes that still rely on partial trust boundaries.
- For a broader baseline, Ultimate Guide to NHIs , Key Challenges and Risks covers the visibility, sprawl, and over-privilege issues that Zero Trust identity has to absorb.
What this signals
Zero Trust identity only works when the identity layer can see enough context to make a real decision. That means IAM teams should expect pressure to unify policy engines, telemetry, and audit trails across human users and workloads. The old split between user access controls and machine access controls is becoming harder to defend as a programme design choice.
The practical shift is toward identity governance as a runtime discipline, not a periodic review exercise. If a request cannot be evaluated continuously, then the organisation is still operating with perimeter-era assumptions even if the architecture diagram says otherwise.
For practitioners
- Replace perimeter trust assumptions with identity-aware policy Map every access decision to a policy checkpoint that evaluates identity, device context, and resource sensitivity before granting access. Treat network location as supporting data, not the basis for trust.
- Extend Zero Trust controls to workloads and service accounts Include non-human identities in the same authorisation and logging model used for human users, so service-to-service traffic is not excluded from continuous verification.
- Demand audit-ready policy evidence from IAM tooling Require logs that show why a decision was made, which context signals were evaluated, and what enforcement point allowed or denied the request.
- Use policy enforcement points as design anchors Place controls at the resource boundary, then verify that human and workload identities are both evaluated consistently before access is granted.
Key takeaways
- Zero Trust identity replaces location-based trust with request-level policy decisions.
- The operating model now has to cover both human users and non-human identities if it is to be credible.
- IAM teams should measure whether policy enforcement actually happens at runtime, not just at login.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | The article explicitly maps Zero Trust identity to NIST SP 800-207. | |
| NIST CSF 2.0 | PR.AC-1 | Identity and access management underpins Zero Trust access control decisions. |
| OWASP Non-Human Identity Top 10 | NHI-02 | The article directly extends Zero Trust to non-human identities and workloads. |
Use NIST SP 800-207 to structure policy enforcement around continuous verification and resource-bound decisions.
Key terms
- Zero Trust Identity: A control model that evaluates every authentication and authorisation request at the moment it occurs, rather than assuming trust because a request comes from inside the network. For human and non-human identities alike, trust is conditional, contextual, and continuously re-evaluated.
- Policy Enforcement Point: The component that actually allows or denies access after policy has been evaluated. In Zero Trust designs, it sits close to the resource so that decisions are enforced in real time. For workload and agent traffic, this is where runtime access control becomes practical.
- Identity-Aware Policy: A policy layer that uses identity, context, and risk signals to decide whether access should be granted. Unlike perimeter-based rules, it does not rely on location as the main trust factor and can be applied consistently across users, workloads, and automated service interactions.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- The five enforcement points the article expects buyers to demand from an IAM platform, including continuous verification and audit-ready evidence.
- The practical mapping of Zero Trust identity to NIST SP 800-207 policy engine, policy administrator, and policy enforcement point roles.
- The article's explanation of how unified policy should treat human access and non-human identity access under the same trust model.
- The specific role of eMudhra's SecurePass platform in the article's Zero Trust identity discussion.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org