Subscribe to the Non-Human & AI Identity Journal
Home FAQ Cyber Security Why do VPNs and firewall segmentation create compliance…
Cyber Security

Why do VPNs and firewall segmentation create compliance risk in financial services?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Cyber Security

They create risk because they often turn access governance into a manual change process that lags behind business change. When exceptions pile up, the documented policy and the actual enforcement path drift apart, which weakens least privilege and makes it harder to prove continuous control to auditors.

Why This Matters for Security Teams

In financial services, VPNs and firewall segmentation are often treated as proof of control when they are really just one layer of enforcement. The compliance risk appears when access decisions are buried in tickets, manual rule changes, and exception approvals that do not keep pace with business change. That gap affects least privilege, segregation of duties, and the ability to show continuous control under frameworks such as the NIST Cybersecurity Framework 2.0.

Auditors usually care less about whether a VPN exists and more about whether access is justified, reviewed, time-bound, and enforceable across the actual environment. If segmentation rules do not map cleanly to business roles, data sensitivity, and application ownership, the organisation may have a policy that looks strong on paper but is weak in operation. That is especially problematic where regulated workloads support payments, trading, lending, or customer identity processes.

The core issue is not that VPNs or firewalls are inherently non-compliant. The risk comes from relying on them as static perimeter controls in a dynamic environment where users, service accounts, third-party access, and cloud-connected systems change quickly. In practice, many security teams encounter compliance failures only after an audit request or incident reveals that the approved access path was never the enforced access path.

How It Works in Practice

Compliance teams typically expect three things from network access controls: a defined business purpose, a reviewable approval trail, and evidence that access is removed or constrained when it is no longer needed. VPNs can support this if they are tied to strong identity assurance, but they often become a coarse gateway that grants broad reach once a user is inside. Firewall segmentation can also help, but only when the ruleset is tightly governed, regularly validated, and aligned to asset criticality and data flows.

Financial services environments often fail here because the access model spans multiple control planes. A user may authenticate to a VPN, traverse segmented networks, reach a shared service, and then rely on application-level permissions that are not reconciled with the original access request. That creates a documentation problem as much as a security problem. Guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls and ISO/IEC 27001:2022 Information Security Management supports formal control ownership, access review, and change management, but the practical implementation must prove that the control actually restricts access as intended.

  • Map VPN groups and firewall zones to business functions, not just technical teams.
  • Require time-bound approvals for exceptions and revalidate them on a fixed schedule.
  • Reconcile network access with application entitlements, privileged access, and third-party accounts.
  • Preserve logs that show who approved access, when the rule changed, and what was actually reachable.
  • Test segmentation against real user paths, not only against diagrammed intended paths.

When identity assurance matters, the access decision should be anchored in strong authentication and device confidence, which is where NIST SP 800-63 Digital Identity Guidelines becomes relevant. These controls tend to break down when legacy networks, shared admin accounts, and unmanaged exceptions coexist because the team can no longer prove who had access, why they had it, and whether the restriction was enforced consistently.

Common Variations and Edge Cases

Tighter segmentation often increases operational overhead, requiring organisations to balance reduced blast radius against slower change cycles and higher maintenance cost. That tradeoff is especially visible in branch networks, merger integrations, and outsourced operations where business teams need rapid access changes but security teams need auditable control.

There is no universal standard for this yet, but current guidance suggests that perimeter tools should be paired with evidence of governance, not treated as the governance mechanism itself. For banks and payment firms, network controls may also intersect with AML, KYC, and privacy obligations when access paths expose customer identity data or case management systems. In those environments, auditors may ask whether the organisation can trace access from the original request through to effective enforcement, not just whether the firewall rule existed.

Edge cases also arise with vendor access, cloud-to-on-prem connectivity, and emergency break-glass routes. Those scenarios are legitimate, but they require explicit exception handling, stronger monitoring, and post-use review. Best practice is evolving toward identity-centric controls and just-in-time access, because static network boundaries rarely keep pace with modern financial workflows. That shift aligns well with ISO/IEC 27002:2022 Information Security Controls and the governance expectations reflected in FATF Recommendations for AML and KYC when customer data and sensitive case access are in scope.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST AI RMF, NIST SP 800-63, NIST SP 800-53 Rev 5 and ISO/IEC 27001:2022 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Access governance and enforcement are central to the compliance risk described.
NIST AI RMFGovernance discipline applies when automated policy decisions support access control.
NIST SP 800-63IAL2Strong identity assurance supports defensible access decisions for regulated environments.
NIST SP 800-53 Rev 5AC-4Information flow enforcement maps directly to segmentation and firewall rule control.
ISO/IEC 27001:2022ISMS governance supports evidence, ownership, and continual improvement for controls.

Maintain documented ownership, review cycles, and audit evidence for access controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org