
Zero trust under EO 14028: what identity teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: EO 14028 pushes federal agencies and contractors toward zero trust, stronger information sharing, software supply chain scrutiny, and more disciplined incident and vulnerability response, according to Axiad. The practical effect is that identity security, especially authentication, contractor oversight, and lifecycle controls, becomes a board-relevant control plane rather than a back-office task.

NHIMG editorial — based on content published by Axiad: Understanding the Executive Order on Improving the Nation's Cybersecurity

Questions worth separating out

Q: How should organisations apply zero trust principles to identity controls?

A: Start by treating identity as a continuous risk decision rather than a one-time login event.

Q: Why do contractor and supplier identities matter in zero trust programmes?

A: Because external identities often have real access to code, infrastructure, or sensitive data.

Q: What breaks when access reviews do not include machine identities?

A: The review process misses the accounts that often perform the most sensitive actions, including service-to-service calls, deployments, and integrations.

Practitioner guidance

  • Harden zero trust checkpoints: review authentication and authorisation paths to ensure access is re-evaluated at critical system boundaries, not only at initial login.
  • Extend identity controls to suppliers: inventory third-party service accounts, API keys, certificates, and support identities that can reach internal systems.
  • Build revocation into incident playbooks: add explicit steps for credential disablement, access removal, and downstream dependency checks whenever a cyber event or vulnerability disclosure occurs.

What's in the full article

Axiad's full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down the White House statement and EO 14028 language in more detail than this analysis.
  • It walks through the specific federal agency and contractor implications that underpin the policy shift.
  • It outlines the practical steps Axiad recommends for improving cybersecurity posture under the EO.
  • It connects the policy discussion to passwordless authentication and Axiad's product positioning.

👉 Read Axiad's analysis of EO 14028 and zero trust identity hardening →
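As an added illustration of the three guidance points above (this is example code, not from the Axiad article or from the post itself), the Python sketch below re-evaluates an identity on every request rather than only at login, flags supplier and service identities that are unowned or idle, and performs the playbook revocation step together with a downstream dependency check. Every identity, scope, timestamp and dependency link is constructed sample data, and the function and constant names (`authorize`, `stale_supplier_identities`, `revoke_cascade`, `INVENTORY`, `DEPENDS_ON`) are this example's own.

```python
"""Zero-trust identity checkpoints as code. Added example; not the article's or the
post's code. All identities, scopes, times and dependency links are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                 # "human", "service" or "supplier"
    owner: Optional[str]      # accountable team; None means nobody owns it
    scopes: frozenset         # granted actions, e.g. "repo:read", "deploy:prod"
    expires_at: datetime      # hard expiry of the credential
    last_used: datetime       # last observed use (from logs, assumed available)


# Constructed reference time and a small constructed inventory.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=9)          # a request made after alice's session expires
IDLE_LIMIT = timedelta(days=90)           # assumed policy: supplier idle longer than this is stale

INVENTORY = {
    "alice": Identity("alice", "human", "platform",
                      frozenset({"repo:read", "deploy:prod"}),
                      NOW + timedelta(hours=8), NOW),
    "ci-deployer": Identity("ci-deployer", "service", "platform",
                            frozenset({"deploy:prod"}),
                            NOW + timedelta(days=1), NOW - timedelta(minutes=5)),
    "vendor-support": Identity("vendor-support", "supplier", "vendor-mgmt",
                               frozenset({"repo:read"}),
                               NOW + timedelta(days=30), NOW - timedelta(days=120)),
    "legacy-integration": Identity("legacy-integration", "supplier", None,
                                   frozenset({"deploy:prod", "repo:read"}),
                                   NOW + timedelta(days=365), NOW - timedelta(days=200)),
}

# Constructed dependency graph: downstream systems each identity reaches.
DEPENDS_ON = {
    "ci-deployer": ["prod-cluster", "artifact-registry"],
    "legacy-integration": ["artifact-registry", "crm-db"],
    "vendor-support": ["ticketing"],
}

REVOKED = set()   # identities disabled by an incident playbook run


def authorize(name, action, now):
    """Checkpoint decision, evaluated on every request at a system boundary.

    Order matters: existence, revocation, expiry, then scope. Because revocation is
    checked here and not cached from login, a playbook revocation takes effect on the
    very next call rather than at the next periodic re-authentication.
    Returns (allowed, reason).
    """
    ident = INVENTORY.get(name)
    if ident is None:
        return False, "unknown identity"
    if name in REVOKED:
        return False, "revoked"
    if now >= ident.expires_at:
        return False, "expired"
    if action not in ident.scopes:
        return False, "scope %s not granted" % action
    return True, "ok"


def stale_supplier_identities(now, max_idle=IDLE_LIMIT):
    """Non-human identities that are unowned or have been idle longer than max_idle.

    These are the entries an access review tends to miss: nobody attests to them,
    yet they keep valid credentials with real scopes.
    """
    return sorted(n for n, i in INVENTORY.items()
                  if i.kind != "human"
                  and (i.owner is None or now - i.last_used > max_idle))


def revoke_cascade(name):
    """Playbook step: disable the credential, return downstream systems to check.

    The returned list is the dependency check the guidance asks for: each system
    the identity could reach needs its own review for persistence or data exposure.
    """
    REVOKED.add(name)
    return sorted(DEPENDS_ON.get(name, []))


if __name__ == "__main__":
    print("stale or unowned:", stale_supplier_identities(NOW))
    for who, act, when in [("alice", "deploy:prod", NOW),
                           ("alice", "repo:read", LATER),
                           ("vendor-support", "deploy:prod", NOW)]:
        print(who, act, authorize(who, act, when))
    print("revoke legacy-integration -> check:", revoke_cascade("legacy-integration"))
    print("legacy-integration after revocation:",
          authorize("legacy-integration", "repo:read", NOW))
```

The point of the ordering in `authorize` is that the revocation set is consulted before anything else on every call; a design that only validates a session at login would keep honouring `legacy-integration` until its year-long credential expired, which is exactly the static trust assumption the guidance warns against.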





(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

EO 14028 is really a trust-reset order, not just a compliance update. The article focuses on federal systems, but the deeper issue is that static trust assumptions are no longer defensible in distributed environments. When access, software, and incident response all depend on external suppliers, the boundary between policy and identity governance disappears. The implication is that programmes still built around periodic authentication checks are operating on an outdated trust model.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams cannot reliably see the machine identities they are expected to govern.

A question worth separating out:

Q: Who is accountable when exposed credentials or weak supplier controls lead to an incident?

A: Accountability should sit with the system owner, the identity governance team, and the supplier manager together, because the failure is usually shared across lifecycle, access, and oversight. The right question is not who owns the blame, but who can revoke access, validate scope, and prove the controls worked.

👉 Read our full editorial: Executive Order 14028 accelerates zero trust and identity hardening


