
Zero trust without lock-in: what does it change for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7808
Topic starter  

TL;DR: European platform, SRE, and DevOps teams are prioritising auditability, data locality, and self-hosted control for zero trust access, according to Pomerium’s KubeCon EU 2025 recap. The signal for IAM leaders is that sovereignty, observability, and protocol coverage now shape access architecture as much as policy design.

NHIMG editorial — based on content published by Pomerium: Zero Trust Without Lock-In: What We Heard at KubeCon EU 2025

By the numbers:

Questions worth separating out

Q: How should teams govern zero trust access in self-hosted environments?

A: Teams should define the control plane as part of the trust boundary, then verify where policy decisions, logs, and metadata live.

Q: Why do non-HTTP protocols complicate zero trust architecture?

A: Because zero trust programmes usually start with web applications, so SSH, DNS, syslog and other administrative and operational channels stay outside policy enforcement unless they are brought in deliberately.

Q: When should organisations prioritise self-hosted access control over managed access services?

A: They should prioritise self-hosted control when auditability, data locality, resilience, or regulatory sovereignty are non-negotiable.
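As an added illustration of the first and third answers above (example code, not Pomerium's implementation or part of the original post): a minimal policy enforcement point (PEP) that hands each request to a policy decision point (PDP), evaluates humans, workloads and AI agents under separate rules, records every decision locally, and fails closed when the PDP is unreachable. The actor rules, the `spiffe://example.internal` trust domain and the component names are assumptions made for the example.

```python
"""Actor-type-aware policy evaluation with a fail-closed enforcement point.

Added example; the rules and names are hypothetical, not a real product's policy model.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    actor_id: str
    actor_type: str          # "human", "workload" or "ai_agent"
    protocol: str            # "http", "ssh", "udp", ...
    resource: str
    context: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    decided_by: str          # the PDP, or the PEP's own fallback path


class PDPUnavailable(Exception):
    """The decision point (control plane) cannot be reached."""


class LocalPDP:
    """Decision point running inside the trust boundary; rules are assumptions."""
    name = "local-pdp"

    def evaluate(self, req: Request) -> Decision:
        if req.actor_type == "human":
            if req.protocol == "ssh" and not req.context.get("mfa"):
                return Decision(False, "ssh requires mfa", self.name)
            return Decision(True, "human policy satisfied", self.name)
        if req.actor_type == "workload":
            spiffe_id = req.context.get("spiffe_id", "")
            ns = req.context.get("namespace", "")
            if ns and spiffe_id.startswith(f"spiffe://example.internal/ns/{ns}/"):
                return Decision(True, "workload identity matches namespace", self.name)
            return Decision(False, "workload identity does not match namespace", self.name)
        if req.actor_type == "ai_agent":
            # Agents are a distinct actor type: they must carry the principal they act for
            # and, in this example policy, get read-only HTTP and no operational channels.
            delegator = req.context.get("on_behalf_of")
            if not delegator:
                return Decision(False, "agent must carry a delegating principal", self.name)
            if req.protocol != "http" or req.context.get("method") != "GET":
                return Decision(False, "agents limited to read-only http", self.name)
            return Decision(True, f"agent acting for {delegator}", self.name)
        return Decision(False, f"unknown actor type {req.actor_type}", self.name)


class UnavailablePDP:
    """Stand-in for a decision point that is down or unreachable."""
    name = "remote-pdp"

    def evaluate(self, req: Request) -> Decision:
        raise PDPUnavailable("control plane unreachable")


class PEP:
    """Enforcement point: asks the PDP, logs locally, fails closed by default."""

    def __init__(self, pdp, fail_open: bool = False):
        self.pdp = pdp
        self.fail_open = fail_open
        self.audit = []      # retained beside the PEP so decisions stay auditable offline

    def authorize(self, req: Request) -> Decision:
        try:
            decision = self.pdp.evaluate(req)
        except PDPUnavailable as exc:
            mode = "open" if self.fail_open else "closed"
            decision = Decision(self.fail_open, f"pdp unavailable ({exc}); fail-{mode}",
                                "pep-fallback")
        self.audit.append({"actor": req.actor_id, "actor_type": req.actor_type,
                           "protocol": req.protocol, "resource": req.resource,
                           "allow": decision.allow, "reason": decision.reason,
                           "decided_by": decision.decided_by})
        return decision


if __name__ == "__main__":
    pep = PEP(LocalPDP())
    print(pep.authorize(Request("alice", "human", "ssh", "bastion", {"mfa": True})))
    print(pep.authorize(Request("agent-7", "ai_agent", "ssh", "bastion",
                                {"on_behalf_of": "alice"})))
    print(PEP(UnavailablePDP()).authorize(Request("alice", "human", "http", "/admin")))
```

The `decided_by` field is the point of the exercise: an audit trail that shows whether a decision came from the policy engine or from the enforcement point's outage behaviour tells you exactly which control failed when the control plane was unavailable.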

Practitioner guidance

  • Map every access path outside HTTP. Inventory SSH, DNS, syslog, UDP, and any other non-web protocol that bypasses your current policy layer.
  • Separate policy enforcement from vendor dependency. Document where access decisions are made, where logs are retained, and which controls fail if the control plane becomes unavailable.
  • Extend zero trust to workload and AI-driven access. Treat AI agents and workloads as distinct actor types that still need contextual policy evaluation.
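The first guidance item, worked as an added example (not Pomerium's code and not part of the original post): parse `ss -lntup`-style listener output, label each listener by protocol, and report every network-reachable path that does not pass through the access proxy. The sample output, the proxy port and the fronted upstream ports are constructed assumptions; on a real host you would feed in `ss -Hlntup` and take the port sets from the proxy's own route configuration.

```python
"""Inventory listening sockets and flag access paths the HTTP policy layer does not cover.

Added example with constructed input; adjust PROXY_PORTS and FRONTED_PORTS to your deployment.
"""
from dataclasses import dataclass

# Constructed sample in the shape of `ss -Hlntup` output; not captured from a real host.
SS_OUTPUT = """\
tcp   LISTEN 0  128   0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=812,fd=3))
udp   UNCONN 0  0     127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=410,fd=13))
udp   UNCONN 0  0     0.0.0.0:514        0.0.0.0:*  users:(("rsyslogd",pid=655,fd=6))
tcp   LISTEN 0  4096  0.0.0.0:443        0.0.0.0:*  users:(("pomerium",pid=900,fd=9))
tcp   LISTEN 0  4096  127.0.0.1:8080     0.0.0.0:*  users:(("app",pid=950,fd=5))
tcp   LISTEN 0  4096  0.0.0.0:9090       0.0.0.0:*  users:(("grafana",pid=960,fd=8))
tcp   LISTEN 0  128   0.0.0.0:5432       0.0.0.0:*  users:(("postgres",pid=700,fd=7))
"""

# Assumed deployment facts (hypothetical): the access proxy listens on tcp/443
# and fronts the upstreams on tcp/8080 and tcp/9090.
PROXY_PORTS = {("tcp", 443)}
FRONTED_PORTS = {("tcp", 8080), ("tcp", 9090)}

HTTP_PORTS = {80, 443, 8080, 8443}
WELL_KNOWN = {("tcp", 22): "ssh", ("tcp", 53): "dns", ("udp", 53): "dns",
              ("udp", 514): "syslog", ("tcp", 5432): "postgres"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def parse_ss(text: str) -> list:
    """Parse `ss -Hlntup`-style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        addr = addr.split("%", 1)[0].strip("[]")   # drop scope id and IPv6 brackets
        process = "?"
        if len(fields) > 6 and '"' in fields[6]:
            process = fields[6].split('"')[1]      # users:(("sshd",pid=...)) -> sshd
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def service_name(proto: str, port: int) -> str:
    if (proto, port) in WELL_KNOWN:
        return WELL_KNOWN[(proto, port)]
    return "http" if port in HTTP_PORTS else f"{proto}/{port}"


def classify(listeners, proxy_ports, fronted_ports) -> dict:
    """Map (proto, port) to its relationship with the policy layer."""
    findings = {}
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in proxy_ports:
            status = "policy-layer"                 # the enforcement point itself
        elif key in fronted_ports:
            # A fronted upstream is only covered if the proxy is the sole way in.
            status = "covered" if is_loopback(lst.addr) else "bypassable"
        else:
            status = "uncovered"
        findings[key] = {"status": status, "service": service_name(*key),
                         "process": lst.process, "exposed": not is_loopback(lst.addr)}
    return findings


def outside_policy(findings: dict) -> dict:
    """Network-reachable access paths that do not pass through the policy layer."""
    return {k: v for k, v in findings.items()
            if v["exposed"] and v["status"] in ("uncovered", "bypassable")}


if __name__ == "__main__":
    found = classify(parse_ss(SS_OUTPUT), PROXY_PORTS, FRONTED_PORTS)
    for (proto, port), info in sorted(outside_policy(found).items()):
        print(f"{proto}/{port:<6}{info['service']:<10}{info['process']:<16}{info['status']}")
```

Two findings in the sample are the ones this guidance is about: the fronted upstream on 0.0.0.0:9090 is "bypassable" because the proxy is not the only way to reach it, and SSH, syslog and the database listen with no policy layer in front of them at all. Loopback-only listeners are reported as not exposed rather than dropped, so the inventory still records them.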

What's in the full article

Pomerium's full article covers the operational detail this post intentionally leaves for the source:

  • The release-level breakdown of v0.29.0 features, including OpenTelemetry tracing and UDP tunneling.
  • The product-specific explanation of native SSH support and how the access flow is implemented.
  • The conference-grounded examples from banking, healthcare, and critical infrastructure teams.
  • The practical framing of how the platform positions itself for self-hosted and airgapped environments.

👉 Read Pomerium's KubeCon EU 2025 recap on zero trust without lock-in →
