TL;DR: VPNs still create a broad trust zone after authentication, while zero trust continuously verifies users, devices, and policy conditions, according to Beyond Identity’s analysis. For IAM and NHI practitioners, the real shift is from network reachability to task-scoped access that limits blast radius and forces stronger identity checks.
At a glance
What this is: This is an editorial analysis of why VPN-centric access models no longer match modern zero trust and identity governance needs.
Why it matters: It matters because the same perimeter assumptions that weaken human access control also create poor controls for service accounts, API keys, and other NHIs.
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
👉 Read Beyond Identity's analysis of zero trust versus VPN access models
Context
VPNs were designed to extend network access, not to govern identity in a world of cloud services, remote work, and machine-to-machine access. Once a user is inside a VPN, the access model often remains too broad for modern least-privilege expectations, which is the same governance problem that appears when NHIs inherit standing trust.
Zero trust changes the question from whether someone connected to the network to whether they should keep access to a specific resource at that moment. For IAM teams, that shift matters because the same task-scoped logic must eventually apply to human users, service accounts, and agent identities. For background on the identity side of that model, see the Ultimate Guide to NHIs.
Key questions
Q: How should security teams replace VPN trust with zero trust access controls?
A: Start by defining access around the resource and the task, not the network location. Enforce continuous checks for identity, device posture, and policy compliance, then limit each session to the smallest set of actions needed. The goal is to make every access decision temporary, contextual, and revocable.
Q: Why do VPNs create risk for NHI governance?
A: VPNs often grant broad internal reach after a single authentication event, which is the opposite of least privilege. That makes them a poor fit for service accounts, API keys, and automated workflows that need narrowly scoped, time-bound access. NHI governance requires lifecycle control, not just connectivity control.
Q: What is the difference between zero trust and a traditional VPN model?
A: A VPN assumes the network tunnel is trustworthy once authentication succeeds. Zero trust assumes every request must be rechecked against identity, device, and policy context. For IAM teams, the practical difference is persistent network access versus continuously evaluated, resource-specific access.
Q: When should organisations re-evaluate their perimeter access model?
A: Re-evaluate it when cloud adoption, remote work, or machine identities make the network boundary less meaningful. If users or NHIs can reach sensitive resources after a single connection event, the model is already too broad. That is the point at which least-privilege governance needs to replace perimeter logic.
Technical breakdown
Why VPN perimeter trust breaks under zero trust assumptions
A VPN creates an encrypted tunnel into a trusted network segment, but it does not continuously reassess whether the user, device, or workload still deserves access. That model assumes the network boundary is the main control point. Zero trust replaces that assumption with continuous verification, policy checks, and resource-specific authorisation. In practice, the failure is not encryption. It is overbroad trust after authentication. For NHI governance, the same weakness appears when tokens or service accounts retain durable access long after their original purpose has expired.
Practical implication: Treat network entry as the start of control evaluation, not the end of it.
How continuous verification changes access decisions
Zero trust is not a single product category. It is an access model that combines identity, device posture, policy enforcement, and ongoing validation. A user or device can authenticate successfully and still be denied or downgraded if its security state does not meet policy. That is the architectural difference from VPN access, where the initial connection often grants too much standing reach. For NHIs, continuous verification translates into tighter credential scope, shorter-lived access, and stronger policy boundaries around automated systems.
Practical implication: Map every privileged path to a policy that can re-evaluate access in real time.
Why cloud policy engines matter for identity governance
When policy enforcement moves closer to cloud resources, security teams can separate access decisions from the old assumption that traffic must traverse the corporate network. This supports least privilege, micro-segmentation, and context-aware access decisions across distributed environments. It also exposes an operational reality: identity governance must account for where access is decided, not just who is authenticated. For NHIs, that means policy must follow the workload or agent across services, not stay anchored to a perimeter gateway.
Practical implication: Design controls so authorisation travels with the identity, wherever the resource lives.
Threat narrative
Attacker objective: The attacker wants to turn one authenticated session into broad internal access with minimal resistance.
- Entry occurs when an attacker compromises credentials that are trusted by a VPN and gains network access with excessive reach.
- Escalation follows when the perimeter model fails to question device posture, privilege scope, or whether the session still matches policy.
- Impact emerges as the attacker moves laterally inside the trusted zone and reaches sensitive systems that were never intended for broad access.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Perimeter trust is the wrong abstraction for both VPNs and NHIs. A VPN authenticates the session, but it does not sufficiently govern what happens after access is granted. NHIs create the same problem at machine speed, because service accounts and tokens often inherit persistent reach without a comparable verification loop. Practitioners should stop treating the network edge as the security boundary and start treating identity scope as the boundary.
Identity blast radius is the concept teams should measure next. The article is really about how much access remains after authentication succeeds. That same question applies to service accounts, API keys, and autonomous agents, which can move faster than human review cycles. If a compromise occurs, the blast radius is what determines whether the event stays contained or becomes systemic. Teams should measure and reduce identity blast radius directly.
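To make identity blast radius something a team can actually measure, here is an added example (not code from the post, Beyond Identity or NHI Mgmt Group) that models standing access as a graph and counts what one compromised principal can reach, including reach inherited through a flat VPN segment and through credentials stored on intermediate systems. The graph, node names and the "task_scope" rewrite are constructed for illustration.

```python
from collections import deque

# Constructed access graph for this example; not data from the post or any real environment.
# An edge A -> B means "whoever holds A can reach B": a direct entitlement, network reach granted
# by a perimeter gateway, or a credential for B that is stored on A (how NHIs inherit standing reach).
EDGES = {
    "alice":            {"corp-vpn"},                     # one authentication event opens the tunnel
    "corp-vpn":         {"file-share", "jump-host", "ci-runner", "billing-db"},  # flat segment
    "jump-host":        {"svc-deploy"},                   # deploy account's SSH key sits on the host
    "svc-deploy":       {"prod-cluster", "artifact-store"},
    "ci-runner":        {"api-key-payments"},             # CI secret readable to anyone on the runner
    "api-key-payments": {"payments-api"},
    "bob":              {"billing-db"},                   # already task-scoped: one resource, no tunnel
}
IDENTITIES = {"alice", "bob", "svc-deploy", "api-key-payments"}   # human and non-human principals
SEGMENTS = {"corp-vpn"}                                            # perimeter gateways / network zones

def blast_radius(start: str, edges: dict) -> set:
    """Every node reachable from a compromised principal by following standing access edges."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def resource_radius(start: str, edges: dict) -> set:
    """Blast radius restricted to systems, dropping the identities and segments traversed on the way."""
    return {n for n in blast_radius(start, edges) if n not in IDENTITIES and n not in SEGMENTS}

def rank_by_radius(edges: dict) -> list:
    """Identities ordered by how many systems a single compromise exposes: the access review queue."""
    return sorted(IDENTITIES, key=lambda i: (-len(resource_radius(i, edges)), i))

def task_scope(edges: dict, identity: str, needed: set) -> dict:
    """Replace an identity's standing reach with direct entitlements to only the resources it needs."""
    scoped = {k: set(v) for k, v in edges.items()}
    scoped[identity] = set(needed)
    return scoped
```

Scoping alice to billing-db shrinks her radius from seven systems to one, while svc-deploy's radius is unchanged because its key still sits on the jump host; that second number is the NHI lifecycle work the architecture change does not do for you.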
Zero trust validates the direction of travel, but it does not solve NHI sprawl by itself. Continuous verification, micro-segmentation, and policy-based access all help, yet they still require disciplined identity inventory, rotation, and revocation for non-human identities. Without that operational layer, the architecture remains easier to explain than to enforce. Practitioners should pair zero trust design with lifecycle control.
Remote work exposed a governance gap that agentic AI will widen. The same control failures that made VPNs inadequate for human users will reappear when agents and workloads operate independently across cloud services. Security teams should expect more frequent exceptions, more distributed trust decisions, and more pressure on identity governance processes. The practical answer is to move from session trust to continuous entitlement control.
Perimeter-era access models are now a liability for high-automation environments. As more business processes depend on APIs, service accounts, and agents, broad network access becomes harder to justify and easier to abuse. The right response is not simply to replace VPNs, but to rebuild access policy around purpose, duration, and verified context. Practitioners should govern access by task and lifecycle, not by tunnel.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- For the identity lifecycle angle, see Ultimate Guide to NHIs and align access review with revocation, rotation, and offboarding.
What this signals
Identity teams should expect perimeter controls to lose relevance as automation expands. The practical signal is that session trust will keep shrinking in value while lifecycle control grows in importance. That makes discovery, rotation, and revocation the operational centre of gravity for both human and non-human access.
Identity blast radius is now a programme metric, not a theoretical concern. With only 5.7% of organisations having full visibility into their service accounts, teams cannot reduce risk they cannot see. The next control improvement is to find every standing path and narrow it before it becomes an incident.
Zero trust programmes will stall if they stop at network architecture. The real work is to align policy, telemetry, and entitlement governance so that access can be continuously reconsidered. That is the difference between a conceptual framework and an operating model.
For practitioners
- Inventory all standing access paths: Document which users, service accounts, and workloads inherit broad network access through VPNs or similar perimeter controls. Prioritise the highest-privilege paths first, then remove any access that is not tied to a current business task.
- Shift to task-scoped authorisation: Require policy checks that grant only the resource needed for the current action, then re-evaluate access as context changes. This is especially important for admin sessions, cloud consoles, and automated identities that can act without human pause.
- Apply continuous device and identity checks: Use device posture, authentication strength, and session context as ongoing inputs, not one-time gates. If the context drifts, downgrade or revoke access instead of letting the session persist unchanged.
- Reduce NHI standing privilege: Shorten credential lifetime, rotate secrets on a defined schedule, and remove dormant service accounts before they become hidden entry points. Make revocation part of the access model, not a separate cleanup activity.
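The continuous verification described in the technical breakdown and in the four practitioner steps above, as an added example that is not code from the post, Beyond Identity or NHI Mgmt Group: a perimeter-style decision that allows everything once the tunnel is up, beside a per-request decision that rechecks task scope, device posture, session age, NHI credential rotation and authentication strength. The thresholds, the principal and context fields, and the scenario are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed policy thresholds for this example; not values from the post or any product.
MAX_NHI_CREDENTIAL_AGE = timedelta(days=90)  # rotation window for service accounts and API keys
MAX_SESSION = timedelta(hours=8)             # longest a session may persist without re-authentication
ADMIN_ACTIONS = {"write", "admin"}           # actions that require phishing-resistant authentication

@dataclass
class Principal:
    kind: str                   # "human" or "nhi"
    auth_strength: str          # "phishing_resistant" (FIDO2 / workload certificate), "mfa" or "password"
    credential_issued: datetime
    entitlements: dict          # resource -> set of actions the current task needs

@dataclass
class Context:
    now: datetime
    device_compliant: bool      # posture reported by an endpoint agent (assumed input)
    session_started: datetime

def vpn_decision(p: Principal, ctx: Context, resource: str, action: str) -> str:
    return "allow"  # perimeter model: once the tunnel is up, every reachable resource is allowed

def zero_trust_decision(p: Principal, ctx: Context, resource: str, action: str) -> str:
    """Continuous model: each request is rechecked for scope, posture, session age and lifecycle."""
    if action not in p.entitlements.get(resource, set()):
        return "deny:out_of_task_scope"
    if not ctx.device_compliant:
        return "deny:device_posture"
    if ctx.now - ctx.session_started > MAX_SESSION:
        return "deny:session_expired"
    if p.kind == "nhi" and ctx.now - p.credential_issued > MAX_NHI_CREDENTIAL_AGE:
        return "deny:credential_rotation_overdue"
    if action in ADMIN_ACTIONS and p.auth_strength != "phishing_resistant":
        return "step_up:phishing_resistant_auth_required"
    return "allow"

def compare_models(p: Principal, requests: list) -> list:
    """Returns (vpn_verdict, zero_trust_verdict) per request so the gap between the models is visible."""
    return [(vpn_decision(p, c, r, a), zero_trust_decision(p, c, r, a)) for c, r, a in requests]

# Constructed scenario: an MFA-authenticated engineer whose device drifts out of compliance mid-session.
T0 = datetime(2025, 8, 5, 9, 0)
ENGINEER = Principal("human", "mfa", T0, {"billing-db": {"read"}})
ENGINEER_SESSION = [
    (Context(T0, True, T0), "billing-db", "read"),                        # in scope, healthy device
    (Context(T0 + timedelta(hours=1), True, T0), "billing-db", "write"),  # outside the task scope
    (Context(T0 + timedelta(hours=2), False, T0), "billing-db", "read"),  # posture drifted
    (Context(T0 + timedelta(hours=9), True, T0), "billing-db", "read"),   # session outlived its window
]
```

Running compare_models(ENGINEER, ENGINEER_SESSION) returns "allow" four times for the perimeter model and allow, deny, deny, deny for the continuous one; the same function denies a service account whose key is older than the rotation window, which is the lifecycle control the post says zero trust needs alongside it.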
Key takeaways
- VPNs reduce transport exposure, but they do not solve the governance problem created by broad post-authentication access.
- The same least-privilege logic that improves human access control is essential for NHIs, especially where standing privilege and weak visibility persist.
- Security teams should treat zero trust as an access governance model and pair it with identity inventory, rotation, and revocation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | §2.1 | The post centres on moving from perimeter trust to continuous verification. |
| NIST CSF 2.0 | PR.AC-4 | Access management and least privilege are core to the article's control model. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and revocation of non-human credentials are critical to the governance gap. |
Use zero trust principles to rebind access decisions to identity, device, and context.
Key terms
- Zero Trust Architecture: A security model that does not assume trust based on network location or prior authentication. Access is continually evaluated using identity, device posture, policy, and context, which makes it better suited to cloud and distributed environments than perimeter-only controls.
- Non-Human Identity: A machine identity used by software rather than a person, including service accounts, API keys, tokens, certificates, and AI agents. NHIs often need access at scale and speed, which means their lifecycle, scope, and revocation must be governed more tightly than human accounts.
- Standing Privilege: Persistent access that remains in place after the moment it was granted. In identity programmes, standing privilege increases attack surface because compromise of one credential can expose many resources, especially when the identity is rarely reviewed, rotated, or revoked.
Deepen your knowledge
Zero trust architecture, identity scope, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are replacing perimeter access with task-scoped controls, it is worth exploring.
This post draws on content published by Beyond Identity: Zero Trust vs VPN: Is it time to ditch VPNs? Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org