The Difficult Reality of Implementing Zero Trust Networking

Zero Trust assumes a strong, unified source of identity and policy. Most enterprises have the opposite. Create a cross-functional “Zero Trust Council” with shared KPIs tied to business outcomes to fix the situation.

Written By
Misbah Rehman
Jan 6, 2026

Zero trust networking, a security model based on the principle of “never trust, always verify,” continues to present significant implementation challenges for organizations, despite being a concept now more than 15 years old. Nearly nine out of every 10 security leaders have faced significant challenges in their attempts to implement zero trust, according to a recent report from Accenture.

This struggle is often due to the fact that zero trust involves an organization-wide transformation, touching everything from infrastructure to culture. Factors such as legacy infrastructure, fragmented tooling, skills and budget gaps, and significant cultural resistance are among the issues that may slow progress. Addressing these critical obstacles is essential to understanding why a technology with such clear benefits is so challenging to adopt.

Zero Trust as a Slogan, Not a Design Decision

Zero trust is often treated as a slogan, rather than a design decision. Many organizations “declare” a zero trust initiative without defining what it means in concrete terms for the network: which user-to-app flows should be locked down, what “never trust, always verify” looks like for east–west traffic, how partner and contractor access should change, etc. This makes ZT feel vague, unending, and impossible to measure. Zero trust becomes manageable only when you stop treating it as a philosophy and start treating it as a specific set of guardrails around your most critical business flows.

To combat this, one must start with 3–4 outcomes (e.g., developer access to production, traders accessing trading platforms, third-party access to core systems) and define what “zero trust” concretely means for those flows. Then, anchor the outcomes to NIST ZTA-style principles (strong identity, continuous verification, least privilege, and segmentation) and measure progress in terms of coverage of those flows, rather than generic “zero trust maturity.”

Segmentation in Brownfield Networks

Most enterprises don’t start from a greenfield. They inherit overlapping IP ranges, flat networks, brittle firewall rules, and legacy apps no one wants to touch. Trying to enforce granular segmentation on this foundation slows—or outright stalls—Zero Trust programs.

The answer isn’t a five-year re-plumbing project.

You need logical overlays and cloud-delivered fabrics that can implement segmentation independent of underlying IP addressing and hardware. Start with one high-risk domain—partner/extranet access or privileged admin environments—and make that your repeatable blueprint.

Policy Sprawl and Fragmented Identity

Zero Trust assumes a strong, unified source of identity and policy. Most enterprises have the opposite: multiple IDPs, per-cloud firewall deployments, and SaaS-specific permissions. This fragmentation creates more distributed security enforcement points, which can lead to security holes within the enterprise network. Enterprises need a single source of truth for network access policy—a place where a statement like:

“Only finance staff in region X can access application Y on compliant devices.”

can be authored once and pushed consistently across clouds, data centers, and SaaS. Policy-as-code, coupled with centralized identity, is essential. Without it, Zero Trust fails before it even begins.

Organizational Silos

The hardest challenges are organizational. Networking optimizes for reliability. Security optimizes for risk reduction. Cloud teams optimize for speed. Each uses different tools, budgets, and KPIs. Zero Trust requires them to operate from a unified model—and many enterprises aren’t structured for it.

A practical fix:

Create a cross-functional “Zero Trust Council” with shared KPIs tied to business outcomes—secure partner onboarding time, incident containment time, privilege reduction coverage—not abstract security metrics. Treat the network as a shared platform that teams consume as a service, not a set of disconnected point tools.

Ignoring Third-Party and Partner Access

Third-party and partner access remains the soft underbelly. The trouble is that many organizations start zero trust with employee access and stop there, while business partner, supplier, and contractor connectivity is still handled via legacy VPNs, shared accounts, and broad network access. That’s a major blind spot given the rise in third-party incidents. If your zero-trust story doesn’t include how you connect to customers and partners, you’ve left the door open at the side of the house.

The solution is to treat partner connectivity as a first-class zero trust use case, with its own segmented zones, per-partner policies, and strong identity (no shared credentials, no flat network access). Then measure success by the time it takes to onboard a new partner with least-privilege access, and by the ability to instantly revoke or isolate a specific partner without impacting others.

Fear of Breaking the Business

Fear of breaking the business and degrading performance often leads to analysis paralysis. Many CISOs know what “good” looks like on paper, but they’re wary of changes that might break brittle legacy apps or add latency to revenue-critical workflows. That risk aversion often leads to endless design cycles and half-implemented pilots. CISOs will move faster toward zero-trust when they can prove, in advance, that the right users still receive a great experience and the business continues to run smoothly.

Instead, design zero-trust networking with explicit performance SLAs and pre-production testing—including fail-open / fail-safe behaviors for critical flows. Start with visibility and policy simulation (“what would happen if we enforced this?”) before flipping enforcement on, so teams can see the blast radius ahead of time. For both use cases, leverage AI to help simulate network designs and policy decisions.
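
The sketch below is an added example, not code from the article or from any vendor: it writes the finance statement from the policy section as data, evaluates it with default deny, and dry-runs it over flows that work today to show what enforcement would block. The attribute names, the placeholders "region-x" and "app-y", and the observed flows are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str
    group: str
    region: str
    device_compliant: bool
    app: str

# The article's statement, authored once as data. "region-x" and "app-y" are
# placeholders for its "region X" and "application Y".
POLICY = [
    {"app": "app-y", "group": "finance", "region": "region-x",
     "device_compliant": True},
]

def mismatches(flow, rule):
    """Attributes of the flow that do not satisfy the rule."""
    return [k for k, v in rule.items() if getattr(flow, k) != v]

def decide(flow, policy=POLICY):
    """Default deny: allow only when one rule matches on every attribute."""
    return "allow" if any(not mismatches(flow, r) for r in policy) else "deny"

def simulate(observed, policy=POLICY):
    """Dry run: map each (user, app) that enforcement would block to the reason."""
    blocked = {}
    for flow in observed:
        if decide(flow, policy) == "allow":
            continue
        rules = [r for r in policy if r["app"] == flow.app]
        # No rule names this app at all, so it is denied by default.
        blocked[(flow.user, flow.app)] = (
            min((mismatches(flow, r) for r in rules), key=len)
            if rules else ["no rule for app"])
    return blocked

# Constructed sample of flows that succeed today on a flat network.
OBSERVED = [
    Flow("alice", "finance", "region-x", True, "app-y"),
    Flow("bob", "finance", "region-x", False, "app-y"),       # unmanaged laptop
    Flow("carol", "engineering", "region-x", True, "app-y"),
    Flow("svc-batch", "finance", "region-z", True, "app-y"),  # legacy job
    Flow("dave", "finance", "region-x", True, "app-q"),       # app with no rule
]

if __name__ == "__main__":
    for (user, app), why in simulate(OBSERVED).items():
        print(f"would block {user} -> {app}: {why}")
```

The blocked list is the blast radius: each entry is either an access to remove or a legitimate dependency, such as the legacy job, that needs its own rule before enforcement is switched on.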

Zero Trust Is Not a Project—It’s an Operating Decision

Organizations fail when they treat Zero Trust as an abstract, multi-year transformation. They succeed when they treat it as a sequence of concrete design decisions tied to measurable business outcomes.

The path forward requires:

  • Logical overlays and fabrics that decouple policy from legacy networks
  • Centralized identity and policy-as-code architectures
  • Segmentation that works across clouds, on-prem, and partners
  • Cross-functional ownership across networking, security, and cloud teams
  • Clear KPIs: partner onboarding time, incident containment, privileged access reduction

Zero Trust is hard for real reasons—but it becomes achievable when enterprises stop treating it as a philosophy and start treating it as a practical, outcome-driven architecture that can be deployed incrementally and measured continuously.

Misbah Rehman is VP of Product Management and Compliance at Alkira.
