TL;DR: According to Axiad, CISA’s zero-trust maturity model highlights that perimeter security alone cannot address hybrid and cloud-based access risk, and the White House OMB memo pushes agencies and contractors toward stronger authentication, authorization, and ongoing assessment. The practical shift is that identity governance, not just network defense, becomes the control plane for access decisions.
NHIMG editorial — based on content published by Axiad: CISA Zero-trust Maturity Model takeaways from the White House OMB memo
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should security teams implement zero trust in hybrid environments?
A: Start by making identity policy the primary access decision point and use the network only for containment and monitoring.
Q: Why do hybrid environments weaken perimeter-based security models?
A: Because users, workloads, and contractors no longer live behind a single stable boundary.
Q: How do organisations know if zero trust is actually working?
A: They should look for continuous verification, policy-enforced access changes, and rapid revocation when context changes.
Practitioner guidance
- Define zero-trust maturity targets for identity controls: map authentication, authorisation, device trust, and revocation processes to the CISA maturity stages so teams can see where policy is still implicit rather than enforced.
- Separate perimeter containment from access decisioning: keep firewalls and segmentation as containment layers, but move access approval, session validation, and revocation into identity policy and control workflows.
- Inventory hybrid identities and delegated access paths: identify users, contractors, service accounts, and federated sessions that cross cloud and on-premises boundaries, then assign a single control owner for each trust point.
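The three guidance items above, as an added illustration that is not code from the Axiad post or the NHIMG editorial: a small Python policy decision point that ignores network location, denies access through any trust point without a single control owner, steps up authentication by resource sensitivity, and revokes a session when its trust context changes. The trust-point kinds, the policy table and the event names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # stronger authenticator required before access is granted
    DENY = "deny"

@dataclass
class TrustPoint:
    name: str                     # a delegated access path crossing a cloud/on-prem boundary
    kind: str                     # "user" | "contractor" | "service_account" | "federated"
    control_owner: Optional[str]  # exactly one accountable owner; None is a governance gap

@dataclass
class Session:
    subject: str
    trust_point: TrustPoint
    auth_strength: str   # "password" | "mfa" | "phishing_resistant"
    device_trusted: bool
    network_zone: str    # recorded for containment/monitoring only; never used to decide
    revoked: bool = False

# Assumed policy table: minimum authenticator strength per resource sensitivity.
MIN_AUTH = {"low": "password", "medium": "mfa", "high": "phishing_resistant"}
RANK = {"password": 0, "mfa": 1, "phishing_resistant": 2}
REVOKING_EVENTS = {"device_compliance_lost", "federation_assertion_expired", "owner_offboarded"}

def decide(session: Session, sensitivity: str) -> Decision:
    """Identity policy is the access decision point; network_zone is deliberately ignored."""
    if session.revoked or session.trust_point.control_owner is None:
        return Decision.DENY  # no owner means no enforceable policy, so no access
    if not session.device_trusted and sensitivity != "low":
        return Decision.DENY
    if RANK[session.auth_strength] < RANK[MIN_AUTH[sensitivity]]:
        return Decision.STEP_UP
    return Decision.ALLOW

def on_context_change(session: Session, event: str, sensitivity: str) -> Decision:
    """Continuous verification: re-evaluate, and revoke when the trust context degrades."""
    if event in REVOKING_EVENTS:
        session.revoked = True
    return decide(session, sensitivity)

def ownership_gaps(inventory: List[TrustPoint]) -> List[str]:
    """Inventory check: every cross-boundary trust point needs a single control owner."""
    return [tp.name for tp in inventory if tp.control_owner is None]
```

Note that a session arriving from the on-premises zone gets exactly the same treatment as one from the cloud: location is logged for containment, but only identity context changes the decision.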
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- How Axiad maps the White House OMB memo to practical authentication changes for federal and contractor environments
- The article's explanation of why zero trust and perimeter security are complementary rather than competing controls
- The specific way Axiad positions authentication service design inside the CISA zero-trust maturity model
- The source's discussion of compliance expectations for organisations working with the public sector
👉 Read Axiad’s analysis of the CISA zero-trust maturity model and OMB memo →
CISA zero-trust maturity model: what identity teams need to change?
Explore further
Identity controls, not perimeter controls, are the real enforcement point in zero trust. The article correctly treats perimeter security as compatible with zero trust, but that only works when identity policy decides access and the network merely contains risk. In hybrid estates, trust must be evaluated at the identity layer because network location no longer tells you whether access is legitimate. Practitioners should treat identity governance as the operational centre of zero trust.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- That same research found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when zero-trust maturity fails in a contractor environment?
A: Accountability should sit with the organisation that owns the access policy and the delegated trust relationship, not just the team operating the perimeter tools. In practice, contractor access needs the same governance, logging, and review discipline as internal access.
👉 Read our full editorial: CISA zero-trust maturity pushes identity controls beyond the perimeter