Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security How should security teams handle trust when employees…
Cyber Security

How should security teams handle trust when employees work from home and the office?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

Security teams should stop using workplace location as a primary trust signal and instead rely on multifactor authentication, device posture, and session-level verification. Hybrid work increases the number of networks and devices in play, so access decisions must follow the user and the context, not the desk they happen to sit at.

Why This Matters for Security Teams

Hybrid work breaks the old assumption that office traffic is inherently safer than home traffic. Once access is granted from multiple networks, personal devices, and unmanaged home routers, location becomes a weak trust signal. Security teams need a model that evaluates identity, device health, and session risk together, rather than treating the office as a default safe zone. That shift aligns well with the NIST Cybersecurity Framework 2.0, which emphasises governance, risk management, and ongoing protection rather than static perimeter thinking.

The practical issue is not whether work happens at home or in the office. It is whether the session can be trusted at the moment access is requested. Teams that keep using network location as a shortcut often miss account takeover, device compromise, and session hijacking because the request appears to come from a familiar place. In a hybrid model, the trust decision has to be continuous and evidence-based.

In practice, many security teams discover weak trust assumptions only after an attacker has already logged in from a “normal” location and blended into routine user activity.

How It Works in Practice

Hybrid trust decisions should be built around conditional access, strong authentication, and device posture signals. A user may authenticate successfully, but that should not automatically grant the same access every time. Security teams should evaluate whether the device is managed, patched, encrypted, and free of high-risk indicators, then confirm whether the session matches expected behaviour. This is where location becomes one signal among many, not the deciding factor.

At a minimum, teams should combine:

  • multifactor authentication for all remote and privileged access
  • device compliance checks before granting access to sensitive systems
  • step-up authentication when risk increases during a session
  • logging and alerting for unusual login patterns, impossible travel, and repeated failures
  • least-privilege access so hybrid users only reach what they need

For identity assurance, NIST SP 800-63 Digital Identity Guidelines is useful for separating identity proofing from routine session trust. That distinction matters because a successfully authenticated user is not automatically a low-risk user. Security operations should also correlate access events with endpoint telemetry and, where appropriate, network signals from the same session to spot drift in trust.

Teams often get better outcomes when they define trust as a set of verifiable controls rather than a feeling of familiarity. That means making remote and office access follow the same policy engine, while adapting enforcement to risk, sensitivity, and device state. These controls tend to break down when legacy applications cannot support conditional access because teams are forced to bypass policy for business continuity.

Common Variations and Edge Cases

Tighter trust controls often increase user friction, requiring organisations to balance stronger assurance against productivity and support overhead. That tradeoff becomes visible in executive workflows, contractors, and operational roles that need frequent access across changing locations.

There is no universal standard for every hybrid environment, so guidance should be tailored to data sensitivity and threat exposure. For low-risk collaboration tools, step-up checks may be enough. For finance, admin, or production access, current guidance suggests stronger controls such as phishing-resistant MFA, shorter session lifetimes, and more aggressive revalidation. This is especially important where privileged access is involved, because the office network does not reduce the damage caused by a compromised account.

Edge cases also include BYOD, travel, and shared family devices. In those settings, location-based trust is even less reliable because the device itself may be the main exposure. Security teams should be cautious about exempting “trusted locations” unless they can prove the underlying endpoint is managed and monitored. The office should be treated as a convenient place to work, not as a security boundary. Where identity, endpoint, and session controls are missing, hybrid access becomes inconsistent very quickly, especially for legacy SaaS and internal apps that cannot enforce policy at the session layer.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Hybrid trust should be based on verified access logic, not physical location.
NIST SP 800-63IAL/AAL/FALIdentity assurance levels help separate proofing strength from session trust.
NIST Zero Trust (SP 800-207)PL-1Zero trust directly rejects location-based trust and supports continuous verification.
OWASP Agentic AI Top 10Agentic systems and autonomous access decisions need explicit trust boundaries.
NIST AI RMFGOVERNRisk governance is needed when trust decisions are delegated to policy engines.

Constrain automation so agents cannot expand trust or access beyond approved session policy.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org