Zero-trust SaaS and identity visibility: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Zero trust can reduce exposure in SaaS-heavy environments, but it still depends on visibility, enforceable controls, and identity governance across users, devices, and permissions, according to Axiad. The real challenge is not adopting the label, but removing the trust assumptions that let access drift beyond what teams can actually govern.

NHIMG editorial — based on content published by Axiad: Do You Need a Zero-Trust SaaS?

Questions worth separating out

Q: How should security teams implement zero trust in SaaS environments?

A: Start with identity inventory, application visibility, and enforceable policy.

Q: Why do SaaS environments make zero trust harder to govern?

A: SaaS environments spread access across many applications, data stores, and control planes, which makes it difficult to see who has what access and whether that access is still justified.

Q: What do teams get wrong about passwordless authentication and zero trust?

A: They often treat passwordless authentication as if it completes the zero-trust programme.

Practitioner guidance

  • Inventory SaaS identities and entitlements first: Map all user, service, and integration accounts across SaaS platforms before attempting broader zero-trust controls.
  • Separate authentication strength from authorisation governance: Use passwordless or other strong login methods to improve proof of identity, but keep entitlement review, access approval, and policy enforcement as separate control domains.
  • Reduce shared and inherited access paths: Eliminate informal access handoffs between employees and reduce app-level permissions that depend on trust in adjacent systems.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's step-by-step explanation of why zero trust became necessary as SaaS, remote work, and device movement increased exposure.
  • The fuller breakdown of where visibility breaks down across shared applications and why that complicates policy enforcement.
  • The vendor's discussion of passwordless authentication as an implementation path for zero-trust IAM.
  • The practical challenges Axiad highlights when employees resist stricter access controls or ask for informal access workarounds.

👉 Read Axiad's analysis of zero-trust SaaS and identity governance →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Zero trust fails in SaaS when teams treat authentication as the whole problem. The article's real lesson is that strong login controls do not resolve entitlement sprawl, shared application access, or the inability to enforce policy across a fragmented SaaS stack. Zero trust becomes brittle when identity governance stops at the login screen. Practitioners should treat authentication as one control layer, not the operating model itself.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often zero-trust ambitions outpace identity inventory discipline.

A question worth separating out:

Q: Who is accountable when SaaS access cannot be fully enforced under zero trust?

A: Accountability sits with the organisation that owns the identity and access policy, even when a SaaS provider operates part of the control plane. Teams must document exceptions, understand platform limitations, and retain governance evidence for any access path they cannot fully enforce.

👉 Read our full editorial: Zero trust SaaS exposes the identity visibility gap in modern environments
