Zero Trust Is a Strategy, Not a Product: 7 Myths That Stall Programs


Why Most Zero-Trust Programs Stall, and How to Get Past It

Zero trust turned 15 this year, and the distance between agreeing with it and operating it has only grown. Accenture reports that 88% of organizations hit significant obstacles putting zero trust into practice, and a Gartner survey found that 35% of teams who attempted a zero-trust initiative experienced failures that adversely affected the business. A recent CSO Online feature, “Zero trust isn’t broken. Most companies just do it wrong,” traces the cause to one thing: the principle is sound, but the guidance on how to execute it is thin.

That gap matters to the business, not just the security team. A SOC 2 questionnaire arrives from an enterprise customer, a board asks how exposed the company is to ransomware, or a breach exposes how freely an attacker can move once inside. Each of those is a zero-trust question with a financial answer. The good news is that most stalled programs trace back to a small set of durable myths. Clear them, and zero trust becomes a sequence of decisions you can plan, measure, and fund. Here are the seven that cause the most damage.


Why Zero Trust Stalls

John Kindervag defined zero trust at Forrester as a way to replace the perimeter model with a “never trust, always verify” approach. Fifteen years on, the concept answers to many labels at once: strategy, philosophy, mindset, and architecture. That breadth is where confusion starts, and where vendors fill the silence with marketing. Morey Haber of BeyondTrust summarized the state of things in 2026 by noting that everyone agrees zero trust is necessary, yet the gap between intention and execution remains wide because teams have principles without enough guidance on implementation.

The seven myths below come straight from practitioners quoted in the CSO Online piece, including Kindervag, Haber, and University of Texas CISO George Finney. Each myth has a reality that experienced teams operate by.

Table 1. Seven zero-trust myths and what experienced teams do instead.

| Zero-trust myth | What experienced teams know |
| --- | --- |
| Zero trust is a product | It is a strategy, process, and mindset. Products enforce controls; none deliver more than a fraction of zero trust on their own. |
| Zero trust is a technology | Microsegmentation and identity-based access are tactics. The strategy is a way of managing risk across teams and business units. |
| Zero trust is expensive | The first steps cost effort, not budget. Most organizations already own identity, multi-factor authentication, and firewall tools to build on. |
| Zero trust is hard to implement | It is methodical, not monolithic. Start with one high-value protect surface, prove the win, then expand. |
| AI breaks zero-trust network access (ZTNA) | AI reinforces the case for zero trust. Large language models and non-human identities get segmented, policy-controlled, and monitored like anything else. |
| Success cannot be measured | Outcome metrics work: reduced lateral movement, fewer account takeovers, faster compliance, contained breaches. |
| A zero-trust project has a finish line | It is a program that grows with the organization. You monitor, maintain, and add protect surfaces over time. |

The Two Myths That Do The Most Damage

The first two myths, that zero trust is a product or a technology, cause the most expensive mistakes because they let a purchase stand in for a plan. As Finney puts it, the hard part is rarely the technology. It is the people, the politics, and the silos between security, networking, application teams, and the business. Microsegmentation to block lateral movement and identity policy to govern access are tools that serve the strategy. They are not the strategy itself.

This is exactly where the two halves of a security program need to meet. Strategy without execution leaves risk unaddressed, and infrastructure deployed without direction gets pointed at the wrong problems. A virtual chief information security officer (vCISO) sets the protect-surface priorities and breaks down the silos, while a zero-trust platform such as Enclave enforces the segmentation, identity, and monitoring decisions that result. When a security leader identifies a segmentation gap, the infrastructure closes it.

The Five Pillars, And Where The Work Happens

Kindervag’s model gives zero trust the structure that the “it’s too hard” myth ignores. The sequence is deliberate, and most of the early work costs coordination rather than capital.

Table 2. Kindervag’s five pillars of zero trust and where the effort sits.

| Pillar | What it requires | Strategy or tooling |
| --- | --- | --- |
| 1. Identify protect surfaces | Pinpoint the crown jewels. Business leaders, not only IT, define what is most valuable. | Strategy first, informed by asset intelligence |
| 2. Map transaction flows | Trace how traffic moves to and from those assets across on-premises, cloud, and containers. | Strategy plus network visibility |
| 3. Define the architecture | Write an architecture that fits your risk tolerance, industry, and infrastructure. | Strategy plus enforcement fabric |
| 4. Set and apply policies | Author and enforce access and identity policies down to the host. | Tooling, governed by strategy |
| 5. Monitor and maintain | Watch for policy violations and keep pace as the business changes. | Tooling plus ongoing program ownership |

Notice that pillars one through three are mostly thinking and coordination. They cost meetings, not money. Finney recommends starting small with a single protect surface, showing a quick win, and using real data on attacker behavior and internal weak points to decide what to tackle next. Gartner makes the same point from the failure side: programs that define an overly broad target state, with too many systems and overly granular policy on day one, run into cost and timeline problems.

Defense in depth is the reason this structure holds up even when a single control fails. Security researchers at DefCon 33 found bugs in several ZTNA products, which is a fair reminder that no product is flawless. Zero trust answers that with layers. If an attacker steals a credential, microsegmentation still limits lateral movement, session monitoring still watches the access, and egress controls still constrain what data can leave. One flaw does not hand over a flat network.


AI Does Not Break Zero Trust. It Raises The Stakes.

Generative AI and semi-autonomous agents have revived the claim that zero trust is outdated. The opposite is true. Kindervag, now chief evangelist at Illumio, argues that AI reinforces the fundamentals rather than changing them, because without segmentation, policy enforcement, and control over data flows, an AI system becomes another soft target. Finney frames it plainly: AI is not magic, and you secure it the same way you secure everything else, by integrating it into the stack and monitoring it.

Non-human identities are the practical edge of this. Service accounts, machine identities, and AI agents now outnumber human users in many environments, and each one needs an identity, a policy, and a boundary. A zero-trust platform that treats non-human identities as first-class, giving each service its own credentialed and segmented identity rather than open network trust, applies the strategy to AI workloads without inventing a new one.

How To Measure A Zero-Trust Program

Any initiative that asks the board for support has to justify itself, and “we did not get breached” is a hard thing to chart. Gartner’s guidance is to use outcome-driven metrics tied to business objectives rather than activity counts. The metrics below give security and business leaders a shared scorecard.

Table 3. Outcome metrics that connect zero-trust work to business results.

| Outcome metric | What it tells the business |
| --- | --- |
| Reduction in lateral movement paths | How far an attacker could travel after a single compromise. Lower is better. |
| Account takeover and insider incidents | Whether identity and access controls are holding in practice. |
| Compliance readiness rate | How quickly the program answers SOC 2, NIST CSF, ISO 27001, or CIS Controls requirements. |
| Contained breach rate | Share of incidents held to a single segment rather than spreading. |
| Protect surfaces under policy | Coverage progress over time, which makes the program’s growth visible to leadership. |

These numbers also answer the last myth, that a zero-trust project ever finishes. Organizations grow, attackers evolve, and there is always another protect surface to bring under the umbrella. Kindervag’s final pillar, monitor and maintain, exists precisely because the work continues. A program that grows with the organization is the goal, not a one-time deployment with a closeout date.
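The "map transaction flows" and "set and apply policies" pillars in Table 2 feed directly into the first metric in Table 3. As an added example that is not code from the original article, from SideChannel, or from Enclave, the Python below builds a reachability graph from constructed flow records (every host name and flow is made up) and reports, per compromised host, how many other hosts an attacker could reach on a flat network versus after a host-level policy is placed around one protect surface.

```python
"""Added example: compute the 'reduction in lateral movement paths' metric from
mapped transaction flows (pillar 2) and a host-level policy (pillar 4).
All hosts and flows below are constructed sample data, not a real environment."""
from collections import deque

# Constructed flow records: (source host, destination host, destination port).
FLOWS = [
    ("laptop-17", "web-01", 443),
    ("laptop-17", "jump-01", 22),
    ("web-01", "app-01", 8443),
    ("web-02", "app-01", 8443),
    ("jump-01", "app-01", 22),
    ("jump-01", "db-01", 22),
    ("app-01", "db-01", 5432),
    ("app-01", "cache-01", 6379),
    ("backup-01", "db-01", 5432),
]
HOSTS = sorted({h for s, d, _ in FLOWS for h in (s, d)})

def reachable(start, edges):
    """Hosts an attacker holding `start` can reach over directed (src, dst) edges."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def flat_edges(hosts):
    """Flat network: every host can open a connection to every other host."""
    return {(a, b) for a in hosts for b in hosts if a != b}

def policy_edges(flows, protect_surface, allowlist):
    """Segmented network: only mapped flows pass, and flows into the protect
    surface must additionally appear in the explicit allowlist."""
    return {(s, d) for s, d, p in flows
            if d not in protect_surface or (s, d, p) in allowlist}

def lateral_movement_report(protect_surface, allowlist):
    """Per host: (hosts reachable on the flat network, hosts reachable after policy)."""
    before = flat_edges(HOSTS)
    after = policy_edges(FLOWS, protect_surface, allowlist)
    return {h: (len(reachable(h, before)), len(reachable(h, after))) for h in HOSTS}

if __name__ == "__main__":
    report = lateral_movement_report({"db-01"}, {("app-01", "db-01", 5432)})
    for host, (flat, segmented) in report.items():
        print(f"{host:10s} flat={flat} segmented={segmented}")
```

Tracking the "after" column over time, as more protect surfaces gain an allowlist, is the coverage view Table 3 asks for.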

Strategy And Infrastructure, From The Same Team

The throughline across all seven myths is that zero trust fails when a tool is asked to do a strategy’s job, and it succeeds when strategy and infrastructure move together. Decide what matters most, map how it is used, write the policy, enforce it at the host, and keep watching. That sequence resonates in the boardroom because it reads like any other business plan: clear priorities, measurable outcomes, and a program built to last.

SideChannel built its practice around closing the gap the CSO Online article describes. Fractional Security Services, led by vCISO leadership, set the strategy and align it to business objectives, while Enclave provides the zero-trust infrastructure, including microsegmentation, asset intelligence, and certificate lifecycle management, in a single platform. The strategy and the infrastructure, from the same team that built both.


Source: Neal Weinberg, “Zero trust isn’t broken. Most companies just do it wrong,” CSO Online, June 16, 2026. Statistics cited from Accenture and Gartner as reported in that article. Practitioner quotes attributed to John Kindervag, Morey Haber, and George Finney per the same source.