TL;DR: Zero trust can reduce exposure in SaaS-heavy environments, but it still depends on visibility, enforceable controls, and identity governance across users, devices, and permissions, according to Axiad. The real challenge is not adopting the label, but removing the trust assumptions that let access drift beyond what teams can actually govern.
At a glance
What this is: This is an analysis of why zero-trust SaaS architectures still fail when identity visibility, control enforcement, and access governance lag behind adoption.
Why it matters: It matters because IAM teams have to govern access across human identities, machine identities, and shared SaaS entitlements without relying on inherited trust or incomplete inventory.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read Axiad's analysis of zero-trust SaaS and identity governance
Context
Zero trust in SaaS environments means access is never presumed safe just because a user or device sits inside the perimeter. The article argues that the model becomes harder to implement as SaaS sprawl, remote work, and shifting application states expand the number of identities and connections that must be governed.
The identity problem here is not the concept of zero trust itself, but the gap between policy and enforceability. If teams cannot see which users, devices, and applications are interacting, then least privilege becomes difficult to apply consistently and even harder to sustain across changing SaaS estates.
Key questions
Q: How should security teams implement zero trust in SaaS environments?
A: Start with identity inventory, application visibility, and enforceable policy. Zero trust in SaaS only works when teams can verify users and devices continuously, scope access tightly, and confirm that each application can actually enforce the policy. Without those three elements, the programme becomes a branding exercise rather than a control model.
Q: Why do SaaS environments make zero trust harder to govern?
A: SaaS environments spread access across many applications, data stores, and control planes, which makes it difficult to see who has what access and whether that access is still justified. The result is fragmented governance, slower reviews, and weaker enforcement when permissions drift beyond their intended scope.
Q: What do teams get wrong about passwordless authentication and zero trust?
A: They often treat passwordless authentication as if it completes the zero-trust programme. It does not. Strong login reduces credential theft risk, but it does not solve authorisation, entitlement sprawl, or SaaS policy enforcement. Those controls still need their own lifecycle and review discipline.
Q: Who is accountable when SaaS access cannot be fully enforced under zero trust?
A: Accountability sits with the organisation that owns the identity and access policy, even when a SaaS provider operates part of the control plane. Teams must document exceptions, understand platform limitations, and retain governance evidence for any access path they cannot fully enforce.
Technical breakdown
Why zero trust changes the SaaS access model
Zero trust replaces inherited trust with explicit verification at each access decision. In SaaS environments, that matters because access often happens over the internet, across shared apps, and through identities that can change quickly as teams add users, vendors, and integrations. The model is effective only when the organisation can continuously validate who is requesting access, what they are requesting, and whether the request still fits policy. Without that, zero trust becomes a slogan rather than an operating model.
Practical implication: teams need access decisions that are policy-driven and continuously validated, not assumed from network location or app ownership.
Why visibility and control are the hard parts of SaaS governance
The article identifies lack of visibility, siloed data, and lack of control as the main barriers to zero-trust SaaS adoption. Those are not abstract problems. They mean security teams may not know which accounts exist, where data flows, or which SaaS provider owns the enforcement layer. When data is fragmented across applications, governance becomes reactive and certification efforts miss active privilege drift. In practice, this is where many zero-trust programmes stall: the architecture exists in principle, but the operational evidence trail does not.
Practical implication: build a complete inventory of SaaS identities, entitlements, and data paths before trying to certify zero-trust maturity.
Passwordless authentication is not the same as zero trust
Passwordless authentication improves user verification by removing passwords, but it does not by itself solve authorisation, lifecycle, or SaaS entitlements. A stronger login step does not fix overexposure in shared applications, stale permissions, or delegated access that persists after a business need changes. The article treats passwordless as an enabler for zero trust, not a substitute for it. That distinction matters because many programmes confuse stronger authentication with full identity governance.
Practical implication: pair passwordless authentication with access review, entitlement cleanup, and SaaS policy enforcement.
NHI Mgmt Group analysis
Zero trust fails in SaaS when teams treat authentication as the whole problem. The article's real lesson is that strong login controls do not resolve entitlement sprawl, shared application access, or the inability to enforce policy across a fragmented SaaS stack. Zero trust becomes brittle when identity governance stops at the login screen. Practitioners should treat authentication as one control layer, not the operating model itself.
Visibility is the prerequisite control, not an optional maturity feature. The article correctly identifies that teams cannot govern what they cannot see, and SaaS environments make that gap worse because access is distributed across multiple applications and control planes. This is where identity programmes inherit a blind spot: certification, least privilege, and enforcement all depend on an accurate live inventory. The implication is that zero trust cannot outpace discovery.
Zero-trust SaaS exposes the same governance problem across human and non-human access. The article focuses on users, but the same enforcement challenge appears when service accounts, integrations, and API-driven workflows touch SaaS applications. Once access is shared, delegated, or continuously changing, static trust assumptions fail across the board. That makes SaaS governance a cross-identity discipline, not a user-only access problem. Practitioners should align human IAM and NHI controls under one policy model.
Identity blast radius is the right way to frame SaaS risk. The biggest danger is not just that access exists, but that overly broad access in one SaaS app can spread through connected workflows, shared data, and delegated permissions. That turns one weak entitlement into a larger compromise surface. The term captures the operational reality better than generic 'trust' language. Practitioners should reduce blast radius before they chase architectural purity.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often zero-trust ambitions outpace identity inventory discipline.
- That is why 52 NHI Breaches Analysis is a useful next read for understanding how visibility failures turn into real compromise paths.
What this signals
Zero-trust SaaS programmes are increasingly judged by whether they can prove enforcement, not whether they can describe architecture. The teams that will mature fastest are the ones that connect SaaS discovery, entitlement review, and policy enforcement into one operational loop, rather than treating them as separate projects.
Identity blast radius: the real governance target is the amount of access a single weak entitlement can expose across connected SaaS tools, shared data, and delegated workflows. Teams should expect board-level questions about enforcement coverage, not just authentication method adoption.
For practitioners
- Inventory SaaS identities and entitlements first Map all user, service, and integration accounts across SaaS platforms before attempting broader zero-trust controls. Include shared accounts, delegated access, and application-to-application permissions so reviews are based on live exposure rather than incomplete lists.
- Separate authentication strength from authorisation governance Use passwordless or other strong login methods to improve proof of identity, but keep entitlement review, access approval, and policy enforcement as separate control domains. A stronger login does not remove excessive access already granted inside SaaS tools.
- Reduce shared and inherited access paths Eliminate informal access handoffs between employees and reduce app-level permissions that depend on trust in adjacent systems. Where SaaS tools support role scoping, apply the narrowest role that still supports the business task and revalidate it regularly.
- Tie zero-trust policy to measurable enforcement Define what policy enforcement looks like in each SaaS application, then verify that the control can actually deny, log, or step up access when conditions change. If the platform cannot enforce the policy, document the exception and treat it as residual risk.
Key takeaways
- Zero trust in SaaS fails when organisations equate strong authentication with complete governance.
- Visibility and enforceability are the limiting factors, and fragmented SaaS estates make both harder to sustain.
- Identity teams should reduce entitlement sprawl and prove policy enforcement before claiming zero-trust maturity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Zero trust is the article's core model for SaaS access decisions. | |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management is central to SaaS governance and enforcement. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Shared accounts and unmanaged service identities create the same trust gaps described here. |
Verify every access request continuously and scope SaaS permissions to the minimum required.
Key terms
- Zero trust: A security model that assumes no access request is inherently trustworthy, even if it comes from inside the network. Access must be explicitly verified and authorised each time, based on identity, context, and policy rather than location or historical trust.
- SaaS entitlement: The specific permissions a user or identity has inside a software-as-a-service application. Entitlements determine what data, features, and actions are available, and they often become the real source of risk when they are too broad, poorly reviewed, or disconnected from business need.
- Passwordless authentication: An authentication method that removes the password as the primary secret, usually replacing it with biometrics, device-based proof, or one-time verification. It can reduce phishing and password reuse risk, but it does not by itself fix authorisation, entitlement sprawl, or governance drift.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: Do You Need a Zero-Trust SaaS? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
