TL;DR: IBM’s 2022 analysis says organisations without Zero Trust incur $1M higher breach costs, yet 59% still lack a comprehensive strategy, while EmpowerID’s healthcare example shows the bigger shift is business velocity, not just improved security. The real test is whether Zero Trust removes access friction without creating new governance blind spots.
NHIMG editorial — based on content published by EmpowerID: Zero Trust architecture and the business velocity it enables
By the numbers:
- IBM's 2022 analysis shows organisations without Zero Trust incur $1M higher breach costs.
- 59% still haven't deployed a comprehensive Zero Trust strategy.
Questions worth separating out
Q: How should security teams measure Zero Trust success beyond breach reduction?
A: Teams should measure Zero Trust across both risk and operations.
Q: When does Zero Trust create more friction than value?
A: Zero Trust creates more friction than value when every access request still passes through manual approval or when policy design is too rigid for real business workflows.
Q: What is the difference between Zero Trust and Zero Standing Privilege?
A: Zero Trust is the broader access model that continuously evaluates whether a request should be allowed. Zero Standing Privilege is the narrower practice within it of removing persistent admin and high-risk access and granting it only as time-bounded elevation tied to a specific workflow.
Practitioner guidance
- Measure identity friction alongside security outcomes: track access approval time, exception rates, and the percentage of requests that still require manual review.
- Convert standing privilege into task-scoped elevation: inventory persistent admin and high-risk access, then replace it with time-bounded elevation tied to specific workflows.
- Separate authentication assurance from authorisation logic: use adaptive MFA to raise or lower authentication requirements, but do not let MFA decisions become a substitute for entitlement governance.
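To make the three recommendations above concrete, here is a small Python policy model added as an illustration (it is not code from EmpowerID or the source article): the adaptive MFA step-up decision is computed from context only, the entitlement check is evaluated independently of it, admin access is never standing but granted as a 30-minute elevation tied to a workflow, and the resulting decisions are summarised into the friction metrics the first recommendation asks for. The entitlement table, principals, workflow names and risk scoring are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class AccessRequest:
    principal: str
    resource: str
    action: str
    device_managed: bool
    new_location: bool
    workflow: Optional[str] = None   # e.g. "ticket-1234"; constructed sample value

# Hypothetical entitlement store: which workflow classes may justify (principal, resource, action).
ENTITLEMENTS = {
    ("alice", "prod-db", "admin"): {"ticket", "change"},  # admin only under a tracked workflow
    ("bob", "prod-db", "read"): {"any"},                   # routine read needs no workflow
}

def required_assurance(req):
    """Adaptive MFA: derive the needed authentication strength from context alone."""
    score = (0 if req.device_managed else 2) + (1 if req.new_location else 0)
    score += 3 if req.action == "admin" else 0              # privileged actions always step up
    return "strong" if score >= 3 else "basic"

def entitled(req):
    """Authorisation: is the principal entitled to this action, and under which workflow class?"""
    classes = ENTITLEMENTS.get((req.principal, req.resource, req.action))
    if classes is None:
        return False
    return "any" in classes or (req.workflow is not None and req.workflow.split("-")[0] in classes)

def decide(req, presented_assurance, now):
    """One continuously evaluated decision; MFA strength never substitutes for entitlement."""
    if required_assurance(req) == "strong" and presented_assurance != "strong":
        return {"outcome": "step_up"}
    if not entitled(req):
        return {"outcome": "manual_review"}                 # exception path: counted as friction
    if req.action == "admin":                               # no standing admin: time-bounded elevation
        return {"outcome": "elevate", "expires": now + timedelta(minutes=30), "workflow": req.workflow}
    return {"outcome": "allow"}

def friction_metrics(decisions):
    """Share of requests routed to step-up or manual review, plus the number of elevations granted."""
    n = len(decisions)
    return {
        "step_up_rate": sum(d["outcome"] == "step_up" for d in decisions) / n,
        "manual_review_rate": sum(d["outcome"] == "manual_review" for d in decisions) / n,
        "elevations": sum(d["outcome"] == "elevate" for d in decisions),
    }
```

Feeding the same request through `decide` twice, once before and once after the step-up, shows that a stronger MFA result changes only the assurance gate; an unentitled request still lands in manual review no matter how strongly the user authenticated.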
What's in the full article
EmpowerID's full article covers the operational detail this post intentionally leaves for the source:
- Implementation specifics for Adaptive MFA, Zero Standing Privilege, and contextual authorisation across the access path
- The healthcare case study narrative that shows how access decisions changed day-to-day business operations
- The architecture discussion around unified IGA, PAM, and access management in one control plane
- The Siemens case study link and source context for practitioners who want the vendor's full framing
👉 Read EmpowerID's analysis of how Zero Trust changes security and business velocity →
Zero Trust architecture: what it changes beyond security?
Explore further
Zero Trust is often sold as a breach-reduction project, but its real value is governance compression. The article’s central insight is that identity decisions become faster and more consistent when access is evaluated continuously rather than negotiated through layered approvals. That shifts Zero Trust from a perimeter story to an operational model for identity control. Practitioners should treat it as a change in how access is governed, not just how it is defended.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- In the same research, only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can IAM teams prove that contextual access policies are working?
A: They should look for fewer unnecessary prompts, lower exception rates, shorter access paths, and reduced over-privileged access. A working contextual policy does not just block threats. It also routes ordinary users and systems through the least disruptive path that still satisfies policy and risk requirements.
👉 Read our full editorial: Zero Trust architecture is changing more than breach risk