Zero trust architecture is not a product you can buy
Zero trust has been absorbed by the security vendor market so thoroughly that it is now possible to buy a zero trust product without making a single zero trust architecture decision. The product gets deployed, a dashboard turns green, and the organisation continues to operate on implicit trust assumptions that zero trust was supposed to eliminate.
Zero trust is an architecture principle, not a product category. It means no user, device, or system is trusted by default, regardless of network location. Access is granted based on verified identity, device health, and least privilege, and it is continuously verified rather than assumed after initial authentication: credentials are short-lived, and each access is re-evaluated against current device posture and policy instead of riding on a session that was trusted once at login.
Where most zero trust implementations fail
The most common zero trust implementation failure is perimeter thinking with a zero trust label. The organisation deploys identity-aware proxies in front of its cloud applications but leaves the internal network operating on the assumption that anything inside the firewall is trusted. The legacy estate, the on-premises systems, and the service accounts continue to run on implicit trust, so an attacker who lands on one internal host still has the old flat network to move through. The attack surface reduction is partial. The compliance box is ticked.
The second most common failure is treating zero trust as an identity problem only. Identity is a necessary component: strong authentication, device management, conditional access. But zero trust also requires network micro-segmentation, application-level access controls, and continuous monitoring. Deploying an identity provider and calling it zero trust leaves most of the attack surface unchanged.
The architecture decisions zero trust requires
Moving to zero trust requires explicit decisions about how devices are enrolled and health is verified; what the authoritative identity source is and how it connects to resource access; how service-to-service communication is authenticated; and how network access is segmented so that a compromised account cannot move laterally across the estate.
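To make the definition above and these four decisions concrete, here is a toy policy decision point as an added example; it is not code from the original article or from any product. Every request is evaluated on identity (a signed, short-lived token from a single authoritative identity source), device health, least privilege, and network segment, and the evaluation repeats on every request rather than once at login. The signing key, roles, segments, resource names, and health thresholds are all hypothetical.

```python
# Added example, not part of the original article: a toy zero trust policy
# decision point (PDP). Each request is checked on identity, device health,
# least privilege and network segment, on every call rather than once at login.
# Key, roles, segments and thresholds are hypothetical.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

IDP_KEY = b"hypothetical-idp-signing-key"  # stand-in for the IdP's signing key
TOKEN_TTL = 300  # 5-minute tokens: a stolen session does not stay valid all day

# Least privilege: role -> allowed (resource, action) pairs.
ROLE_PERMISSIONS = {
    "payroll-reader": {("payroll-api", "read")},
    "payroll-admin": {("payroll-api", "read"), ("payroll-api", "write")},
    "ci-service": {("artifact-store", "write")},
}
# Segmentation: resource -> source segments allowed to reach it at all.
RESOURCE_SEGMENTS = {
    "payroll-api": {"corp-managed", "vpn-managed"},
    "artifact-store": {"ci-runners"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, roles, kind, mfa, now):
    """Stand-in for the identity provider: HMAC-signed claims with an expiry.
    kind is "user" or "workload"; workloads (service identities) have no MFA."""
    claims = {"sub": subject, "roles": sorted(roles), "kind": kind,
              "mfa": mfa, "iat": now, "exp": now + TOKEN_TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def verify_token(token, now):
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. Runs on every request, not just at login."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    return None if now >= claims["exp"] else claims

@dataclass
class Device:
    device_id: str
    enrolled: bool        # present in the device inventory / MDM
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int

def device_health_failures(device):
    """Posture checks a device must pass; thresholds are hypothetical."""
    failures = []
    if not device.enrolled:
        failures.append("device not enrolled")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_running:
        failures.append("EDR not running")
    if device.patch_age_days > 30:
        failures.append("patches older than 30 days")
    return failures

@dataclass
class Request:
    token: str
    device: Device
    src_segment: str
    resource: str
    action: str

def decide(req, now=None):
    """Evaluate one access request. Returns (allowed, reasons); deny by default.
    Network location is one input among several and never grants access alone."""
    now = time.time() if now is None else now
    claims = verify_token(req.token, now)
    if claims is None:
        return False, ["identity: token invalid or expired"]
    reasons = []
    if claims["kind"] == "user" and not claims["mfa"]:
        reasons.append("identity: MFA not satisfied")
    reasons += ["device: " + f for f in device_health_failures(req.device)]
    if req.src_segment not in RESOURCE_SEGMENTS.get(req.resource, set()):
        reasons.append(f"network: {req.src_segment} may not reach {req.resource}")
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims["roles"]))
    if (req.resource, req.action) not in permitted:
        reasons.append(f"authz: {claims['sub']} lacks {req.action} on {req.resource}")
    return not reasons, reasons
```

The point of the structure is that each of the four decisions in the paragraph above is a separate, explicit input to `decide`: a valid token from the identity source is necessary but not sufficient, an enrolled device with EDR stopped is refused even with a fresh token, and a workload identity reaching a resource from the wrong segment is refused even though its role would permit the action. Swapping the HMAC stand-in for real IdP-signed tokens and the static dictionaries for a policy store does not change the shape.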
Start with identity, extend to everything else
The practical path for most organisations is to establish a strong identity foundation first: unified directory, MFA everywhere, conditional access. Then use that foundation to progressively extend zero trust principles to higher-risk systems and access patterns. Do not declare zero trust complete when the identity layer is in place.