Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Mixed infrastructure zero trust: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Mixed infrastructure breaks access models built on network location, because VPNs, jump hosts, and static firewall rules still assume trust comes from where a request originates, according to Pomerium. Identity-aware, per-request policy becomes the practical control plane for legacy, hybrid, and cloud-native environments, while old access assumptions keep creating exceptions and audit gaps.

NHIMG editorial — based on content published by Pomerium: How Pomerium Brings Zero Trust to Legacy, Hybrid, and Cloud-Native Environments

By the numbers:

Questions worth separating out

Q: How should security teams apply zero trust in mixed infrastructure environments?

A: Security teams should enforce access at the application layer, using identity, context, and session conditions rather than network location.

Q: Why do VPNs and jump hosts create governance problems in hybrid estates?

A: VPNs and jump hosts often encode location-based trust, which is too coarse for modern estates.

Q: What do teams get wrong about zero trust for service accounts and agents?

A: Teams often treat non-human access as an infrastructure exception instead of an identity governance problem.

Practitioner guidance

  • Replace network trust shortcuts with request-level policy Map the applications that still depend on VPNs, bastions, or firewall exceptions and move their access decisions to an identity-aware control point.
  • Scope temporary access to the task, not the environment Use short-lived access for SSH, admin portals, and sensitive internal tools so that credentials expire when the work ends.
  • Unify policy for users, services, and agents Apply the same decision model to human users and non-human identities that reach internal APIs or dashboards.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the identity-aware gateway is positioned across legacy, Kubernetes, and cloud workloads in the vendor's own architecture model.
  • Examples of short-lived SSH certificates, policy as code, and temporary access workflows described in the source article.
  • The vendor's implementation framing for agent-to-service access in hybrid and air-gapped environments.
  • The compliance and deployment claims that sit behind the access model described in the article.

👉 Read Pomerium's analysis of zero trust access across legacy, hybrid, and cloud-native environments →

Mixed infrastructure zero trust: what IAM teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Location-based trust is the wrong abstraction for mixed infrastructure. VPNs, jump hosts, and perimeter firewalls still reflect an older model in which the network edge was the main security boundary. That model fails once applications and identities are distributed across cloud, data center, Kubernetes, and SaaS. The practical conclusion is that zero trust has to be enforced where the request is made, not where the traffic enters the network.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to The 2026 Infrastructure Identity Survey.

A question worth separating out:

Q: Who should own zero trust policy when access spans users, workloads, and agents?

A: Ownership should sit with identity, IAM, and PAM stakeholders working with platform teams, because the policy must be consistent across human and non-human subjects. If infrastructure teams own ad hoc exceptions in isolation, the organisation will keep reintroducing gaps in access governance.

👉 Read our full editorial: Zero Trust for mixed infrastructure needs identity-aware access



   
ReplyQuote
Share: