Trust & Security

Zero Trust Security: Why 'Never Trust, Always Verify' Is Harder Than It Sounds

Zero trust is an architecture philosophy, not a product. Buying a zero trust solution and having zero trust architecture are not the same thing.

2026-05-14 · 6 min read Trust & Security
ZeroPart 4 of 6
Zero Trust Data GoveZero Trust Data GoveZero Trust Everywher4Zero Trust Trust CalZero Trust Vendor Ma

The traditional model of enterprise network security was built on a perimeter assumption. Inside the network is trusted. Outside the network is not. You build a strong wall, you put guards at the gates, and everything inside is treated as safe. This model made sense when employees worked in offices, used company-managed computers, and accessed data through systems that sat inside a physical data center. By the time remote work became standard, cloud services became the dominant way organizations ran software, and employees started accessing work systems from personal devices on home networks, the perimeter had been so thoroughly blurred that calling it a perimeter at all was mostly metaphor. The "inside the network" assumption was still there. The network it described had largely stopped existing.

Zero trust is the response to that problem. The core principle is that no entity inside or outside the network perimeter is trusted by default. Every request for access must be authenticated, authorized, and continuously validated. The question is not "is this request coming from inside the corporate network?" The question is "can this specific user, on this specific device, from this specific context, be verified as authorized to access this specific resource right now?" NIST Special Publication 800-207, published in 2020 and publicly available from the National Institute of Standards and Technology, formally defines zero trust architecture and identifies three core tenets. Verify explicitly: every access request is authenticated and authorized based on all available data points. Use least privileged access: permissions are granted at the minimum level necessary for the task. Assume breach: the system is designed under the assumption that the perimeter has already been compromised, so that a successful breach in one area does not automatically propagate to everything else.

The vendor marketing around zero trust has complicated the concept considerably. Because "zero trust" became a widely recognized term, vendors of identity management tools, endpoint detection products, microsegmentation platforms, and network access control systems all began attaching the label to their products. Each of these products might implement a genuine piece of zero trust architecture. None of them, alone or even together in an uncoordinated stack, delivers zero trust architecture. NIST SP 800-207 is explicit on this point: zero trust is an architecture philosophy and a set of design principles, not a product category. Organizations that purchase a product labeled "zero trust" and consider the job done have not implemented zero trust. They have purchased a component that could contribute to a zero trust architecture if they also redesign how every application, user, device, and network segment interacts with every other part of the system. The redesign is the actual work.

Gartner has described zero trust as a strategic security priority and has tracked vendor capabilities in the space for several years, noting that adoption has been widely discussed but that genuine full implementation remains challenging for most organizations, according to research covered in their newsroom. I read that as consistent with what I see in practice: organizations that claim to be implementing zero trust are frequently implementing zero trust at the identity and endpoint layers while their core application stack continues to operate on the old perimeter assumptions.

Legacy systems are where the gap is most obvious. An application designed in the 1990s or early 2000s assumes that users who can reach it are authorized to use it. Authentication, if it exists at all, is a login screen at the front door. There is no mechanism for continuous validation, no API for context-aware access decisions, no ability to revoke a session based on a change in device posture or user behavior. Retrofitting these systems for zero trust architecture is expensive and technically complex. The organization must either rebuild the application, which is a major investment, wrap it in a proxy that can handle the authentication logic externally, which is an approximation rather than a full solution, or continue running it on the old model while the rest of the environment moves toward zero trust. In practice, most organizations choose the third option, which means their zero trust architecture has a large exception carved out for exactly the systems that hold the most sensitive data and have the least security flexibility.

This is not a criticism of the organizations making that choice. Rebuilding a thirty-year-old application that runs core business processes to support continuous authentication is a multiyear, multimillion-dollar project that competes for budget against every other IT priority. The economics almost never pencil out in favor of doing it all at once. But it does mean that "we are implementing zero trust" and "we have zero trust architecture" are not the same statement, and conflating them creates a false sense of security that can actually make things worse. I wrote about how preemptive cybersecurity strategy maps to protection motivation theory, and the same issue applies here: the organization needs to have an honest assessment of what it has actually implemented versus what it is working toward.

The identity layer is where most zero trust implementations start and where most of the genuine value is delivered first. Multi-factor authentication, identity-aware access proxies, and conditional access policies that evaluate device compliance before allowing access are all well within current tooling capabilities and do not require replacing legacy applications. They also address a large proportion of actual attack vectors, since credential theft and identity-based attacks are among the most common entry points for breaches. Starting with identity and working outward is the architecture decision that makes progress possible without waiting for the legacy modernization budget to appear.

What I think is underappreciated in the zero trust conversation is how much of the work is organizational rather than technical. Least privileged access requires the organization to define what the minimum necessary privileges actually are for each role and system, which requires a level of access governance that most organizations have never done rigorously. Assume breach requires the security team to build detection and response capabilities that treat lateral movement as inevitable rather than exceptional, which requires a different operating model than traditional perimeter defense. These are not configuration tasks. They are process redesign tasks with significant cultural and political dimensions. The technology that supports zero trust is available and relatively mature. The organizational will to operate under the discipline zero trust requires is the more common constraint.

About the author

A
Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.

in gs

Share

More notes

← Previous
Zero-Trust Architecture Is Already Founded on Trust Research
Next →
Zero Trust Is Everywhere and Almost Nowhere at the Same Time

Related notes

IS Theory
Protection Motivation Theory Is Trapped in Cybersecurity
5 min read
IS Theory
Cybersecurity Economics Is an IS Problem Hiding in Plain Sight
8 min read
IS Theory
Trust Calibration for AI Is Not Trust Calibration for Humans
7 min read