Midmarket security stack strain and zero trust access gaps


(@nhi-mgmt-group)
Member Moderator
Topic starter  

TL;DR: Midmarket security teams are growing budgets but still face fragmented stacks, manual exposure tracking, and week-long visibility gaps, according to Pomerium’s analysis of Intruder survey data from more than 500 senior decision-makers. The structural problem is architectural, not resource scarcity: continuous verification and identity-aware access matter more than adding another tool.

NHIMG editorial — based on content published by Pomerium: Midmarket security teams deserve better than enterprise hand-me-downs

By the numbers:

Questions worth separating out

Q: How should security teams reduce access risk when their stack is already fragmented?

A: Security teams should reduce access risk by consolidating trust decisions at the application layer instead of layering more tools on top of a fragmented stack.

Q: Why do midmarket teams struggle with enterprise access platforms?

A: Midmarket teams often struggle because enterprise access platforms assume more staff, more integration work, and more tolerance for operational overhead than lean teams can support.

Q: How can organisations tell whether their access controls are actually working?

A: Organisations can tell access controls are working when they can answer who has access, to what, under which conditions, and how quickly they can verify that answer after a change or exposure event.

Practitioner guidance

  • Replace broad network trust with request-level policy: put internal applications behind an identity-aware reverse proxy so every request is checked against identity, device posture, group membership, and context before access is granted.
  • Consolidate fragmented access controls into one policy layer: map where VPN access, application logins, and manual approvals overlap, then remove duplicate pathways that force teams to maintain separate trust decisions for the same resource.
  • Version-control access policy changes: treat access rules as code so changes are reviewed, auditable, and repeatable rather than buried in ad hoc administrative work.
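The three points above (request-level checks in front of the application, one policy layer, rules kept as reviewable data) and the earlier question of how to tell whether controls work are easier to reason about in code. The following is an added illustration written for this post; it is not Pomerium's code and does not use Pomerium's policy language. The route hostnames, rule fields and sample requests are constructed assumptions. Each request is evaluated against identity, group membership, device posture and HTTP method, unknown routes and unknown posture fail closed, and `explain()` answers "who has access, to what, under which conditions" from the policy alone.

```python
"""Request-level, identity-aware access policy in front of internal apps.
Added example for this post, not Pomerium's code. Policy is plain data so
it can live in version control and be diffed in review."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: one rule list per protected route (hostnames are
# hypothetical). A request to a route with no rule, or matching no rule,
# is denied: default deny is what makes "consolidate into one layer" safe.
POLICY = {
    "https://wiki.internal.example.com": [
        {"name": "staff-read", "domain": "example.com", "groups": {"staff"},
         "device_trusted": False, "methods": {"GET", "HEAD"}},
    ],
    "https://admin.internal.example.com": [
        {"name": "admins-from-managed-devices", "domain": "example.com",
         "groups": {"platform-admins"}, "device_trusted": True,
         "methods": {"GET", "POST", "PUT", "DELETE"}},
    ],
}


@dataclass
class Request:
    route: str
    method: str
    email: Optional[str]               # None = unauthenticated
    groups: set = field(default_factory=set)
    device_trusted: Optional[bool] = None  # None = posture unknown


@dataclass
class Decision:
    allow: bool
    reason: str


def _rule_denies(rule: dict, req: Request) -> Optional[str]:
    """Return why the rule rejects the request, or None if every condition
    holds. Missing facts (no identity, unknown posture) fail closed."""
    if not req.email or "@" not in req.email:
        return "unauthenticated"
    if req.email.rsplit("@", 1)[1] != rule["domain"]:
        return "identity domain mismatch"
    if not (rule["groups"] & req.groups):     # any listed group suffices
        return "not in required group"
    if rule["device_trusted"] and req.device_trusted is not True:
        return "device posture not verified"
    if req.method not in rule["methods"]:
        return "method not allowed"
    return None


def evaluate(req: Request, policy: dict = POLICY) -> Decision:
    """Per-request decision the proxy makes before forwarding upstream."""
    rules = policy.get(req.route)
    if not rules:
        return Decision(False, "no policy for route (default deny)")
    reasons = []
    for rule in rules:
        why = _rule_denies(rule, req)
        if why is None:
            return Decision(True, f"allowed by rule {rule['name']}")
        reasons.append(f"{rule['name']}: {why}")
    return Decision(False, "; ".join(reasons))


def explain(route: str, policy: dict = POLICY) -> list:
    """Answer 'who has access, to what, under which conditions' from the
    policy data, without querying each application."""
    return [
        {"route": route, "rule": r["name"],
         "who": f"*@{r['domain']} in {sorted(r['groups'])}",
         "conditions": {"device_trusted": r["device_trusted"],
                        "methods": sorted(r["methods"])}}
        for r in policy.get(route, [])
    ]


if __name__ == "__main__":
    admin = "https://admin.internal.example.com"
    print(evaluate(Request(admin, "POST", "ana@example.com",
                           {"platform-admins"}, True)))
    print(evaluate(Request(admin, "POST", "ana@example.com",
                           {"platform-admins"}, None)))
    print(explain(admin))
```

Because the policy is a data structure rather than a set of per-application settings, a change to it is a diff that a second person can review, and the answer to "who can reach the admin route right now" is a function call rather than a week of ticket archaeology.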

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • A practical explanation of how the reverse proxy enforces browser-based access without client software.
  • The article’s discussion of policy-as-code for access decisions and why that matters for auditability.
  • The MCP-related access model for AI agents that need verified identities and scoped permissions.
  • The comparison between replacing fragmented controls and adding yet another point solution.

👉 Read Pomerium’s analysis of midmarket access architecture and zero trust gaps →

