TL;DR: A $11.6 million net present value and a payback period of under six months over three years were reported in Forrester’s TEI study of AppGate ZTNA, with identity-centric segmentation also reducing lateral movement and administrative overhead, according to Appgate. The larger signal is that zero trust access decisions now hinge on control of the connection path, not just policy intent.
NHIMG editorial — based on content published by Appgate: the Forrester TEI study of AppGate ZTNA
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams evaluate direct-routed ZTNA for Zero Trust access?
A: Security teams should evaluate direct-routed ZTNA by checking whether it narrows the access path as well as the application entitlement.
Q: Why do identity-centric access models matter when lateral movement is the main risk?
A: Identity-centric access models matter because most compromise paths become dangerous after authentication succeeds.
Q: What do organisations get wrong about Zero Trust network access in practice?
A: Organisations often treat Zero Trust Network Access as a connectivity project instead of a containment project.
Practitioner guidance
- Audit session path exposure Map where authenticated users still traverse shared relays, hub-and-spoke backhaul, or broad internal segments before reaching applications.
- Test lateral movement containment Run controlled breach simulations to see how far a valid session can move after access is granted.
- Review identity and network control ownership Assign clear owners for entitlement policy, session enforcement, and routing architecture so no team assumes another layer is handling containment.
What's in the full report
Appgate's full study covers the operational detail this post intentionally leaves for the source:
- The underlying Forrester TEI methodology used to calculate NPV, payback, and risk-adjusted value.
- The specific cost and productivity categories that contributed to the six-month payback result.
- The customer interview excerpts that explain why direct-routed connectivity was preferred over cloud-routed alternatives.
- The performance and administrative efficiency assumptions behind the composite organisation model.
👉 Read Appgate's analysis of the Forrester TEI study on direct-routed ZTNA →
Direct-routed ZTNA: what it means for IAM and Zero Trust teams?
Explore further
Identity-centric access is becoming a routing and governance problem, not just a login problem. The study’s real signal is that Zero Trust access is judged by how tightly it binds identity, session, and path control together. If users can authenticate but still traverse broad intermediary layers, the access model remains more permissive than most boards assume. Practitioners should treat routing architecture as part of the identity control surface.
A question worth separating out:
Q: Who is accountable when access architecture still permits excessive internal reach?
A: Accountability usually sits across IAM, network, and platform teams, but the failure is architectural rather than procedural. If internal reach remains excessive, ownership must cover entitlement design, segmentation, and enforcement together. Zero Trust frameworks require that access decisions and containment controls are aligned, not handed off between silos.
👉 Read our full editorial: Identity-centric ZTNA and what Forrester’s TEI study changes