Trends in Computer Science and Information Technology
Department of Computer Science, Egerton University, Kenya
Cite this as
Onchoka KN, Bosire ZO, Kemei PK. Identity as the New Security Perimeter: The Evolution of Identity and Access Management within Zero Trust Architecture. Trends Comput Sci Inf Technol. 2026;11(2):68-79. Available from: 10.17352/tcsit.000112
Copyright License
© 2026 Onchoka KN, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.The rapid evolution of digital transformation, cloud computing, remote work environments, and mobile technologies has significantly weakened traditional perimeter-based cybersecurity models. Conventional security approaches relied heavily on securing organizational network boundaries while assuming that users and devices within the network could be trusted. However, increasing cyber threats, insider attacks, credential theft, and sophisticated attack vectors have demonstrated the limitations of this trust-based model. Consequently, Zero Trust Architecture (ZTA) has emerged as a modern cybersecurity paradigm founded on the principle of “never trust, always verify.” Within this framework, identity has become the central element of security enforcement, replacing the traditional network perimeter. This paper examines the evolution of Identity and Access Management (IAM) from traditional authentication systems to identity-centric security mechanisms that support Zero Trust principles. The paper discusses the role of IAM technologies such as Multi-Factor Authentication, Single Sign-On, Privileged Access Management, adaptive authentication, and behavioral analytics in enabling ZTA. Additionally, the paper explores the challenges associated with implementing IAM in Zero Trust environments, including complexity, privacy concerns, legacy systems integration, and usability issues. Finally, password less authentication, artificial intelligence-driven identity analytics, and decentralized identity systems as emerging trends are discussed which forms the future directions in identity-centric cybersecurity.
ZTA: Zero Trust Architecture; IAM: Identity and Access Management; MFA: Multi-Factor Authentication; SSO: Single Sign-On; PAM: Privileged Access Management; VPN: Virtual Private Network; IoT: Internet of Things; IDS: Intrusion Detection Systems; IPS: Intrusion Prevention Systems; DMZ: Demilitarized Zone; RBAC: Role Based Access Control; ABAC: Attribute Based Access Control; IP: Internet Protocol; IEEE: Institute of Electrical and Electronics Engineers; FIdM: Federated Identity Management; IdP: Identity Provider; OTP: One Time Password; SAML: Security Assertion Markup Language; OAuth: Open Authentication; OIDC: OpenID Connect; FIDO: Fast Identity Online; SIEM: Security Information and Event Management; UEBA: User and Entity Behavior Analytics; AI: Artificial Intelligence; JIT: Just In Time; SSI: Self-Sovereign Identity; API: Application Programming Interface; VLAN: Virtual Local Area Network; DID: Decentralized Identity; CTAP: Client To Authenticator Protocol; MTTD: Mean Time To Detect; MTTR: Mean Time To Respond; sPACA: Strong PIN-based Access Control for Authenticators; IRR: Incident Response Rate; UAR: Unauthorized Access Rate
Cybersecurity has traditionally depended on perimeter-based security models designed to protect organizational resources by establishing trusted internal networks and untrusted external environments. This approach, commonly referred to as the “castle-and-moat” security model, focused on securing firewalls, intrusion detection systems, and virtual private networks (VPNs) at the network boundary. Once users gained access to the internal network, they were often granted broad access privileges with minimal additional verification [1,2].
However, technological advancements such as cloud computing, Internet of Things (IoT), mobile devices, remote working environments, and distributed enterprise systems have significantly transformed organizational IT infrastructures [1,2]. Modern users access organizational resources from multiple devices, locations, and networks beyond traditional corporate boundaries. Consequently, cyber attackers increasingly exploit compromised credentials, insider privileges, and weak authentication systems to gain unauthorized access.
These evolving threats have exposed the limitations of traditional perimeter-based security architectures. In response, Zero Trust Architecture (ZTA) has emerged as a modern security framework that eliminates implicit trust and continuously validates every user, device, application, and transaction before granting access [4]. Within this model, identity becomes the primary security control mechanism.
Identity and Access Management (IAM) plays a central role in enabling Zero Trust principles by ensuring that only authenticated and authorized users can access organizational resources. Modern IAM solutions integrate advanced authentication mechanisms, adaptive access control, behavioral analytics, and least privilege enforcement to provide continuous identity verification. This transformation has led to the concept of “identity as the new perimeter,” where security decisions are increasingly based on user identity rather than network location [3,5,6].
This paper examines the evolution of IAM technologies and their integration within Zero Trust Architecture frameworks to enhance modern cybersecurity strategies.
Traditional cybersecurity models rely heavily on perimeter-based defenses that assume internal users and devices can be trusted once authenticated into organizational networks. However, the growth of cloud services, remote access, insider threats, and credential-based attacks has rendered these assumptions ineffective. Cybercriminals increasingly exploit compromised identities and privileged accounts to bypass traditional defenses [2,5,7].
Although Zero Trust Architecture provides a more secure approach by enforcing continuous verification and least privilege access, many organizations face challenges in transitioning from conventional IAM systems to identity-centric security frameworks. Furthermore, the rapid evolution of IAM technologies has created complexities related to scalability, interoperability, usability, and policy enforcement.
Therefore, there is a need to examine how IAM has evolved within Zero Trust Architecture and how identity-centric security can effectively address modern cybersecurity challenges.
To examine the evolution of Identity and Access Management within a Zero Trust Architecture framework.
This study contributes to the growing body of knowledge on modern cybersecurity architectures by examining the transition from traditional perimeter-based security to identity-centric security models. The findings may benefit organizations seeking to implement Zero Trust security frameworks, cybersecurity professionals interested in IAM modernization strategies, researchers exploring emerging cybersecurity paradigms and policymakers developing identity governance and access control policies. The study also provides academic insights into how IAM technologies support secure digital transformation initiatives.
This paper focuses on the evolution of Identity and Access Management within the context of Zero Trust Architecture. The study examines traditional and modern IAM technologies, identity-centric security principles, IAM challenges in ZTA implementation, and emerging trends shaping future cybersecurity systems. The study is limited to conceptual and literature-based analysis without conducting empirical data collection.
Traditional perimeter-based security underpins the “castle-and-moat” model that Zero Trust and identity-centric approaches are now replacing. It assumes that the internal network is trusted while the outside is not, with defenses focused on the boundary rather than every user and device.
Security perimeter is one of the concepts where networks are split into an internal trusted zone and an external untrusted zone, typically enforced by firewalls, border routers, IDS/IPS, VPNs, DMZs, and screened subnets [8,9]. Trust model is another concept where internal entities are trusted by default; external entities must authenticate once to gain lasting trust (“trust but verify”) [9-11]. Castle-and-moat analogy is also another concept in which there are strong outer walls but “soft” inside and once an attacker gets in, there is often little internal segmentation or further checks [12].
Some of the key weaknesses of perimeter-based security include (a) insider and post-breach risk whereby once the perimeter is breached, attackers can move laterally with few checks, threatening critical data and systems (b) static and single-barrier defense whereby a single, mostly static perimeter becomes a single point of failure in dynamic, distributed environments (c) poor fit for cloud, remote work, and IoT whereby blurred boundaries, remote access, and distributed services make location-based trust unreliable (d) assumed “safe internal traffic” whereby lack of continuous verification leaves networks vulnerable to compromised credentials and malicious insiders.
These limitations drive the shift from perimeter-centric to identity- and access-based controls. Zero Trust and modern IAM continuously authenticate and authorize every user, device, and transaction, regardless of network location, directly addressing the weaknesses of traditional perimeter security [8,9].
ZTA is built on “never trust, always verify,” assuming any user, device, or app may be compromised, inside or outside the network [1,2].
ZTA is based on the following core principles and practices (a) continuous authentication and authorization whereby every request is verified based on identity, device health, behavior, and context, not just initial login [3,13] (b) least privilege access whereby users/devices get only the minimal permissions needed, reducing damage from compromised accounts [1,2,13] (c) micro‑segmentation whereby networks are split into small segments with strict policies, limiting lateral movement during breaches [2,6] (d) continuous monitoring and analytics whereby real‑time behavior analysis, anomaly detection, and logging detect and respond to threats quickly [1-3] (e) identity‑centric security where strong identity verification (often with MFA and IAM) is the cornerstone of ZTA [1-3,13]. ZTA shifts protection from static network boundaries to who/what is accessing what, under which conditions, making it suitable for cloud, hybrid, and remote environments.
Table 1 shows the Zero Trust Architecture components and effects.
IAM manages digital identities and controls who can access which resources, when, and how [3,6,14] as illustrated in figure 1.
Identity and Access Management has the following core functions: (a) authentication which verify user/device identity via passwords, MFA, biometrics, or behavioral signals (b) authorization which enforce what authenticated entities can do using role‑based or attribute‑based models (c) identity governance which does lifecycle management, policy enforcement, and compliance reporting (d) access provisioning & role management which assigns/removes access based on roles and business needs, reducing privilege misuse.
The modern Identity and Access Management capabilities are: (a) Single Sign‑On (SSO) and MFA to strengthen and streamline login (b) adaptive/authentication & risk‑based access which involve context‑aware checks using behavior, device, and location (c) Privileged Access Management (PAM) for tight control and monitoring of high‑risk accounts (d) AI‑ and behavior‑driven IAM such as machine learning and user behavior analytics for anomaly detection and dynamic policies.
Research consistently positions IAM as foundational for enforcing Zero Trust. ZTA relies on IAM plus MFA, behavioral analytics, and micro‑segmentation to implement continuous, least‑privilege, identity‑centric access decisions. AI‑enhanced IAM further aligns with ZTA by enabling continuous, adaptive authentication and real‑time risk scoring for every access attempt.
In conclusion, ZTA redefines security around continuous verification, least privilege, micro‑segmentation, and identity‑centric controls. IAM supplies the identity, authentication, authorization, and governance backbone that makes these Zero Trust principles enforceable in practice, especially when strengthened with MFA, behavioral analytics, and AI‑driven adaptive policies. Together, ZTA and IAM create a tightly integrated, context‑aware defense against modern cyber threats. Table 2 highlights the comparison between traditional perimeter-based security and zero trust model.
Existing work analyzes ZTA cost–effectiveness, enterprise security gains, AI-driven IAM, phishing resistant authentication, and decentralized identity for trustworthy governance. However, research remains fragmented: most studies focus on single technologies or domains rather than providing an integrated, critical synthesis of identity-centric Zero Trust, covering IAM evolution, MFA vs FIDO2, AI‑driven IAM risks, decentralized identity scalability, and quantified Zero Trust outcomes.
This paper addresses that gap by (a) unifying seminal IAM, ZTA, FIDO2/WebAuthn, AI‑IAM, and decentralized identity (DID) literature into a coherent identity‑as‑perimeter perspective, (b) critically evaluating benefits and limitations (e.g., phishing resistance vs downgrade attacks, AI explainability and bias, DID interoperability), and (c) aligning these insights with quantitative evidence on Zero Trust adoption costs and security metrics.
The contribution is a multi-dimensional critical review that connects these strands into a coherent picture of “identity as the new perimeter” in practice.
This study followed a structured literature review process guided by PRISMA principles to examine how Identity and Access Management (IAM) has evolved and how it enables Zero Trust Architecture (ZTA), with a focus on “identity as the new perimeter” hence ensuring reproducibility and transparency.
Searches were conducted in IEEE Xplore, ACM Digital Library, Scopus, SpringerLink, ScienceDirect, Web of Science, and Google Scholar, selected for their comprehensive coverage of security, networking, IAM, AI, and cryptography research.
Search strings combined Zero Trust, IAM, MFA, AI, and decentralized identity concepts using Boolean operators, for example: (“Zero Trust Architecture” OR “ZTA”) AND (“identity and access management” OR “IAM”), (“multi-factor authentication” OR “MFA” OR “FIDO2” OR “WebAuthn”) AND (phishing OR “password less”), (“AI-driven IAM” OR “machine learning” AND (“access control” OR “anomaly detection”)), (“decentralized identity” OR “self-sovereign identity” OR “blockchain-based identity”) AND (interoperability OR scalability OR governance), (“human factors” OR “insider threats” AND “cybersecurity awareness training”). The objectives include (a) trace the evolution from perimeter-based security to Zero Trust and identity‑centric models (b) analyze how IAM capabilities support ZTA principles (c) identify challenges and future directions. The temporal scope was 2011 - 2026, covering the formalization of Zero Trust and contemporary IAM and identity research.
Studies were included if they (a) addressed ZTA concepts, implementation, or roadmaps with explicit reference to identity, IAM, or continuous verification (b) focused on IAM technologies, such as MFA, SSO, PAM, AI‑driven anomaly detection, or risk‑based access (c) investigated decentralized/SSI identity, blockchain-based IAM, or privacy-preserving authentication (d) explored human factors, insider threats, and training in cybersecurity contexts connected to Zero Trust or identity controls. Conceptual opinion pieces without clear methodological grounding and purely technical works unrelated to IAM/ZTA integration were excluded.
Screening followed a PRISMA-style process: Initial screening of titles and abstracts to remove clearly irrelevant papers, full‑text review of remaining studies to verify relevance to IAM–ZTA, identity‑centric security, or human / AI / decentralized identity aspects. Classification and mapping of selected works into themes: Evolution of perimeter vs Zero Trust and identity, IAM technologies and AI‑driven enhancements, Decentralized/SSI identity frameworks, Human factors and awareness strategies.
For each included paper, key data elements were extracted as in the ZTA SLR [15] which include: objectives, methodology type, IAM/ZTA components studied, challenges, and reported results, using classification approaches from prior mapping studies. Findings were synthesized using narrative, comparative analysis: cross‑comparing how different studies conceptualize Zero Trust and the identity perimeter, aggregating evidence about the effectiveness and limitations of MFA, PAM, AI‑driven IAM, and decentralized identity, integrating insights on human behavior, training, and culture to complement technical IAM controls. A PRISMA-style flow diagram (Figure 2) summarizes the screening and selection stages.
Identity and Access Management has undergone several stages of transformation namely; password-based authentication era, role-based access control, federated identity management and single sign-on, multi-factor and adaptive authentication and identity-centric security.
Early IAM systems relied almost exclusively on username–password pairs stored in centralized credential databases as illustrated in figure 3. While simple and cheap to deploy, passwords suffer from poor memorability, leading users to choose weak, guessable passwords and to reuse or slightly modify them across many services [16-18]. Large-scale analyses of leaked credentials show that password reuse and similarity allow attackers to compromise up to approximately 16% of accounts in targeted guessing attacks, even in the presence of modern countermeasures [17]. Password databases are also attractive breach targets; once stolen, they enable offline cracking and credential stuffing, where attackers test known username–password pairs across multiple sites [19,20]. Measurements on real web traffic found that approximately 1.5% of logins used already-breached credentials [19]. Phishing further exploits password-based models by tricking users into submitting credentials to fake sites, with usability issues (too many passwords, confusing browser indicators) worsening this risk [18]. The password-based authentication is shown in figure 2.
These systemic weaknesses motivated stronger IAM models, password managers, breach‑alerting services, and new authentication factors [17-20].
RBAC shifted access management from individual users to roles that encapsulate job functions. Permissions are assigned to roles, and users are assigned to roles, simplifying administration, supporting least privilege, and easing personnel changes [21] as illustrated in figure 4. In large enterprises and cloud environments, RBAC improves scalability and regulatory compliance by standardizing who can do what [21].
However, traditional RBAC is largely static and non-contextual. It struggles with dynamic, fine-grained needs (e.g., time, device, risk level) and can suffer from “role explosion” and over‑permissive roles if not carefully engineered and audited [21]. These limitations have driven interest in risk‑aware and attribute‑based extensions [22].
Federated Identity Management (FIdM) lets users authenticate once with an Identity Provider (IdP) and then access multiple independent services (Service Providers) via Single Sign-On, reducing password proliferation and improving usability [23-26] as illustrated in figure 5.
Core technologies include Security Assertion Markup Language (SAML 2.0) which is XML-based assertion widely used for enterprise SSO across domains, Open Authentication (OAuth 2.0) a delegation protocol allowing limited access to resources without sharing credentials and OpenID Connect (OIDC) an identity layer on OAuth 2.0 standardizing user authentication and profile claims as illustrated in figure 6.
These standards improve interoperability across organizations and clouds, support centralized authentication, and reduce the amount of sensitive data shared between parties [23-26]. However, they were designed for earlier assumptions and now require extensions and new profiles to address mobile apps, privacy, and emerging zero‑trust and decentralized identity use cases [24-26].
To mitigate password weaknesses, Multi-Factor Authentication (MFA) combines something you know (password), something you have (tokens, devices), and something you are (biometrics) [27,28] as illustrated in figure 7. One-time passwords (OTPs), hardware/software tokens, and biometric checks significantly raise the bar for account takeover, especially in high‑risk sectors like finance [16,22]. Modern systems go further with adaptive (risk-based) authentication, which evaluates contextual factors, device characteristics, location, time, historical behavior, and threat signals to assign a dynamic risk score and adjust requirements in real time [22,27]. Low-risk logins may proceed with minimal friction, while high-risk events trigger step‑up MFA, session restrictions, or denial. Machine learning and user behavior analytics increasingly power these assessments and anomaly detection.
In regulated or compliance‑critical environments, unified risk-based IAM frameworks combine identity federation, MFA, behavioral analytics, and continuous monitoring to improve both security and regulatory adherence [22,27].
As organizations adopt Zero Trust Architecture (ZTA), identity has become the effective security perimeter. Instead of trusting anything “inside” a network, ZTA assumes potential compromise and enforces “never trust, always verify” for every request, regardless of location [16,27,29] as illustrated in figure 8.
Identity-centric Zero Trust IAM typically includes (a) strong, continuously evaluated user and device identities, with devices treated as first-class identities and categorized as safe/unsafe (b) device health and posture checks integrated into access decisions (c) contextual and behavioral analytics, using sign-in logs, behavior baselines, and anomaly detection to compute risk scores on an ongoing basis, sometimes every few minutes (d) least privilege and dynamic policies, where roles, attributes, and risk jointly determine minimal, time‑bounded access, often enforced alongside micro‑segmentation and role-based network access management.
Research shows that AI-driven IAM and risk-based authentication, aligned with Zero Trust principles, can significantly improve detection of identity spoofing, privilege escalation, and misuse of stolen credentials while maintaining user experience through adaptive friction [16,22,27,28]. This represents a fundamental move from static, one-time checks toward continuous, intelligence-driven trust evaluation as the core of modern IAM. Table 3 highlights the IAM main eras, their primary focus and key limitations.
Identity‑centric security treats identity (human and non‑human) as the primary control plane, shifting protection from static network borders to continuous verification of users, devices, applications, Application Programming Interface (APIs), and workloads [6,30].
Modern Zero Trust and cloud‑native IAM systems use (a) strong identity proofing and MFA before any session is established (b) context signals such as device health, geolocation, time, and resource sensitivity to drive access decisions (c) continuous validation of identity and session behavior, not just at login, using monitoring and behavioral analytics. This reduces reliance on IP ranges or VLANs and instead enforces identity‑based policies.
Table 4 capture the various IAM technologies and how they support ZTA.
Advanced patterns such as Just‑in‑Time (JIT) access and behavior‑based dynamic access further tighten least‑privilege enforcement [30,31].
Research links identity‑centric, Zero Trust IAM to (a) reduced insider and credential‑based threats through continuous authentication, PAM, and behavioral analytics (b) improved access visibility and auditability via centralized IAM, identity governance, and detailed session trails, especially for privileged accounts (c) better compliance with regulations that require strong authentication, least privilege, and demonstrable access controls (d) stronger remote/hybrid work security, as access is based on identity and context rather than physical location (e) reduced attack surface and lateral movement through micro‑segmentation, least privilege, JIT, and per‑segment identity enforcement.
Conventional MFA (e.g., OTPs over SMS, email, or apps) improves security over passwords but remains vulnerable to real‑time phishing and adversary‑in‑the‑middle credential relay [36]. In contrast, FIDO2/WebAuthn offers phishing-resistant authentication using device‑resident private keys and origin‑bound public keys, significantly raising the bar for attackers [37-39].
Formal and empirical analyses confirm WebAuthn’s strong authentication guarantees, while also identifying weaknesses and proposing protocol-level improvements (e.g., stronger CTAP security models, sPACA, and enhanced downgrade resilience) [39,40]. Recent work further explores high‑assurance architectures that secure virtual FIDO2 authenticators with QES‑grade tokens and untrusted cloud synchronization, maintaining a pure WebAuthn interface while strengthening key protection [37]. Alternative protocols such as QRAuth seek to retain public‑key security while addressing FIDO2’s usability and accessibility limitations [38].
Within Zero Trust, identity becomes the primary trust anchor: every access request is authenticated and authorized continuously, often combining phishing-resistant mechanisms like FIDO2/WebAuthn with contextual checks and micro‑segmentation. Nonetheless, implementation must account for device and platform dependencies, recovery processes, fallback mechanisms that may reintroduce phishing risks, and user experience constraints.
AI-driven IAM leverages machine learning and behavioral analytics to enhance authentication, authorization, and monitoring, enabling adaptive access control and real‑time anomaly detection [42]. Surveys show AI can reduce manual workload, improve detection of anomalous identities, and support continuous risk assessment.
However, these gains introduce new risks. Key challenges include data privacy, integration complexity, and the interpretability of ML‑driven decisions [42,43]. AI in IAM must contend with model bias and fairness issues, as unbalanced training data can lead to discriminatory access decisions [44]. False positives can burden users and administrators, while false negatives may leave attacks undetected [42,45]. Adversarial attacks and data poisoning further threaten AI-based detection pipelines, especially when used to defend against AI‑driven phishing and malicious URLs [36]. Governance requirements such as transparent communication, robust data governance, lifecycle model management, and human oversight are therefore emphasized as essential for trustworthy AI‑IAM deployment.
Decentralized identity and DID systems promise user‑controlled, privacy‑preserving identity, but face interoperability, scalability, and governance challenges. Integrating explainable deep learning with DID is proposed as a way to align transparency, fairness, and privacy in algorithmic governance, using verifiable credentials, zero‑knowledge proofs, and privacy‑preserving audit trails [44]. These systems must still address cross‑platform interoperability, performance under large‑scale usage, and clear accountability models before they can be widely adopted as IAM underpinnings in Zero Trust environments.
Modern security architectures in enterprises and government agencies are moving from network perimeters to identity as the primary control point, often within Zero Trust frameworks. The case studies below show how this shift is implemented in practice and what outcomes organizations report.
Table 5 gives a highlight of the various organizations and sectors where identity has become the new security perimeter.
Government and public‑sector deployments use identity‑centric Zero Trust to secure federal financial systems, distributed government systems, and tax administration platforms, emphasizing continuous verification, segmentation, and advanced identity management to protect citizen data and enable inter‑agency collaboration [46-48,51].
Across enterprises and government institutions, real‑world implementations show that treating identity as the new security perimeter within Zero Trust architectures measurably improves security, compliance, and visibility. These gains come with substantial design, integration, and change‑management effort, but case studies suggest that when IAM is mature and change is well managed, identity‑first security becomes a sustainable foundation for modern, distributed environments.
Recent empirical work quantifies the impact of Zero Trust frameworks compared to perimeter-based models. Large‑scale evaluations across 300 enterprises report that ZTA deployments reduced Mean Time to Detect by 40%, improved Mean Time to Respond by 39%, and decreased successful breaches by 63%, also achieving 75% fewer annual incidents, 70% less downtime, and 78% lower financial losses; all improvements were statistically significant [52]. Another study found that ZTA improved breach detection rates by ~75% and reduced unauthorized access incidents by ~66.7%, albeit with higher implementation costs and some user‑experience degradation due to continuous verification [53].
Cost–benefit analyses show that ZTA can reduce risk impact by an average of $684K over four years for small to large organizations, while demanding significant upfront investments [54]. Case‑oriented research on mid‑sized enterprises indicates up to 90% reduction in lateral movement, 65% fewer insider threats, and 80% reduction in attack surface through micro‑segmentation and identity‑centric controls [55].
Framework-level comparisons highlight that NIST SP 800‑207 and the Forrester ZTX model share core principles (never trust, always verify; least privilege; micro‑segmentation), but differ in emphasis and implementation guidance [48]. Studies combining these frameworks with industry case studies (e.g., BeyondCorp, Microsoft implementations, U.S. federal mandates) underscore trade‑offs between improved access control, compliance, and threat mitigation versus integration challenges, performance overhead, and organizational readiness [48,52,53,55].
These quantitative and comparative findings support a more evidence‑based discussion of Zero Trust frameworks, aligning them with measurable outcomes (IRR, UAR, MTTD, MTTR, financial impact) and contextual factors such as sector, legacy complexity, and governance maturity [52,54,55].
This staged approach aligns with recommendations that ZTA be introduced in ways that minimize performance overhead and integration risk, while enhancing resilience.
Privacy-preserving MFA schemes using distributed authentication and zero‑knowledge proofs demonstrate that strong verification can coexist with user privacy and resilience against single points of failure [33].
Research on ZTA and insider threats repeatedly shows that enforcing least privilege and micro‑segmentation helps contain breaches and reduces opportunities for malicious or negligent insiders [6,57,58].
Evidence from banking, critical infrastructure, and fintech sectors shows that continuous awareness programs, combined with behavioral analytics and Zero Trust monitoring, significantly reduce insider and human-related vulnerabilities [57,58,60].
The rapid evolution of modern computing environments has significantly weakened traditional perimeter-based cybersecurity models. Zero Trust Architecture has emerged as an effective approach for addressing contemporary cyber threats by eliminating implicit trust and enforcing continuous verification. Within this framework, Identity and Access Management has evolved into the foundation of modern cybersecurity. Identity is increasingly becoming the new security perimeter through technologies such as MFA, adaptive authentication, PAM, and behavioral analytics. Although challenges such as implementation complexity, legacy systems, and privacy concerns remain, identity-centric security models provide stronger protection against evolving cyber threats. Future cybersecurity strategies will increasingly depend on advanced IAM technologies integrated within Zero Trust frameworks.
The author declares no conflict of interest associated with this study. No funding or external influence affected the preparation and presentation of this work.
The author wishes to acknowledge the support, guidance, and encouragement received from supervisors, lecturers, colleagues, and all individuals who contributed directly or indirectly to the successful completion of this paper. Appreciation is also extended to authors and researchers whose scholarly works formed the foundation of this study.

PTZ: We're glad you're here. Please click "create a new query" if you are a new visitor to our website and need further information from us.
If you are already a member of our network and need to keep track of any developments regarding a question you have already submitted, click "take me to my Query."