Zero Trust Is a Discipline, Not a Product
The term zero trust has become widely used — and widely misunderstood. It is marketed as an architecture or a suite of tools. In practice, it is a discipline: a way of reasoning about systems that operate in environments which cannot be assumed safe.
The Original Insight
Zero trust rejects the assumption that trust can be inferred from location, identity, or past behaviour. Systems drift, credentials leak, users make mistakes, and attackers adapt. Zero trust insists on continuous scepticism.
The Productisation Problem
No tool can eliminate trust. Tools can enforce rules and collect signals, but they cannot decide when scepticism is warranted in novel situations.
Trust Has Not Disappeared — It Has Moved
Instead of trusting networks, organisations now trust identity assertions, risk scores, policy engines — and increasingly AI-driven decisions. These components are rarely scrutinised with the same scepticism that is applied to endpoints and users, even though a compromised or mistaken policy engine fails at exactly the point where the whole model concentrates its trust.
AI Complicates the Picture
AI-driven scoring promises scale but introduces opacity, uncertainty, and new attack surfaces. A zero-trust discipline treats AI as a source of hypotheses, not a source of truth.
Practising Zero Trust
Define what is being trusted and why. Identify where trust decisions are made. Understand failure modes. Ensure humans retain meaningful authority. Zero trust is not achieved at deployment; it is maintained through continuous reasoning.
Zero trust does not mean “trust nothing”. It means trust nothing without justification.