
The Zurich release shipped two consoles that fix problems most security teams had been working around with spreadsheets and quarterly audits: where sensitive data actually lives on the platform, and which non-human identities have access to what. Vault Console and Machine Identity Console are not exotic add-ons; they are the operational surface for governance work that was previously invisible until it became an incident.

Vault Console

Centralized sensitive-data management on the platform. Identify what is sensitive (PII, PHI, financial data, anything regulated by region) using built-in classifiers plus custom rules. Attach a classification tag to each match through a policy framework, so the tag, not the table name, drives what happens next. Apply protection (field-level encryption, row-level masking, ACL-restricted access) as a consequence of the classification, without writing one-off business rules per table. Audit access and changes from a single timeline that joins the data source, the operation, the actor, and the policy that was matched.

Vault classification policy example, in shorthand:
  match: field type = email AND table.contains_pii = true
  classification: PII-low
  protection: mask in non-prod, audit reads in prod
  retention: per data subject region
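To make the shorthand above concrete, here is an added example (not ServiceNow's code, and not the console's policy syntax) that evaluates the same rule over constructed schema metadata and applies the environment-dependent protection it specifies: masked reads in non-prod, audited reads in prod. The policy object, the SCHEMA table, the field names and the audit record shape are all assumptions chosen to mirror the page's wording; the interesting part is that the match condition spans two levels of metadata (field type AND table flag) and that the audit event carries the four things the page says the timeline joins.

```javascript
// Added illustration of a Vault-style classification policy (assumed shapes,
// not a ServiceNow API). The policy mirrors the shorthand on the page:
//   match: field type = email AND table.contains_pii = true
//   classification: PII-low
//   protection: mask in non-prod, audit reads in prod
const POLICY = {
  name: "pii-email",
  match: { fieldType: "email", tableContainsPii: true },
  classification: "PII-low",
  protection: { nonprod: "mask", prod: "audit-read" },
};

// Constructed schema metadata: field types per table, plus the table-level
// PII flag. "asset" has an email column but is not flagged as holding PII,
// which is exactly the case the AND in the match rule is there to exclude.
const SCHEMA = {
  customer: { containsPii: true, fields: { email: "email", name: "string" } },
  asset: { containsPii: false, fields: { contact_email: "email", tag: "string" } },
};

function policyMatches(policy, table, field) {
  const meta = SCHEMA[table];
  if (!meta) return false;
  return meta.fields[field] === policy.match.fieldType &&
    meta.containsPii === policy.match.tableContainsPii;
}

// Mask the local part but keep the domain, e.g. "alice@example.com" -> "a***@example.com".
function maskEmail(value) {
  const at = value.indexOf("@");
  if (at < 1) return "***";
  return value[0] + "***" + value.slice(at);
}

// Read one field under the policy. Returns the value the caller is allowed to
// see and, for audited reads, an event joining source, operation, actor and
// the matched policy (the four columns of the audit timeline described above).
function readField({ env, table, field, value, actor }, policy = POLICY) {
  if (!policyMatches(policy, table, field)) {
    return { value, audit: null }; // unclassified: no protection, no audit
  }
  const action = policy.protection[env];
  if (action === "mask") {
    return { value: maskEmail(value), audit: null };
  }
  if (action === "audit-read") {
    return {
      value,
      audit: {
        source: `${table}.${field}`,
        operation: "read",
        actor,
        policy: policy.name,
        classification: policy.classification,
      },
    };
  }
  // An environment the policy does not name is a policy bug, not a free pass.
  throw new Error(`policy ${policy.name} defines no protection for env "${env}"`);
}
```

Note the last branch: a policy that is silent about an environment fails closed. Leaving it to fall through to the raw value is how a new "staging" or "uat" instance quietly becomes an unmasked copy of production.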

Machine Identity Console

Manage non-human identities: service accounts, API credentials, OAuth client IDs, X.509 certificates, MID Server credentials. Monitor for expiring certificates, over-privileged service accounts, stale accounts that have not been used in months, and credentials referenced by no active integration (orphaned). The non-human identity sprawl that has been growing in every instance for years finally gets a centralized inventory and the operational tooling to clean it up.

Why It Matters

Agentic AI deployments multiply non-human identities — every agent needs credentials, every spoke needs an integration user, every webhook subscription needs a token. Without centralized management, identity sprawl creates audit gaps, makes least-privilege impossible to enforce, and turns rotation into a coordination project. Zurich’s consoles address this natively rather than via custom builds on top of sys_user and sys_auth_credential.

Operational Adoption

Run Vault discovery early in the Zurich upgrade window. Baseline current sensitive data exposure. Define classification policies that match your regulatory profile (GDPR, HIPAA, PCI as applicable). Enforce protection progressively — start with non-prod masking, add prod read-audit, then add prod encryption for the classifications that warrant it. For Machine Identity, audit first, retire the obviously stale, then tighten scope on the remaining identities. Both consoles deliver visible progress within the first sprint when prioritized.

Common Failure Modes

Treating classification as a one-time exercise: data drifts, new tables and fields appear, and rules need quarterly review. Encrypting everything because it sounds safe: field-level encryption usually removes the ability to filter, sort and report on the field, so classify and protect proportionally, reserving encryption for the classifications that warrant it. Rotating service account credentials without notifying integration owners: coordinate via the Machine Identity Console's notification webhook before rotation, not after, and keep the old credential valid for an overlap window so consumers can switch without an outage.

Implementation Sequence

Stand up Vault Console with classification of one regulated data domain (PII or PHI), validate the audit trail against a sample access pattern, then add the next domain. Stand up Machine Identity Console in read-only inventory mode, identify the top 20 most-privileged non-human identities, verify each has a current owner and a rotation schedule. Aggressive enforcement on day one creates breakage; staged enforcement builds confidence and surfaces hidden dependencies before they bite.

What to do this week: query sys_user for non-human accounts (active, never logged in via UI, owns active integrations) and verify each has a documented owner and rotation schedule — anything missing both is your first Machine Identity Console finding.
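The week-one triage above, as an added example that is not ServiceNow code and not an official console report. It runs offline over a constructed sys_user export (the column names user_name, active, web_service_access_only, internal_integration_user and last_login_time are real sys_user fields; the rows are invented), a constructed list of integrations that reference each account, and a constructed ownership register standing in for wherever you record owners and rotation schedules. Those last two inputs are assumptions: the platform does not keep an "owner" on sys_user, which is precisely why the page tells you to go and check. The function ranks accounts by how many of the page's conditions they fail, so the account missing both an owner and a rotation schedule comes out on top.

```javascript
// Added example (not ServiceNow's code): week-one Machine Identity triage over
// an exported sys_user list. Inputs below are constructed for illustration.
const NOW = new Date("2025-10-01T00:00:00Z");
const STALE_DAYS = 90; // "not used in months": assumed threshold

// Constructed sys_user export. Non-human accounts are active, have never
// logged in through the UI (last_login_time empty), and are flagged as
// web-service-only or internal integration users.
const USERS = [
  { user_name: "svc.sap.sync", active: true, web_service_access_only: true, internal_integration_user: false, last_login_time: "" },
  { user_name: "svc.legacy.hr", active: true, web_service_access_only: true, internal_integration_user: false, last_login_time: "" },
  { user_name: "mid.server.01", active: true, web_service_access_only: false, internal_integration_user: true, last_login_time: "" },
  { user_name: "jane.doe", active: true, web_service_access_only: false, internal_integration_user: false, last_login_time: "2025-09-28 09:12:00" },
  { user_name: "svc.retired", active: false, web_service_access_only: true, internal_integration_user: false, last_login_time: "" },
];

// Constructed: integrations that authenticate as each account, and their last run.
const INTEGRATIONS = [
  { name: "SAP inbound REST", user: "svc.sap.sync", active: true, last_run: "2025-09-30T22:00:00Z" },
  { name: "HR flat-file import", user: "svc.legacy.hr", active: false, last_run: "2025-02-14T03:00:00Z" },
  { name: "MID heartbeat", user: "mid.server.01", active: true, last_run: "2025-09-30T23:55:00Z" },
];

// Constructed ownership register (assumed; not a platform table).
const REGISTER = {
  "svc.sap.sync": { owner: "erp-platform@example.com", rotation_days: 90 },
  "mid.server.01": { owner: "itom@example.com" }, // owner known, no rotation schedule
};

function isNonHuman(u) {
  return u.active && !u.last_login_time &&
    (u.web_service_access_only || u.internal_integration_user);
}

function daysSince(iso, now) {
  return (now - new Date(iso)) / 86400000;
}

// Returns one finding per non-human account that fails any check, worst first.
// Issue tags: orphaned (no active integration references it), stale (last use
// older than STALE_DAYS), no-owner, no-rotation-schedule.
function triage(users, integrations, register, now) {
  const findings = [];
  for (const u of users.filter(isNonHuman)) {
    const refs = integrations.filter((i) => i.user === u.user_name);
    const lastUse = refs.map((i) => i.last_run).sort().pop();
    const reg = register[u.user_name] || {};
    const issues = [];
    if (!refs.some((i) => i.active)) issues.push("orphaned");
    if (lastUse && daysSince(lastUse, now) > STALE_DAYS) issues.push("stale");
    if (!reg.owner) issues.push("no-owner");
    if (!reg.rotation_days) issues.push("no-rotation-schedule");
    if (issues.length) findings.push({ user: u.user_name, issues });
  }
  return findings.sort(
    (a, b) => b.issues.length - a.issues.length || a.user.localeCompare(b.user)
  );
}

// Stand-alone run: print the ranked list.
for (const f of triage(USERS, INTEGRATIONS, REGISTER, NOW)) {
  console.log(`${f.user}: ${f.issues.join(", ")}`);
}
```

Inside the instance the same first filter is a sys_user query (for example an encoded query along the lines of active=true^web_service_access_only=true^last_login_timeISEMPTY, run through GlideRecord or the list view); the integration references and the ownership register are the parts you have to assemble from your own inventory, which is the gap the console is meant to close.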
