NIST’s new Zero Trust guide proves ZTA works in practice… but also reveals exactly why current approaches still leave critical gaps that only continuous identity can fill.
The National Institute of Standards and Technology (NIST) has recently published their Special Publication (SP) 1800-35, “Implementing a Zero Trust Architecture.” It’s the culmination of a ton of amazing work from 24 technology collaborators and the outcome is 19 distinct Zero Trust Architecture (ZTA) implementation examples of NIST 800-207. These examples prove that ZTA is not just a theoretical ideal, but rather an achievable, tangible security model that security teams can build a plan towards. However, some of the key takeaways I observed from the report stem from the documented challenges and still existing architectural gaps of market-leading tools. Sections on “Challenges in Implementing ZTA” and “General Findings” highlight a critical truth: demonstrated approaches are foundational and effective, but not the final destination for organizations implementing Zero Trust.
The core of the issue lies in a fundamental distinction. The architectures tested by NIST largely rely on periodic checks and provisioned access. This is Zero Trust based on scheduled verifications and temporary, but still-standing, privileges. The future of security, however, demands a paradigm shift toward continuous and contextual access decisions that provide truly ephemeral access. This is the leap from a static, rules-based ZTA to an adaptive, business-aware architecture that can operate at the speed of modern threats. To frame this evolution, consider the following comparison between the baseline demonstrated in NIST SP 1800-35 and the next-generation capabilities required to achieve a more mature and resilient security posture.
| Capability | NIST SP 1800-35 Demonstrated Approach | The SGNL Advancement (Achieving True ZSP) |
|---|---|---|
| Access Provisioning | Just-in-Time (JIT) Provisioning of temporary roles or entitlements (Use Case B-7). | Ephemeral, Just-in-Time (JIT) Access bound directly to a session, eliminating the need for any standing privilege. |
| Policy Context | Decisions based on siloed Policy Information Points (PIPs), leading to a “fragmented policy environment” and lack of PDP integration (Section 5.3). | Decisions based on a Unified Identity Data Fabric that correlates real-time signals from all business and security systems into a single source of truth. |
| Session Management | Re-evaluation based on periodic checks or detected events that trigger a response, such as compliance failure (Use Case F). | Continuous, event-driven session management and access revocation via SGNL’s CAEP Hub, enabling instantaneous response to context changes. |
NIST’s implementation guide, by detailing current ZTA limitations, inadvertently built a strong business case for new ZTA solutions. It serves as a de facto requirements document for Zero Trust’s evolution. Security leaders must not just replicate the report’s builds, but address the identified gaps with a more dynamic, intelligent, and effective architecture that delivers access only when a user needs to leverage it, not a second before or after.
SP 1800-35 highlights policy and data fragmentation as a major challenge in multi-vendor Zero Trust Architectures (ZTAs): “the policies that the ZTA enforces are not centrally located… This makes it challenging to understand, articulate, and manage the ZTA’s policies as a comprehensive whole.” The report also notes that a ZTA’s multiple Policy Decision Points (PDPs) typically don’t share information, leading to an incomplete understanding of user/endpoint risks. For example, an EDR tool’s compliance failure might not inform an Identity Provider’s access decision. SGNL was fundamentally built to address these exact problems. SGNL’s Identity Data Fabric is the connective layer that unifies identity, security and business data. The centralized policy engine leverages this rich data to make real-time, contextual access decisions. And our CAEP Hub orchestrates identity remediation actions in response to identity, security and data events.
Specifically, the SGNL Identity Data Fabric seamlessly connects to the very Policy Information Points (PIPs) that the report identifies as critical, including:
By creating a single, authoritative source of truth for identity and context, the fabric eliminates the need for complex, brittle integrations between individual Policy Decision Points (PDPs). This unified data model makes it possible to create simple, human-readable policies that can “replace thousands of brittle roles” (section 8.2). Instead of wrestling with disparate policy languages and data models, security teams can define access in plain business terms, such as: “A DevOps engineer can access a production AWS account only when they are on-call in PagerDuty, have an active, high-priority incident ticket assigned in ServiceNow, and are connecting from a compliant device as verified by CrowdStrike.”
Another key tenet of advanced Zero Trust is the principle of least privilege, which logically extends to eliminating standing access wherever possible. NIST SP 1800-35 addresses this through Use Case B-7: Just-in-Time Access Privileges. This scenario describes a process where “an enterprise provisions access privileges to a resource based on a single business process flow. Temporary privileges are granted… and then revoked when the process is complete”.
As I have previously described in this blog, Just-in-Time (JIT) provisioning is still standing access. JITP creates accounts. It assigns entitlements. And even if those permissions are revoked after a pre-designated amount of time, they exist long enough to be exploited. This is where the industry has often conflated “Just-in-Time Provisioning” with “Zero Standing Privilege” (ZSP). They are not synonymous. True ZSP requires a more advanced approach that grants ephemeral access, not temporary privilege. This is a fundamental architectural distinction. SGNL is built on the philosophy of true ZSP, ensuring that access is “not persistent based on roles or credentials”, but rather grants ephemeral access to an active session or token.
True Zero Standing Privilege (ZSP) is an access management function, not an identity governance and administration (IGA) function. It should be a stateless, real-time evaluation granting temporary, purpose-specific access, decoupling access decisions from identity objects. This eliminates provisioning/de-provisioning risks by shifting from “making users temporarily powerful” to “granting powerful access temporarily.”
The principle of “verify continuously” is a core tenet of Zero Trust. An initial access decision is not enough; trust must be continually re-evaluated throughout a session. NIST SP 1800-35 captures this requirement perfectly in Use Case F: Confidence Level, which outlines numerous scenarios where access should be dynamically re-evaluated or terminated mid-session. Cited triggers include events like “Compliance fails during active session” (F-4), “User reauthentication fails” (F-1), or the detection of an “Enterprise-ID Attempting Unauthorized Access” (F-10).
The framework is sound, but how good is the implementation? How quickly can a “compliance failure” detected by an EDR tool be communicated to the enforcement point that can terminate a session? In many of the architectures implicitly described in the NIST report, this communication relies on periodic API polling: the IdP or ZTNA gateway queries the EDR’s API every five, ten, or fifteen minutes to check for changes in device posture.
The future of Zero Trust enforcement is not just about making the right decision, but about making it at the right time. This requires a move from a reactive, state-based polling architecture to a proactive, event-driven one. SGNL’s architecture is built around this principle, delivered by its CAEP Hub. CAEP, the Continuous Access Evaluation Profile, is an open standard from the OpenID Foundation designed specifically to communicate security events between systems in near real-time. SGNL’s CAEP Hub acts as a central nervous system, enabling the system to respond instantly to changes in user context or security posture, by orchestrating identity remediation actions like ending sessions or removing access.
An architecture based on polling will always have a latency gap. An architecture based on event-driven messages can finally allow the security system to operate at the speed of the business—and at the speed of the attacker.
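To make the two ideas above concrete (the plain-business-terms policy over correlated PIP signals, and an event-driven re-evaluation that revokes a session mid-flight instead of waiting for the next poll), here is a small added example written for this post; it is not SGNL's code or NIST's reference build. The `ContinuousPDP` class, the context store layout and the sample signals are constructed assumptions; the event-type URI and the `subject`/`current_status` fields follow the OpenID CAEP device-compliance-change event as published, and SET signature verification is deliberately left out.

```python
import json
from dataclasses import dataclass, field

# CAEP event-type URI for device compliance changes (OpenID CAEP specification).
DEVICE_COMPLIANCE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"

def policy_allows(ctx: dict) -> bool:
    """The post's plain-terms policy: on-call, high-priority incident, compliant device."""
    return (ctx.get("on_call") is True and ctx.get("incident_priority") == "high"
            and ctx.get("device_compliant") is True)

@dataclass
class ContinuousPDP:
    """Hypothetical PDP over a unified context store that re-evaluates on events."""
    context: dict                                # email -> correlated PIP signals
    sessions: dict = field(default_factory=dict) # email -> resource of active session

    def request_access(self, email: str, resource: str) -> bool:
        """Session-bound grant: no account or role is provisioned, only a session."""
        if not policy_allows(self.context.get(email, {})):
            return False
        self.sessions[email] = resource
        return True

    def handle_set(self, set_json: str) -> list:
        """Apply a decoded Security Event Token payload; returns revoked subjects.
        Signature verification is omitted; a real receiver checks it before acting."""
        revoked = []
        for event_type, ev in json.loads(set_json).get("events", {}).items():
            if event_type != DEVICE_COMPLIANCE:
                continue                        # other CAEP event types ignored here
            email = ev["subject"]["email"]
            self.context.setdefault(email, {})["device_compliant"] = (
                ev["current_status"] == "compliant")
            # Mid-session re-evaluation: revoke at once if the policy no longer holds.
            if email in self.sessions and not policy_allows(self.context[email]):
                del self.sessions[email]
                revoked.append(email)
        return revoked

def demo() -> tuple:
    # Constructed signals for one engineer (not real data).
    pdp = ContinuousPDP({"alice@example.com": {
        "on_call": True, "incident_priority": "high", "device_compliant": True}})
    granted = pdp.request_access("alice@example.com", "aws-prod")
    # Constructed CAEP SET payload: the EDR reports the device fell out of compliance.
    set_payload = json.dumps({"iss": "https://edr.example", "jti": "evt-1", "events": {
        DEVICE_COMPLIANCE: {"subject": {"format": "email", "email": "alice@example.com"},
                            "previous_status": "compliant", "current_status": "not-compliant"}}})
    revoked = pdp.handle_set(set_payload)
    return granted, revoked, "alice@example.com" in pdp.sessions
```

The session is revoked the moment the event arrives; a polling design would keep it alive until the next scheduled posture check.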
NIST SP 1800-35 has provided the industry with an invaluable service. It has codified the principles of Zero Trust into practical, demonstrable architectures, moving the conversation from theory to reality. Yet, its most enduring legacy may be its honest assessment of the challenges that remain. The report clearly illuminates the operational friction caused by data fragmentation, the inherent risks of JIT provisioning, and the dangerous latency of periodic verification.
The question for today’s CISO is no longer “Can we implement Zero Trust?” but “Can we implement it for the future?” Delivering Zero Trust means moving beyond static builds and periodic checks. It means embracing a system that understands business context, eliminates standing privilege, and adapts to risk in real-time to deliver continuous identity controls that truly meet the guidelines for Zero Trust.