
Mixed infrastructure zero trust: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8052
Topic starter  

TL;DR: Mixed infrastructure breaks access models built on network location. VPNs, jump hosts, and static firewall rules still assume that trust comes from where a request originates, and, as Pomerium argues, that assumption no longer holds once an estate spans legacy, hybrid, and cloud-native workloads. Identity-aware, per-request policy becomes the practical control plane across all three, while the old location-based assumptions keep generating exceptions and audit gaps.

NHIMG editorial — based on content published by Pomerium: How Pomerium Brings Zero Trust to Legacy, Hybrid, and Cloud-Native Environments

Questions worth separating out

Q: How should security teams apply zero trust in mixed infrastructure environments?

A: Security teams should enforce access at the application layer, deciding each request on identity, context, and session conditions rather than on network location. In practice that means an identity-aware control point in front of the application that authenticates the caller, evaluates policy per request, and records the decision, so the same control applies whether the application is a legacy host, a Kubernetes service, or a cloud-native API.

Q: Why do VPNs and jump hosts create governance problems in hybrid estates?

A: VPNs and jump hosts encode location-based trust: once a client is on the tunnel or on the bastion, it is treated as inside, and that is far too coarse for a modern estate. The trust decision is made at connection time rather than per request, so it cannot account for which application is being reached or under what session conditions, and every application that does not fit the model ends up as a firewall exception that is hard to audit.

Q: What do teams get wrong about zero trust for service accounts and agents?

A: Teams often treat non-human access as an infrastructure exception (a static credential, a firewall hole, a shared bastion) instead of an identity governance problem, so service accounts and agents bypass the per-request policy and lifecycle controls that apply to human users.

Practitioner guidance

  • Replace network trust shortcuts with request-level policy: map the applications that still depend on VPNs, bastions, or firewall exceptions and move their access decisions to an identity-aware control point.
  • Scope temporary access to the task, not the environment: use short-lived access for SSH, admin portals, and sensitive internal tools so that credentials expire when the work ends.
  • Unify policy for users, services, and agents: apply the same decision model to human users and to the non-human identities that reach internal APIs or dashboards.
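The three guidance items above, and the Q&A answers before them, describe one decision model: every request is decided on identity, context, and session conditions, with task-scoped access that expires on its own and the same evaluator for humans, services, and agents. The following is an added example written for this post; it is not Pomerium's code and is not taken from the source article. It shows a minimal request-level policy evaluator in which the client's network location is recorded for audit but never consulted for the decision. The identity provider URL, the policy table, the resource names, and the principal names are all hypothetical.

```python
"""
Added illustration of request-level, identity-aware access decisions.
Not Pomerium's code; the issuer URL, policy table, resource and principal
names below are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical identity provider allowed to vouch for principals.
TRUSTED_ISSUERS = {"https://idp.example.com"}


@dataclass(frozen=True)
class Principal:
    subject: str        # e.g. "alice@example.com", "svc:deploy-bot", "agent:triage-1"
    kind: str           # "user", "service" or "agent": same model, different conditions
    groups: frozenset   # group claims asserted by the identity provider
    issuer: str         # who authenticated this principal


@dataclass(frozen=True)
class Grant:
    """Short-lived, task-scoped access for one subject on one resource."""
    subject: str
    resource: str
    actions: frozenset
    expires_at: float   # epoch seconds; the grant dies when the task window ends


@dataclass(frozen=True)
class Request:
    principal: Optional[Principal]   # None when the caller presented no identity
    resource: str
    action: str
    mfa_age_s: Optional[float]       # seconds since last MFA (users); None if never
    device_compliant: bool
    source_ip: str                   # kept for the audit record, never used to decide


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    audit: dict


# Standing policy per resource (hypothetical). An empty "groups" set means the
# resource is reachable only through a short-lived Grant, never by membership.
POLICY = {
    "admin.internal":       {"groups": {"platform-admins"}, "max_mfa_age_s": 900, "compliant_device": True},
    "ssh:db-01":            {"groups": set(),               "max_mfa_age_s": 300, "compliant_device": True},
    "api.internal/metrics": {"groups": {"sre", "observability-agents"}, "max_mfa_age_s": None, "compliant_device": False},
}


def issue_task_grant(subject: str, resource: str, actions: set[str], ttl_s: float, now: float) -> Grant:
    """Issue access that expires with the task, not with a VPN session or network zone."""
    return Grant(subject, resource, frozenset(actions), now + ttl_s)


def evaluate(req: Request, grants: list[Grant], now: float) -> Decision:
    """Decide one request from identity, context and session state. Default deny."""
    audit = {"resource": req.resource, "action": req.action, "source_ip": req.source_ip,
             "subject": req.principal.subject if req.principal else None}

    def deny(reason: str) -> Decision:
        return Decision(False, reason, {**audit, "allow": False, "reason": reason})

    p = req.principal
    if p is None:
        return deny("unauthenticated")       # being "on the network" is not an identity
    if p.issuer not in TRUSTED_ISSUERS:
        return deny("untrusted issuer")
    rule = POLICY.get(req.resource)
    if rule is None:
        return deny("no policy for resource")

    # Entitlement: standing group membership, or a live task-scoped grant.
    via_group = bool(p.groups & rule["groups"])
    via_grant = any(g.subject == p.subject and g.resource == req.resource
                    and req.action in g.actions and g.expires_at > now for g in grants)
    if not (via_group or via_grant):
        return deny("no entitlement")

    # Session conditions. Users need fresh MFA for sensitive resources; services and
    # agents have no MFA, so their freshness comes from the grant window and the
    # issuer check above. Device posture applies to every kind of principal.
    if p.kind == "user" and rule["max_mfa_age_s"] is not None:
        if req.mfa_age_s is None or req.mfa_age_s > rule["max_mfa_age_s"]:
            return deny("mfa too old")
    if rule["compliant_device"] and not req.device_compliant:
        return deny("device not compliant")

    reason = "grant" if via_grant and not via_group else "group"
    return Decision(True, reason, {**audit, "allow": True, "reason": reason})
```

Two things in this shape matter in practice. `source_ip` reaches the audit record but never the decision, so a request from an "inside" address with no identity is refused exactly like one from the internet. And the `ssh:db-01` entry has no standing groups at all: the only way to reach it is a grant issued for a specific subject, action, and time window, which is the property the second guidance item asks for.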

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves to the source:

  • How the identity-aware gateway is positioned across legacy, Kubernetes, and cloud workloads in the vendor's own architecture model.
  • Examples of short-lived SSH certificates, policy as code, and temporary access workflows described in the source article.
  • The vendor's implementation framing for agent-to-service access in hybrid and air-gapped environments.
  • The compliance and deployment claims that sit behind the access model described in the article.

👉 Read Pomerium's analysis of zero trust access across legacy, hybrid, and cloud-native environments →
