Zero trust is a cybersecurity framework built on the principle of "never trust, always verify." No user, device, or system is trusted by default, regardless of whether they are inside or outside the corporate network. Access is granted only after identity, device posture, and context have been verified, and that verification is continuous rather than one-time. Zero trust reduces the risk of unauthorized access, limits lateral movement after a breach, and supports compliance with major regulatory frameworks including NIST, HIPAA, and SOC 2. Organizations implement zero trust through five pillars: identity, device, network, applications and workload, and data.
Zero trust is a cybersecurity framework that assumes all users, devices, and systems are potentially compromised, whether they are operating inside or outside a corporate network. In a zero trust architecture, no connection is trusted by default. Every request for access must be authorized, verified, and authenticated before it is granted, and that verification is continuous rather than a one-time event at login. Compliance frameworks including NIST SP 800-207, HIPAA, and GLBA all reflect zero trust principles in their access control requirements. Zero trust is deeply connected to identity governance, because identity is the primary control plane through which access decisions are made.
The five pillars of zero trust#
Identity: Verify the digital identity of every user, service, and device before granting access to any resource. This includes strong authentication through MFA, integration with a trusted identity provider, and continuous monitoring of identity risk signals.
Device: Every device requesting access must be verified for health and compliance. Device verification involves maintaining an inventory of all authorized devices, assessing posture, and blocking devices that fall below security thresholds.
Network: Network segments are isolated to prevent lateral movement. Access is granted only to the specific resources a user or device needs. Micro-segmentation enforces these boundaries at a granular level.
Applications and workload: Access to applications is governed by identity and context, applications are monitored continuously for anomalous behavior, and APIs are authenticated and authorized rather than assumed to be trusted.
Data: Data is classified by sensitivity, and access policies are enforced at the data level. The principle of least privilege governs who can access which data, under what conditions, and for how long.
Why zero trust is important#
Protection against modern threats: Modern attacks originate from within trusted network segments through credential theft, supply chain compromises, and insider threats. Zero trust eliminates the implicit trust that makes those attacks effective.
Compliance with regulatory requirements: HIPAA, GLBA, and NIST SP 800-207 all reflect zero trust principles in their access control requirements.
Reduced attack surface: Zero standing privilege is the access corollary of zero trust. When users hold only the access they need at any given moment, the available attack surface shrinks dramatically.
Operational efficiency through automation: Zero trust is not operationally feasible without automation. Automated access controls, access reviews, and provisioning automations make zero trust scalable.
Zero trust and least privilege#
Zero trust establishes the posture: no user, device, or system is trusted by default. Least privilege establishes the scope: even verified users receive only the minimum permissions required for their specific task. In a zero trust architecture, least privilege is applied dynamically through just-in-time (JIT) access. A user who needs elevated access requests it explicitly, receives it for a defined period, and has it revoked automatically when the period ends. See also: Authentication vs. Authorization.
Implementing zero trust: 7-step approach#
- Establish identity security. Deploy MFA, enforce least-privilege access through an identity provider, and integrate identity lifecycle management.
- Implement network segmentation. Divide the network into segments that isolate sensitive resources. Remove broad VPN-based access grants.
- Enforce device trust. Build and maintain an inventory of all authorized devices. Block access from devices that fail posture requirements.
- Apply micro-segmentation. Define granular security policies for specific users, devices, and applications enforced at the application and workload level.
- Govern non-human identities. Apply zero trust principles to service accounts, API keys, and machine credentials through credential governance, access reviews, and automated rotation.
- Monitor continuously. Establish baselines for normal access behavior and alert on deviations. AI Access Management applies intelligence to access event data to identify risk signals.
- Review and update access policies. Access reviews keep entitlements accurate. Automations handle routine policy enforcement.
Zero trust and compliance#
- NIST: NIST SP 800-207 is the federal reference architecture for zero trust.
- HIPAA: Requires access controls, audit controls, and transmission security for ePHI — all addressed by zero trust implementation.
- GLBA: Requires administrative, technical, and physical safeguards. Zero trust provides the technical safeguard layer.
- SOC 2: Zero trust controls align with SOC 2 Trust Service Criteria for security and availability.
How C1 enables zero trust#
- Just-in-time access eliminates standing privileges by provisioning access on demand, for a defined window, with automatic revocation
- Access Reviews provide the continuous certification process zero trust requires
- Access Controls enforce least-privilege policies across the application portfolio
- Non-human identity governance extends zero trust controls to service accounts, API keys, and machine credentials
- Automations handle the operational work of zero trust at scale
See also: Zero Standing Privilege, identity governance best practices, IAM frameworks, and IAM roadmap.

