TL;DR: Zero Trust identity applies continuous verification to every authentication and authorisation request, and enterprise surveys show 96 percent of organisations now prefer it over VPN while 65 percent plan to retire VPN within twelve months, according to eMudhra. Perimeter-based IAM is no longer the operating model security teams can rely on, because identity has become the trust boundary.
NHIMG editorial — based on content published by eMudhra: Zero Trust identity is replacing perimeter-based IAM
By the numbers:
- 96 percent of organisations now prefer Zero Trust to VPN.
- 65 percent plan to retire their VPN within twelve months.
Questions worth separating out
Q: How should security teams implement Zero Trust identity without relying on VPN trust?
A: Security teams should move access decisions to an identity-aware policy layer that evaluates context every time a request is made.
Q: Why do cloud and SaaS environments weaken perimeter-based IAM?
A: Cloud and SaaS environments weaken perimeter IAM because users, workloads, and APIs no longer sit behind a single trusted boundary.
Q: What breaks when machine identities are excluded from Zero Trust policy?
A: Zero Trust breaks when machine identities are excluded because service accounts and workloads often generate the highest-volume internal access.
Practitioner guidance
- Replace perimeter trust assumptions with identity-aware policy Map every access decision to a policy checkpoint that evaluates identity, device context, and resource sensitivity before granting access.
- Extend Zero Trust controls to workloads and service accounts Include non-human identities in the same authorisation and logging model used for human users, so service-to-service traffic is not excluded from continuous verification.
- Demand audit-ready policy evidence from IAM tooling Require logs that show why a decision was made, which context signals were evaluated, and what enforcement point allowed or denied the request.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- The five enforcement points the article expects buyers to demand from an IAM platform, including continuous verification and audit-ready evidence.
- The practical mapping of Zero Trust identity to NIST SP 800-207 policy engine, policy administrator, and policy enforcement point roles.
- The article's explanation of how unified policy should treat human access and non-human identity access under the same trust model.
- The specific role of eMudhra's SecurePass platform in the article's Zero Trust identity discussion.
👉 Read eMudhra's analysis of Zero Trust identity and IAM enforcement points →
Zero Trust identity and IAM: what changes for practitioners?
Explore further
Perimeter-based IAM is now a broken trust assumption, not just an outdated deployment model. Cloud services, remote access, and machine-to-machine traffic have moved the control point away from the network edge. That means identity is carrying decisions the perimeter was never designed to make. Practitioners should treat network location as a weak signal, not a trust qualifier.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a direct warning sign for identity programmes that still rely on partial trust boundaries.
A question worth separating out:
Q: Who is accountable for enforcing Zero Trust across human and non-human identities?
A: IAM, security architecture, and platform owners are jointly accountable for enforcing Zero Trust across human and non-human identities. The control model spans authentication, authorisation, logging, and policy enforcement, so ownership cannot sit in a single tool team. Governance should make that responsibility explicit across the full identity lifecycle.
👉 Read our full editorial: Zero Trust identity is replacing perimeter-based IAM