TL;DR: Zero Trust 2025 is framed as an identity-first operating model built on continuous verification, least privilege, JIT elevation, machine identity hygiene, and ITDR, with a 30-day MVP and 90 to 120 day scale-out path, according to Unosecur. The hard part is not the architecture label but proving identity inventory, access governance, and detection can operate together without breaking legacy access paths.
NHIMG editorial — based on content published by Unosecur: Zero Trust 2025: A 30-day identity-first MVP you can launch
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams begin a 30-day Zero Trust MVP?
A: Start with identity discovery, then map who and what can reach critical systems, where privilege concentrates, and which controls already exist.
Q: Why do NHIs complicate Zero Trust implementations?
A: NHIs complicate Zero Trust because they often hold durable access, use long-lived secrets, and are poorly covered by the same review rhythms used for people.
Q: What breaks when standing privilege is left in place during Zero Trust programmes?
A: Standing privilege keeps the blast radius wide, even if authentication gets stronger.
Practitioner guidance
- Baseline identity inventory across every access domain Map human users, contractors, privileged accounts, NHIs, cloud roles, and SaaS entitlements before designing any Zero Trust control sequence.
- Convert persistent admin rights to task-scoped elevation Target the most over-permissioned roles first and replace daily admin access with JIT elevation bound to a specific action and strict expiry.
- Inventory and rotate machine credentials in parallel with user controls Treat service accounts, API keys, certificates, and static secrets as part of the same programme as MFA and access reviews.
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- A 30-day week-by-week MVP plan with day-level sequencing for discovery, authentication uplift, privilege reduction, and detection setup
- The starter KPI dashboard structure for coverage, reduction, speed, and automation with practical metric examples
- Specific guardrails for exception handling, fallback paths, and phased rollout decisions in mixed legacy environments
- Examples of ITDR remediation actions and the tuning approach used before expanding automation
👉 Read Unosecur's 30-day identity-first Zero Trust MVP plan →
Zero trust identity controls: what IAM teams need to fix first?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Identity-first Zero Trust works only when governance begins with the actor, not the perimeter. The article correctly treats identity as the first control plane because network-centric trust models do not survive cloud, SaaS, and machine-driven access patterns. That framing aligns with NIST SP 800-207 and the Zero Trust expectation that every request must be re-evaluated in context. Practitioners should read this as a governance reset, not a tooling refresh.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should be accountable for identity governance in a Zero Trust model?
A: Accountability should sit with the teams that own identity, access policy, and operational response together, not with infrastructure teams alone. IAM, PAM, NHI owners, and security operations all need defined responsibilities because Zero Trust fails when discovery, enforcement, and remediation are split across unrelated silos. Governance must be shared, but ownership cannot be vague.
👉 Read our full editorial: Zero trust 2025 needs identity-first controls, not perimeter reset