Amid regulatory mandates, evolving cyber threats, and increasingly complex technology environments, federal agencies understand the importance of implementing strong Zero Trust principles. However, a prevailing challenge is execution – how best to operationalize across environments containing hybrid cloud infrastructure, automation, and rapidly expanding machine identities. During the recent CyberArk Federal Meetup, hosted in partnership with Merlin Cyber and Olympus Solutions, federal identity practitioners gathered to focus on identity security objectives to drive successful mission and Zero Trust outcomes.
Below are the key takeaways shaping how agencies should think about identity security in 2026 and beyond.
Zero Trust initiatives often stall when identity is narrowly defined as just “human access.” Modern federal environments contain many users but also devices, workloads, service accounts, APIs, automation, and now AI agents. Each of these identities are authenticating and many are unmanaged, amplifying the attack surface. Machine identities already outnumber humans 82:1, and 42% hold sensitive or privileged access.
As federal systems rely more on machine identities and AI agents, threat actors are increasingly targeting these identities as attack vectors. If it can authenticate access or an action, it is an identity and must be governed accordingly.
CyberArk’s latest Endpoint Privilege Manager (EPM) capabilities demonstrated how identity controls can proactively enable SOC operations. Instead of choosing between doing nothing or isolating endpoints entirely, SOC teams can now dynamically reduce privilege, enforce step-up authentication, and prevent lateral movement. By granularly governing privileged access across endpoints, SOC teams can effectively do their job without disrupting mission-critical access and operations.
This integration of privilege controls with SOC workflows turns identity and access management into a real-time, contextual response mechanism instead of just a static safeguard. This approach aligns with Zero Trust principles: assume compromise, limit blast radius, and continuously verify.
The Vault Analysis Tool (VAT) session reinforced the criticality of proper vault hygiene for PAM effectiveness. Misconfigurations, outdated settings, and coverage and performance gaps quietly erode security and compliance over time. CyberArk’s VAT provides agencies with a rapid, repeatable, and audit-ready way to assess vault health, identify risk, and prioritize remediation before issues escalate. By proactively provisioning credentials with CyberArk’s VAT, agencies can ensure and demonstrate risk reduction, regulatory compliance, positive privacy posture, and migration readiness.
VAT delivers a real-time, automated vault health check to support continuous assessments, pre-upgrade checks, and audit readiness without the overhead and audit fatigue of manual analysis.
Olympus Solutions highlighted how non-human identities (NHIs), including service accounts, bots/RPAs, automation pipelines, and AI agents, introduce new risks when ownership, lifecycle controls, and privileges are missing. AI agents especially amplify blast radius when over-privileged and poorly governed. This is because of the integration multiplier effect where AI agents autonomously use tools/plugins to call APIs and communicate with other systems. Additionally, agent sprawl adds to the complexity of governing AI agents due to privilege proliferation that lacks visibility, lifecycle control, and ownership.
Below is the recommended model to govern NHIs:
Beyond technology, the meetup emphasized the importance of shared learning and operational alignment through the Federal Identity User Community. With Zero Trust mandates, compliance pressures, and talent gaps colliding, agencies benefit most when identity security is treated as a program, not a point solution. Merlin Cyber is committed to enabling Zero Trust outcomes for government through these collaborative forums focused on best practices.
Zero Trust success depends on knowing where you stand today. Merlin Cyber’s CyberArk Health Check provides a focused, expert-led assessment of your PAM environment—highlighting quick wins, risk gaps, and an actionable roadmap toward measurable Zero Trust outcomes. It is complimentary, efficient, and designed specifically for federal environments.
Talk to Merlin Cyber about scheduling your CyberArk Health Check.