When you think about Zero Trust—particularly what it means in terms of access controls and where to start strengthening your security posture—what comes to mind?

For many organizations, the answer focuses on perimeter security: multi-factor authentication (MFA), segmentation, device posture, and the like.

But Zero Trust isn’t just about who gets in. Rather, it’s about continuously verifying that the right identities—and only the right identities—have the right access, at the right time, to a particular resource.

Never trust, always verify: that’s Zero Trust governance, and it’s the foundation of a Zero Trust architecture that goes beyond checking boxes to actually deliver security outcomes.

However, a foundation is only the starting point. Making the most of it—and taking care of compliance obligations along the way—requires getting a few more things right, including:

  • The ability to actually enforce your governance policies
  • Visibility into and across your user base and IT environment
  • A high degree of automation, to maintain a tight security posture and respond to threats in real time

Governance doesn’t matter unless it’s enforceable

In theory, every organization has governance policies—that is, guidelines and rules (whether written down or merely a part of institutional knowledge) about how to do particular things.

In the Identity and Access Management (IAM) domain, governance influences:

  • Who (or what, in the case of non-human identities) has access to which resources (e.g., networks, systems, data, applications, etc.)
  • Under what conditions access is granted or denied

Accordingly, governance as it relates to IAM also becomes a vital contributor to cybersecurity and risk management. It’s important to note, however, that identity by itself is not Zero Trust. Identity is a critical component that Zero Trust consumes and enforces within broader, context-aware policies that continuously validate access decisions.

In practice, however, most organizations can’t (or don’t) actually enforce their IAM policies consistently, efficiently, and at scale.

Without such capabilities, or the conviction to implement them, efforts to safeguard the organization, including the deployment of Zero Trust controls, are artificially limited in their effectiveness.

The Zero Trust governance gap

As it relates to Zero Trust, governance means:

  • Knowing exactly what needs to be governed and what you are actually governing
  • Defining and understanding your Protect Surface, the critical data, applications, assets, and services that require the highest levels of security
  • Being able to see, at any point in time, which entities (human and otherwise) have access to what resources
  • Evaluating, enforcing, and updating (i.e., in response to changes in context, permissions, etc.) policies in real time

When any of these elements are absent, for any combination of entities and resources, there’s a Zero Trust governance gap. In such a scenario, governance becomes little more than an academic exercise—something that might help to satisfy some very basic elements of a compliance audit, but that definitely won’t stop an attack.

For example, the 2013 breach of the Target retail chain was traced to a compromised contractor account. As a handler of credit card data and transactions, Target was required to meet PCI DSS requirements—including network segmentation. Target, however, allowed the contractor's computer system to be installed on the cardholder data network, a clear violation of PCI DSS. This governance gap enabled one of the most damaging breaches in history.

And as we’ll see in a moment, many apps that organizations rely on are outside the scope of IAM or Identity Governance and Administration (IGA) systems, which creates considerable risk. In fact, The Hidden Cybersecurity Threat in Organizations: Disconnected Applications, prepared by the Ponemon Institute, revealed that 52% of organizations experienced a cybersecurity incident caused by the inability to secure disconnected applications.

Lack of visibility means lack of control

You can’t govern what you can’t see.

This pithy truism is especially important in the world of Zero Trust, because many organizations think they have strong governance until they look into things more deeply. Upon doing so, they come to learn that many entities and resources operate outside the scope of the organization’s IAM controls.

Returning to the Target example, no one (other than the attacker) saw the lack of segmentation and the unfettered access it enabled, so the vulnerability remained until it was exploited to devastating effect.

Apps present a real risk

Apps comprise a very important resource class that routinely falls outside of governance control. Organizations today manage hundreds of applications across SaaS, cloud, on-prem, mobile, thick client, and legacy systems.

These applications vary widely in how they authenticate users, what protocols they support, and whether or not they integrate with modern identity tools. Consider that:

  • Many lack support for standards like SAML, SCIM, or OIDC
  • Others reserve integration features for top-tier licenses
  • Some simply weren’t built with identity in mind

As a result, a shockingly large proportion of applications—often the majority of an organization’s app library—are largely invisible to IAM and IGA systems.

Yet these same apps routinely handle sensitive data and power critical workflows, putting them squarely in the crosshairs of threat actors looking to acquire sensitive information or disrupt operations.

Closing the Zero Trust governance gap requires gaining visibility into these apps and enforcing policies to control access to them.

Cerby helps close “the app gap” by integrating any application—no APIs or standard protocols needed—and bringing them under centralized visibility and control, so you can apply consistent Zero Trust principles across your entire ecosystem.

Automation is the only way to scale governance

Security teams often hesitate to introduce automation out of concern for the impact of mistakes: false alarms, blocking the wrong thing and disrupting the business, and so on. Instead, manual processes built on spreadsheets, tickets, and emails remain common.

Compounding the risks, for many organizations these manual processes run only during traditional working hours, which can lead to delays in important lifecycle management actions—including deprovisioning access.

But attackers have no such hesitation about occasional mistakes. Motivated by the potential upside, with little concern for the consequences of errors, they’ll eagerly automate everything.

Trying to counter automated threats while relying on manual processes is like trying to manually deploy an airbag during a crash. This latter scenario is rightfully seen as absurd, yet organizations—even those that embrace automation in many other areas—continue to take a cautious approach with access controls.

There’s a real irony at play here, because the truly cautious organizations recognize that automation is the only way to scale governance.

Automating identity workflows

By executing workflows at the speed of APIs and networks—rather than at the speed of humans—automation enables you to detect and counter threats in real time.

Focusing on IAM and IGA, automation also:

  • Strengthens your security posture by maintaining least-privilege policies and by reducing errors (especially those relating to missed steps and configuration mistakes)
  • Simplifies and expedites access reviews, revocations, and audit trails
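The governance gap described above (entities and resources outside of IAM visibility, including disconnected apps) and the automated lifecycle actions described in this section can both be shown in one small reconciliation job. The following is an added example, not code from the post or from Cerby: it takes a constructed app inventory and a constructed identity source of truth, flags every account or app that sits outside governance, and turns the lifecycle findings into timestamped remediation actions that double as an audit trail. App names, account names and the action labels are assumptions made for the example.

```python
"""Governance-gap reconciliation over a constructed app inventory.

Added example (not Cerby's code). Every app, account and identity below is
constructed; the action labels ("scim-deprovision", etc.) are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class App:
    name: str
    protect_surface: bool      # holds critical data, apps, assets or services
    idp_integrated: bool       # users sign in through the IdP (SAML/OIDC)
    scim_integrated: bool      # accounts are provisioned/deprovisioned via SCIM
    local_accounts: frozenset  # accounts the app itself knows about


@dataclass(frozen=True)
class Finding:
    app: str
    account: str   # "*" means the finding applies to the whole app
    reason: str


# Constructed identity source of truth (think: HR feed plus a service-account registry).
ACTIVE_USERS = frozenset({"alice", "bob"})
TERMINATED_USERS = frozenset({"carol"})
NON_HUMAN = frozenset({"svc-backup"})   # non-human identities are in scope too

# Constructed inventory: one governed app, one disconnected Protect Surface app,
# and one low-value app that nobody has ever connected to IAM.
APPS = [
    App("payroll", True, True, True, frozenset({"alice", "carol"})),
    App("legacy-erp", True, False, False, frozenset({"alice", "carol", "svc-backup"})),
    App("team-wiki", False, False, False, frozenset({"bob", "mallory"})),
]


def find_gaps(apps, active, terminated, non_human=NON_HUMAN):
    """Return every (app, account) pair that sits outside governance.

    Three gap types are distinguished:
      - a terminated user still holds an account      (lifecycle gap)
      - an account is unknown to the identity source   (visibility gap)
      - a Protect Surface app is not under IdP + SCIM control (enforcement gap)
    """
    known = active | terminated | non_human
    findings = []
    for app in apps:
        for acct in sorted(app.local_accounts):
            if acct in terminated:
                findings.append(Finding(app.name, acct, "terminated-user-still-has-access"))
            elif acct not in known:
                findings.append(Finding(app.name, acct, "account-unknown-to-identity-source"))
        if app.protect_surface and not (app.idp_integrated and app.scim_integrated):
            findings.append(Finding(app.name, "*", "protect-surface-app-not-integrated"))
    return findings


def plan_remediation(findings, apps, now=None):
    """Turn lifecycle and visibility findings into actions with an audit timestamp.

    Deprovisioning goes through SCIM where the app supports it; for a disconnected
    app the action is still issued, just through an out-of-band path, so the
    revocation is not left waiting for a human during working hours.
    """
    now = now or datetime.now(timezone.utc)
    by_name = {a.name: a for a in apps}
    actions = []
    for f in findings:
        if f.reason == "terminated-user-still-has-access":
            method = "scim-deprovision" if by_name[f.app].scim_integrated else "out-of-band-revoke"
            actions.append({"ts": now.isoformat(), "app": f.app, "account": f.account, "action": method})
        elif f.reason == "account-unknown-to-identity-source":
            # Not enough context to delete safely; block it and route to an access review.
            actions.append({"ts": now.isoformat(), "app": f.app, "account": f.account,
                            "action": "quarantine-pending-review"})
    return actions


def governed_protect_surface_ratio(apps):
    """Fraction of Protect Surface apps that are fully integrated (the visibility headline number)."""
    ps = [a for a in apps if a.protect_surface]
    governed = [a for a in ps if a.idp_integrated and a.scim_integrated]
    return len(governed) / len(ps) if ps else 1.0


if __name__ == "__main__":
    gaps = find_gaps(APPS, ACTIVE_USERS, TERMINATED_USERS)
    for g in gaps:
        print(f"GAP  {g.app:<12} {g.account:<10} {g.reason}")
    for a in plan_remediation(gaps, APPS):
        print(f"ACT  {a['app']:<12} {a['account']:<10} {a['action']}  @ {a['ts']}")
    print(f"Protect Surface apps governed: {governed_protect_surface_ratio(APPS):.0%}")
```

Run on its own, the job reports two stale accounts for the terminated user (one revoked through SCIM, one out of band), an unknown account on the wiki held for review, and the ERP system as a Protect Surface app with no integration at all. The same output, written to a log, is the audit-ready evidence the compliance section below talks about.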

In fact, The 2025 Identity Automation Gap Report showed that 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.

With Cerby, you can automate critical tasks like password rotation, MFA enrollment, and lifecycle management (LCM) for all of your apps, while reducing reliance on end users and freeing up the time and expertise of your IT and security personnel.

Security teams need to embrace automation, and organization leaders need to provide support and cover for any occasional missteps that occur. I promise you that a few minor inconveniences along the way are a small price to pay for the vastly stronger protections that will result.

Governance done right makes compliance a non-issue

Compliance itself shouldn’t be the end goal. After all, compliance just means you’ve done the minimum to satisfy some externally imposed requirement.

Instead, compliance should be a natural byproduct of continuous and contextual governance backed by effective enforcement. That is, compliance emerges as a positive side effect of taking measures to protect your organization.

For instance, Cerby doesn’t just extend enforcement policies across your apps, it also equips those responsible for fulfilling your organization’s Governance, Risk, and Compliance (GRC) obligations with continuous, audit-ready evidence.

In contrast, in the 2023 Ponemon Institute study cited earlier, 47% of organizations reported failing to meet regulatory requirements because of disconnected applications that weren’t properly secured and governed.

Much better (at least in my opinion) to protect our organization and then, with a few clicks, also demonstrate compliance.

Ready to become a Zero Trust leader?

I like to tell people that “All bad things happen inside of an allow rule.”

Put another way, an allow rule that is broader than it needs to be is functionally equivalent to having no deny rule at all.

Zero Trust turns the tables by adopting a deny-by-default approach that forces an entity—again, it’s worth repeating that this applies to human and non-human identities—to prove it should be granted access to a resource.
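The deny-by-default model in the two paragraphs above can be made concrete with a small policy evaluator. This is an added example, not code from the post or from Cerby: there is no deny rule anywhere in it, because denial is the default, so the only way an entity (human or service) reaches a resource is by matching an allow rule that checks the full context. It contrasts a single over-broad allow rule with scoped rules, and re-evaluates a decision when context changes, which is the "continuously verifying" part of the post. Identities, resources, device and MFA attributes and working-hours windows are all constructed.

```python
"""Deny-by-default, context-aware access decisions.

Added example (not Cerby's code). Subjects, resources and rule conditions
are constructed; the Protect Surface set is an assumption for the example.
"""
from dataclasses import dataclass, replace
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: str          # human or non-human identity
    subject_type: str     # "user" or "service"
    device_compliant: bool
    mfa_verified: bool
    resource: str
    action: str
    hour_utc: int


@dataclass(frozen=True)
class AllowRule:
    name: str
    matches: Callable[[Request], bool]


# Constructed Protect Surface: the resources that need the tightest rules.
PROTECT_SURFACE = frozenset({"cardholder-db", "payroll"})


def evaluate(request, rules):
    """Deny by default: ("allow", rule_name) for the first matching allow rule, else ("deny", None)."""
    for rule in rules:
        if rule.matches(request):
            return "allow", rule.name
    return "deny", None


def reevaluate(request, rules, **context_change):
    """Continuous verification: re-run the decision after context changes (device posture, MFA, time)."""
    return evaluate(replace(request, **context_change), rules)


def protect_surface_exposure(rules, requests):
    """Which (subject, resource) pairs on the Protect Surface each allow rule admits.

    Because every bad thing happens inside an allow rule, this is the review
    that tells you which rule to tighten.
    """
    return {
        rule.name: {(r.subject, r.resource)
                    for r in requests if r.resource in PROTECT_SURFACE and rule.matches(r)}
        for rule in rules
    }


# The over-broad rule: any contractor identity may reach anything.
BROAD_RULES = [
    AllowRule("contractor-anything", lambda r: r.subject.startswith("contractor-")),
]

# Scoped rules: each names the identity, the resource, the action and the context it requires.
SCOPED_RULES = [
    AllowRule("contractor-maintenance-portal",
              lambda r: r.subject.startswith("contractor-") and r.resource == "maintenance-portal"
              and r.action == "read" and r.device_compliant and r.mfa_verified),
    AllowRule("payments-admin-cardholder-db",
              lambda r: r.subject == "alice" and r.subject_type == "user"
              and r.resource == "cardholder-db" and r.device_compliant and r.mfa_verified
              and 8 <= r.hour_utc < 18),
    AllowRule("backup-service-cardholder-db",
              lambda r: r.subject == "svc-backup" and r.subject_type == "service"
              and r.resource == "cardholder-db" and r.action == "read" and r.hour_utc in (2, 3)),
]


if __name__ == "__main__":
    contractor = Request("contractor-1", "user", True, True, "cardholder-db", "read", 14)
    admin = Request("alice", "user", True, True, "cardholder-db", "read", 10)
    print("broad :", evaluate(contractor, BROAD_RULES))     # the "bad thing inside an allow rule"
    print("scoped:", evaluate(contractor, SCOPED_RULES))    # denied: no rule admits it
    print("admin :", evaluate(admin, SCOPED_RULES))
    print("admin, device out of compliance:", reevaluate(admin, SCOPED_RULES, device_compliant=False))
    print("exposure:", protect_surface_exposure(BROAD_RULES, [contractor, admin]))
```

The design point is that the scoped rule set never says "deny contractors from the cardholder database"; it simply never allows it, so a compromised contractor account has nowhere to go. Flipping one context attribute on an otherwise-valid request (a device falling out of compliance) takes the decision straight back to deny, which is what evaluating policy in real time, rather than at login, buys you.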

But, too often, organizations take half-steps on their Zero Trust journey, leaving a governance gap marked by:

  • Lack of enforcement capabilities
  • Incomplete visibility into the IT environment
  • A continued reliance on manual processes
  • Challenges demonstrating compliance

Disconnected apps are a perfect example of these shortcomings.

As I’ve written previously, the best Zero Trust security model isn’t a lengthy checklist—it’s five steps done well:

  1. Define the Protect Surface
  2. Map the transaction flows
  3. Architect the environment
  4. Create your Zero Trust policy
  5. Monitor and maintain

Cerby helps to enable these steps by bringing every application into your secure Zero Trust environment—closing the governance gap with the visibility, control, and protection those systems have been missing.

Watch the On-Demand Webinar: Zero Trust in Practice: What’s Working, What’s Failing & What’s Next

Continue learning from John Kindervag, the creator of Zero Trust, in this exclusive discussion with Cerby’s Rick Weinberg. They explore real-world Zero Trust successes, common pitfalls (including disconnected apps), and practical steps to future-proof your security strategy.
