TL;DR: The Smells Like Identity Hygiene episode with Marene Allison and SPHERE Technology Solutions argues that identity, not network perimeters, now determines security outcomes, especially as bots and AI agents join employees and machine accounts in accessing data. The central governance problem is that Zero Trust still fails when ownership, lifecycle control, and least privilege are not enforced across every identity type.
NHIMG editorial — based on content published by SPHERE Technology Solutions: Podcast highlights from Smells Like Identity Hygiene, Zero Trust and Cowboy Boots
Questions worth separating out
Q: How should security teams govern access when bots and AI agents act like non-human identities?
A: Security teams should classify bots and AI agents as governed identities, not as informal automation.
Q: Why do valid credentials still create risk in a Zero Trust model?
A: Valid credentials still create risk when the identity behind them is over-privileged, poorly owned, or no longer aligned to business need.
Q: What do teams get wrong when treating identity governance as an IT task?
A: They lose security accountability.
Practitioner guidance
- Inventory every identity that can touch data: build a single inventory covering employees, contractors, service accounts, bots, and AI agents.
- Assign named ownership before granting access: do not approve new access unless the identity has a documented owner who can approve changes, review exceptions, and confirm offboarding.
- Review orphaned and dormant access on a fixed cadence: prioritise accounts with no clear owner, no recent activity, or permissions that no longer match business use.
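The three guidance points above describe one review loop: a single inventory across identity types, an ownership gate before access is granted, and a periodic sweep that surfaces orphaned, dormant, and over-privileged accounts. The following script is an added example written for this recap, not code from SPHERE Technology Solutions or NHIMG. The inventory records, the 90-day dormancy threshold, and the `business_need` field (permissions a named owner has justified) are constructed assumptions; a real deployment would populate them from the identity provider, secrets store, and access-review tooling.

```python
"""Identity inventory review across human and non-human identities.

Added example for this recap (not from the SPHERE post). The sample
inventory and thresholds are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fixed review date so the sweep is reproducible offline (assumption).
TODAY = date(2025, 1, 15)
# Accounts idle longer than this are flagged as dormant (assumption).
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Identity:
    name: str
    kind: str                        # employee | contractor | service_account | bot | ai_agent
    owner: Optional[str]             # named owner who approves changes and confirms offboarding
    last_activity: Optional[date]    # None means never seen using its access
    permissions: set                 # what the identity can currently do
    business_need: set               # what its owner has justified (assumed field)


def can_grant_access(ident: Identity) -> bool:
    """Ownership gate: no documented owner, no new access."""
    return bool(ident.owner)


def review_identity(ident: Identity, today: date = TODAY,
                    dormant_after: timedelta = DORMANT_AFTER) -> list:
    """Return the findings for one identity (empty list means clean)."""
    findings = []
    if not ident.owner:
        findings.append("no_owner")
    if ident.last_activity is None or today - ident.last_activity > dormant_after:
        findings.append("dormant")
    excess = ident.permissions - ident.business_need
    if excess:
        findings.append("over_privileged:" + ",".join(sorted(excess)))
    return findings


def review_inventory(inventory: list, today: date = TODAY) -> list:
    """Sweep the whole inventory and return (name, findings), worst first.

    Orphaned identities (no owner) come first because nobody can answer
    for them; ties are broken by number of findings, then by name.
    """
    results = [(i.name, review_identity(i, today)) for i in inventory]
    results = [r for r in results if r[1]]
    results.sort(key=lambda r: (0 if "no_owner" in r[1] else 1, -len(r[1]), r[0]))
    return results


def sample_inventory() -> list:
    """Constructed inventory spanning every identity type in the guidance."""
    return [
        Identity("alice", "employee", "mgr-ops", TODAY - timedelta(days=2),
                 {"crm:read"}, {"crm:read"}),
        Identity("contractor-bob", "contractor", "mgr-eng", TODAY - timedelta(days=120),
                 {"repo:read"}, {"repo:read"}),
        Identity("svc-backup", "service_account", None, TODAY - timedelta(days=200),
                 {"db:read", "db:write"}, {"db:read"}),
        Identity("bot-deploy", "bot", "platform-team", TODAY - timedelta(days=1),
                 {"deploy:prod", "secrets:read"}, {"deploy:prod"}),
        Identity("agent-support", "ai_agent", "support-lead", None,
                 {"tickets:read"}, {"tickets:read"}),
    ]


def run_review() -> list:
    return review_inventory(sample_inventory())


if __name__ == "__main__":
    for name, findings in run_review():
        print(f"{name:16} {', '.join(findings)}")
```

Running it lists `svc-backup` first (no owner, dormant, and a `db:write` grant nobody has justified), then the AI agent that has never used its access, the deploy bot holding a `secrets:read` grant outside its stated need, and the contractor who has gone quiet. `alice` does not appear because she has an owner, recent activity, and permissions that match need. The same three checks apply to every identity type, which is the point of keeping one inventory rather than separate human and machine lists.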
What's in the full article
SPHERE Technology Solutions' full post covers the conversational detail this recap intentionally leaves for the source:
- The episode-specific commentary on identity as the perimeter, including how Marene Allison and Rosie Mastrogiacomo frame the shift from network defence to identity governance.
- The practical discussion of bots, automation scripts, and AI agents as a third identity category, including why they create lifecycle and ownership gaps.
- The career context and leadership perspective behind the identity-first security message, which is useful if you want the original narrative framing.
- The closing remarks from the podcast, including the broader security mindset that sits behind the episode's takeaways.
👉 Read SPHERE Technology Solutions' recap of Zero Trust and Cowboy Boots →
Identity as the perimeter: what does Zero Trust change for teams?
Explore further
Identity perimeter thinking is now the correct baseline for governance, but only if the identity itself is governed. The article correctly rejects perimeter-only security, yet the bigger lesson is that identity has become the enforcement plane for human, NHI, and emerging agent access. When identity ownership is fragmented across IT, application teams, and security, the organisation loses the ability to prove who is allowed to touch data. Practitioners should treat identity governance as the control layer that makes Zero Trust operational.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How do organisations make Zero Trust work across human and machine identities?
A: They map access controls to identity type and data sensitivity instead of relying on a single perimeter model. Human users need strong authentication and review. Service accounts and agents need ownership, scope limits, and lifecycle governance. The common requirement is continuous verification at the point where data is actually touched.
👉 Read our full editorial: Identity is the perimeter: what Zero Trust means for every identity