A 2021 executive order mandated zero trust for US federal agencies by fiscal year 2024. Gartner predicts 75% will fail. The gap is not technical.
Gartner's 2026 IT spending forecast carries a finding that should be alarming to anyone who thinks about federal technology policy: 75 percent of US federal agencies will fail to implement zero-trust security policies through 2026 (https://www.gartner.com/en/newsroom/press-releases/2026-04-07-gartner-forecasts-worldwide-it-spending-to-grow-9-8-percent-in-2026). Only 10 percent of organizations overall will reach zero-trust maturity by the end of this year. As someone who studies IS governance and policy implementation, I find the federal number striking not because it is surprising but because the failure was predictable, and the reasons have almost nothing to do with technology. They have everything to do with how large public-sector organizations absorb and implement complex policy mandates.
The mandate itself was ambitious and clear. Executive Order 14028, signed in May 2021, directed federal agencies to move toward zero-trust security architectures. The Office of Management and Budget followed with M-22-09, which set specific maturity goals across five pillars: identity, devices, networks, applications, and data. The deadline was the end of fiscal year 2024. That deadline has passed. The Gartner prediction covers 2026. Two years after the official deadline, 75 percent of agencies are still projected to miss the target. The gap between the policy mandate and the implementation reality is not a minor shortfall. It is a systemic failure to convert a presidential directive into operational change.
The technology for zero trust is not the constraint. NIST published SP 800-207, the zero-trust architecture standard, in 2020. The "never trust, always verify" principle is conceptually clear. It requires continuous authentication of every user and device at every access request, microsegmentation of networks to limit lateral movement, continuous monitoring of activity, and consistent policy enforcement across all systems. None of these things are research problems. The underlying technologies (identity management systems, software-defined networking, security information and event management platforms) exist and are commercially available. The constraint is organizational and structural, not technical.
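To make the "never trust, always verify" requirements above concrete, here is a minimal policy decision point in the SP 800-207 sense, placed beside the perimeter rule it replaces. This is an added illustration, not code from the page or from any agency; the segment names, session limit, and `Request` fields are constructed for the example.

```python
"""Per-request zero-trust decision vs. perimeter trust (added illustration).

Every request is judged on its own: a still-fresh, MFA-backed identity,
a compliant device, and an explicitly allowed segment pair (microsegmentation).
Nothing is trusted for being "inside"; every decision is logged for monitoring.
"""
from dataclasses import dataclass


@dataclass
class Request:  # constructed shape of one access request
    user: str
    mfa_verified: bool
    session_age_s: int
    device_compliant: bool
    src_segment: str
    resource: str
    resource_segment: str


# Constructed policy: which segment pairs may talk at all, and how old a
# session may be before the caller must re-authenticate.
SEGMENT_ALLOW = {("workstations", "hr-apps"), ("workstations", "email"),
                 ("hr-apps", "hr-db")}
MAX_SESSION_AGE_S = 900

DECISION_LOG: list = []  # (user, resource, allowed, reason) for monitoring


def perimeter_decide(req: Request) -> bool:
    """Legacy model the page describes: anything not from the internet is trusted."""
    return req.src_segment != "internet"


def zero_trust_decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request on identity, device and network; default is deny."""
    if not req.mfa_verified:
        reason = "identity: MFA not verified"
    elif req.session_age_s > MAX_SESSION_AGE_S:
        reason = "identity: session too old, re-authenticate"
    elif not req.device_compliant:
        reason = "device: posture check failed"
    elif (req.src_segment, req.resource_segment) not in SEGMENT_ALLOW:
        reason = f"network: {req.src_segment} may not reach {req.resource_segment}"
    else:
        reason = "allow"
    allowed = reason == "allow"
    DECISION_LOG.append((req.user, req.resource, allowed, reason))
    return allowed, reason
```

A workstation reaching straight for the HR database passes the perimeter check but fails the segment rule, which is exactly the lateral movement microsegmentation is meant to stop.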
The IS theory that explains this most directly is absorptive capacity from Cohen and Levinthal (1990). Their framework argues that an organization's ability to recognize, assimilate, and apply new knowledge depends on its prior related knowledge base. Federal agencies that lack deep internal cybersecurity expertise cannot effectively recognize what zero-trust implementation actually requires, cannot evaluate vendor claims about zero-trust capability, and cannot design the organizational processes that make zero-trust controls operationally real rather than technically present. The agencies that are furthest behind on zero-trust implementation tend to be the ones with the largest legacy system portfolios, the thinnest in-house cybersecurity teams, and the highest dependence on external contractors whose incentives are not necessarily aligned with rapid modernization.
Legacy infrastructure is the most visible structural constraint. A significant portion of federal IT runs on systems built before the zero-trust model was formulated. Authentication mechanisms that assume perimeter security. Applications that cannot support modern identity federation because they were never designed to integrate with centralized identity providers. Mainframes running critical mission functions on protocols that predate the web. Retrofitting zero-trust controls onto these systems is not a configuration exercise. It often requires middleware layers, proxy architectures, and workarounds that provide partial coverage at high complexity cost. Each workaround adds technical debt and creates new potential failure points. The agencies with the most ambitious zero-trust mandates often have the most entrenched legacy infrastructure, precisely because they have been around longest and have accumulated the most technical debt.
Federal procurement is structurally misaligned with the pace of cybersecurity modernization. An agency that begins a procurement action for a new identity management platform in 2022 may not receive and deploy it until 2025 or 2026. The Federal Acquisition Regulation, which governs most federal procurement, requires competition, review periods, protest rights, and documentation at every stage. These requirements serve legitimate purposes of fairness and accountability. They also make rapid technology adoption structurally difficult in a domain where the threat environment changes faster than the procurement cycle. By the time a system procured to address a specific zero-trust gap is deployed, the relevant threat landscape may have shifted significantly.
Contractor fragmentation compounds the governance problem. Federal agencies do not primarily operate their own IT. They contract to systems integrators and managed service providers who maintain distinct system domains, often under separate contracts with different periods of performance. Zero trust, by definition, requires consistent policy enforcement across all systems. An agency whose network includes multiple contractor-managed enclaves, each with its own security architecture and contract terms, faces a coordination problem that no single technology decision can solve. Every contractor must update their systems, adopt compatible identity standards, support the agency's policy enforcement infrastructure, and do it on a timeline that aligns with their contract terms. This is an organizational challenge that is an order of magnitude harder than the underlying technical one, and the contracts that govern the relationships often do not give agency CIOs the authority to require it unilaterally.
Sociotechnical systems theory (Trist and Bamforth, 1951) is useful for understanding why this kind of mandate so frequently fails in implementation. Zero trust is not just a security technology change. It is a change to how people in the organization work. Every access request requires authentication. Every system boundary requires a policy enforcement point. Human workflows that currently rely on implicit trust within the network perimeter need to be redesigned around explicit verification. The social side of the organization (the people, their routines, their expectations about how systems work) has to change alongside the technical side. Mandates that treat zero trust as a technology deployment rather than a sociotechnical transformation underestimate the organizational change required.
The political continuity problem is real and underappreciated. Federal IT strategy depends on executive leadership that sets priorities and sustains pressure on implementation. EO 14028 was issued under one set of political conditions. Leadership of agency CIO offices changes with administrations. Budget priorities shift. The continuity of strategic direction between the mandate and the implementation is not guaranteed in a way that a private-sector board's strategic priorities usually are. An agency CIO who deprioritizes zero trust in response to a new political priority is making a rational response to their governance environment, even if it produces implementation failure from the perspective of the original mandate.
What worries me most as an IS researcher is not that 75 percent of agencies will miss the target. That outcome was foreseeable from the structural conditions. What worries me is the absence, in the policy discourse, of an honest account of why this keeps happening. The ERP implementation literature documented for three decades that large-scale IT mandates without commensurate support for process change, workforce capacity, and organizational redesign produce compliance documentation rather than operational transformation. Federal zero trust is following the same pattern. The mandate was detailed. The technology guidance was good. The structural conditions that would have made implementation possible (stable funding, procurement flexibility, contractor coordination authority, workforce capacity) were not built alongside the policy.
The research question I want to pursue is what distinguishes the 25 percent of agencies that will achieve meaningful zero-trust implementation from the 75 percent that will not. My hypothesis is that the difference is not in technology access or policy clarity. It is in organizational factors: internal cybersecurity expertise, leadership continuity, procurement flexibility at the margin, and the quality of contractor coordination mechanisms. If that hypothesis holds, then the policy implication is not more detailed mandates. It is investment in the organizational infrastructure that makes implementation possible. That is a harder argument to make in a budget environment than purchasing a security tool, but it is the honest one.