By NHI Mgmt Group Editorial Team
Published 2026-06-04
Domain: Governance & Risk
Source: Semperis

TL;DR: Microsoft Zero Trust Assessment measures strategic maturity across identity, devices, data, applications, and infrastructure, while Semperis' Entra ID Security Assessment focuses on real-world exploitability through privilege exposure, attack paths, and configuration gaps, according to Semperis. Maturity scoring can look healthy even when tenant-level identity attack paths remain open, so the decisive question is exposure, not alignment.


At a glance

What this is: This is a side-by-side comparison of two different assessment goals, showing that Zero Trust maturity scoring and Entra ID exposure analysis answer different security questions.

Why it matters: IAM teams should treat maturity benchmarks and exploitability assessments as complementary but not interchangeable, especially when NHI-style privilege exposure and human identity controls intersect in Entra ID programmes.

👉 Read Semperis' comparison of Zero Trust maturity and Entra ID exposure


Context

Zero Trust maturity and attacker exposure are not the same measurement. One asks how closely an organisation aligns with a security model across identity, devices, apps, data, and infrastructure, while the other asks whether an attacker could compromise Entra ID today through privilege exposure, bypasses, and attack paths.

That distinction matters for IAM, PAM, and lifecycle governance because a control can exist on paper and still leave standing privilege, legacy authentication, or OAuth permission risk in place. For identity teams, the practical question is not only whether policy is present, but whether the tenant is actually resistant to misuse under real operating conditions.


Key questions

Q: What is the difference between Zero Trust maturity and identity exposure analysis?

A: Zero Trust maturity tells you whether policy and control coverage exist across the expected domains. Identity exposure analysis tells you whether an attacker can still reach privileged access, bypass Conditional Access, or exploit legacy authentication and delegated permissions. Organisations need both views because maturity can look acceptable while exploitable paths remain open.

Q: How should security teams assess Entra ID risk beyond dashboard scores?

A: Security teams should test the tenant for standing privilege, Tier 0 escalation paths, PIM exceptions, Conditional Access bypasses, legacy authentication, and excessive OAuth permissions. The goal is to confirm whether the identity layer resists real attack paths, not just whether the policy catalogue is populated.

Q: What do security teams get wrong about Zero Trust assessments?

A: They often treat a maturity score as proof of resilience. In practice, an organisation can align to a model while still carrying privileged access exposure, weak exception handling, and app permissions that create viable compromise paths. The score is useful, but it is not a substitute for exploitability testing.

Q: Which frameworks should guide Entra ID exposure reviews?

A: NIST SP 800-207 is relevant for the Zero Trust model, while identity governance and least-privilege review should be grounded in access control and lifecycle practices that actually remove reachable privilege. Teams should use the framework to organise decisions, then validate those decisions against object-level evidence in the tenant.


Technical breakdown

Zero Trust maturity scoring vs identity exposure analysis

Zero Trust assessments usually measure policy adoption and alignment to a target model. Exposure assessments look for concrete paths an attacker could use, such as privilege escalation chains, bypassable Conditional Access rules, legacy authentication, and delegated permissions that extend beyond intended scope. The difference is between model compliance and exploitability. In identity terms, this is the gap between saying controls exist and proving they break attack paths in practice.

Practical implication: Use maturity scores as a benchmark, but validate them against an attack-surface review of actual Entra ID configurations.

Privilege exposure, standing access, and Tier 0 risk

In Entra ID, the highest-value findings are often not obscure vulnerabilities but ordinary governance failures: standing admin privilege, weak PIM enforcement, stale privileged accounts, and break-glass accounts with unclear oversight. These create durable access paths that survive policy rollouts and dashboard reporting. For identity security, Tier 0 exposure is the issue because compromise there changes the security posture of everything downstream.

Practical implication: Inventory privileged roles, standing access, and PIM exceptions together so Tier 0 risk is visible in one control plane.
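To make that inventory concrete, here is an added example (our editorial illustration, not code from Semperis or Microsoft) that reviews an export of Entra ID role assignments for standing Tier 0 access held outside PIM, non-human identities in Tier 0 roles, Tier 0 rights inherited through groups, and dormant privileged users. The records follow the shape of the Graph roleAssignmentScheduleInstances and roleDefinitions resources, but the tenant data is constructed; the Tier 0 role set, the 90-day dormancy threshold and the break-glass allow-list are assumptions to tune per tenant. It also covers the checks listed under "How should security teams assess Entra ID risk beyond dashboard scores" above.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: a starter Tier 0 set keyed by role display name; extend it with every role
# the tenant treats as able to reach Global Administrator.
TIER0_ROLES = {"Global Administrator", "Privileged Role Administrator",
               "Privileged Authentication Administrator", "Partner Tier2 Support"}
DORMANT_AFTER = timedelta(days=90)  # assumption: review threshold, not a product default


@dataclass(frozen=True)
class Finding:
    severity: str  # critical | high | medium | low | info
    principal: str
    role: str
    issue: str


def parse_time(value):
    # Graph emits ISO-8601 UTC timestamps with a trailing Z; None means "never".
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def assess_privilege(instances, role_definitions, principals, break_glass_ids, now):
    """instances: roleAssignmentScheduleInstances; role_definitions: roleDefinitions;
    principals: principalId -> {displayName, type, lastSignIn};
    break_glass_ids: documented emergency accounts allowed to keep standing access."""
    role_names = {r["id"]: r["displayName"] for r in role_definitions}
    findings, privileged_ids = [], set()
    for inst in instances:
        role = role_names.get(inst["roleDefinitionId"], inst["roleDefinitionId"])
        pid = inst["principalId"]
        p = principals.get(pid, {"displayName": pid, "type": "unknown", "lastSignIn": None})
        name = p["displayName"]
        privileged_ids.add(pid)
        # "Assigned" with no end date is a permanent active assignment: the role is held
        # outside PIM's just-in-time model ("Activated" entries carry an expiry).
        standing = inst["assignmentType"] == "Assigned" and inst.get("endDateTime") is None
        if role in TIER0_ROLES:
            if p["type"] == "servicePrincipal":
                findings.append(Finding("critical", name, role, "non-human identity holds a Tier 0 role"))
            if standing and pid in break_glass_ids:
                findings.append(Finding("info", name, role, "standing Tier 0 access on a documented break-glass account"))
            elif standing:
                findings.append(Finding("high", name, role, "standing Tier 0 assignment outside PIM"))
            if inst.get("memberType") == "Group":
                findings.append(Finding("medium", name, role, "Tier 0 role inherited via a group; its owners are Tier 0 too"))
        elif standing:
            findings.append(Finding("low", name, role, "standing privileged assignment outside PIM"))
    # Dormancy: a privileged user with no recent sign-in is an unused breach path.
    for pid in sorted(privileged_ids):
        p = principals.get(pid)
        if not p or p["type"] != "user" or pid in break_glass_ids:
            continue  # break-glass is expected to be idle; SPs have no interactive sign-in
        last = parse_time(p.get("lastSignIn"))
        if last is None or now - last > DORMANT_AFTER:
            findings.append(Finding("high", p["displayName"], "*", f"privileged user dormant for more than {DORMANT_AFTER.days} days"))
    return findings


# Constructed sample export; none of these objects come from a real tenant.
NOW = datetime(2026, 6, 4, tzinfo=timezone.utc)
ROLE_DEFINITIONS = [{"id": "role-ga", "displayName": "Global Administrator"},
                    {"id": "role-pra", "displayName": "Privileged Role Administrator"},
                    {"id": "role-helpdesk", "displayName": "Helpdesk Administrator"}]
PRINCIPALS = {
    "u-alice": {"displayName": "alice", "type": "user", "lastSignIn": "2026-06-03T08:00:00Z"},
    "u-bob": {"displayName": "bob", "type": "user", "lastSignIn": "2026-06-01T08:00:00Z"},
    "u-carol": {"displayName": "carol", "type": "user", "lastSignIn": "2026-06-02T08:00:00Z"},
    "u-dave": {"displayName": "dave", "type": "user", "lastSignIn": "2025-11-01T08:00:00Z"},
    "u-breakglass": {"displayName": "breakglass-01", "type": "user", "lastSignIn": None},
    "sp-automation": {"displayName": "svc-automation", "type": "servicePrincipal", "lastSignIn": None},
}


def _inst(pid, role, assignment, member="Direct", end=None):
    return {"principalId": pid, "roleDefinitionId": role, "assignmentType": assignment,
            "memberType": member, "endDateTime": end}


INSTANCES = [
    _inst("u-alice", "role-ga", "Activated", end="2026-06-04T06:00:00Z"),  # PIM JIT: no finding
    _inst("u-bob", "role-ga", "Assigned"),                                   # standing GA
    _inst("sp-automation", "role-pra", "Assigned"),                          # NHI holding Tier 0
    _inst("u-breakglass", "role-ga", "Assigned"),                            # documented break-glass
    _inst("u-carol", "role-ga", "Activated", "Group", "2026-06-04T04:00:00Z"),  # group-inherited
    _inst("u-dave", "role-helpdesk", "Assigned"),                            # standing + dormant
]
BREAK_GLASS_IDS = {"u-breakglass"}


def run_sample():
    return assess_privilege(INSTANCES, ROLE_DEFINITIONS, PRINCIPALS, BREAK_GLASS_IDS, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.principal} / {f.role}: {f.issue}")
```

Against a live tenant the same three inputs come from GET /roleManagement/directory/roleAssignmentScheduleInstances, GET /roleManagement/directory/roleDefinitions and each user's signInActivity property; the point of the script is that "Activated" and "Assigned" are different facts, and only the second one, with no expiry, is standing privilege. The break-glass allow-list keeps documented emergency accounts from drowning out the real findings without hiding them.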

Conditional Access and OAuth permissions as bypass surfaces

Conditional Access can indicate maturity without proving resilience if exceptions, legacy authentication, or delegated app permissions remain under-reviewed. OAuth and app permissions are especially important because they can extend access without the same user-facing signals as interactive logins. That makes them a governance problem as much as a technical one. Effective identity reviews need object-level evidence, not only policy summaries.

Practical implication: Review Conditional Access exceptions, legacy auth exposure, and OAuth permissions as separate bypass channels rather than one combined control.
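As an added example (ours, not Semperis' or Microsoft's code), the following reviews the three bypass channels separately over constructed data shaped like the Graph conditionalAccessPolicies, oauth2PermissionGrants and appRoleAssignments resources: it enumerates every user, group and role carve-out in enforced policies, checks whether any enforced policy actually blocks legacy authentication (a report-only policy counts as exposure, not coverage), and flags tenant-wide delegated consent and application permissions drawn from a high-impact list. The high-risk permission list is an assumption, and application role IDs are assumed to have already been resolved to their permission values.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumption: starter list of Microsoft Graph permissions treated as high impact when an
# application holds them for the whole tenant; tune to the tenant's own risk model.
HIGH_RISK_PERMISSIONS = {
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
}
# Graph clientAppTypes values that represent legacy (non-modern-auth) clients.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


@dataclass(frozen=True)
class Finding:
    channel: str  # ca_exception | legacy_auth | oauth
    severity: str
    subject: str
    issue: str


def _targets_everyone(policy):
    c = policy["conditions"]
    return (c["users"].get("includeUsers") == ["All"]
            and c["applications"].get("includeApplications") == ["All"])


def review_conditional_access(policies):
    """policies: conditionalAccessPolicies objects. Lists every carve-out in enforced
    policies and checks that at least one enforced policy blocks legacy authentication."""
    findings, legacy_enforced = [], False
    for pol in policies:
        state = pol["state"]
        controls = (pol.get("grantControls") or {}).get("builtInControls", [])
        blocks_legacy = ("block" in controls
                         and LEGACY_CLIENT_APPS <= set(pol["conditions"].get("clientAppTypes", []))
                         and _targets_everyone(pol))
        if blocks_legacy and state == "enabled":
            legacy_enforced = True
        elif blocks_legacy:  # report-only or disabled: the policy exists but blocks nothing
            findings.append(Finding("legacy_auth", "high", pol["displayName"], f"legacy-auth block policy is not enforced (state={state})"))
        if state != "enabled":
            continue  # carve-outs on a policy that is not enforcing are not a bypass yet
        users = pol["conditions"]["users"]
        for kind in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for obj in users.get(kind, []):
                findings.append(Finding("ca_exception", "medium", pol["displayName"], f"{kind} carve-out {obj}: needs an owner and an expiry"))
    if not legacy_enforced:
        findings.append(Finding("legacy_auth", "high", "tenant", "no enforced Conditional Access policy blocks legacy authentication"))
    return findings


def review_oauth(delegated_grants, app_role_assignments):
    """delegated_grants: oauth2PermissionGrants (scope is a space-separated string;
    consentType AllPrincipals means admin consent on behalf of every user).
    app_role_assignments: appRoleAssignments with appRoleId already resolved to its value."""
    findings = []
    for g in delegated_grants:
        risky = sorted(set(g["scope"].split()) & HIGH_RISK_PERMISSIONS)
        if risky and g["consentType"] == "AllPrincipals":
            findings.append(Finding("oauth", "high", g["clientId"], "tenant-wide delegated consent for " + ", ".join(risky)))
        elif risky:
            findings.append(Finding("oauth", "medium", g["clientId"], f"user {g['principalId']} consented to " + ", ".join(risky)))
    for a in app_role_assignments:
        if a["appRole"] in HIGH_RISK_PERMISSIONS:  # application permission: acts with no user present at all
            findings.append(Finding("oauth", "critical", a["principalDisplayName"], f"application permission {a['appRole']} on {a['resourceDisplayName']}"))
    return findings


# Constructed sample export; none of these objects come from a real tenant.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"],
                              "excludeGroups": ["g-mfa-exempt"], "excludeRoles": []},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
DELEGATED_GRANTS = [
    {"clientId": "sp-mail-sync", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.ReadWrite offline_access"},
    {"clientId": "sp-survey", "consentType": "Principal", "principalId": "u-alice", "scope": "User.Read"},
]
APP_ROLE_ASSIGNMENTS = [
    {"principalDisplayName": "svc-automation", "resourceDisplayName": "Microsoft Graph", "appRole": "Directory.ReadWrite.All"},
    {"principalDisplayName": "svc-reporting", "resourceDisplayName": "Microsoft Graph", "appRole": "User.Read.All"},
]


if __name__ == "__main__":
    for f in review_conditional_access(POLICIES) + review_oauth(DELEGATED_GRANTS, APP_ROLE_ASSIGNMENTS):
        print(f"[{f.channel}/{f.severity}] {f.subject}: {f.issue}")
```

On the constructed tenant the MFA policy looks mature but carries two unowned carve-outs, the legacy-auth block exists only in report-only mode (so legacy protocols still skip MFA), an app has admin-consented Mail.ReadWrite for every user, and a service principal holds Directory.ReadWrite.All as an application permission, which needs no signed-in user and never appears in an interactive sign-in review. Each finding names the object to review, which is the object-level evidence the section asks for.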


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Zero Trust maturity and attack exposure are different control questions, not alternative labels for the same programme. Maturity measures whether policy exists across the expected domains, but exposure asks whether the identity layer still contains reachable attack paths. The security team that treats those as equivalent will miss the difference between compliance with a model and actual tenant resilience. Practitioner conclusion: governance should report both alignment and exploitability.

Standing privilege remains the clearest sign that identity governance has drifted from intent to habit. When Tier 0 access, PIM exceptions, or dormant privileged accounts persist, the organisation is preserving breach paths even if its maturity dashboard looks healthy. This is a control gap in lifecycle enforcement, not a tooling problem. Practitioner conclusion: privileged access must be reviewed as a live attack surface, not a recertification checkbox.

Conditional Access and OAuth permission review define the gap between policy design and bypass reality. A policy framework can be mature while exception handling, legacy authentication, and delegated permissions still allow unauthorized access. That is why object-level evidence matters more than summary scores for Entra ID. Practitioner conclusion: identity security teams should test the bypass surface, not just the policy catalog.

Identity attack surface management: the practical security lens that measures where an identity tenant can be reached, inherited, or misused today. This concept is useful because Entra ID risk often accumulates in small, governable objects, not in broad architecture diagrams. It captures the need to connect configuration state, privilege paths, and monitoring coverage into one view. Practitioner conclusion: teams should manage identity exposure as an ongoing attack surface, not a one-time assessment.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations, including code, config files, and CI/CD tools.
  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.

What this signals

Identity attack surface management is becoming the practical layer between maturity reporting and breach prevention. Teams that only track policy adoption will keep missing the reachable privilege paths that matter most in Entra ID and adjacent NHI programmes. With 97% of NHIs carrying excessive privileges, the governance problem is not abstract risk but measurable exposure.

Maturity frameworks still have value, but they do not prove that Tier 0 access, exception handling, and delegated permissions are actually constrained. Programme owners should expect more scrutiny on object-level evidence, lifecycle offboarding, and control bypass testing as boards ask whether identity controls reduce attackability, not just improve scores.


For practitioners

  • Separate maturity scoring from exposure testing: Run Zero Trust maturity reviews as a strategic benchmark, but pair them with an identity attack surface assessment that enumerates current privilege paths, exceptions, and bypass conditions.
  • Map Tier 0 privilege and PIM gaps: Build an inventory of standing admin roles, break-glass accounts, dormant privileged users, and PIM enforcement exceptions so Tier 0 exposure is measurable.
  • Review Conditional Access exceptions and legacy authentication: Treat exception rules, legacy authentication, and OAuth delegated permissions as separate bypass channels that need object-level evidence and ownership.
  • Tie lifecycle controls to exposure reduction: Use joiner-mover-leaver, offboarding, and access review processes to remove privileged accounts that no longer match business need or operational reality.

Key takeaways

  • Zero Trust maturity and Entra ID exposure answer different questions, and treating them as the same leaves identity risk unmeasured.
  • The material risk is not only missing controls but standing privilege, bypassable exceptions, and delegated access paths that stay reachable.
  • Practitioners should pair maturity reporting with attack-surface review, because only exploitability testing shows whether identity controls actually reduce breach likelihood.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | The article contrasts Zero Trust maturity with identity exposure in a live tenant.
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI; NHI1:2025 Improper Offboarding | Standing privilege, excessive access, and weak lifecycle controls are central exposure themes.
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations managed with least privilege and separation of duties) | Access governance and exception handling map directly to the assessment gap discussed here.

Use Zero Trust principles to test whether identity controls block real access paths, not just score well.


Key terms

  • Zero Trust Maturity: A measure of how closely an organisation aligns with a Zero Trust model across identity, device, data, application, and infrastructure controls. It shows policy coverage and strategic progress, but it does not by itself prove that an attacker cannot reach privileged identity paths.
  • Identity Attack Surface: The set of reachable identity configurations, permissions, exceptions, and access paths that could be abused today. In Entra ID and similar environments, this includes standing privilege, legacy authentication, delegated permissions, and governance gaps that make compromise more likely.
  • Standing Privilege: Persistent elevated access that remains available outside a just-in-time or task-scoped approval model. It is a governance problem because the access exists before the work begins, widening the window for misuse, lateral movement, and privilege escalation.
  • Conditional Access Exception: A rule or carve-out that bypasses normal identity policy enforcement for a user, app, or scenario. Exceptions are often necessary, but unmanaged ones become hidden access paths that can undermine a mature-looking Zero Trust posture.

Deepen your knowledge

Zero Trust maturity, Entra ID exposure, and privilege governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity controls that need to work beyond dashboard reporting, it is worth exploring.

This post draws on content published by Semperis: Microsoft Zero Trust Assessment vs. Semperis Entra ID Security Assessment. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org