TL;DR: SaaS, remote work, and shared applications expand the attack surface while zero trust helps reduce reliance on implicit trust, according to Axiad. The core issue is not the slogan but whether identity, access, and visibility controls can actually enforce least privilege across fast-changing SaaS environments.
NHIMG editorial — based on content published by Axiad: Do You Need a Zero-Trust SaaS?
By the numbers:
- 97% of non-human identities (NHIs) carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams implement zero trust for SaaS applications?
A: Start with an inventory of every identity and access path, then enforce least privilege through conditional access, entitlement review, and session-based controls.
Q: Why do SaaS environments make zero trust harder to enforce?
A: SaaS makes zero trust harder because access is distributed across many apps, identities, and integrations, while the data needed to govern that access is often fragmented.
Q: What breaks when organisations only strengthen sign-in and ignore authorization?
A: They improve the front door while leaving the inside of the building unsecured.
Practitioner guidance
- Inventory all SaaS identities and access paths: map users, service accounts, API keys, tokens, and delegated integrations to each SaaS application so the team can see who or what can access what.
- Tie passwordless rollout to entitlement cleanup: do not treat passwordless authentication as a standalone fix.
- Re-certify high-risk SaaS access on a shorter cycle: prioritise apps with sensitive data, external collaboration, or privileged integrations for more frequent access reviews.
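The answer above (inventory every identity and access path, then enforce least privilege) and the three guidance items together describe one procedure. The script below is an added illustration written for this editorial, not code from Axiad or from the source article; it runs against a small constructed inventory (the records, app names, scope names and risk tags are all invented) and shows what a team gets once the access graph exists: which identities hold granted-but-unused scopes, which non-human identities have no owner, and which entries are overdue for re-certification because their app carries a risk tag and therefore sits on the shorter 30-day cycle (90 days otherwise; both cycle lengths are assumptions for the example).

```python
from datetime import date, timedelta

# Constructed sample inventory (invented data): one record per identity/app pair.
# "granted" is the scope set the app reports; "used" is what access logs showed
# in the review window; "owner" is None when nobody is accountable for the identity.
INVENTORY = [
    {"id": "alice@example.com", "kind": "user", "app": "crm",
     "granted": {"read", "export"}, "used": {"read"},
     "owner": "alice@example.com", "last_review": date(2024, 1, 10)},
    {"id": "svc-crm-sync", "kind": "service_account", "app": "crm",
     "granted": {"read", "write", "admin"}, "used": {"read", "write"},
     "owner": None, "last_review": date(2023, 6, 1)},
    {"id": "key-ci-deploy", "kind": "api_key", "app": "ci",
     "granted": {"deploy"}, "used": {"deploy"},
     "owner": "platform-team", "last_review": date(2024, 3, 1)},
    {"id": "slack-to-docs", "kind": "oauth_integration", "app": "docs",
     "granted": {"read", "share_external"}, "used": set(),
     "owner": "it-ops", "last_review": date(2024, 2, 15)},
    {"id": "bob@example.com", "kind": "user", "app": "wiki",
     "granted": {"read"}, "used": {"read"},
     "owner": "bob@example.com", "last_review": date(2024, 1, 20)},
]

# Constructed app catalogue: risk tags that push an app onto the shorter review cycle.
APP_RISK = {
    "crm": {"sensitive_data"},
    "docs": {"external_collab", "sensitive_data"},
    "ci": {"privileged_integration"},
    "wiki": set(),
}

NHI_KINDS = {"service_account", "api_key", "oauth_integration"}
HIGH_RISK_CYCLE_DAYS = 30   # assumed cycle for tagged apps
DEFAULT_CYCLE_DAYS = 90     # assumed cycle for everything else


def build_access_graph(inventory):
    """Return (identity -> apps, app -> identities): the access graph the page says
    must exist before anything can be governed, certified or contained."""
    by_identity, by_app = {}, {}
    for rec in inventory:
        by_identity.setdefault(rec["id"], set()).add(rec["app"])
        by_app.setdefault(rec["app"], set()).add(rec["id"])
    return by_identity, by_app


def excessive_privileges(inventory):
    """Granted scopes with no observed use; each is a least-privilege removal candidate."""
    return {rec["id"]: rec["granted"] - rec["used"]
            for rec in inventory if rec["granted"] - rec["used"]}


def unowned_nhis(inventory):
    """Non-human identities with no accountable owner cannot be reviewed or cleaned up."""
    return sorted(r["id"] for r in inventory
                  if r["kind"] in NHI_KINDS and not r["owner"])


def recert_cycle_days(app):
    """Any risk tag (sensitive data, external collaboration, privileged integration)
    puts the app on the shorter re-certification cycle."""
    return HIGH_RISK_CYCLE_DAYS if APP_RISK.get(app) else DEFAULT_CYCLE_DAYS


def overdue_reviews(inventory, today):
    """Entries whose last review is older than their app's cycle, with days overdue."""
    overdue = []
    for rec in inventory:
        due = rec["last_review"] + timedelta(days=recert_cycle_days(rec["app"]))
        if due < today:
            overdue.append((rec["id"], rec["app"], (today - due).days))
    return overdue


def report(inventory, today):
    """One structured summary a review owner could hand to app owners."""
    _, by_app = build_access_graph(inventory)
    return {
        "identities_per_app": {app: sorted(ids) for app, ids in by_app.items()},
        "excessive_privileges": excessive_privileges(inventory),
        "unowned_nhis": unowned_nhis(inventory),
        "overdue_reviews": overdue_reviews(inventory, today),
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY, date(2024, 4, 1)).items():
        print(f"{key}: {value}")
```

In a real estate the inventory would be assembled from each SaaS provider's admin or SCIM API and the identity provider, and "used" from access logs; the point of the example is that the checks themselves are simple once that data is in one place, which is why the page frames the problem as visibility before policy.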
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical explanation of zero-trust SaaS design choices across authentication, authorization, and application access.
- Passwordless authentication flow examples for teams modernising user sign-in without abandoning access governance.
- Discussion of the implementation challenges Axiad identifies for SaaS environments, including visibility and enforcement gaps.
👉 Read Axiad's article on zero trust for SaaS and identity controls →
Zero-trust SaaS: are your identity controls keeping up?
Explore further
Zero trust in SaaS fails first as a visibility problem, not a policy problem. Organisations often talk about zero trust as if the main issue is choosing the right control set. In practice, the harder failure is knowing what identities, sessions, and application permissions exist across a SaaS estate that changes daily. If the security team cannot see the access graph, it cannot govern it, certify it, or contain it with confidence.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams are governing blind spots rather than complete identity inventories.
A question worth separating out:
Q: What is the difference between passwordless authentication and zero trust?
A: Passwordless authentication is a sign-in method. Zero trust is an operating model that decides whether an identity should continue to have access based on context, privilege, and policy. Passwordless can support zero trust, but it does not replace access governance or lifecycle control.
👉 Read our full editorial: Zero trust for SaaS: the identity controls teams still miss