Zero-Trust Identity management

Why identity is the engine of zero trust

Mostafa Kamel , Security Engineer , Nomios Netherlands

5 min. read

In 2025, identity-related breaches accounted for 80% of cyber incidents, according to reports from CrowdStrike and Okta, making zero trust not just a buzzword but a necessity. Zero trust is often misunderstood as a collection of network controls or access technologies. In practice, zero trust is an architectural approach to access decisions, and identity sits at its core.

As users, applications, and workloads move across cloud and hybrid environments, identity has replaced the network as the primary control point. Zero trust formalises this shift by requiring every access request to be evaluated based on identity, context, and policy, rather than implicit trust derived from location.

What zero trust really means

The zero trust model removes the assumption that anything inside a network boundary is trustworthy. Instead, access is continuously evaluated based on who or what is making the request, what they are trying to access, and under which conditions.

The US National Institute of Standards and Technology (NIST) defines zero trust as an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources instead.

This definition highlights a key point: zero trust is not a product. It is a decision-making model. Every access request must be verified explicitly and enforced consistently.

Identity as the primary decision input

In a zero-trust architecture, access decisions are made by a policy decision point and enforced by a policy enforcement point, with a control plane coordinating policy and telemetry. Identity feeds directly into that decision logic.

Identity provides answers to fundamental zero-trust questions:

  • Who or what is requesting access?
  • How confidently has that identity been verified?
  • What access should that identity have at this point in time?
  • What risk signals are associated with the request?

Without strong identity controls, zero trust cannot function. Network controls alone cannot determine whether a user should access a SaaS application, a cloud workload, or sensitive data. Identity provides the context needed to make those decisions meaningful.

This is why Gartner consistently positions identity as a foundational element of zero trust architectures, rather than a supporting component.

IAM as the enforcement layer for zero trust

Identity and Access Management (IAM) operationalises zero trust by enforcing access decisions at sign-in and during use. Where traditional IAM focused primarily on whether a user could authenticate, zero trust IAM focuses on whether access should be allowed at that moment, based on identity, context and risk.

IAM enables zero-trust principles through:

  • Strong authentication, including MFA and risk-based controls
  • Least privilege access, limiting entitlements to what is required
  • Conditional access, where context, such as device posture or risk level, affects decisions
  • Continuous visibility, ensuring access decisions are logged and traceable

Instead of granting broad access based on network presence, IAM enforces policy at the identity level. This allows organisations to apply zero trust consistently across SaaS applications, cloud platforms, and private systems.
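The decision logic described in the last two sections, as an added example that is not code from the article or from Nomios: a small policy decision point that answers the four identity questions for each request, applies least privilege, strong authentication and conditional access, and records every decision. The roles, resources, risk limits and requests are constructed for illustration; note that the request's network location is logged but deliberately never used as a decision input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class AccessRequest:
    subject: str            # who or what is asking (user, workload, API client)
    roles: List[str]        # entitlements bound to that identity
    mfa: bool               # how strongly the identity was verified
    device_compliant: bool  # endpoint posture signal (context)
    risk_score: int         # 0 (clean) to 100 (high), from risk signals
    resource: str           # what is being accessed
    action: str             # "read" or "write"
    network: str            # recorded for audit only; never a decision input

@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)

# Least privilege: only these roles may perform each action on a resource.
# Constructed policy for the example, not a real organisation's rules.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("crm", "read"): {"sales", "admin"},
    ("crm", "write"): {"admin"},
    ("payroll", "read"): {"hr", "admin"},
}
# Conditional access: writes tolerate less risk than reads.
RISK_LIMIT = {"read": 70, "write": 40}

# Continuous visibility: every decision, allowed or denied, is traceable.
AUDIT_LOG: List[dict] = []

def decide(req: AccessRequest) -> Decision:
    """Evaluate one request explicitly: identity, entitlement, context, risk."""
    reasons: List[str] = []
    if not POLICY.get((req.resource, req.action), set()) & set(req.roles):
        reasons.append("no role permits this action")      # least privilege
    if not req.mfa:
        reasons.append("MFA not satisfied")                # strong authentication
    if not req.device_compliant:
        reasons.append("device posture non-compliant")     # conditional access
    if req.risk_score > RISK_LIMIT.get(req.action, 0):
        reasons.append(f"risk score {req.risk_score} above limit")
    decision = Decision(allow=not reasons, reasons=reasons)
    # req.network is written to the log but was not consulted above:
    # being on the corporate LAN earns no implicit trust.
    AUDIT_LOG.append({"subject": req.subject, "resource": req.resource,
                      "action": req.action, "network": req.network,
                      "allow": decision.allow, "reasons": reasons})
    return decision
```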


IAM, PAM, and IGA in a zero-trust model

In a zero-trust architecture, Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) work together to ensure access decisions are accurate, enforceable, and accountable.

IAM controls how identities authenticate and request access, and how that access is enforced across applications and services. PAM focuses on privileged access, such as administrative roles and high-impact permissions, where misuse or compromise has outsized consequences. IGA provides governance by ensuring access rights remain correct over time through approvals, reviews, and auditable processes.

In a zero-trust context, PAM is critical because privileged access represents the highest risk. Standing administrative rights undermine zero-trust principles by bypassing continuous evaluation. Controlling elevation and monitoring privileged sessions aligns PAM directly with zero-trust goals.

IGA supports zero trust by ensuring access decisions remain valid. If identities retain access they no longer need, policy enforcement loses meaning. Regular reviews, approvals, and lifecycle controls keep zero trust policies aligned with organisational reality.
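The PAM and IGA points above, as an added example that is not code from the article or from Nomios: privilege is granted just-in-time with an expiry that the enforcement point re-checks on every use, and a periodic review flags standing privileged access and entitlements nobody has exercised. The role names, review window and sample grants are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PRIVILEGED_ROLES = {"domain-admin", "cloud-owner"}   # constructed for the example

@dataclass
class Grant:
    identity: str
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None means standing access
    last_used: Optional[datetime]    # None means never exercised

def elevate(identity: str, role: str, now: datetime, minutes: int = 60) -> Grant:
    """PAM: just-in-time elevation that expires by itself instead of standing."""
    return Grant(identity, role, now, now + timedelta(minutes=minutes), None)

def is_active(grant: Grant, now: datetime) -> bool:
    """Asked by the enforcement point on every use, not only when granted."""
    return grant.expires_at is None or now < grant.expires_at

def review(grants: List[Grant], now: datetime,
           stale_after: timedelta = timedelta(days=90)) -> List[str]:
    """IGA: flag standing privilege and entitlements unused for too long."""
    findings: List[str] = []
    for g in grants:
        if g.expires_at is None and g.role in PRIVILEGED_ROLES:
            findings.append(f"{g.identity}: standing {g.role} access")
        last_activity = g.last_used or g.granted_at
        if now - last_activity > stale_after:
            findings.append(f"{g.identity}: {g.role} unused for "
                            f"{(now - last_activity).days} days")
    return findings

# Constructed sample data, not real accounts or grants.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("svc-backup", "domain-admin", NOW - timedelta(days=400),
          None, NOW - timedelta(days=200)),                  # standing and stale
    Grant("carol", "sales", NOW - timedelta(days=30),
          None, NOW - timedelta(days=1)),                    # unprivileged, in use
    elevate("dave", "cloud-owner", NOW - timedelta(minutes=90)),  # JIT, now expired
]
```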

From network-centric to identity-centric enforcement

Traditional security models relied heavily on network segmentation and trusted zones. Zero trust replaces this with identity-centric enforcement.

This shift reflects how access patterns have changed:

  • Users access applications directly over the internet
  • Workloads authenticate to each other using machine identities
  • Devices move between networks without consistent trust levels

Identity provides a stable control point across these scenarios. Whether a request originates from a remote user, a cloud workload, or an API, identity allows the same policy logic to be applied.

Nomios believes identity-centric access is a key pillar of modern zero-trust architectures, particularly in cloud and hybrid environments.


Common zero-trust pitfalls related to identity

Many zero-trust initiatives fail to deliver expected outcomes because identity is treated as a dependency rather than the foundation.

Common issues include:

  • Weak lifecycle management, leaving stale accounts and permissions
  • Inconsistent policy between IAM, PAM, and network controls
  • Overreliance on MFA without enforcing least privilege
  • Limited visibility into non-human identities and service accounts

Zero trust does not eliminate the need for strong identity hygiene. It amplifies it. If identity data is incomplete or inaccurate, zero-trust policies become unreliable.

Identity as the control plane for zero trust

A mature zero-trust approach treats identity as the control plane for access decisions. Policies are defined once, enforced consistently, and supported by shared telemetry across identity, endpoint, and network controls.

This approach reduces duplication and improves clarity. Security teams can reason about access in terms of identity and policy rather than scattered rules across multiple technologies.

Nomios’ view aligns with this direction: identity is not just one control among many. It is the decision engine that connects authentication, authorisation, privilege, and enforcement across modern IT environments.

Why identity-led zero trust matters now

Zero trust adoption continues to grow as organisations respond to cloud adoption, remote work, and increasing identity-based attacks. In this landscape, identity is no longer optional infrastructure. It defines how access decisions are made and enforced.

Organisations that invest in identity as the foundation of zero trust gain clearer policy control, better visibility, and more predictable security outcomes. Those who treat identity as an afterthought often struggle to scale zero trust beyond isolated use cases.

Zero trust starts with identity, and succeeds or fails based on how well identity is managed.
