
Federal zero trust: Turn stalled strategy into execution

Published May 2026
Read time 6 minutes
What you will learn
Identity visibility, legacy systems, and speed are stalling federal zero trust execution. Here's how you govern privileged access without slowing your mission. 

For federal agencies, zero trust is no longer theoretical. It’s a mandate. With directives in place and frameworks like NIST SP 800-207 defining the architecture, agencies have a clear foundation for implementation.

But policy and frameworks alone do not produce outcomes. Across the federal landscape, many zero trust efforts have advanced on paper while falling short in day-to-day operations. The emerging struggle is turning zero trust plans into operational reality. Federal agencies are finding that strategy is not the issue; execution is.

Projects stall due to specific execution gaps: limited visibility into privileged identities, legacy infrastructure that can't support modern security, and the need for controls that don't impact mission velocity. When privileged access and non-human identities (NHIs) cannot be continuously governed without slowing operations, security mandates risk becoming operational liabilities.

Take a closer look at the issues at stake and what it will take to shift to successful zero trust implementation.

Three critical execution gaps undermining federal zero trust

Execution gaps in federal zero trust - diagram

The vision for federal zero trust isn't the problem. The problem is closing critical operational gaps that prevent identity-centric security from working in practice: visibility, legacy infrastructure, and velocity constraints.

Addressing these barriers is essential to turning federal zero trust from a framework into a working reality.

1. Visibility limitations: Trying to secure what you don't know exists

Most federal agencies cannot answer basic questions about their privileged identity landscape, such as how many privileged identities exist, how many are active, and which have retained admin access beyond their intended use.

The rapid growth of NHIs compounds this problem. Service accounts, application credentials, machine-to-machine tokens, scheduled task credentials, and database connection strings outnumber human identities by at least 10 to 1 in most environments. These accounts are rarely inventoried, almost never rotated, and frequently overprivileged. With AI agent adoption, NHI growth will only continue to accelerate.

2. Legacy systems: Running modern security on outdated infrastructure

Federal environments often rely on legacy systems that assume persistent credentials, static network trust, and local admin access—the opposite of zero trust principles. Many older systems cannot support modern agents or new authentication protocols, creating inherent incompatibilities.

This gap becomes a critical bottleneck: Retrofitting systems with zero trust controls is often impractical, yet replacing systems is rarely feasible.

3. Velocity friction: Having security controls that keep pace with operations

If a privileged access management (PAM) solution adds time, even just seconds, to every routine action, operators will find workarounds, especially when mission success is on the line.

This challenge is amplified in federal environments, where systems may be physically disconnected or restricted by classification boundaries. Most zero trust architectures assume constant connectivity to identity providers, policy engines, or cloud analytics services. When controls introduce friction in time-sensitive conditions, the likelihood of user workarounds increases significantly.

Identity as the control plane for federal zero trust

The shift required for successful zero trust implementation is a move from network-centric to identity-centric security.

Traditional network perimeters once served as the security control plane, trusting what's inside and blocking what's outside. But modern federal environments span classified, unclassified, disconnected, and forward-deployed networks with no single perimeter to enforce. Attackers have adapted accordingly, stealing credentials and exploiting trusted access rather than breaching network boundaries.

Identity is the most consistent control plane across these environments, following users in a way networks cannot.

The shift is from 'network location equals trust' to 'identity assertion equals trust.' A user on the internal network gets no implicit trust. They authenticate, their privilege is scoped to exactly what they need, and that privilege expires.
~ Darrel Lewis 

Without continuous governance of who has access to what, when, and why, zero trust remains theoretical rather than operational.

The common mistake: Treating zero trust as a checklist

Organizations often deploy privileged access management solutions across their environment and consider the project complete. But zero trust is not simply a tooling exercise; it's an operational model that requires continuous discipline in identity and privilege management.

Achieving zero trust requires more than deploying PAM. Federal environments must also change their credential management processes, onboard and govern service accounts, enforce rotation, and continuously validate access.

From strategy to operational success

Moving from a federal zero trust strategy to measurable security outcomes requires a repeatable execution model. Success depends on answering key operational questions:

  1. Visibility: Do you have a complete inventory of all privileged accounts, both human and non-human? Can you identify which accounts are active, shared, or over-privileged?

  2. Legacy enforcement: How will you apply zero trust principles to systems that cannot support modern authentication? What's your approach to wrapping legacy infrastructure with modern controls?

  3. Least privilege at scale: Can you eliminate standing privileges and implement just-in-time, just-enough access across thousands of identities? How will you automate privilege governance to operate at scale?

  4. NHI governance: With inevitable NHI growth, how will you discover, vault, and rotate machine credentials without manual intervention?

Successfully executing zero trust involves treating it not as a procurement exercise but as a comprehensive operating model that integrates diverse capabilities, processes, and partnerships.

Mapping Delinea solutions to the Department of War Zero Trust Execution Roadmap

| Delinea Solutions | Capability ID# | Associated Capability | ID# | Activity Name |
|---|---|---|---|---|
| Delinea Suite / Platform | 1.2 | Conditional User Access | 1.2.1 | Implement App-Based Permissions per Enterprise |
| Delinea Suite / Platform | 1.2 | Conditional User Access | 1.2.2 | Rule-Based Dynamic Access Pt1 |
| Delinea Suite / Platform | 1.3 | Multi-Factor Authentication (MFA) | 1.3.1 | Organizational MFA/IDP |
| Delinea Suite / Platform | 1.4 | Privileged Access Management (PAM) | 1.4.1 | Implement System and Migrate Privileged Users Pt1 |
| Delinea Suite / Platform | 1.4 | Privileged Access Management (PAM) | 1.4.2 | Implement System and Migrate Privileged Users Pt2 |
| Delinea Suite / Platform with integration | 1.5 | Identity Federation & User Credentialing | 1.5.1 | Organizational Identity Life-Cycle Management |
| Delinea Suite / Platform | 1.5 | Identity Federation & User Credentialing | 1.5.2 | Enterprise Identity Life-Cycle Management Pt1 |
| Delinea Suite / Platform (only) | 1.6 | Behavioral, Contextual ID, and Biometrics | 1.6.1 | Implement User & Entity Behavior Activity (UEBA) and User Activity Monitoring (UAM) Tooling |
| Delinea Suite / Platform | 1.7 | Least Privileged Access | 1.7.1 | Deny User by Default Policy |
| Delinea Suite / Platform with integration | 1.9 | Integrated ICAM Platform | 1.9.1 | Enterprise PKI/IDP Pt1 |
| Server Suite | 6.1 | Policy Decision Point (PDP) & Policy Orchestration | 6.1.1 | Policy Inventory & Development |
| Server Suite | 6.1 | Policy Decision Point (PDP) & Policy Orchestration | 6.1.2 | Organization Access Profile |
| Server Suite | 6.1 | Policy Decision Point (PDP) & Policy Orchestration | 6.1.3 | Enterprise Security Profile Pt1 |

For a structured framework addressing the real execution challenges of federal zero trust—including where identity gaps emerge, what they cost, and what it takes to sustain progress—download Delinea's whitepaper, Operationalizing Zero Trust in the Department of War.
