Gartner says 63% of organizations have started implementing zero trust. Only 10% will have a mature program by 2026. The gap between those two numbers is an information systems (IS) story.
Gartner's 2024 survey found that 63% of organizations have partially or fully implemented a zero-trust strategy. That sounds like real progress. The fine print is harder to feel good about.
Gartner also found that most of those organizations address only about half their environment and mitigate roughly 25% of enterprise risk through their zero-trust implementation. By 2026, Gartner predicts only 10% of large enterprises will have a mature zero-trust program. And 75% of US federal agencies will fail to meet their zero-trust implementation requirements through 2026. The question I keep asking is how you get to 63% adoption and 10% maturity at the same time. The gap between those two numbers is the IS story.
Zero trust as a security framework means something specific. The core idea is "never trust, always verify": no user, device, or network segment is trusted by default, even inside the perimeter. Access is granted based on continuous verification of identity, device health, and context. In practice, mature zero trust requires changes across identity and access management, network architecture, device management, data governance, and monitoring. It is not a product you buy. It is an architectural posture that requires sustained organizational change across multiple technical and operational domains.
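The "never trust, always verify" posture above, shown as an added illustration (not code from this post): a policy decision function that re-evaluates identity, device health and context on every request, beside the perimeter rule it replaces, with a partial rollout where only some resources are covered. The request fields, posture threshold and resource names are constructed assumptions.

```python
"""Per-request zero-trust decision versus a perimeter rule (added example).
All names, thresholds and the sample session are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    mfa_verified: bool        # identity signal
    device_managed: bool      # device health signals
    disk_encrypted: bool
    patch_age_days: int
    source_network: str       # context: "office", "vpn" or "internet"
    resource: str             # e.g. "payroll-db"

MAX_PATCH_AGE = 30            # assumed device-posture threshold

def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the corporate network is the credential."""
    return req.source_network == "office"

def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Every signal is checked on every request; network location is context,
    not authorization, so an earlier 'allow' confers nothing later."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity: MFA not verified")
    if not req.device_managed:
        reasons.append("device: unmanaged")
    if not req.disk_encrypted:
        reasons.append("device: disk not encrypted")
    if req.patch_age_days > MAX_PATCH_AGE:
        reasons.append(f"device: patches {req.patch_age_days}d old")
    return (not reasons), reasons

def decide(req: Request, zt_covered: frozenset[str]) -> tuple[bool, str]:
    """Mixed estate: resources outside the rollout still fall back to the
    perimeter rule, which is what 'half the environment' looks like."""
    if req.resource in zt_covered:
        ok, reasons = zero_trust_decision(req)
        return ok, "zt:" + ("allow" if ok else "; ".join(reasons))
    return perimeter_decision(req), "perimeter"

COVERED = frozenset({"payroll-db"})  # constructed: only one resource migrated
SESSION = [  # constructed: one user's requests over a day, same office network
    Request("alice", True, True, True, 3, "office", "payroll-db"),
    Request("alice", True, True, True, 45, "office", "payroll-db"),       # posture drifted
    Request("alice", True, True, True, 45, "office", "legacy-fileshare"), # not yet covered
]

def run(session=SESSION, covered=COVERED) -> list[tuple[bool, str]]:
    return [decide(r, covered) for r in session]
```

The second request is denied on device posture alone even though nothing about the user or network changed, while the third, to an uncovered resource, is still waved through by the perimeter rule.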
What Gartner is describing when they say 63% have "partially or fully implemented" a zero-trust strategy is not that 63% have done this work. They have largely done what mimetic isomorphism predicts. DiMaggio and Powell (1983) described how organizations copy each other under uncertainty, particularly when copying is rewarded with legitimacy. Zero trust has become the dominant vocabulary in enterprise security. Vendors market their products as zero-trust solutions. CISOs are expected to have a zero-trust roadmap. Boards have begun asking about zero-trust posture because they have seen the term in enough board presentations and audit reports that it has become a legitimacy signal. Under those conditions, the institutional pressure to say you are implementing zero trust is enormous, whether or not the implementation is substantive.
Scott (1995) described the cultural-cognitive pillar of institutional theory as the quietest and most powerful: the point at which something becomes so taken-for-granted that alternatives are not meaningfully considered. Zero trust is not quite at the cultural-cognitive stage for most organizations, but it is deep into the normative stage. Professional associations, certification bodies, conference tracks, and vendor ecosystems have all coalesced around zero trust as the correct answer to the enterprise security question. That normative pressure makes partial adoption (putting up the right slides, procuring some zero-trust-branded products, writing a strategy document) feel like progress even when the operational reality is closer to 25% risk mitigation.
The federal case sharpens this considerably and I think it deserves its own treatment. Executive Order 14028, signed in May 2021, required federal agencies to develop zero-trust architecture plans. OMB memorandum M-22-09, published in January 2022, set specific zero-trust implementation requirements for agencies with a deadline of fiscal year 2024. We are now in May 2026. Gartner is predicting that three-quarters of US federal agencies will fail to implement zero trust through 2026 despite a mandate that is now four years old.
This is not an unfamiliar pattern in government IT. IS researchers have documented for decades that government IT projects face structural barriers that private sector implementations do not: procurement cycles that stretch years, workforce constraints that prevent building in-house capability, siloed agency architectures that predate interoperability standards, and political incentives that reward new project announcements over unglamorous implementation work. The zero-trust mandate followed the same trajectory as many previous government IT mandates: a clear policy directive, a deadline, agency plans produced in response to the directive, and then a slow divergence between the plans and the operational reality.
The coercive isomorphism at work here is real and formal. Federal law and OMB guidance carry legal authority. Agencies responded by producing zero-trust strategies and roadmaps, which is exactly what coercive isomorphism predicts: compliance at the level of visible artifacts. What it cannot reliably produce is the underlying capability change, because that requires sustained technical expertise, budget continuity across annual appropriations cycles, and willingness to disrupt existing systems that agencies depend on daily. The mandate creates the artifact. The artifact is not the capability.
I think zero trust is also a case where the construct mismatch between policy and practice is unusually large. Most IT mandates specify what to do, even if implementation is hard. "Encrypt data at rest" is a clear requirement with a clear compliance test. Zero trust is more of a posture than a requirement. "Verify continuously" describes a principle, not a configuration setting. That ambiguity is part of why 63% of organizations can claim to be implementing it while most of them are covering half their environment. The framework is permissive enough to accommodate partial implementation without the organization having to claim non-compliance. You can be on a zero-trust journey indefinitely without arriving anywhere.
Gartner's spending data provides the other side of this picture. Information security spending is expected to reach $213 billion in 2025. That is a large and growing number. If zero trust maturity is sitting at 10%, the resource allocation is happening and the capability is not following. This is the structural problem that the DeLone and McLean IS success model would describe as a quality-to-outcome gap: inputs are being invested, but the quality dimensions, in this case the technical completeness and operational integration of the zero-trust implementation, are not translating into the net benefits that would follow from genuine risk reduction.
The research question I keep circling is what distinguishes organizations that close the gap between adoption rhetoric and operational maturity. My guess, and it is a guess at this point, is that it comes down to absorptive capacity in the Cohen and Levinthal (1990) sense: the ability to recognize, assimilate, and apply new security knowledge in the organizational context. Organizations with strong prior security capability can build on it to implement zero trust substantively. Organizations that adopted the vocabulary without the prior capability find that the new architecture requires knowledge they have not built. You can buy a zero-trust product. You cannot buy the organizational learning that makes it work.
The 10% mature program figure may be the most honest thing Gartner has published about enterprise security in several years. Not because it is damning, but because it is precise. Most of the security industry communicates in adoption percentages, and adoption percentages reward the wrong behavior. Maturity percentages are harder to achieve and harder to fake. If the research and practitioner community shifted from tracking "implementing zero trust" to tracking "has achieved a specific measurable reduction in enterprise risk through zero-trust mechanisms," the 63% figure would look very different.