Home About Projects Blog Subscribe Login

Why "Zero Trust" Is Still Just a Marketing Term for Most

If you still have a VPN, you do not have Zero Trust. Most implementations are just slightly less trust. Here is what the real architecture requires.

"Zero Trust" has become one of those phrases that sounds precise until you ask one simple question: what, exactly, stopped trusting what?

Most companies say they are doing Zero Trust because they added MFA, rolled out a VPN replacement, or put a shiny identity provider in front of a few internal apps. That's not Zero Trust. That's perimeter security with better branding.

If you still have a network model that says, "Once you're in, you're mostly fine," you have not eliminated trust. You have only moved it. Usually from the office firewall to an SSO login screen.

This matters because the threat model changed faster than the language. Work is distributed. Devices are unmanaged. vendors connect from everywhere. APIs talk to other APIs without a human ever touching the flow. And attackers no longer need to smash the front door. They borrow identity, ride a session, abuse a token, and look completely legitimate while they do it.

That's why I get skeptical when I hear vendors promise Zero Trust in a box. Trust is not a product category. It's an architectural discipline. And for most companies, it's still more aspiration than reality.

The original promise was right

The core idea behind Zero Trust is sound: stop treating network location as proof of legitimacy.

That was the old model. If traffic came from the corporate network, or over a trusted tunnel, it was considered safer by default. Applications trusted source ranges. Internal dashboards were exposed because "only employees can reach them." Flat networks made lateral movement easy. Shared credentials lingered for years. Machine identities were an afterthought.

In that world, compromise spread quietly. One phished account became a foothold. One weak bastion became an operations bridge. One forgotten service account became permanent access.

Zero Trust was supposed to kill that entire mental model. Verify every request. Scope access narrowly. Bind trust to identity and context, not location. Assume breach. Minimize blast radius.

That remains the right direction. But somewhere along the way, many organizations translated a strategic architecture into a procurement checklist.

Where most "Zero Trust" programs fail

In practice, I see five recurring failures.

The result is what I call "slightly less trust." Better than nothing, but not the model people think they bought.

What true Zero Trust actually looks like

A real Zero Trust architecture is not defined by one product. It's defined by how decisions are made at request time.

At a minimum, every access decision should be shaped by four things:

That context includes geography, device health, time, sensitivity of the action, workload identity, recent behavior, and whether the credential is fresh enough for the risk level involved.

Notice what's missing from that list: IP range as a primary trust signal.

In a true Zero Trust model, access becomes:

This is the difference between "trusted user on trusted network" and "specific identity on a healthy device performing a permitted action for a limited time."

The VPN test is crude, but useful

I often use a deliberately provocative shorthand: if you still depend on a VPN for broad internal access, you probably do not have Zero Trust.

That doesn't mean every tunnel is automatically wrong. Some legacy environments still need them. Some industrial systems cannot be modernized in one step. Some emergency paths must remain available when more elegant control planes fail.

But the VPN test is still useful because it exposes the architectural question: what happens after connection?

If the answer is "the user can now see a large internal surface area," you've preserved the old trust boundary. You've just moved it closer to the endpoint.

Zero Trust should make network access less meaningful, not more. The network should be transport. The actual trust decision should happen at the application, identity, and policy layer.

The overlooked half: workload identity

The next big shift is that Zero Trust can no longer be human-centric.

In modern infrastructure, machines outnumber people by orders of magnitude. Agents call APIs. CI pipelines deploy artifacts. microservices fetch secrets. edge nodes make autonomous routing and mitigation decisions. If those identities are coarse, shared, or static, you've built a human Zero Trust shell around a machine trust swamp.

This is why workload identity is becoming foundational. Every service should authenticate as itself. Every call should be attributable. Every machine credential should be short-lived and scoped to one role. And no system should be able to impersonate three others just because someone reused a secret six months ago.

For security teams, this is operationally harder than SSO rollout. But it is where the real reduction in blast radius happens.

Why most rollouts stall

Zero Trust projects don't usually fail because the principle is wrong. They fail because the migration touches power structures, legacy systems, and engineering habits.

Least privilege breaks convenience. Device compliance breaks bring-your-own-chaos. Short-lived credentials break brittle scripts. Micro-segmentation exposes undocumented dependencies. Stronger authorization reveals how many users had access they could never justify.

In other words: Zero Trust works by removing ambiguity. Organizations often discover they were relying on that ambiguity to move fast.

That's why successful programs are not framed as "install this platform." They are framed as a multi-quarter redesign of access, identity, and operational hygiene.

A practical sequence that actually works

If I were starting from scratch today, I would not begin with a giant transformation deck. I would begin with sequence.

That's not glamorous. But real security rarely is. It's disciplined reduction of unnecessary trust, repeated until the environment stops depending on blind faith.

The strategic payoff

Done properly, Zero Trust is not just a security upgrade. It's an operating model upgrade.

You get cleaner identity architecture. Better auditability. Faster incident containment. Safer automation. More confidence in distributed work. More resilience when a credential leaks, a device is compromised, or a third-party integration behaves unexpectedly.

Most importantly, you stop lying to yourself about what "internal" means. In 2026, internal is not a place. It's a policy outcome.

That is the mindset shift many organizations still haven't made.

Call it what it is

I'm not against the term Zero Trust. I'm against using it too cheaply.

If your architecture still grants broad standing access, trusts static credentials, ignores device state, and treats workload identity as optional, call it an access modernization program. Call it identity hardening. Call it a step in the right direction.

Just don't call it Zero Trust yet.

Because the real version is harder than the brochures suggest. It requires architectural honesty. It forces tradeoffs. And it asks leaders to give up the comforting fiction that once someone is "inside," they are safe enough.

They aren't. They never were.

The companies that understand this earliest won't just be more secure. They'll be structurally more resilient-because they built their systems around continuous verification instead of inherited trust.

That's the difference between marketing language and infrastructure reality. And in security, reality always wins.


Follow the journey

Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.

Subscribe →