By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Best Practices
Source: Axiad

TL;DR: Zero Trust and defense in depth solve different parts of the access problem, but Zero Trust’s continuous verification model better fits identity governance in environments with machine identities, distributed access, and internal risk, according to Axiad. The practical issue is not choosing a slogan, but deciding which controls actually reduce standing trust and lateral movement.


At a glance

What this is: A comparison of Zero Trust and defense in depth, concluding that continuous verification addresses modern identity risk better than layered trust assumptions alone.

Why it matters: IAM, NHI, and PAM teams need controls that limit standing access and internal movement across human users, service accounts, and workloads.



Context

Zero Trust is an access model built on continuous verification, while defense in depth relies on stacked controls that assume one layer will catch what another misses. For identity programmes, the real question is which model better contains blast radius when users, service accounts, and workloads all need access to the same environment.

The gap shows up when organisations treat layered security as equivalent to identity governance. That approach can leave standing privilege, broad lateral movement paths, and uneven verification across human and non-human identities. The issue is less about terminology and more about whether access is being re-checked at the point of use.


Key questions

Q: How should security teams decide between Zero Trust and defense in depth?

A: Choose Zero Trust when the main problem is implicit trust across users, devices, service accounts, or workloads. Keep defense in depth as a supporting pattern for resilience, but do not rely on it to govern access decisions on its own. The deciding factor is whether the organisation needs continuous verification at the point of use.

Q: Why does Zero Trust matter for non-human identities?

A: Non-human identities often hold standing credentials and broad privileges that can be reused outside the moment they were issued. Zero Trust matters because it forces access to be validated in context, which reduces the chance that a token, key, or service account can be treated as indefinitely trusted.

Q: What do teams get wrong about defense in depth?

A: Teams often mistake multiple controls for coordinated control. In practice, separate layers can still leave gaps between authentication, authorisation, and monitoring, especially when machine identities are involved. The mistake is assuming that adding more barriers automatically fixes identity risk.

Q: Who should own the move toward Zero Trust in an identity programme?

A: Identity, security architecture, and PAM teams should own it together, because the change affects authentication, authorisation, and session control. Zero Trust is not just a network project. It is a governance shift that changes how access is granted, reviewed, and revalidated across the estate.


Technical breakdown

Continuous verification versus layered trust

Zero Trust verifies users and devices before and during access, rather than assuming an internal network or previously approved session remains trustworthy. Defense in depth places multiple barriers around the environment, but those barriers can still leave broad access once an identity is inside. In identity terms, the difference is between ongoing authorisation and perimeter-style reliance on multiple compensating controls. Continuous verification is more adaptable when access paths are distributed across cloud, SaaS, and machine identities.

Practical implication: map which high-risk access paths still rely on one-time approval rather than continuous re-evaluation.
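The contrast in the paragraph above, as an added example rather than code from Axiad or NHI Mgmt Group: a small policy decision point in Python that re-evaluates every request against granted scope, credential age, device or workload posture, and resource sensitivity, beside a one-time-approval function that trusts a session once it has been approved. The principal name, posture signals and thresholds are constructed for the illustration and are not from the article.

```python
"""Continuous verification versus one-time approval: a minimal policy decision
point (PDP) that is consulted on every request.

Added illustration, not Axiad's or NHI Mgmt Group's code. Identities, posture
signals and policy thresholds are constructed for the example.
"""
from dataclasses import dataclass, field

# Policy thresholds (assumed for the example).
MAX_CREDENTIAL_AGE_S = 3600          # credential must be re-issued after one hour
REQUIRED_POSTURE = {"disk_encrypted", "edr_healthy"}


@dataclass
class Principal:
    name: str
    kind: str                        # "human" or "nhi"
    scopes: frozenset                # granted permissions, e.g. {"orders:read"}
    mfa: bool = False                # humans only


@dataclass
class Context:
    now: float                       # request time, seconds
    cred_issued_at: float            # when the presented token/credential was issued
    device_posture: frozenset = frozenset()  # signals from the device or workload
    source: str = "corp"             # network location label, informational only


@dataclass
class Request:
    principal: Principal
    action: str                      # e.g. "orders:read"
    sensitivity: str                 # "low" or "high"
    ctx: Context


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def one_time_approval(session_approved: bool, req: Request) -> Decision:
    """Perimeter-style model: once a session was approved, every later request
    in it is allowed; before that, network location stands in for trust."""
    if session_approved:
        return Decision(True, ["session previously approved"])
    return Decision(req.ctx.source == "corp", ["network location"])


def continuous_verification(req: Request) -> Decision:
    """Zero Trust model: each request is re-evaluated at the point of use."""
    p, c = req.principal, req.ctx
    reasons = []
    # 1. Least privilege: the action must be within the granted scope.
    if req.action not in p.scopes:
        reasons.append(f"action {req.action} outside granted scopes")
    # 2. Credential freshness: a long-lived token is not indefinitely trusted.
    age = c.now - c.cred_issued_at
    if age > MAX_CREDENTIAL_AGE_S:
        reasons.append(f"credential age {age:.0f}s exceeds {MAX_CREDENTIAL_AGE_S}s")
    # 3. Posture is checked now, not only at login.
    missing = REQUIRED_POSTURE - c.device_posture
    if missing:
        reasons.append(f"posture missing {sorted(missing)}")
    # 4. Step-up for sensitive resources: humans need MFA; an NHI cannot step
    #    up interactively, so it must present a fresher credential instead.
    if req.sensitivity == "high":
        if p.kind == "human" and not p.mfa:
            reasons.append("MFA required for high-sensitivity resource")
        if p.kind == "nhi" and age > MAX_CREDENTIAL_AGE_S / 2:
            reasons.append("NHI credential too old for high-sensitivity resource")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["all checks passed at point of use"])


def demo() -> dict:
    """Same NHI, same session: approved at first use, then context changes."""
    svc = Principal("billing-worker", "nhi", frozenset({"orders:read"}))
    healthy = frozenset(REQUIRED_POSTURE)
    t0 = 1_000_000.0
    first = Request(svc, "orders:read", "low", Context(t0, t0, healthy))
    # Two hours later the EDR agent has stopped and the token was never rotated.
    later = Request(svc, "orders:read", "low",
                    Context(t0 + 7200, t0, frozenset({"disk_encrypted"})))
    # The same stale token is now used for an action it was never granted.
    drift = Request(svc, "orders:delete", "high", Context(t0 + 7200, t0, healthy))
    return {
        "one_time_first": one_time_approval(False, first).allow,
        "one_time_later": one_time_approval(True, later).allow,
        "one_time_drift": one_time_approval(True, drift).allow,
        "zt_first": continuous_verification(first).allow,
        "zt_later": continuous_verification(later).allow,
        "zt_drift": continuous_verification(drift).allow,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The one-time model allows all three requests because the session was approved once; the continuous model allows the first and denies the later two, and the reasons list is the per-path inventory an identity team would build when mapping which access paths still rely on a single approval.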

Why defense in depth can still leave identity blind spots

Layered controls can reduce risk, but they often operate independently, which creates gaps between authentication, authorisation, segmentation, and monitoring. If one layer is configured loosely, an attacker may still move laterally or reuse a valid credential. This is especially relevant for NHI because service accounts and API keys do not behave like human users and are often overlooked in review cycles. The architectural weakness is not the number of controls, but whether they are coordinated around identity context.

Practical implication: assess whether identity, network, and detection controls share the same access context.

Zero Trust for human and non-human identities

For identity teams, Zero Trust becomes more than a network model when it is applied across human login, service account use, and workload access. That means stronger authentication, narrower privileges, and explicit trust decisions tied to each request or session. Defense in depth can still be useful, but it should not substitute for identity-first enforcement. Where the article is strongest is in showing that access models must reflect how modern identities actually operate, not just how infrastructure is segmented.

Practical implication: align human IAM, NHI governance, and PAM around the same access decision model.


NHI Mgmt Group analysis

Zero Trust is the more useful identity model when organisations need to govern access across human and machine identities. Defense in depth was built for a world where layers of protection could absorb a breach after the fact. That premise weakens when identities themselves are the access path, because service accounts, tokens, and sessions can be reused faster than layered controls can react. The practical conclusion is that identity governance now has to assume every access request can become an attack path.

Defense in depth can create control comfort without solving standing access. Multiple barriers look reassuring, but they do not automatically answer who or what should still have access after initial approval. In modern environments, the bigger problem is not only breaching a layer, but retaining access long enough to exploit weak identity controls. Practitioners should treat layered security as support for access control, not as a replacement for it.

Continuous verification is the more relevant control pattern for mixed IAM and NHI estates. Human users, service accounts, and workloads all create different trust failure modes, but they share the same need for context-aware access decisions. Zero Trust gives identity teams a common model for reducing implicit trust across that spectrum. The implication is clear: identity programmes should be organised around decision-time verification, not network nostalgia.

Zero Trust lowers the value of static trust assumptions that defense in depth still tends to preserve. The article’s core tension is that layered security can scale operationally while leaving identity assumptions largely unchanged. That is acceptable only if the environment is static, which modern enterprise identity rarely is. Practitioners should re-evaluate where their architecture still depends on once-approved access remaining safe for the rest of the session.

Identity governance should treat access model choice as an operating model decision, not a slogan choice. The real test is whether the organisation can prove who has access, when access is valid, and what must happen before that access is trusted again. That is where Zero Trust sharpens IAM, PAM, and NHI governance into a single control story. Teams that cannot answer those questions are still relying on layered hope.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • Treat privilege review as a continuous control, not a periodic event, and pair it with the Ultimate Guide to NHIs (Key Challenges and Risks) for the broader NHI risk pattern.

What this signals

Identity teams should expect Zero Trust to become the default reference model for mixed human and machine access. The practical shift is toward session-level trust decisions, narrower privileges, and stronger correlation between authentication and authorisation. That is where NHI governance and PAM begin to converge instead of operating as separate control tracks.

Zero Trust only changes outcomes if the programme can measure trust decay in access paths. Teams should watch for any place where approval remains static after login, because that is where defense in depth often hides residual risk. If access cannot be revalidated, it is still effectively standing privilege.

With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the governance problem is not abstract. Access models must be rebuilt around least privilege, revalidation, and identity-specific enforcement.
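The "trust decay" check described in the two paragraphs above, as an added example and not code from the article or NHI Mgmt Group: a Python audit over an NHI inventory that flags the places where access was approved once and never revalidated: wildcard grants, non-expiring or unrotated secrets, dormant credentials, privilege not re-justified within the review window, and a secret still valid days after an exposure notice. The inventory records, field names and thresholds are constructed for the illustration; real input would come from a cloud IAM export, a secrets manager, or a CI/CD platform.

```python
"""Finding standing privilege in an NHI inventory.

Added illustration, not code from the article or NHI Mgmt Group. The records
and thresholds are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds for the example.
MAX_SECRET_AGE = timedelta(days=90)       # rotate at least quarterly
MAX_REVIEW_GAP = timedelta(days=30)       # privilege must be re-justified monthly
DORMANT_AFTER = timedelta(days=30)        # unused credentials should be disabled


@dataclass
class NhiRecord:
    name: str
    permissions: list                     # e.g. ["s3:GetObject", "iam:*"]
    secret_created: datetime
    secret_expires: Optional[datetime]    # None means the secret never expires
    last_used: Optional[datetime]         # None means never seen in use
    last_reviewed: Optional[datetime]     # last access re-justification
    exposure_notified: Optional[datetime] = None  # when a leak was reported


def is_wildcard(perm: str) -> bool:
    """'*', 'iam:*' and 'bucket/*' style grants count as unbounded."""
    return "*" in perm


def audit(record: NhiRecord, now: datetime) -> list:
    """Return the standing-privilege findings for one NHI. Each finding marks
    a point where trust was granted once and has not decayed since."""
    findings = []
    wild = [p for p in record.permissions if is_wildcard(p)]
    if wild:
        findings.append(f"excessive privilege: wildcard grants {wild}")
    if record.secret_expires is None:
        findings.append("non-expiring secret: trust never decays")
    elif record.secret_expires > now + MAX_SECRET_AGE:
        findings.append("secret expiry set beyond the rotation window")
    if now - record.secret_created > MAX_SECRET_AGE:
        findings.append(f"secret older than {MAX_SECRET_AGE.days} days, not rotated")
    if record.last_used is None or now - record.last_used > DORMANT_AFTER:
        findings.append("dormant credential still enabled")
    if record.last_reviewed is None or now - record.last_reviewed > MAX_REVIEW_GAP:
        findings.append("privilege not re-justified within review window")
    # A reported exposure whose secret is still valid is the worst case:
    # revocation should be measured in hours, not days.
    if record.exposure_notified is not None:
        if record.secret_expires is None or record.secret_expires > now:
            lag = now - record.exposure_notified
            findings.append(f"secret still valid {lag.days} days after exposure notice")
    return findings


def build_sample_inventory(now: datetime) -> list:
    """Constructed records for the example; not real identities."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)
    return [
        NhiRecord("ci-deployer", ["ecr:PutImage", "ecs:UpdateService"],
                  secret_created=days_ago(20), secret_expires=now + timedelta(days=40),
                  last_used=days_ago(1), last_reviewed=days_ago(10)),
        NhiRecord("legacy-etl", ["s3:*", "iam:PassRole"],
                  secret_created=days_ago(400), secret_expires=None,
                  last_used=days_ago(2), last_reviewed=None),
        NhiRecord("old-webhook", ["sqs:SendMessage"],
                  secret_created=days_ago(200), secret_expires=None,
                  last_used=days_ago(95), last_reviewed=days_ago(120),
                  exposure_notified=days_ago(6)),
    ]


def audit_inventory(now: datetime) -> dict:
    """Map each NHI name to its list of findings."""
    return {r.name: audit(r, now) for r in build_sample_inventory(now)}


if __name__ == "__main__":
    now = datetime(2025, 9, 16, tzinfo=timezone.utc)
    for name, findings in audit_inventory(now).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

Only "ci-deployer" comes back clean; "legacy-etl" is the classic over-privileged, never-reviewed service account, and "old-webhook" shows the remediation gap the 91.6% figure describes, a credential still valid six days after the exposure was reported. Each finding is a place where a periodic review cycle left standing privilege that a continuous control would have removed.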


For practitioners


Key takeaways

  • Zero Trust matters because modern identity risk is driven by standing trust, not just by perimeter failure.
  • Defense in depth can reduce exposure, but it does not by itself guarantee that access is continuously revalidated.
  • Identity programmes should use continuous verification to unify human IAM, NHI governance, and privileged access control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-207 (Zero Trust Architecture) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: per-session access; dynamic, strictly enforced authentication and authorisation | Zero Trust is the article's central model for continuous verification.
NIST CSF 2.0 | PR.AA-05: access permissions, entitlements and authorisations managed, enforced and reviewed under least privilege (PR.AC-4 in CSF 1.1) | Identity access management fits the article's focus on controlling who can access what.
OWASP Non-Human Identity Top 10 (2025) | NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets; NHI2 Secret Leakage | Standing NHI privilege and secret exposure are part of the identity risk discussed here.

Use continuous verification and least privilege to replace implicit trust across access paths.


Key terms

  • Zero Trust: A security model that treats every access request as untrusted until it is verified in context. In identity programmes, that means access is re-evaluated based on user, device, session, and resource state rather than assumed safe because it is internal.
  • Defense in Depth: A security strategy that uses multiple layers of controls to slow, detect, and contain attacks. It can improve resilience, but it does not automatically ensure that identity decisions are continuously verified or that standing access is removed.
  • Standing Privilege: Access that remains available after the moment it was first granted, without needing a fresh business or security justification. For non-human identities, standing privilege is especially risky because credentials can be reused at machine speed and often outlive the context that created them.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Zero Trust vs. Defense-In-Depth: What's the Difference? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org