TL;DR: Federal zero trust efforts are stalling because agencies cannot continuously govern privileged identities, legacy systems resist modern controls, and NHIs are multiplying faster than inventories and rotation processes can keep up, according to Delinea. The operational gap, not the policy gap, now determines whether zero trust becomes real.
NHIMG editorial — based on content published by Delinea: Federal zero trust: Turn stalled strategy into execution
By the numbers:
- The rapid growth of NHIs compounds the governance problem: service accounts, application credentials, machine-to-machine tokens, scheduled task credentials, and database connection strings outnumber human identities by at least 10 to 1 in most environments.
- Only 5.7% of organisations have full visibility into their service accounts.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams implement zero trust for non-human identities in federal environments?
A: Start with an inventory of all privileged NHIs, then assign owners, remove standing access where possible, and enforce short-lived credentials with automated rotation.
Q: Why do non-human identities complicate zero trust architectures?
A: NHIs complicate zero trust because they multiply faster than human identities, are often overprivileged, and are frequently ignored in access reviews.
Q: What breaks when privileged access is not continuously governed?
A: When privileged access is not continuously governed, standing privilege persists, dormant accounts remain usable, and the attack surface expands across human and machine identities.
Practitioner guidance
- Inventory every privileged identity: build a current register of human and non-human privileged accounts, including service accounts, scheduled tasks, tokens, and local admin paths.
- Wrap legacy systems with compensating controls: map systems that cannot support modern authentication or policy enforcement, then apply compensating controls such as tighter segmentation, narrower privileges, and monitored jump paths.
- Automate rotation and revocation for machine credentials: move NHIs onto explicit lifecycle processes for issuance, rotation, and offboarding.
The next funding cycle should favor inventory, ownership, and rotation capabilities before additional policy orchestration.
👉 Read Delinea's analysis of why federal zero trust is stalling on execution →
Explore further
Federal zero trust is collapsing at the point where identity governance meets operational reality. Policy can define the target state, but it cannot compensate for missing inventory, unmanaged machine credentials, or legacy systems that resist modern access patterns. Agencies that treat implementation as a documentation exercise will keep producing paper compliance without real control.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do organisations know if zero trust controls are actually working?
A: They know the controls are working when they can inventory privileged identities, prove access is time-bound, and show that rotation and revocation happen on schedule. A healthy programme also has few manual exceptions and low workflow friction, because recurring bypasses are a sign that policy and operations are out of sync.
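An added example, not code from Delinea or NHIMG, of the checks the practitioner guidance and the answer above describe: it audits a constructed NHI register for overdue rotation, missing owners, standing privilege, and leaked secrets still valid past the notification window. The rotation and revocation windows, account names, and dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Recommended rotation windows per credential kind. These are assumed policy
# values for the example, not figures from the page.
ROTATION_SLA_DAYS = {"service_account": 90, "api_token": 30,
                     "db_connection_string": 90, "scheduled_task": 90}
REVOCATION_SLA_DAYS = 5  # a leaked secret should be dead within five days of notification

@dataclass
class NHI:
    name: str
    kind: str
    owner: Optional[str]           # None = nobody accountable for this identity
    last_rotated: date
    standing_access: bool = False  # permanent privilege instead of time-bound grants
    leak_notified: Optional[date] = None
    still_valid: bool = True

def audit(register: List[NHI], today: date) -> Dict[str, List[str]]:
    """Flag the operational gaps the editorial calls out: stale rotation,
    missing owners, standing privilege, and leaked secrets left valid."""
    findings = {"stale": [], "ownerless": [], "standing": [], "unrevoked": []}
    for nhi in register:
        if (today - nhi.last_rotated).days > ROTATION_SLA_DAYS.get(nhi.kind, 90):
            findings["stale"].append(nhi.name)
        if not nhi.owner:
            findings["ownerless"].append(nhi.name)
        if nhi.standing_access:
            findings["standing"].append(nhi.name)
        if (nhi.leak_notified and nhi.still_valid
                and (today - nhi.leak_notified).days > REVOCATION_SLA_DAYS):
            findings["unrevoked"].append(nhi.name)
    return findings

def stale_ratio(register: List[NHI], today: date) -> float:
    """Share of NHIs outside their rotation window (the metric behind the 71% figure)."""
    return len(audit(register, today)["stale"]) / len(register) if register else 0.0

# Constructed sample register; names and dates are made up for the example.
REGISTER = [
    NHI("svc-backup", "service_account", "platform-team", date(2024, 1, 10), standing_access=True),
    NHI("ci-deploy-token", "api_token", None, date(2024, 5, 1)),
    NHI("db-reporting-dsn", "db_connection_string", "data-team", date(2024, 5, 20)),
    NHI("nightly-etl-task", "scheduled_task", "data-team", date(2024, 3, 1),
        leak_notified=date(2024, 5, 22)),
    NHI("svc-monitor", "service_account", "ops", date(2024, 5, 25)),
]
AS_OF = date(2024, 6, 1)  # audit date for the constructed register
```

Running `audit(REGISTER, AS_OF)` reports three stale credentials (60% of the register), one ownerless token, one standing-access service account, and one leaked scheduled-task credential still valid ten days after notification.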
👉 Read our full editorial: Federal zero trust execution is stalling on NHI governance gaps