The main failure is jurisdictional control leakage. Even if the application itself is local, the access path can leave the country, and the organisation may lose the ability to prove where access enforcement occurred. That weakens auditability, creates privacy exposure, and complicates accountability for data processors and fiduciaries.
Why This Matters for Security Teams
When ZTNA traffic is routed through vendor points of presence, the control plane may no longer align cleanly with the organisation’s legal, operational, or evidentiary boundaries. That matters because Zero Trust is not only about denying implicit trust. It is also about proving that access decisions are enforced consistently, logged reliably, and constrained to the right jurisdiction. NIST SP 800-207 Zero Trust Architecture makes clear that policy enforcement points, continuous evaluation, and telemetry are central to the model, not optional extras.
Security teams often assume that if the endpoint is protected and the session is encrypted, the access path is automatically acceptable. That is where trouble starts. A vendor POP can introduce ambiguity around where inspection occurs, where metadata is retained, and which party can actually attest to enforcement. For regulated workloads, that can affect privacy obligations, contractual data residency commitments, and incident response evidence. It can also complicate third-party risk reviews because the organisation may be relying on a path it cannot directly inspect.
In practice, many security teams encounter the jurisdictional problem only after audit evidence is requested, rather than through intentional design.
How It Works in Practice
ZTNA products usually broker access by authenticating the user or device, evaluating policy, and then relaying traffic through an intermediate service. If that relay is hosted in a vendor POP, the session may be terminated, inspected, or at least metadata-processed outside the organisation’s intended boundary. That does not automatically make the design insecure, but it does mean the team must treat the POP as part of the control environment and not as a neutral transit layer.
Operationally, the key questions are:
- Where is policy evaluated, and where is the decision logged?
- Does the vendor preserve session metadata, and for how long?
- Can access enforcement be pinned to a specific region or country?
- Can the organisation independently verify chain of custody for logs and telemetry?
- What happens when the POP is used for inspection of encrypted sessions or headers?
This is where identity and privilege controls intersect with network architecture. If the access path carries privileged administrative sessions, secrets, or sensitive personal data, the vendor POP becomes part of the trust boundary. Security teams should map this design against CISA Zero Trust Maturity Model principles, especially around visibility, segmentation, and policy enforcement. The same mapping should be checked against CIS Zero Trust guidance if the organisation uses it for implementation planning.
Where the architecture is well designed, the vendor POP is documented as an explicit dependency, data-flow diagrams show exact enforcement points, and logs are exported to the customer’s SIEM or evidence store. Where the architecture is weak, the POP becomes a hidden processing location that only appears during a breach review or regulatory inquiry. These controls tend to break down when the vendor cannot guarantee regional pinning for all traffic types, because the enforcement path and telemetry path stop matching the organisation’s compliance model.
Common Variations and Edge Cases
Tighter jurisdictional control often increases latency, cost, and operational complexity, requiring organisations to balance privacy assurance against performance and vendor coverage.
Some environments can tolerate POP-based routing because the data involved is low sensitivity, the regulatory footprint is limited, or the vendor offers hard regional controls with customer-managed logging. Best practice is evolving here, and there is no universal standard for this yet. The real test is whether the organisation can show that enforcement, inspection, and retention all stayed within approved boundaries for the specific workload.
Edge cases arise when ZTNA is used for cross-border support teams, admin access to production systems, or access to workloads containing regulated personal data. In those cases, the problem is not only data transit. It is also where authentication, session brokering, and policy logs are processed. For identity-heavy deployments, this can intersect with Zero Trust Architecture guidance and, where personal data is involved, privacy obligations that may require stronger evidence than the vendor’s default attestations.
The most practical safeguard is to demand design-time clarity: named processing locations, logging retention terms, regional routing options, and a fallback path if a POP cannot meet residency or audit requirements. If those answers are vague, the architecture is not yet ready for high-assurance or highly regulated use.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the technical controls, while NIS2 and DORA define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | ZTNA POPs affect how access control decisions are enforced and evidenced. |
| NIST Zero Trust (SP 800-207) | 5.5 | Zero Trust Architecture requires explicit policy enforcement and telemetry visibility. |
| NIST SP 800-63 | Identity assurance matters when brokered access depends on strong authentication. | |
| NIS2 | Cross-border control leakage can affect governance and incident accountability expectations. | |
| DORA | Operational resilience requirements apply when a vendor POP becomes a critical access dependency. |
Use high-confidence authentication and session assurance for access routed through third-party infrastructure.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org