
Ask ten experts to describe the current state of zero trust and you will get ten different answers. We asked dozens of experts.
Zero trust is not a thing; it is an idea. It is not a product; it is a concept – it is a destination that has no precise route and may never be reached. But it is described very succinctly: trust nothing until the trust is justified.
Justification starts with verifying every subject’s identity and authority. This is the single constant in all zero trust journeys: they start with the subject’s identity.
Zero trust’s reliance on identity, and identity’s reliance on AI
Two questions. Can you have zero trust without effective identity verification? No. Can you have effective identity verification in the age of AI? Maybe, and maybe not.
There is universal agreement that you cannot have zero trust without effective identity management. “Zero trust is not possible without an identity-first approach – they are fundamentally interconnected. Trust cannot be verified if the identity itself cannot be verified,” says Rob Ainscough, chief identity security advisor at Silverfort.
“Zero trust and identity management are inseparable. Without trustworthy, continuously verified identities, the whole model collapses,” adds Avinash Rajeev, cyber, data & tech risk leader, PwC US.
But identity is no longer a simple concept in cyber. It could be human or a machine or a process. “Traditional IAM systems, built for humans, struggle to manage this explosion of non-human identities, blurring the line between trusted and untrusted entities,” comments Mick Leach, field CISO at Abnormal AI.
One growing complexity comes from the continuing convergence of OT and IT. “In OT, managing identities across distributed, disconnected, and often credential-less systems remains a major hurdle,” explains Raed Albuliwi, CPO at Xona.
“To truly achieve zero trust, organizations must extend identity-based security to the machines and services operating inside OT environments,” says Anusha Iyer, founder and CEO at Corsha.
“The real breakthrough will be identity solutions that are OT-native: low-friction, infrastructure-agnostic, and enforceable at the session layer without rewriting plant architectures,” adds Albuliwi.
“Zero trust for OT is not simply IT policy pushed down to OT. It is a new foundation for safe, resilient, and automated industrial operations,” continues Iyer.
Beyond OT, identity is also being disrupted by the same disruptive force affecting the entirety of business and society: the rise of artificial intelligence (AI). And as elsewhere, AI can both assist and hinder defenders and assist attackers.
Since identity is the fount of security, it is also the primary target of attackers. Phishing is a major method attackers use to steal identities, and the quality of phishing attacks has been supercharged by AI: compelling backstories and very realistic voice and video deepfakes.
John Kindervag, chief evangelist at Illumio (and often described as the ‘father of zero trust’), warns, “As deepfakes proliferate, cybercriminals will easily exploit authentication systems, especially since protocols like FIDO were never designed to counter such threats. In response, organizations will add new layers of control to make identity harder to bypass, but this will create so much friction that many will eventually rethink or even abandon traditional identity models altogether.”
His concern is that AI will enable attackers to break the authentication of identities. “The core weakness of identity today is its inability to prevent attacks after authentication.”
AI is not merely an attackers’ advantage; it is also a defenders’ nightmare. The culprit here is the advance of agentic AI. “Today, few organizations have deployed agentic AI in production. But, as more companies begin to operationalize agentic AI at scale, its unpredictable interactions will expose a new class of identity and access management challenges,” explains Anand Srinivas, VP product and AI at 1Password.
“Until now, identity, secrets and access management solutions have been siloed across different organizations responsible for application or workforce identity security,” he continues. “That worked when applications were deterministic, well-bounded entities all operating within centralized policy frameworks. However, agentic AI behaves as both traditional software and as a user that operates outside existing identity systems, thereby introducing new identity threat vectors.”
That said, opinions on the state and promise of zero trust today and going forward vary between experts, largely depending on whether they are glass-half-full or glass-half-empty people.
Murat Balaban, CEO at Zenarmor, comments, “Without validated identity, context, and behavior, ‘never trust, always verify’ collapses. AI makes this harder and easier all at once; harder because synthetic identities and deepfakes distort signals, and easier because AI-driven analytics can detect behavioral anomalies faster than humans ever could.”
Rajeev adds, “The rise of AI introduces both risk and opportunity. Deepfakes and synthetic identities can undermine trust, but AI-driven behavioral analytics and continuous authentication can strengthen it. Risk-based approaches – evaluating location, device health, and user behavior – let us scale protection intelligently.”
David Bellini, CEO at CyberFOX, continues, “We can use AI to automate the very controls that overburden IT teams. Instead of relying on manual processes, we can use intelligent systems to manage privileges, verify identities, and block suspicious activities. The goal isn’t to add more work; it’s to make security invisible and effective.”
The most common view is that recent and ongoing complications to identity management can be solved with modern technology, but only with care and commitment. There will always be failures, so identity management must project itself beyond the point of failure (the old perimeter). Microsegmentation within the network can enforce ongoing authentication and limit traversal to authorized areas, while anomaly detection can flag an authorized identity behaving in a way that is unusual for it.
“I believe by combining AI based behavior anomaly with identity and microsegmentation we are probably doing better than the attackers,” says Agnidipta Sarkar, chief evangelist at ColorTokens.
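To make the preceding combination concrete, the following is an added example (not code from the article or from any vendor quoted in it) of an access decision that keys on identity rather than network location: a constructed segmentation policy says which segments each identity may reach, a per-identity baseline is learned from a constructed access log, and a request outside that baseline is escalated to step-up authentication rather than silently allowed. Identities, segments and log entries are all invented for illustration.

```python
from collections import defaultdict

# Constructed segmentation policy: identity -> segments it is authorized to reach.
# Note that no IP ranges or hostnames appear; the subject is the identity.
SEGMENT_POLICY = {
    "alice": {"hr-apps", "shared-services"},
    "svc-backup": {"storage", "shared-services"},
}

# Constructed access history: (identity, segment, source country, UTC hour).
ACCESS_LOG = [
    ("alice", "hr-apps", "DE", 9),
    ("alice", "hr-apps", "DE", 10),
    ("alice", "shared-services", "DE", 11),
    ("alice", "hr-apps", "DE", 14),
    ("svc-backup", "storage", "DE", 2),
    ("svc-backup", "storage", "DE", 3),
    ("svc-backup", "storage", "DE", 2),
]


def build_baselines(log):
    """Learn, per identity, the countries and hours of day seen in history."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ident, _segment, country, hour in log:
        baseline[ident]["countries"].add(country)
        baseline[ident]["hours"].add(hour)
    return baseline


def _hour_distance(a, b):
    """Circular distance between two hours of day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def evaluate(event, baseline, policy=SEGMENT_POLICY, max_hour_drift=3):
    """Return (decision, reasons); decision is 'allow', 'step-up' or 'deny'.

    Segmentation is enforced first (a hard deny), then behaviour is compared
    against the identity's own baseline (a soft signal that triggers step-up).
    """
    ident, segment, country, hour = event
    if ident not in policy:
        return "deny", ["unknown identity"]
    if segment not in policy[ident]:
        return "deny", [f"segment {segment} not authorized for {ident}"]

    reasons = []
    seen = baseline.get(ident)
    if seen:
        if country not in seen["countries"]:
            reasons.append(f"new country {country}")
        if min(_hour_distance(hour, h) for h in seen["hours"]) > max_hour_drift:
            reasons.append(f"unusual hour {hour:02d}:00 UTC")
    return ("step-up", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    baselines = build_baselines(ACCESS_LOG)
    for ev in [("alice", "hr-apps", "DE", 10),
               ("alice", "hr-apps", "RU", 3),
               ("alice", "storage", "DE", 10),
               ("svc-backup", "storage", "DE", 14)]:
        print(ev, "->", evaluate(ev, baselines))
```

The ordering matters: segmentation denies are unconditional, while behavioural anomalies only raise the bar (step-up) because a baseline can be wrong or incomplete; a production system would also feed step-up outcomes back into the baseline.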
Obstacles to achieving zero trust
“Most organizations only start working toward zero trust after an auditor, insurance requirement, or compliance standard forces them to. That approach misses the point,” says Chris Boehm, field CTO at Zero Networks. “When security becomes about passing an audit, companies start checking boxes instead of changing habits. They implement multi-factor authentication, close a few ports, or segment part of the network, then declare success. It looks good on paper but rarely holds up in reality.”
This is worth considering, since – as we shall see – there is a body of opinion that believes current delays in progressing zero trust will be minimized over the next few years through the force of compliance requirements and cyberinsurance instructions.
Boehm warns that this may be a risky cause and effect. “It’s like a diet. You can start it because someone told you to, or you can live it because you want to be healthy. Only one approach lasts. We may never reach perfect zero trust, and that is fine. The point is not to finish but to stay consistent. Like a diet, the value comes from maintaining the practice, not from declaring it complete.”
But what are those obstacles that will only be truly overcome by a complete change to our current security lifestyle? The first is simple: an ingrained belief that zero trust is an achievable destination. It isn’t.
“We’ve been discussing zero trust for a long time as if it were a destination – like a secure digital city we could create and move into, protected from every form of danger. This couldn’t be further from the truth,” says Bellini. “For most companies, whether in the midmarket or in public institutions, true zero trust remains a form of nirvana, a goal that’s true but impossible to achieve.”
He suggests that in 2026, “It is time we shift our discourse from perfection to progress. Working toward a state of zero trust is a journey – a day-by-day task – not a destination.”
Zero trust may be a destination condition, but it will never be a box we can check and move on from. The route is riddled with obstacles. We know the current obstacles, but we should assume that new ones will appear even while we work on solving those we already face.
Dario Perfettibile, VP and GM of European operations at Kiteworks, explains one of the most intractable – the legacy perimeter. “We will eventually get there, but timelines extend well beyond 2026 due to fundamental structural barriers. Private data exchanges must simultaneously secure data flows across partners’ legacy systems, cloud environments, and on-premise infrastructure, while maintaining operational compatibility with hundreds of exchange participants at varying security maturity levels.”
He continues, “The perimeter remains organizationally embedded despite being technically dead. Forty-eight percent of businesses report difficulties integrating zero trust across hybrid environments because security teams, procurement processes, and partner contracts still assume network boundaries define trust zones.”
The perimeter problem encompasses many of the difficulties that delay the journey to zero trust: lack of budget and reluctance to swap out legacy equipment and attitudes; security professionals’ failure to adequately explain the necessity for physical, attitudinal and organizational change; the complexity of what is required; and an ongoing user resistance to any change.
“Many companies are facing budget constraints that limit their ability to invest in new technologies like ZTNA (zero trust network access) if they already have current solutions working, such as VPNs,” comments Jesus Cordero-Guzman, director at Barracuda. “Security budgets are commonly allocated to immediate needs rather than long-term strategic initiatives.”
Balaban adds, “Legacy infrastructure resists segmentation, budgets favor visibility tools over architecture redesign, and users resist anything that slows them down.”
Dwayne McDaniel, senior developer advocate at GitGuardian, notes that while everyone accepts the perimeter is dead, most organizational charts and budget lines reflect its continued existence. “Even more than a lack of funding, the thing holding most teams back from embracing new ways to work with identity is legacy architecture. We have a comfort level with old patterns, and users push back when access feels slower,” he says.
Paul Nguyen, co-founder and co-CEO at Permiso, suggests that the necessary organizational change is more disruptive than any technology implementation. “CISOs must restructure teams, redefine responsibilities, update hiring practices, and change how teams collaborate.”
The complexity of the ‘new ways’ is seen in the need for ‘identity’ to expand from people to everything. “Workloads need cryptographic identities that are automatically issued and managed at scale. Every call between services needs to be authenticated and authorized based on that identity, not on network location. We are seeing wider adoption of frameworks like SPIFFE that point in the right direction, where baked-in, workload-centric identity travels with the service, regardless of where it runs. Without that level of workload identity, zero trust collapses back into IP ranges, hostnames, and one-off exceptions, which is just the old perimeter model in new clothes,” he explains.
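As an added illustration of what “authorized based on that identity, not on network location” looks like in code (this is not Permiso’s or the SPIFFE project’s code), the block below validates a SPIFFE ID string against the public SPIFFE ID format (spiffe://trust-domain/path, with a lowercase trust domain, no empty, “.” or “..” path segments, and no query or fragment) and then checks a service-to-service call against a constructed allowlist policy. The trust domain example.org, the workload paths and the policy edges are all invented for the example; a real deployment would take the ID from the URI SAN of the workload’s X.509 SVID rather than from a string.

```python
import re

# Character rules from the SPIFFE ID format: trust domain is lowercase,
# path segments may also contain uppercase letters.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_spiffe_id(spiffe_id):
    """Validate a SPIFFE ID and return (trust_domain, path); raise ValueError if invalid."""
    prefix = "spiffe://"
    if not spiffe_id.startswith(prefix):
        raise ValueError("scheme must be spiffe://")
    rest = spiffe_id[len(prefix):]
    trust_domain, slash, path = rest.partition("/")
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain {trust_domain!r}")
    if slash and not path:
        raise ValueError("trailing slash is not allowed")
    if "?" in path or "#" in path:
        raise ValueError("query and fragment are not allowed")
    segments = path.split("/") if path else []
    for seg in segments:
        # Empty, '.' and '..' segments would allow path confusion in policy matching.
        if seg in ("", ".", "..") or not _SEGMENT_RE.match(seg):
            raise ValueError(f"invalid path segment {seg!r}")
    return trust_domain, ("/" + path) if path else ""


# Constructed policy: caller identity -> callee identities it may invoke.
# There are deliberately no IP ranges or hostnames here.
CALL_POLICY = {
    "spiffe://example.org/ns/prod/sa/api-gateway": {"spiffe://example.org/ns/prod/sa/orders"},
    "spiffe://example.org/ns/prod/sa/orders": {"spiffe://example.org/ns/prod/sa/payments"},
}


def authorize_call(caller_id, callee_id, trust_domain="example.org", policy=CALL_POLICY):
    """Allow only if both IDs are well-formed, in our trust domain, and the edge is in policy."""
    try:
        caller_td, _ = parse_spiffe_id(caller_id)
        callee_td, _ = parse_spiffe_id(callee_id)
    except ValueError:
        return False
    if caller_td != trust_domain or callee_td != trust_domain:
        return False
    return callee_id in policy.get(caller_id, set())


if __name__ == "__main__":
    gw = "spiffe://example.org/ns/prod/sa/api-gateway"
    orders = "spiffe://example.org/ns/prod/sa/orders"
    payments = "spiffe://example.org/ns/prod/sa/payments"
    print(authorize_call(gw, orders))                      # True
    print(authorize_call(gw, payments))                    # False: no direct edge
    print(authorize_call("spiffe://evil.example/ns/prod/sa/api-gateway", orders))  # False
```

Because the decision depends only on the presented identity and the policy graph, moving a workload to another subnet, cluster or cloud changes nothing, which is the property the quote is describing. The validator is also where malformed IDs are rejected before they reach policy lookup.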
Another reason for a delayed implementation is a resistance to change based on the comfort level of IT staff with their existing technologies, suggests Cordero-Guzman. But he adds, “The strongest resistance may come from ordinary employees who resist changes to their access methods, especially if they perceive ZTNA as cumbersome or if it disrupts their habits and workflows. This can often lead to pushback against new security implementations.”
However, despite the overwhelming recognition of the blocks on the road toward zero trust, and the time it has taken to reach the current stage (remember that John Kindervag published his paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security 15 years ago), most security experts are confident that huge progress will be made in the coming years.
Some believe the progress will be an organic recognition of the necessity, but many believe the progress will be forced.
“These barriers will decline as modern identity-first platforms mature and as regulation and cyber insurance increasingly demand measurable zero trust progress,” says Nigel Gibbons, director and senior advisor at NCC Group.
“An uninformed or confused customer does not buy. However, when an incident occurs that wakes them up, suddenly security becomes a priority. The same applies when an insurance policy renewal has new audit requirements. The purchase is then made for compliance reasons. If the insurance requirements continue on their path of sophistication, that is the best hope for SMBs to obtain better security. Just ask anyone why / when they finally applied MFA, and it will be one of the above reasons only,” expands David Redekop, CEO at ADAMnetworks.
“I have also seen more budget reallocations over the last 12 to 18 months, as companies begin to invest in solutions that help with compliance and regulatory demands,” agrees Cordero-Guzman.
“The catalyst in 2026 is regulation, insurance pressure, and board liability,” adds Aaron Painter, CEO at Nametag.
There is a potential problem here. If the advance of zero trust is based on organic recognition of its benefits, that is good. But if the advance is forced solely by compliance necessity, it could be very bad. Regulations tend to lag behind necessity and also encourage check-box compliance. Check-box compliance tends to be the minimal necessary rather than the best solution. It reflects Boehm’s earlier diet metaphor: the danger of checking boxes rather than changing habits.
The zero trust journey
Most people believe in zero trust, and that is admirable. Many people believe it is achievable, and that is questionable. Some people believe they have achieved it, and that is doubtful.
Zero trust is an aspiration at the end of a road that keeps shapeshifting. If we accept the premise that full zero trust cannot be definitively achieved, zero trust can only be measured as a position along the road; that is, partial zero trust.
This raises a double-barreled question: is partial zero trust worth the effort, and/or does it encourage a false sense of security?
Chris Radkowski, GRC Expert at Pathlock, has no doubt. “Yes, partial zero trust is absolutely worth the effort! Genuinely securing critical assets is important, even if you can’t secure everything. This dramatically improves your posture. Attackers might be able to gain access to your corporate networks; however, with zero trust you might be able to prevent access to your crown jewels.”
While most experts agree the journey is essential, and partial is better than nothing, that advice comes with a proviso: it can promote a false sense of security when a little zero trust is treated as full zero trust.
“Organizations must remember that zero trust is not a single product; it’s a framework. The mistake that imbues a false sense of security is believing that one product fits all zero trust needs or that once you implement it, you don’t need to revisit it. That static thinking is where the real danger lies. Zero trust is a framework that needs to be continuously reviewed and adapted as users, applications, and threats change,” warns Negin Aminian, senior manager of cybersecurity strategy at Menlo Security.
“Partial zero trust is like partial containment in a fire,” suggests Xona’s Albuliwi. “It may slow damage but won’t stop it. In OT especially, half measures can be dangerous. If you apply zero trust to remote access but still allow unmanaged OEM software or shared credentials inside the perimeter, you’ve created a soft underbelly. That said, incremental progress is better than inertia if leaders are clear-eyed about the remaining risk.”
Asha Aminian, VP of marketing at Zenarmor, suggests, “Partial zero trust is infinitely better than none if it is intentional. The danger isn’t being incomplete; it is being inconsistent. Too many organizations stop at MFA or SSO and mistake access control for zero trust.”
This is the crux. Not attempting zero trust because it is too difficult, too complex, or too costly, is dangerous. Companies should always attempt to migrate to zero trust, acknowledge that it is a long journey, acknowledge that there will always be more to do, and be fully aware of what remains to be done. Without this, there is a distinct danger of a false sense of security.
“Partial zero trust is not a failure: it’s a foundation. While it can create a false sense of security if misunderstood, even limited implementations like least privilege access or segmented networks offer meaningful protection. The key is to validate posture continuously and close gaps as they emerge,” explains Garrett Hamilton, CEO & founder at Reach Security.
“Treat zero trust like safety in aviation. You build procedures, you verify identity, and you learn from every incident. Perfection is not the goal. Continuous proof is,” adds Painter. “Partial zero trust is not a false sense of security if it is measurable. Publish the blast radius you reduced and the pathways you closed. If you cannot measure it, you are decorating. Just be honest about what remains open and make that list shorter every quarter.”
Zero trust going forward
Although no single definition of zero trust suits all companies in all industry verticals, and what is meant by zero trust therefore remains ill-defined, confidence in its eventual achievement is high among many security experts.
“The era of implicit trust will end with 2025. In its place will be a culture of continuous verification and intelligence authentication. Forward-thinking organizations will recognize identity as the new perimeter and understand that safeguarding it – as well as that of every vendor, partner and supplier they work with – is fundamental to reputation and growth,” says Dan Schiappa, president, technology and services at Arctic Wolf.
“In 2026, zero trust won’t just be a security model, it will be a corporate lifestyle and a defining principle of digital leadership,” he adds.
“In 2026, zero trust will be less about conceptual frameworks and more about operational architecture, especially within the LAN. Enterprise networks will enforce identity, segmentation, and policy as continuous behaviors rather than scheduled tasks. The LAN itself will become intelligent and adaptive – managed as a service where AI continuously verifies trust, optimizes performance, and mitigates anomalies,” says Shashi Kiran, chief go-to-market officer at Nile.
“Successful identity management is possible in 2026, but only through a layered approach. Organizations will need adaptive authentication that verifies the elements that make us human through multi-factor authentication and risk scoring,” says Adam Boynton, senior security strategy manager, EMEIA at Jamf.
“True zero trust requires comprehensive identity security: continuous discovery of all identities (human, non-human, AI), verification of every access request, enforcement of least-privilege across all identity types, behavioral monitoring for all identities. Few organizations will attempt this in 2026,” warns Nguyen.
“Will they get there? Yes, but over a longer timeline. Organizations will achieve comprehensive zero trust by 2027-2029, not 2026. The journey is longer because the organizational and technical complexity exceeds most expectations,” he adds.
Bert Kashyap, co-founder and CEO at SecureW2, says, “In 2026, the internal debate will no longer be ‘Should we do zero trust?’ It will be ‘How fast can we remove each remaining pocket of implicit trust?’ Teams that rely on legacy models will fall behind. Teams that build continuous verification into their architecture will see a smaller blast radius, faster detection, and more predictable operations.”
Keith McCammon, co-founder at Red Canary (acquired by Zscaler), sees necessity forcing a change of pace. “In 2026, zero trust principles and implementation will shift from ambition to necessity. Security budgets are tightening, SOC teams aren’t growing, and identity-based threats are multiplying. The pressure to do more with less will force organizations to simplify, not expand toolsets or headcount. As a result, zero trust will move from a long-term aspiration to the first practical step in defense.”
Ariel Parnes, former IDF 8200 cyber unit colonel and COO at Mitiga, is less confident of success. “The biggest security incidents in 2026 will stem from compromised identities within supposedly zero trust environments.”
He continues, “The illusion of control will persist until identity management becomes contextual and adaptive, powered by AI that can interpret intent, not just credentials. This will redefine what ‘trust’ means in a world where access is always conditional, and compromise often comes from within.”
All of these different expectations for zero trust now and into the future, where nobody is wrong and nobody can be completely right, stem from the difficulty in explaining the nature of zero trust.
We describe zero trust as a concept, as a destination, as an aspiration, as a journey. The truth is it is none (and all) of these. Zero trust is a way of life – a constant acceptance that all implicit trust must be replaced by explicit trust, wherever, whenever, and however it occurs. There is no single product nor final destination for a way of life – it is continuous, ongoing, forever – and essential.