TL;DR: More than half of organisations experienced at least one VPN-related cyberattack in the past year, while public vulnerability data shows over 21,500 CVEs by mid-2025 and a large share tied to edge and VPN appliances, according to Appgate and public advisories. VPN dependence is now a governance decision because implicit network trust no longer matches attacker behaviour or Zero Trust expectations.
NHIMG editorial — based on content published by Appgate: VPN replacement in 2026 and the case for Zero Trust remote access
Questions worth separating out
Q: What breaks when organisations keep treating VPN access as a trusted internal path?
A: The main failure is that a VPN turns successful authentication into broad network reach, which creates a large blast radius if credentials are stolen or bypassed.
Q: Why do VPNs become a worse fit as organisations adopt Zero Trust Architecture?
A: Zero Trust Architecture assumes continuous verification and least privilege, while traditional VPNs usually grant access based on network connectivity after login.
Q: What do security teams get wrong about replacing VPNs with Zero Trust Network Access?
A: They sometimes treat ZTNA as a transport swap rather than a governance change.
Practitioner guidance
- Inventory VPN-dependent access paths Map which applications, services, and user groups still rely on VPN and identify where broad network reach exceeds actual business need.
- Re-scope remote access to application entitlements Replace subnet-level access with per-application policy wherever possible so the access decision follows the identity and the resource, not the network tunnel.
- Separate human and non-human access paths Keep service accounts, workloads, and AI-enabled services off human-style remote access patterns.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- Specific guidance on replacing VPN-centric remote access with ZTNA patterns in real environments
- The source's discussion of recent VPN-related attack trends and vulnerability pressure on edge devices
- Appgate's explanation of how its ZTNA architecture maps to identity-driven access and session scoping
- Implementation context for organisations moving from tunnel-based access to application-level entitlements
👉 Read Appgate's analysis of VPN risk and ZTNA replacement in 2026 →
VPN replacement in 2026: are your controls keeping up?
Explore further
VPN dependence is now an identity governance problem, not only a network architecture choice. The article’s core finding is that remote access paths are being actively optimised against by attackers while policy direction moves toward continuous verification and identity-driven controls. That means VPN replacement affects IAM, PAM, and lifecycle governance, not just networking. Practitioners should treat remote access as a governed identity flow, not a tunnel.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when legacy VPN infrastructure remains in place after exposure risks are known?
A: Accountability sits with the teams that own identity governance, remote access architecture, and infrastructure risk, because the decision is no longer purely technical. When a VPN remains a primary access path, it should be reviewed through the same control lens used for privileged access and high-risk endpoints.
👉 Read our full editorial: VPN replacement is now an identity governance decision