Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zero trust identity governance: what IAM teams should prioritise


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Micro-segmentation and software-defined perimeters still matter, but Bravura Security argues that identity governance and IAM are the more scalable foundation for Zero Trust Architecture as cloud adoption, social engineering, and credential abuse reduce the value of network boundaries. The real shift is from perimeter control to contextual access decisions and lifecycle governance.

NHIMG editorial — based on content published by Bravura Security: identity governance as a Zero Trust architecture approach

Questions worth separating out

Q: How should security teams build Zero Trust around identity rather than the network perimeter?

A: Start by making identity governance the decision layer for access, then use segmentation and software-defined perimeters only to reduce blast radius.

Q: Why do micro-segmentation and software-defined perimeters fall short on their own?

A: They still depend on boundaries, policy engines, and trust assumptions that weaken as workloads shift into cloud and SaaS environments.

Q: What should Zero Trust programmes measure to know whether identity governance is working?

A: Measure how quickly access is provisioned, reviewed, and revoked, and whether privilege is actually reduced over time.

Practitioner guidance

  • Map trust decisions to the identity lifecycle Inventory where access is still granted by network location, then replace those decisions with identity, device, and policy checks that can be audited across joiner, mover, and leaver events.
  • Use segmentation as containment, not governance Keep micro-segmentation for high-value assets and legacy isolation, but define it as a blast-radius control while identity governance owns the access decision.
  • Adopt just-in-time access for high-risk privileges Reserve standing access only for the rare cases that truly require it, and make elevated access expire automatically after the task is complete.

What's in the full article

Bravura Security's full article covers the operational detail this post intentionally leaves for the source:

  • A side-by-side explanation of micro-segmentation, software-defined perimeters, and identity governance in Zero Trust design
  • A practical discussion of how reduced trust is applied as a phased transition from legacy perimeter assumptions
  • The article’s own walkthrough of why IAM, provisioning, and just-in-time access change the access model
  • The source’s framing of how Zero Trust maturity shifts as cloud and SaaS adoption expands

👉 Read Bravura Security's analysis of identity governance and Zero Trust Architecture →

Zero trust identity governance: what IAM teams should prioritise?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Perimeter control is now a containment layer, not a trust model. Micro-segmentation and software-defined perimeters can still reduce exposure, but they do not answer the harder question of who or what should receive access in the first place. Once attackers arrive with valid credentials, the network boundary has already failed as a governance mechanism. Practitioners should treat these controls as blast-radius reducers, not as the foundation of Zero Trust.

A few things that frame the scale:

  • 68% of organisations do not know how to fully address NHI risks, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own Zero Trust decisions when IAM, networking, and cloud teams all touch the same controls?

A: IAM should own the access policy and lifecycle rules, while networking and cloud teams provide the enforcement points and telemetry. The accountability line matters because Zero Trust fails when no single team owns the end-to-end access decision.

👉 Read our full editorial: Identity governance is the strongest path to zero trust today



   
ReplyQuote
Share: