The zero trust approach to cybersecurity access control is more than 15 years old, but organizations continue to struggle with its implementation, due in large part to fragmented tooling and legacy infrastructure.

A recent report from Accenture paints a picture of widespread industry struggles in rolling out zero trust technologies, a perspective in line with the experiences of experts and security practitioners quizzed on the topic by CSO.

Zero trust networking applies a security framework in which no user or device is trusted by default. Under zero trust, every access attempt requires authenticating the identity of the requester and verifying the compliance of the device, regardless of whether the request originates inside or outside the organization's network.

The approach contrasts with traditional “castle and moat” models where devices within an enterprise network were trusted by default.

Many enterprises have progressed slowly on their zero trust journeys largely because implementation requires a fundamental shift in both mindset and infrastructure. Key roadblocks include:

  • Legacy systems that weren’t designed for zero trust principles,
  • Fragmented identity and access tools that make unified enforcement difficult, and
  • Cultural and organizational resistance to changing long-standing trust models.

Kyle Wickert, field CTO at AlgoSec, says zero trust remains one of the most misunderstood transformations in cybersecurity.

“Many organizations still hesitate to pursue it because they associate zero trust with rigid architectures, operational complexity, and high implementation costs,” Wickert says. “That perception is rooted in the legacy days of reassigning IPs, redesigning routing, re-plumbing VLANs, or physically rewiring environments just to enforce segmentation policies.”

The industry-wide shift to software-defined and cloud-driven data centers has removed many of those legacy hurdles while creating new issues in the shape of growing policy and application complexity.

“One of the biggest obstacles to zero trust at scale is no longer the infrastructure — it’s the challenge of defining, governing, and maintaining policies that adapt across hybrid networks, spanning on-prem firewalls, cloud-native controls, SDN, SD-WAN, and SASE technologies,” Wickert says. “The most effective way to overcome these challenges is to shift the focus of segmentation from ‘devices and subnets’ to applications and their connectivity.”

Richard Holland, field CISO at threat-led cybersecurity firm Quorum Cyber, argues that zero trust represents a method to mature an organization’s security health rather than a set of products and services.

“I would argue that the technology to achieve zero trust has been in existence for some time and CISOs and CIOs may have already found themselves on a roadmap without realizing it is zero trust,” Holland says. “By treating zero trust as a journey to improve cybersecurity health, and by taking small bite-size chunks, you can iterate through a series of improvements in relatively quick succession.”

Other cybersecurity experts contend that zero trust migrations offer an opportunity to support more ambitious IT transformation projects.

Stephen Fridakis, CISO in residence at Cyderes, says the shift from network-based rules to identity-based rules inherent in zero trust implementations offers a roadmap to “safer, simpler, and more durable” enterprise architectures.

“IP ranges, VLANs, and physical locations are brittle and age badly, especially with M&A churn and cloud adoption,” Fridakis explains. “Identity-based access follows the user and device, not the network.”

He adds: “It eliminates firewall sprawl, reduces engineering overhead, and enforces intent instead of infrastructure.”
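To make the shift described above concrete, here is a small added example that is not part of the CSO article and not code from any of the vendors quoted. It evaluates the same constructed access requests under a perimeter rule (trust anything from the corporate LAN) and under a zero trust rule (verify a signed identity token, check device posture, then consult an application-level allow list keyed on identity rather than address), which is the "devices and subnets" versus "applications and their connectivity" distinction Wickert draws and the identity-based access Fridakis describes. The signing key, token format, IP ranges, users, devices and applications are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo key standing in for the identity provider's signing key
# (an assumption for this example; never embed a real key like this).
IDP_KEY = b"demo-idp-signing-key"

def issue_token(subject: str, expires_at: int) -> str:
    """Issue a minimal 'subject|exp|mac' bearer token (stand-in for an OIDC/JWT)."""
    payload = f"{subject}|{expires_at}"
    mac = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_token(token: str, now: int) -> Optional[str]:
    """Return the subject if the MAC is valid and the token is unexpired, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    subject, exp, mac = parts
    expected = hmac.new(IDP_KEY, f"{subject}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not exp.isdigit() or now >= int(exp):
        return None
    return subject

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    patched: bool

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.patched

@dataclass
class Request:
    src_ip: str
    token: Optional[str]
    device: Device
    app: str

# Perimeter ("castle and moat") policy: trust is a property of the source address.
CORP_LAN = ipaddress.ip_network("10.0.0.0/8")

def perimeter_decision(req: Request) -> bool:
    return ipaddress.ip_address(req.src_ip) in CORP_LAN

# Zero trust policy: which verified identities may reach which application.
# Keyed on identity and application, not IP, so re-addressing or a cloud move
# does not invalidate it.
APP_POLICY = {
    "payroll-api": {"alice@example.com", "svc-hr-portal"},
    "wiki": {"alice@example.com", "bob@example.com"},
}

def zero_trust_decision(req: Request, now: int) -> Tuple[bool, str]:
    """Every request, wherever it comes from, must pass identity, device and app policy."""
    subject = verify_token(req.token or "", now)
    if subject is None:
        return False, "identity not verified"
    if not req.device.compliant():
        return False, "device not compliant"
    if subject not in APP_POLICY.get(req.app, set()):
        return False, f"{subject} not permitted to reach {req.app}"
    return True, f"{subject} -> {req.app}"

# Constructed scenarios evaluated at a fixed clock so the results are reproducible.
NOW = 1_700_000_000
GOOD = Device(managed=True, disk_encrypted=True, patched=True)
UNMANAGED = Device(managed=False, disk_encrypted=False, patched=False)
ALICE = issue_token("alice@example.com", NOW + 600)
BOB = issue_token("bob@example.com", NOW + 600)
ALICE_EXPIRED = issue_token("alice@example.com", NOW - 1)

SCENARIOS = {
    "remote_employee": Request("203.0.113.5", ALICE, GOOD, "wiki"),        # off-LAN, legitimate
    "lan_intruder": Request("10.1.2.3", None, UNMANAGED, "payroll-api"),   # on-LAN, no identity
    "lan_wrong_app": Request("10.1.2.4", BOB, GOOD, "payroll-api"),        # on-LAN, not entitled
    "lan_stale_token": Request("10.1.2.5", ALICE_EXPIRED, GOOD, "wiki"),   # on-LAN, expired token
    "lan_unpatched": Request("10.1.2.6", ALICE, UNMANAGED, "payroll-api"), # on-LAN, bad posture
}

def compare(name: str) -> Tuple[bool, bool, str]:
    """Return (perimeter_allows, zero_trust_allows, reason) for a named scenario."""
    req = SCENARIOS[name]
    zt_ok, reason = zero_trust_decision(req, NOW)
    return perimeter_decision(req), zt_ok, reason

if __name__ == "__main__":
    for name in SCENARIOS:
        p, z, why = compare(name)
        verdict = lambda ok: "ALLOW" if ok else "DENY"
        print(f"{name:16} perimeter={verdict(p):5} zero_trust={verdict(z):5} ({why})")
```

Run as a script, the perimeter model admits every request that happens to come from 10.0.0.0/8, including the one with no credential at all, and rejects the legitimate remote employee; the zero trust model reverses each of those outcomes and reports which of the three checks failed, which is the information a policy team needs when it moves segmentation from subnets to application flows.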

Wise up

University of Texas CISO George Finney has discussed zero trust with hundreds of security leaders. Those conversations have uncovered several common denominators on why zero trust projects fail.

Firstly, internal politics has the potential to derail zero trust implementations. “Technology in a company is generally operated and supported in silos,” Finney says. “These different areas may not understand the big picture of how much risk a cybersecurity breach could represent and resist change.”

Conversely, in organizations that have successfully shifted to zero trust, “leadership in every area agree that security is a core part of the success of the organization as a whole,” Finney says.

Insufficient education can also act as a barrier preventing the successful rollout of zero trust technologies, according to Finney.

“Starting a zero trust project requires more than just changing the design of a network or modifying some settings in an application,” he says. “Everyone on the team needs to understand what zero trust is, why the organization is doing it, and what role they’ll play in supporting it.”

“This means that every zero trust project needs to begin with education to help change not just the technology, but the culture of the organization as well,” he adds.

Gary Brickhouse, CISO at GuidePoint Security, notes that an “overly-complex approach” to zero trust has driven up costs and timelines as organizations pursue overly strict alignment with zero trust principles.

“Most organizations would benefit from a simplified risk-based approach, identifying critical use cases that are achievable and deliver the desired outcome of risk reduction,” Brickhouse says. “Early wins improving the security of the organization and moving the ZT [zero trust] needle forward builds confidence across the organization.”

Rob Forbes, CISO at Stratascale, advises security leaders to develop a strategic roadmap before embarking on any zero trust project.

“[CISOs should] start with a comprehensive assessment of their current security posture and assets,” Forbes counsels. “Next, develop a roadmap for zero trust implementation, prioritizing critical assets and high-risk areas.”

These steps should be followed by investments in training and tools to support the transition to a zero trust model, which ought to be left open to further refinement as requirements evolve.

“[Companies should] regularly review and update their zero trust strategy to adapt to new threats and technologies,” Forbes adds.

AI ‘reinforces’ zero trust paradigm

As agentic AI becomes increasingly embedded in the business, standard zero trust principles must be extended to keep the enterprise secure.

By 2027, growth of AI agents will push 50% of CIOs to restructure and automate identity and data access and authorization management to reduce misuse and leakage as part of a zero trust architecture, according to industry analyst firm IDC.

Security experts call on organizations to implement a new wave of zero trust, extending beyond people and devices to include AI agents. In practice, this means enforcing strict context boundaries, trusted domain controls, and AI-specific security reviews.

John Kindervag, chief evangelist officer at Illumio, tells CSO that “AI doesn’t change the zero trust paradigm — it reinforces it.”

“AI operates within the constraints of cybersecurity’s foundational rules, and attacks only work if there’s an open door,” Kindervag argues.

The bigger risk is from AI models, according to Kindervag.

“AI models can become a liability if not governed by zero trust,” he says. “If an organization doesn’t treat its AI models as protect surfaces, they risk manipulation, poisoning, or theft.”

In most cases, AI supports zero trust implementation.

“Good AI highlights high-risk communication patterns, surfaces unusual behaviour, and accelerates processes like labeling and policy implementation,” Kindervag explains. “AI can help in every step of the zero trust five-step methodology, but it really helps organizations to push beyond resilience into anti-fragility.”
