TL;DR: Zero Trust and defense in depth solve different parts of the access problem, but Zero Trust’s continuous verification model better fits identity governance in environments with machine identities, distributed access, and internal risk, according to Axiad. The practical issue is not choosing a slogan, but deciding which controls actually reduce standing trust and lateral movement.
NHIMG editorial — based on content published by Axiad: Zero Trust vs. Defense-In-Depth: What's the Difference?
Questions worth separating out
Q: How should security teams decide between Zero Trust and defense in depth?
A: Choose Zero Trust when the main problem is implicit trust across users, devices, service accounts, or workloads.
Q: Why does Zero Trust matter for non-human identities?
A: Non-human identities often hold standing credentials and broad privileges that can be reused outside the moment they were issued.
Q: What do teams get wrong about defense in depth?
A: Teams often mistake multiple controls for coordinated control.
Practitioner guidance
- Inventory access paths by identity type: separate human users, service accounts, API keys, and workload identities so you can see where verification is one-time versus continuous.
- Identify standing trust assumptions: review where access remains valid after the original authentication event, especially in remote admin, cloud, and SaaS pathways.
- Align PAM with continuous verification: ensure privileged access is rechecked at session start and during use, rather than relying on a single approval gate.
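One way to turn the three steps above into a repeatable check, as an added example (not code from Axiad or NHIMG): a constructed inventory of access paths is tallied by identity type and verification mode, then scanned for access that outlives its authentication event and for privileged access that is never rechecked during use. The record fields, the 8-hour standing-access threshold, and the sample identities are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inventory record for this example; the field names are an
# assumption, not any product's or standard's schema.
@dataclass(frozen=True)
class AccessPath:
    identity: str
    kind: str                      # "human", "service_account", "api_key" or "workload"
    verification: str              # "one_time" (checked at issue) or "continuous" (rechecked in use)
    issued: datetime               # when the credential or session was granted
    lifetime: Optional[timedelta]  # None means the credential never expires
    privileged: bool               # admin-level rights on the target

def verification_by_kind(paths):
    """Step 1: count one-time versus continuous verification per identity type."""
    return Counter((p.kind, p.verification) for p in paths)

def standing_trust_findings(paths, now, max_standing=timedelta(hours=8)):
    """Steps 2 and 3: flag access that stays valid long after the
    authentication event, and privileged access not rechecked in use."""
    findings = []
    for p in paths:
        expires = None if p.lifetime is None else p.issued + p.lifetime
        if p.verification == "one_time":
            if expires is None:
                findings.append((p.identity, "standing trust: credential never expires"))
            elif expires - now > max_standing:
                days = (expires - now).days
                findings.append((p.identity, f"standing trust: valid for {days} more days"))
        if p.privileged and p.verification != "continuous":
            findings.append((p.identity, "privileged access not rechecked during use"))
    return findings

# Constructed sample inventory: one path per identity type.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    AccessPath("alice@corp", "human", "continuous", NOW - timedelta(hours=1), timedelta(hours=8), True),
    AccessPath("deploy-bot", "service_account", "one_time", NOW - timedelta(days=400), None, True),
    AccessPath("ci-api-key", "api_key", "one_time", NOW - timedelta(days=30), timedelta(days=365), False),
    AccessPath("payments-pod", "workload", "continuous", NOW - timedelta(minutes=10), timedelta(minutes=15), False),
]

if __name__ == "__main__":
    print(verification_by_kind(SAMPLE))
    for identity, reason in standing_trust_findings(SAMPLE, NOW):
        print(f"{identity}: {reason}")
```

Feeding the function a real export (for example, a list of service accounts with their key creation dates) shows immediately which non-human identities still carry the standing credentials the editorial warns about.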
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- A breakdown of how Zero Trust authentication differs from layered perimeter controls in practical deployments.
- Axiad's discussion of implementation trade-offs, including user experience and operational complexity.
- Additional explanation of why large environments often struggle to coordinate multiple security layers.
- The source article's vendor framing around authentication model choice and adoption considerations.
👉 Read Axiad's comparison of Zero Trust and defense in depth for identity security →
Explore further
Zero Trust versus defense in depth: what should identity teams change?
Zero Trust is the more useful identity model when organisations need to govern access across human and machine identities. Defense in depth was built for a world where layers of protection could absorb a breach after the fact. That premise weakens when identities themselves are the access path, because service accounts, tokens, and sessions can be reused faster than layered controls can react. The practical conclusion is that identity governance now has to assume every access request can become an attack path.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own the move toward Zero Trust in an identity programme?
A: Identity, security architecture, and PAM teams should own it together, because the change affects authentication, authorisation, and session control. Zero Trust is not just a network project. It is a governance shift that changes how access is granted, reviewed, and revalidated across the estate.
👉 Read our full editorial: Zero Trust versus defense in depth in identity governance