The January Gym Problem: Zero Trust Is Built on Reps, Not Receipts

Key Takeaways
  • Zero trust adoption requires more than tool investment; organizations need sustained discipline and ongoing effort to ensure success
  • Effective programs start with a complete and honest assessment of the current state and existing gaps
  • Organizations commonly focus too much on identity while undervaluing other areas such as network segmentation

Walk into any commercial gym in January and you will find it packed. New members, new gear, fresh motivation. By April, it is back to the regulars. The people who got results were never the ones with the best equipment. They were the ones who showed up consistently, worked every muscle group, and never confused owning a membership with being fit.

For many organizations, zero trust security has the same problem. Those that bought the product and called it a program have long been easy for adversaries to identify.

In truth, zero trust is a continuous discipline built on three principles: verify explicitly, use least privilege, and assume breach. Most organizations already have the tools. What they lack is the consistent, cross-pillar work that turns those tools into an actual security posture. After all, maturity is measured in reps, not receipts.

Most Zero Trust Programs Stall After the Initial Investment

Every year, organizations invest in new products, update their board decks, and announce their zero trust journey. And every year, adversaries find the same gaps: flat networks with implicit east-west trust, service accounts that have never been rotated, and privileged access that accumulated over years without review.

The membership is paid up, but nobody is training.

This is not a failure of intent; zero trust is genuinely difficult to implement comprehensively. It is a failure of execution. A zero trust network access (ZTNA) tool is equipment. Micro-segmentation is equipment. A long list of vendor logos is a very expensive gym bag. As at the gym, none of it produces results without consistent effort across every pillar. That is the work most organizations have not yet operationalized.

Zero Trust Maturity Comes from Repetition, Not Configuration

Effective programs do not start with tools. They start with an honest assessment of current state, gaps, and what sustained execution requires.

Verify explicitly is a continuous process applied to every access request and every session. It integrates identity, device health, network context, and behavior on an ongoing basis, rather than relying solely on initial login.

Least privilege is an ongoing practice of granting only what is required for a specific task and regularly removing excess access. In most environments, access accumulates over time because it is rarely reviewed. That accumulation is where risk lives.

Assume breach is the mindset that holds the program together. It shifts the focus from perimeter defense to containment and resilience. Organizations that internalize this do not design for ideal conditions. They design for compromise.
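The three principles above are easiest to see as a single policy decision that runs on every request rather than once at login. The following is an added example, not code from the original post or from any product it mentions: a small Python policy decision point that combines identity, device posture, network context and a behaviour signal, returns allow, step-up or deny, and is re-run for each request in a session so that a session admitted cleanly at login is denied the moment a later signal changes. The signal names, the 15-minute posture-freshness threshold and the sample session are all constructed for illustration.

```python
"""Continuous 'verify explicitly' policy evaluation.

Added example (not from the blog post). Signal names, thresholds and the
sample session below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool          # identity: strong authentication completed for this session
    device_compliant: bool      # device health: latest posture result from the endpoint agent
    posture_age_minutes: int    # how old that posture result is
    network: str                # network context: "corp", "vpn" or "public"
    new_location: bool          # behaviour: first access from this location for this user
    resource_sensitivity: str   # "low", "medium" or "high"


# Assumed threshold: posture data older than this is treated as unknown.
POSTURE_MAX_AGE_MINUTES = 15


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Evaluate one request against all pillars at once.

    Returns (decision, reasons) with decision in {"allow", "step_up", "deny"}.
    Hard failures (identity, device, high-sensitivity data over a public network)
    deny outright; contextual anomalies only demand fresh proof (step-up).
    """
    deny: List[str] = []
    step_up: List[str] = []

    if not req.mfa_verified:
        deny.append("identity: MFA not verified")

    if not req.device_compliant:
        deny.append("device: non-compliant posture")
    elif req.posture_age_minutes > POSTURE_MAX_AGE_MINUTES:
        step_up.append("device: posture data stale, re-check required")

    if req.resource_sensitivity == "high" and req.network == "public":
        deny.append("network: high-sensitivity resource from public network")

    if req.new_location:
        step_up.append("behaviour: first access from this location")

    if deny:
        return "deny", deny + step_up
    if step_up:
        return "step_up", step_up
    return "allow", []


def evaluate_session(requests: List[AccessRequest]) -> List[str]:
    """Re-run the policy for every request in a session.

    The decision at login carries no weight for later requests: each one is
    judged on the signals as they are at that moment.
    """
    return [evaluate(r)[0] for r in requests]


# Constructed sample session: one user whose signals drift over time.
SAMPLE_SESSION = [
    AccessRequest("alice", True, True, 2, "corp", False, "high"),      # login: all signals clean
    AccessRequest("alice", True, True, 40, "corp", False, "medium"),   # posture result has gone stale
    AccessRequest("alice", True, False, 1, "corp", False, "low"),      # device drifted out of compliance
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE_SESSION, evaluate_session(SAMPLE_SESSION)):
        print(f"{req.user} -> {decision}: {evaluate(req)[1]}")
```

The point of `evaluate_session` is the "continuous" part of verify explicitly: the same policy runs on the third request as on the first, so a device that falls out of compliance mid-session loses access without waiting for the next login.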

Most Organizations Overdevelop Identity and Underserve the Rest

Across zero trust assessments, the pattern is consistent. Identity is usually the most mature pillar. MFA is deployed. Governance exists. Privileged access management is in place. It is visible progress and easy to communicate.

Other areas lag behind.

Network segmentation remains one of the most common gaps. Many environments still rely on flat architectures with implicit trust between systems. Device posture is often collected but not enforced in real time. Application and workload controls exist in isolation but are not fully integrated into access decisions.

The issue is a lack of coordinated execution.

Frameworks such as CISA’s Zero Trust Maturity Model define five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. Most organizations show strength in one or two and inconsistency across the rest. That imbalance limits the effectiveness of the entire program.

Organizations That Succeed Treat Zero Trust as Ongoing Training

The organizations making real progress approach zero trust the same way high-performing teams approach training. They follow a program, measure honestly, and avoid shortcuts.

They establish identity as the foundation—the equivalent of building core strength—because every access decision depends on it. They conduct access reviews before enforcing least privilege, understanding that the real permission landscape is often more permissive than intended. That baseline is uncomfortable, but necessary to improve.

They also maintain discipline when it matters most. Enforcement is where many teams fall off. It requires denying access that does not meet policy, even under pressure. It requires removing legacy pathways that are convenient but insecure. Like training, progress comes from consistent reps, not occasional effort.
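The access review described above, comparing what is granted with what is actually used, is the step that makes least privilege enforceable. The following is an added example, not code from the original post: a Python review over a constructed grant list and usage log that flags standing permissions never exercised or not exercised within a review window, and separates a recent unused grant (re-check later) from a long-standing one (remove). The data, the 90-day window and the finding texts are all assumptions for illustration.

```python
"""Least-privilege access review: grants versus observed use.

Added example (not from the blog post). Grant and usage records below are
constructed; in practice they come from the IdP/IAM export and access logs.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

Grant = Tuple[str, str, date]    # (principal, permission, granted_on)
Usage = Tuple[str, str, date]    # (principal, permission, used_on)

# Constructed sample data: human and machine identities side by side.
GRANTS: List[Grant] = [
    ("alice", "prod-db:read", date(2023, 1, 10)),
    ("alice", "prod-db:admin", date(2021, 6, 1)),
    ("svc-backup", "storage:write", date(2020, 3, 3)),
    ("bob", "ci:deploy", date(2024, 11, 2)),
]
USAGE: List[Usage] = [
    ("alice", "prod-db:read", date(2025, 1, 5)),
    ("svc-backup", "storage:write", date(2025, 1, 6)),
]


def last_use_by_grant(usage: List[Usage]) -> Dict[Tuple[str, str], date]:
    """Collapse the usage log to the most recent use of each (principal, permission)."""
    last: Dict[Tuple[str, str], date] = {}
    for principal, perm, when in usage:
        key = (principal, perm)
        if key not in last or when > last[key]:
            last[key] = when
    return last


def review_access(grants: List[Grant], usage: List[Usage], today: date,
                  unused_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (principal, permission, finding) for every grant that is not
    demonstrably needed within the last `unused_days` days.

    A grant younger than the window that has not been used yet is flagged for
    re-check rather than removal, so new joiners are not cut off prematurely.
    """
    last_used = last_use_by_grant(usage)
    cutoff = today - timedelta(days=unused_days)
    findings: List[Tuple[str, str, str]] = []
    for principal, perm, granted_on in grants:
        used = last_used.get((principal, perm))
        grant_age = (today - granted_on).days
        if used is None and grant_age < unused_days:
            findings.append((principal, perm,
                             f"unused {grant_age}-day-old grant; re-check at next review"))
        elif used is None:
            findings.append((principal, perm,
                             f"never used in {grant_age} days since grant; remove or justify"))
        elif used < cutoff:
            findings.append((principal, perm,
                             f"last used {(today - used).days} days ago; remove"))
    return findings


if __name__ == "__main__":
    for principal, perm, finding in review_access(GRANTS, USAGE, date(2025, 1, 10)):
        print(f"{principal:12} {perm:16} {finding}")
```

Run with the constructed data and a review date of 2025-01-10, the review leaves `alice`'s read access and the backup service's write access alone, flags `alice`'s long-standing and never-used `prod-db:admin` for removal, and flags `bob`'s 69-day-old `ci:deploy` grant for re-check. The uncomfortable baseline the post describes is exactly the first of those findings: standing administrative rights that nobody has touched in years.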

There is no finish line. Zero trust is not a program you complete. It is a continuous progression toward higher levels of maturity, built through repetition, adjustment, and sustained discipline.

Organizations that commit to that process build resilience over time. Those that do not remain stuck with the appearance of security and the gaps adversaries continue to exploit.

FAQs
Q: What is the difference between zero trust and ZTNA?
A: Zero trust is an architectural training discipline built on three principles: verify explicitly, use least privilege, and assume breach. ZTNA is a specific technology that replaces VPN with identity-aware, application-specific remote access—one piece of equipment in a much larger program. Having ZTNA deployed is like owning a great pair of running shoes. It is necessary. It is not sufficient.
Q: How long does zero trust implementation take?
A: There is no completion date: zero trust is a continuous training program. Most enterprises build foundational enforcement across identity, endpoint, and network in 18 to 36 months. Full program maturity across all five CISA pillars typically takes 3 to 5 years in complex environments. The organizations that try to shortcut the timeline consistently find themselves back at the beginning after a breach reveals how much of the program existed only on paper.
Q: What is the most important first step?
A: An honest assessment. Understanding who and what has access to what—across human and machine identities—is the equivalent of taking baseline measurements before starting a program. You cannot design the right training plan without knowing current state. Organizations that skip this step and go straight to enforcement almost always discover, expensively, that the access landscape they thought they were controlling looked nothing like what was actually in place.
Q: Does zero trust eliminate the need for network security?
A: No—and this is one of the most common misunderstandings. Zero trust adds identity-aware enforcement to the architecture. Micro-segmentation, traffic inspection, and network detection and response remain essential components. Think of it like adding strength training to a program that already includes cardio. You are not replacing one with the other. You are building a more complete athlete. Every pillar reinforces the others.