Zero trust coverage gaps: what IAM teams are missing


(@nhi-mgmt-group)

TL;DR: 63% of organisations have started Zero Trust initiatives, yet those deployments often cover less than half of the environment, leaving blind spots in access, privilege, and compliance, according to JumpCloud. Partial rollout is now a governance problem, not just an architecture choice.

NHIMG editorial — based on content published by JumpCloud: Zero Trust is a go-to strategy for securing everything from on-prem infrastructure and cloud services to remote workers and SaaS apps

By the numbers:

Questions worth separating out

Q: What breaks when Zero Trust only covers part of the environment?

A: Partial coverage leaves unprotected paths for lateral movement, privileged access abuse, and audit blind spots.

Q: Why does partial Zero Trust create compliance risk?

A: Compliance depends on being able to prove that controls operate consistently across the environment.

Q: How can security teams tell whether Zero Trust is actually working?

A: They should test whether access decisions, logging, and privileged controls are enforced across all major paths, not only the easiest ones to instrument.

Practitioner guidance

  • Measure actual control coverage across the estate: Inventory which users, devices, applications, network segments, and privileged paths are genuinely covered by Zero Trust policies.
  • Prioritise privileged pathways that remain outside continuous verification: Review admin accounts, service access, and high-risk sessions that still rely on static trust or local exceptions.
  • Collapse disconnected policy stacks into a shared identity control model: Align access decisions, logging, and exception handling across IAM, PAM, and device trust so one gap does not undermine the rest of the architecture.

What's in the full article

JumpCloud's full post covers the operational detail this post intentionally leaves for the source:

  • A phased rollout model for extending Zero Trust beyond the first set of critical assets.
  • Specific guidance on where teams usually stall when expanding policy coverage across legacy and new systems.
  • Operational examples of how incomplete enforcement creates user friction and IT burden.
  • The article's own recommended progression from basics to optimisation and scale.

👉 Read JumpCloud's analysis of why partial Zero Trust leaves organisations exposed →
