When you think about Zero Trust—particularly what it means in terms of access controls and where to start strengthening your security posture—what comes to mind?
For many organizations, the answer focuses on perimeter security: multi-factor authentication (MFA), segmentation, device posture, and the like.
But Zero Trust isn’t just about who gets in. Rather, it’s about continuously verifying that the right identities—and only the right identities—have the right access, at the right time, to a particular resource.
Never trust, always verify: that’s Zero Trust governance, and it’s the foundation of a Zero Trust architecture that goes beyond checking boxes to actually deliver security outcomes.
However, a foundation is only the starting point. Making the most of it—and taking care of compliance obligations along the way—requires getting a few more things right, including:
In theory, every organization has governance policies—that is, guidelines and rules (whether written down or merely a part of institutional knowledge) about how to do particular things.
In the Identity and Access Management (IAM) domain, governance influences:
Accordingly, governance as it relates to IAM also becomes a vital contributor to cybersecurity and risk management. It’s important to note, however, that identity by itself is not Zero Trust. Identity is a critical component that Zero Trust consumes and enforces within broader, context-aware policies that continuously validate access decisions.
In practice, however, most organizations can’t (or don’t) actually enforce their IAM policies consistently, efficiently, and at scale.
Lacking such capabilities, or the conviction to implement them, organizations artificially limit the effectiveness of their own safeguards, including the Zero Trust controls they do deploy.
As it relates to Zero Trust, governance means:
When any of these elements is absent, for any combination of entities and resources, there's a Zero Trust governance gap. In that scenario, governance becomes little more than an academic exercise: something that might satisfy some very basic elements of a compliance audit, but that definitely won't stop an attack.
For example, the 2013 breach of the Target retail chain was traced to a compromised contractor account. As a handler of credit card data and transactions, Target was required to meet PCI DSS requirements, including network segmentation. Target's network, however, did not isolate the systems the contractor could reach from the cardholder data environment, a clear gap against PCI DSS's segmentation requirement. This governance gap enabled one of the most damaging breaches in history.
And as we'll see in a moment, many apps that organizations rely on are outside the scope of IAM or Identity Governance and Administration (IGA) systems, which creates considerable risk. In fact, the Ponemon Institute report The Hidden Cybersecurity Threat in Organizations: Disconnected Applications found that 52% of organizations had experienced a cybersecurity incident caused by the inability to secure disconnected applications.
You can’t govern what you can’t see.
This pithy truism is especially important in the world of Zero Trust, because many organizations think they have strong governance until they look into things more deeply. Upon doing so, they come to learn that many entities and resources operate outside the scope of the organization’s IAM controls.
Returning to the Target example, no one (other than the attacker) saw the lack of segmentation and the unfettered access it enabled, so the vulnerability remained until it was exploited to devastating effect.
Apps are a very important resource class that routinely falls outside of governance control. Organizations today manage hundreds of applications across SaaS, cloud, on-prem, mobile, thick-client, and legacy systems.
These applications vary widely in how they authenticate users, what protocols they support, and whether or not they integrate with modern identity tools. Consider that:
As a result, a shockingly large proportion of applications—often the majority of an organization’s app library—are largely invisible to IAM and IGA systems.
Yet these same apps routinely handle sensitive data and power critical workflows, putting them squarely in the crosshairs of threat actors looking to acquire sensitive information or disrupt operations.
Closing the Zero Trust governance gap requires gaining visibility into these apps and enforcing policies to control access to them.
Cerby helps close “the app gap” by integrating any application—no APIs or standard protocols needed—and bringing them under centralized visibility and control, so you can apply consistent Zero Trust principles across your entire ecosystem.
Security teams often hesitate to introduce automation out of concern for the impact of mistakes: false alarms, blocking the wrong thing and disrupting the business, and so on. Instead, manual processes involving spreadsheets, tickets, and emails remain common.
Compounding the risk, in many organizations these manual processes run only during traditional working hours, which delays important lifecycle management actions, including deprovisioning access.
But attackers have no such hesitation about occasional mistakes. Motivated by the potential upside, with little concern for the consequences of errors, they’ll eagerly automate everything.
Trying to counter automated threats while relying on manual processes is like trying to manually deploy an airbag during a crash. This latter scenario is rightfully seen as absurd, yet organizations—even those that embrace automation in many other areas—continue to take a cautious approach with access controls.
There’s a real irony at play here, because the truly cautious organizations recognize that automation is the only way to scale governance.
By executing workflows at the speed of APIs and networks—rather than at the speed of humans—automation enables you to detect and counter threats in real time.
Focusing on IAM and IGA, automation also:
In fact, The 2025 Identity Automation Gap Report showed that 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
With Cerby, you can automate critical tasks like password rotation, MFA enrollment, and lifecycle management (LCM) for all of your apps, while reducing reliance on end users and freeing up the time and expertise of your IT and security personnel.
Security teams need to embrace automation, and organization leaders need to provide support and cover for any occasional missteps that occur. I promise you that a few minor inconveniences along the way are a small price to pay for the vastly stronger protections that will result.
Compliance itself shouldn’t be the end goal. After all, compliance just means you’ve done the minimum to satisfy some externally imposed requirement.
Instead, compliance should be a natural byproduct of continuous and contextual governance backed by effective enforcement. That is, compliance emerges as a positive side effect of taking measures to protect your organization.
For instance, Cerby doesn’t just extend enforcement policies across your apps, it also equips those responsible for fulfilling your organization’s Governance, Risk, and Compliance (GRC) obligations with continuous, audit-ready evidence.
In contrast, in the 2023 Ponemon Institute study cited earlier, 47% of organizations reported failing to meet regulatory requirements because of disconnected applications that weren’t properly secured and governed.
It's much better (at least in my opinion) to protect our organization first and then, with a few clicks, also demonstrate compliance.
I like to tell people that "All bad things happen inside of an allow rule."
Importantly, an allow rule broad enough to admit the attacker is functionally equivalent to not having a deny rule at all.
Zero Trust turns the tables by adopting a deny-by-default approach that forces an entity—again, it’s worth repeating that this applies to human and non-human identities—to prove it should be granted access to a resource.
But, too often, organizations take half-steps on their Zero Trust journey, resulting in a governance gap suffering from:
Disconnected apps are a perfect example of these shortcomings.
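To make the "allow rule" point concrete, here is an added example (not Cerby's product code, and not part of the original article) of a deny-by-default policy decision: a request is allowed only when an explicit rule for that identity, resource and action matches and every context condition (MFA, device posture, time window) holds; otherwise the default answer is deny. The same requests are also evaluated against a single allow-anything rule, which behaves exactly like having no deny rule. The identities (hvac-contractor, pos-admin), resources, rule layout and request attributes are assumptions constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

ANY = "*"  # wildcard: the overly broad allow rule the text warns about


@dataclass(frozen=True)
class Request:
    """One access request. Field names are assumptions for this example."""
    subject: str          # human or non-human identity (user, contractor, service account)
    resource: str
    action: str
    mfa: bool             # session completed MFA
    managed_device: bool  # device posture check passed
    when: datetime        # request time, UTC


@dataclass(frozen=True)
class AllowRule:
    subjects: frozenset[str]
    resources: frozenset[str]
    actions: frozenset[str]
    conditions: tuple[Callable[[Request], bool], ...] = ()  # context checks, all must hold

    def matches(self, req: Request) -> bool:
        def covers(allowed: frozenset[str], value: str) -> bool:
            return ANY in allowed or value in allowed
        return (
            covers(self.subjects, req.subject)
            and covers(self.resources, req.resource)
            and covers(self.actions, req.action)
            and all(cond(req) for cond in self.conditions)
        )


def require_mfa(req: Request) -> bool:
    return req.mfa


def require_managed_device(req: Request) -> bool:
    return req.managed_device


def within_utc_hours(start: int, end: int) -> Callable[[Request], bool]:
    """Build a time-window condition: allow only when start <= hour < end (UTC)."""
    return lambda req: start <= req.when.hour < end


def decide(rules: tuple[AllowRule, ...], req: Request) -> str:
    """Deny by default: "ALLOW" only if some explicit rule matches, else "DENY"."""
    return "ALLOW" if any(rule.matches(req) for rule in rules) else "DENY"


# Explicit, least-privilege allow rules. Identities and resources are hypothetical.
ZERO_TRUST_RULES = (
    # The HVAC contractor may read the vendor billing portal, with MFA, during business hours.
    AllowRule(frozenset({"hvac-contractor"}), frozenset({"vendor-billing-portal"}),
              frozenset({"read"}), (require_mfa, within_utc_hours(12, 22))),
    # Only the POS administrator touches the cardholder data environment, and only
    # from a managed device, with MFA, inside the change window.
    AllowRule(frozenset({"pos-admin"}), frozenset({"cardholder-data-env"}),
              frozenset({"read", "admin"}),
              (require_mfa, require_managed_device, within_utc_hours(12, 22))),
)

# The anti-pattern: one allow rule that matches everything. Every request falls
# inside it, so it is functionally the same as having no deny rule.
LEGACY_RULES = (AllowRule(frozenset({ANY}), frozenset({ANY}), frozenset({ANY})),)


def demo() -> dict[str, tuple[str, str]]:
    """Evaluate constructed requests under both rule sets: {scenario: (zero_trust, legacy)}."""
    day = datetime(2025, 6, 3, 15, 0, tzinfo=timezone.utc)
    night = datetime(2025, 6, 3, 3, 0, tzinfo=timezone.utc)
    scenarios = {
        "contractor reads billing portal":
            Request("hvac-contractor", "vendor-billing-portal", "read", True, False, day),
        "contractor reaches cardholder env":
            Request("hvac-contractor", "cardholder-data-env", "read", True, False, day),
        "admin changes cardholder env, managed device, MFA, daytime":
            Request("pos-admin", "cardholder-data-env", "admin", True, True, day),
        "admin changes cardholder env at 03:00 UTC":
            Request("pos-admin", "cardholder-data-env", "admin", True, True, night),
        "admin changes cardholder env without MFA":
            Request("pos-admin", "cardholder-data-env", "admin", False, True, day),
    }
    return {name: (decide(ZERO_TRUST_RULES, r), decide(LEGACY_RULES, r))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (zt, legacy) in demo().items():
        print(f"{name:60s} zero-trust={zt:5s} legacy-allow-any={legacy}")
```

Under the explicit rules the contractor's valid credentials get it exactly one thing, the billing portal, and nothing else; the same credentials reaching the cardholder environment, or the administrator arriving at 03:00 or without MFA, fall through to the default deny. Under the allow-anything rule every one of those requests is permitted, which is the governance gap the Target example describes.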
As I’ve written previously, the best Zero Trust security model isn’t a lengthy checklist—it’s five steps done well:
Cerby helps to enable these steps by bringing every application into your secure Zero Trust environment—closing the governance gap with the visibility, control, and protection those systems have been missing.
Continue learning from John Kindervag, the creator of Zero Trust, in this exclusive discussion with Cerby’s Rick Weinberg. They explore real-world Zero Trust successes, common pitfalls (including disconnected apps), and practical steps to future-proof your security strategy.