Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zero Trust discovery and identity inventory: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: The NSA’s January 2026 Zero Trust Implementation Guidelines shift Zero Trust from theory to execution by making discovery, inventories, telemetry, and policy visibility the first prerequisites for enforcement, according to Appgate. The operational lesson is that least privilege fails when organisations cannot see users, devices, workloads, and access paths clearly enough to govern them.

NHIMG editorial — based on content published by Appgate: the NSA Zero Trust implementation guidelines and discovery phase guidance

By the numbers:

Questions worth separating out

Q: How should organisations start a Zero Trust programme when identity data is incomplete?

A: Start with discovery, not enforcement.

Q: Why does Zero Trust depend so heavily on identity visibility?

A: Because every Zero Trust decision depends on knowing who or what is requesting access, what context applies, and whether that context is current.

Q: What do security teams get wrong about discovery in Zero Trust?

A: They often treat discovery as a one-time inventory exercise instead of a continuous governance function.

Practitioner guidance

  • Inventory identities before policy rollout Build a current inventory of human users, service accounts, workloads, applications, devices, and data paths before expanding Zero Trust enforcement.
  • Define evidence requirements for every access decision Specify the logs, posture signals, and entitlement data needed to explain allow and deny decisions.
  • Map non-person entities into the same governance model Bring service accounts, API tokens, and automated workloads into the same discovery and review process used for human access.

What's in the full article

Appgate's full article covers the operational detail this post intentionally leaves for the source:

  • A breakdown of how AppGate ZTNA aligns to NSA discovery and policy-driven access expectations.
  • Capability-by-capability mapping of identity-centric access, granular enforcement, and continuous verification.
  • Implementation context for federal and defense aligned environments that need to translate Zero Trust guidance into access architecture.
  • The vendor’s view of how its architecture supports discovery without exposing applications to the network.

👉 Read Appgate's analysis of the NSA Zero Trust discovery guidelines →

Zero Trust discovery and identity inventory: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Discovery debt is the new control debt: Zero Trust programmes fail when discovery is treated as a preparatory task instead of the control layer that determines whether enforcement is even possible. The NSA’s guidance confirms that inventories and telemetry are not side inputs, they are the evidence base for every access decision. Practitioners should treat missing discovery as an active governance gap, not an implementation delay.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how far most identity programmes still are from dependable discovery.

A question worth separating out:

Q: Who is accountable when Zero Trust controls fail because discovery was incomplete?

A: Accountability usually sits with the teams responsible for identity governance, asset ownership, and control validation, not with the technology alone. If inventories are stale or ownership is unclear, the failure is structural. Practitioners should assign explicit accountability for identity data quality before expanding enforcement.

👉 Read our full editorial: NSA Zero Trust discovery makes identity inventory the first control



   
ReplyQuote
Share: