TL;DR: Midmarket security teams are growing budgets but still face fragmented stacks, manual exposure tracking, and week-long visibility gaps, according to Pomerium’s analysis of Intruder survey data from more than 500 senior decision-makers. The structural problem is architectural, not resource scarcity: continuous verification and identity-aware access matter more than adding another tool.
NHIMG editorial — based on content published by Pomerium: Midmarket security teams deserve better than enterprise hand-me-downs
By the numbers:
- 94% of leaders express confidence in their ability to catch critical risks before attackers exploit them.
- 50% say it would take approximately a week to assess their exposure to a critical zero-day.
- 44% of teams describe their security stack as either outgrown or fragmented.
Questions worth separating out
Q: How should security teams reduce access risk when their stack is already fragmented?
A: Security teams should reduce access risk by consolidating trust decisions at the application layer instead of layering more tools on top of a fragmented stack.
Q: Why do midmarket teams struggle with enterprise access platforms?
A: Midmarket teams often struggle because enterprise access platforms assume more staff, more integration work, and more tolerance for operational overhead than lean teams can support.
Q: How can organisations tell whether their access controls are actually working?
A: Organisations can tell access controls are working when they can answer who has access, to what, under which conditions, and how quickly they can verify that answer after a change or exposure event.
Practitioner guidance
- Replace broad network trust with request-level policy: put internal applications behind an identity-aware reverse proxy so every request is checked against identity, device posture, group membership, and context before access is granted.
- Consolidate fragmented access controls into one policy layer: map where VPN access, application logins, and manual approvals overlap, then remove duplicate pathways that force teams to maintain separate trust decisions for the same resource.
- Version-control access policy changes: treat access rules as code so changes are reviewed, auditable, and repeatable rather than buried in ad hoc administrative work.
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- A practical explanation of how the reverse proxy enforces browser-based access without client software.
- The article’s discussion of policy-as-code for access decisions and why that matters for auditability.
- The MCP-related access model for AI agents that need verified identities and scoped permissions.
- The comparison between replacing fragmented controls and adding yet another point solution.
👉 Read Pomerium’s analysis of midmarket access architecture and zero trust gaps →
Midmarket security stack strain and zero trust access gaps?
Explore further
Midmarket security is experiencing an access architecture mismatch, not simply a tooling shortage. The report shows that budgets are rising while visibility and response remain slow, which means the operating model is out of step with the team size. Enterprise hand-me-downs tend to assume more staff, more orchestration, and more tolerance for integration overhead than midmarket teams can sustain. Practitioners should read this as an architectural warning, not a procurement problem.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: What should security teams do when AI agents start accessing internal systems?
A: Security teams should place AI agents under the same identity and policy discipline used for humans, but with tighter scoping and explicit audit trails. Agents that query data or call APIs need request-level authorization, logged actions, and clear delegation boundaries. Treating them as unmanaged automation creates a new access class outside governance.
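The practitioner guidance above (request-level policy at an identity-aware proxy, one consolidated policy layer, policy as code) and this answer on AI agents describe the same control from two sides. The Python below is an added example, not Pomerium's code or its policy language: a deny-by-default evaluator that reads a version-controllable policy structure, checks human requests against group and device-posture claims, and holds delegated agent requests to a narrower boundary (registered identity, bounded lifetime, no re-delegation, scopes capped both by the route and by what the delegating user could do directly). Every route, group, agent name and sample request is constructed for the example; the POLICY schema and the REGISTERED_AGENTS registry are hypothetical.

```python
"""Request-level access policy for an identity-aware proxy, extended to
delegated AI-agent principals.  Added illustration only: not Pomerium's code
or policy language; all routes, groups, agents and requests are constructed."""
from dataclasses import dataclass
from typing import Optional
import time

# Policy as code (hypothetical schema): one reviewable entry per route, kept in
# version control, the single place where trust decisions for that route live.
POLICY = {
    "https://finance.internal/reports": {
        "resource": "reports",
        "allow_groups": {"finance", "audit"},
        "allowed_methods": {"GET"},
        "agent_scopes": {"reports:read"},   # the most any agent may do here
    },
    "https://admin.internal/users": {
        "resource": "users",
        "allow_groups": {"it-admins"},
        "allowed_methods": {"GET", "POST"},
        "agent_scopes": set(),              # agents never reach this route
    },
}
REGISTERED_AGENTS = {"report-summarizer"}  # workload identities verified upstream
AUDIT_LOG = []                             # every decision, allow or deny


@dataclass
class Request:
    route: str
    method: str
    subject: str                        # human user or agent identifier
    groups: frozenset = frozenset()     # IdP group claims (humans)
    device_compliant: bool = False      # device posture signal (humans)
    delegation: Optional[dict] = None   # set when an agent acts for a user


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request, now: Optional[float] = None) -> Decision:
    """Authorize one request; anything not explicitly allowed is denied."""
    now = time.time() if now is None else now
    rule = POLICY.get(req.route)
    if rule is None:
        decision = Decision(False, "no policy for route")
    elif req.method not in rule["allowed_methods"]:
        decision = Decision(False, f"method {req.method} not allowed on route")
    elif req.delegation is not None:
        decision = _check_agent(req, rule, now)
    else:
        decision = _check_human(req, rule)
    AUDIT_LOG.append({"subject": req.subject, "route": req.route,
                      "method": req.method, "allow": decision.allow,
                      "reason": decision.reason,
                      "on_behalf_of": (req.delegation or {}).get("on_behalf_of")})
    return decision


def _check_human(req: Request, rule: dict) -> Decision:
    if not req.device_compliant:
        return Decision(False, "device posture not compliant")
    if not (req.groups & rule["allow_groups"]):
        return Decision(False, "no group grants access to route")
    return Decision(True, "identity, group and device checks passed")


def _check_agent(req: Request, rule: dict, now: float) -> Decision:
    d = req.delegation
    if req.subject not in REGISTERED_AGENTS:
        return Decision(False, "unregistered agent identity")
    if now >= d["expires_at"]:
        return Decision(False, "delegation expired")
    if d.get("depth", 1) > 1:                      # no chains of re-delegation
        return Decision(False, "re-delegation not permitted")
    if not (frozenset(d["user_groups"]) & rule["allow_groups"]):
        return Decision(False, "delegating user lacks access to route")
    if not rule["agent_scopes"]:
        return Decision(False, "route does not admit delegated agents")
    requested = set(d["scopes"])
    if not requested <= rule["agent_scopes"]:      # capped by the route
        return Decision(False, "requested scope exceeds route's agent scopes")
    needed = f"{rule['resource']}:{'read' if req.method == 'GET' else 'write'}"
    if needed not in requested:                    # capped by the grant itself
        return Decision(False, f"operation {needed} not in delegated scope")
    return Decision(True, f"agent acting for {d['on_behalf_of']} within scope")


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed requests exercising each branch; returns decisions by label."""
    reports, admin = "https://finance.internal/reports", "https://admin.internal/users"
    alice = dict(groups=frozenset({"finance"}), device_compliant=True)
    dlg = {"on_behalf_of": "alice", "user_groups": {"finance"},
           "scopes": {"reports:read"}, "expires_at": now + 600, "depth": 1}
    cases = {
        "human_ok": Request(reports, "GET", "alice", **alice),
        "human_bad_device": Request(reports, "GET", "alice", groups=alice["groups"]),
        "agent_ok": Request(reports, "GET", "report-summarizer", delegation=dlg),
        "agent_wrong_route": Request(admin, "GET", "report-summarizer",
                                     delegation={**dlg, "user_groups": {"it-admins"}}),
        "agent_expired": Request(reports, "GET", "report-summarizer",
                                 delegation={**dlg, "expires_at": now - 1}),
        "unknown_agent": Request(reports, "GET", "rogue-bot", delegation=dlg),
        "no_policy": Request("https://wiki.internal/", "GET", "alice", **alice),
    }
    return {label: evaluate(r, now) for label, r in cases.items()}
```

The shape worth copying is not the dictionary but the ordering: route and method are resolved first, the agent branch can only narrow what the delegating human already holds, and the audit record is written for denials as well as allows, so "who has access, to what, under which conditions" is answerable from the policy file and the log rather than from memory.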
👉 Read our full editorial: Midmarket security teams need architecture, not enterprise hand-me-downs