Zero Trust Architecture assumes continuous verification and least privilege, while traditional VPNs usually grant access based on network connectivity after login. That mismatch matters because the control boundary is too coarse for modern identity governance, especially when remote access must support different actor types and different risk levels.
Why This Matters for Security Teams
VPNs were built to extend trusted network access, not to enforce continuous, per-request verification. That makes them a poor fit once organisations adopt zero trust Architecture, where identity, device posture, session risk, and workload context should all be evaluated every time access is used. NIST SP 800-207 Zero Trust Architecture describes this shift clearly: trust is not granted because a user is “inside” the network. The gap becomes sharper when remote access has to support humans, service accounts, APIs, and autonomous workloads under different risk tolerances.
NHI Mgmt Group’s Ultimate Guide to NHIs notes that 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation. That matters because VPNs usually collapse all of those identities into a broad tunnel, making the control boundary too coarse for modern governance. In practice, many security teams discover this only after over-privileged access has already been used as the easiest path through the environment, rather than through intentional Zero Trust design.
How It Works in Practice
Zero Trust replaces “connect once, trust broadly” with “verify continuously, authorize narrowly.” In a VPN model, a successful login often opens network reachability to many internal assets. In a Zero Trust model, the remote access broker or policy engine should decide at request time whether that specific user, device, or workload can reach that specific resource for that specific purpose. NIST guidance and the NIST SP 800-207 Zero Trust Architecture framework both push toward resource-level access decisions instead of network-wide trust.
For human users, this usually means replacing broad VPN segments with identity-aware access, strong MFA, device posture checks, and least-privilege app access. For NHIs, the pattern is even stricter: credentials should be short-lived, task-scoped, and revoked automatically when the job ends. The Guide to SPIFFE and SPIRE is relevant here because workload identity gives cryptographic proof of what a service is, rather than relying on a network location that a VPN happened to place it in. That is a better fit for service accounts, automation, and agentic systems that may chain tools or change behavior mid-session.
- Use identity-aware access gateways instead of flat network tunnels.
- Bind access to device, workload, and session context, not just login success.
- Issue short-lived credentials and rotate them automatically.
- Evaluate policy at request time, not only at connection time.
- Segment by application and data sensitivity, not by subnet.
This guidance tends to break down in legacy environments where internal applications still assume implicit network trust and cannot support per-request authorization.
Common Variations and Edge Cases
Tighter access control often increases operational overhead, requiring organisations to balance reduced blast radius against migration complexity. That tradeoff is why VPNs sometimes remain as a transitional control for specific administrative paths, partner access, or tightly constrained fallback scenarios. But best practice is evolving away from using VPNs as the default remote access layer, because the tunnel itself does not enforce Zero Trust principles.
There is no universal standard for the exact replacement pattern yet. Some organisations move first to identity-aware proxying, others to software-defined per-application access, and others to policy engines that combine context, posture, and risk scoring. For NHI-heavy environments, the important issue is not just replacing the VPN but ensuring that secrets, API keys, and tokens are not treated like durable network badges. NHIMG research shows how that fails in practice: the SonicWall VPN Mass Breach via Stolen Credentials demonstrates how stolen access can turn a remote tunnel into broad internal exposure, while the Ultimate Guide to NHIs - Standards reinforces that lifecycle controls and rotation discipline are essential to Zero Trust outcomes.
Edge cases appear in environments with air-gapped segments, industrial systems, or vendors that cannot support modern identity protocols. In those cases, current guidance suggests limiting VPN use to tightly scoped administrative exceptions, with compensating controls and aggressive monitoring.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, CSA MAESTRO and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | 3.1 | Defines continuous verification and resource-centric access instead of implicit network trust. |
| OWASP Non-Human Identity Top 10 | NHI-01 | VPNs can mask NHI overreach by granting network-wide reach to overprivileged identities. |
| CSA MAESTRO | AG1 | Agentic and automated workloads need runtime authorization beyond coarse remote tunnels. |
| NIST AI RMF | Risk-based governance supports context-aware access decisions for autonomous systems. | |
| OWASP Agentic AI Top 10 | A01 | Autonomous agents invalidate static network trust because actions and tool use are dynamic. |
Replace broad VPN trust with per-request authorization tied to identity, device, and resource context.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org