Kipling Method for zero trust policies: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Zero trust policy writing must move beyond simple identity checks to contextual decisions based on who, what, when, where, why, and how, with continuous session verification and just-in-time access shaping enforcement, according to StrongDM. That matters because access governance now has to account for context, device posture, timing, and activity, not static trust alone.

NHIMG editorial — based on content published by StrongDM: Unlocking Zero Trust: The Kipling Method for Policy Writing

Questions worth separating out

Q: How should security teams implement contextual access policies in zero trust environments?

A: Start by defining which signals actually matter for the protected resource, then wire those signals into policy decisions at login and during the session.

Q: Why do static role-based policies fall short in zero trust programmes?

A: Roles describe broad entitlement, but they do not tell you whether a request is appropriate at that moment.

Q: How do you know if just-in-time access is actually reducing risk?

A: Look for shorter privilege windows, fewer always-on exceptions, and successful revocation when access is no longer justified.

Practitioner guidance

  • Map access policy inputs to decision points: list the identity, resource, time, location, device, and activity signals that should influence each sensitive access request.
  • Separate login trust from session trust: require controls that can reassess access after authentication begins, especially for privileged consoles, regulated systems, and remote admin access.
  • Tie just-in-time access to explicit expiry conditions: define when temporary access starts, what ends it, and which contextual signals can revoke it early.
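The three guidance points above describe one mechanism seen from three angles: a policy whose inputs are the Kipling signals, a re-check of that same policy during the session, and a just-in-time grant whose lifetime is bounded by both a clock and those signals. The Python below is an added illustration written for this post, not StrongDM's code or a description of its product: the rule schema, the `evaluate` function, the `JitGrant` re-check, the sample policy (`PROD_DB_ADMIN`), the identities, hours, locations and the ticket reference are all constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class AccessRequest:
    """The Kipling signals for one access request (constructed schema)."""
    who: str                   # identity: human user or workload
    what: str                  # resource and action being requested
    when: datetime             # time of the request or re-check (UTC)
    where: str                 # network zone or location label
    why: str                   # justification, e.g. a ticket reference ("" if none)
    how: dict                  # device posture and channel, e.g. {"device_managed": True, "mfa": True}
    activity: str = "normal"   # session behaviour signal: "normal" or "anomalous"

@dataclass
class KiplingRule:
    """One policy statement answering who/what/when/where/why/how for a resource."""
    resource: str
    allowed_who: frozenset
    window_utc: tuple          # (start_hour, end_hour): start inclusive, end exclusive
    allowed_where: frozenset
    require_ticket: bool = True
    require_managed_device: bool = True
    require_mfa: bool = True

def evaluate(rule: KiplingRule, req: AccessRequest):
    """Return (allowed, reasons). Every failing signal is reported so a deny is explainable."""
    reasons = []
    if req.what != rule.resource:
        reasons.append("what: rule does not cover this resource")
    if req.who not in rule.allowed_who:
        reasons.append("who: identity not entitled")
    start, end = rule.window_utc
    if not start <= req.when.hour < end:
        reasons.append("when: outside allowed hours")
    if req.where not in rule.allowed_where:
        reasons.append("where: location not allowed")
    if rule.require_ticket and not req.why:
        reasons.append("why: no justification supplied")
    if rule.require_managed_device and not req.how.get("device_managed"):
        reasons.append("how: device not managed")
    if rule.require_mfa and not req.how.get("mfa"):
        reasons.append("how: MFA not satisfied")
    if req.activity != "normal":
        reasons.append("activity: anomalous session behaviour")
    return (not reasons, reasons)

@dataclass
class JitGrant:
    """Just-in-time grant: explicit start, explicit expiry, early revocation on re-check."""
    request: AccessRequest
    rule: KiplingRule
    granted_at: datetime
    ttl: timedelta
    revoked_reason: Optional[str] = None

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl

    def recheck(self, now: datetime, **fresh_signals):
        """Session trust: re-run the same policy with fresh signals instead of trusting the login."""
        if self.revoked_reason:
            return False, self.revoked_reason
        if now >= self.expires_at:
            self.revoked_reason = "expired"
            return False, self.revoked_reason
        ok, reasons = evaluate(self.rule, replace(self.request, when=now, **fresh_signals))
        if not ok:
            self.revoked_reason = "revoked early: " + "; ".join(reasons)
            return False, self.revoked_reason
        return True, "valid"

def request_jit(rule: KiplingRule, req: AccessRequest, ttl: timedelta):
    """Login-time decision: grant only if every signal passes; otherwise return the reasons."""
    ok, reasons = evaluate(rule, req)
    return (JitGrant(req, rule, req.when, ttl), []) if ok else (None, reasons)

# Constructed sample policy: who may administer the production database, when, from where.
PROD_DB_ADMIN = KiplingRule(
    resource="prod-db:admin",
    allowed_who=frozenset({"alice", "deploy-bot"}),
    window_utc=(8, 18),
    allowed_where=frozenset({"corp-vpn", "office"}),
)

def run_scenario():
    """Walk a session through grant, in-session re-check, early revocation and expiry."""
    t0 = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
    good_device = {"device_managed": True, "mfa": True}
    results = {}
    # 1. Login decision for a justified, in-hours request from a managed device with MFA.
    req = AccessRequest("alice", "prod-db:admin", t0, "corp-vpn", "CHG-1234", good_device)
    grant, _ = request_jit(PROD_DB_ADMIN, req, ttl=timedelta(minutes=30))
    results["login"] = grant is not None
    # 2. Mid-session re-checks: still fine at +10m, revoked early at +15m on anomalous activity.
    results["recheck_10m"] = grant.recheck(t0 + timedelta(minutes=10))
    results["recheck_15m"] = grant.recheck(t0 + timedelta(minutes=15), activity="anomalous")
    results["recheck_after_revoke"] = grant.recheck(t0 + timedelta(minutes=16))
    # 3. A second grant simply runs out of its explicit 30-minute window.
    grant2, _ = request_jit(PROD_DB_ADMIN, req, ttl=timedelta(minutes=30))
    results["expiry"] = grant2.recheck(t0 + timedelta(minutes=31))
    # 4. A workload identity asking out of hours with no ticket is denied, with both signals named.
    night = AccessRequest("deploy-bot", "prod-db:admin", t0.replace(hour=2), "corp-vpn", "", good_device)
    _, denied = request_jit(PROD_DB_ADMIN, night, ttl=timedelta(minutes=5))
    results["out_of_hours"] = denied
    return results

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that `JitGrant.recheck` calls the same `evaluate` as the login decision; session trust is not a second, weaker policy but the original one re-run with current signals, which is what makes the early revocation in step 2 and the clock expiry in step 3 fall out of one grant object. A real deployment would feed `where`, `how` and `activity` from device-posture and session-monitoring sources rather than passing them in by hand, and would log every `reasons` list for the access review that checks whether just-in-time windows are actually shrinking.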

What's in the full article

StrongDM's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full who, what, where, when, why, and how policy examples used to shape access decisions
  • StrongDM’s contextual trust checklist for time, location, device, activity, and code-based access evaluation
  • The product’s real-time session monitoring and shutdown behaviour for privileged access requests
  • The platform examples for applying the same policy logic across legacy and cloud-native resources

👉 Read StrongDM's guide to zero trust policy writing with the Kipling Method →
