Identity-centric zero trust: are governance and enforcement aligned?

TL;DR: Identity-centric Zero Trust still breaks down when governance decisions are not enforced at session start, and the Saviynt-Zscaler partnership is aimed at closing that gap by combining just-in-time access, inline policy enforcement, and privileged lifecycle visibility, according to Saviynt. The real issue is not whether access is approved, but whether ephemeral privileges can be made to expire as designed before standing privilege becomes the default.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

Questions worth separating out

Q: How should security teams enforce just-in-time access in Zero Trust environments?

A: Security teams should enforce just-in-time access by binding approval, context validation, and session start enforcement to the same control flow.

Q: Why do standing privileges undermine Zero Trust programmes?

A: Standing privileges undermine Zero Trust because they allow access to exist before it is needed and continue after the work is complete.

Q: What do security teams get wrong about third-party access governance?

A: Teams often treat third-party access as an onboarding issue instead of a lifecycle issue.

Practitioner guidance

• Map decision points to enforcement points Identify where access is approved, where it is validated, and where it is actually enforced.
• Replace standing privilege with task-scoped access Define entitlement windows for privileged work and ensure they end automatically when the task completes.
• Tighten third-party offboarding controls Require explicit expiration and revocation for every external identity, including delegated access used for support or integration.

What's in the full announcement

Saviynt's full press release covers the operational detail this post intentionally leaves for the source:

• The exact integration model for aligning identity governance with session-start enforcement across privileged access flows.
• The specific ways the partnership positions just-in-time access for users, applications, and infrastructure.
• The vendor's own description of how third-party access, expiration, and audit visibility are expected to work.
• The funding and partnership context behind the collaboration, including the named investors involved.

👉 Read Saviynt's statement on its expanded partnership with Zscaler →

Identity-centric zero trust: are governance and enforcement aligned?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →