Zero Trust Security: How to Make and Measure Real Progress

Members of the Senior Executive Cybersecurity Think Tank explain why zero trust is a discipline, not a destination—and how leaders can measure real risk reduction instead of just implementation activity.

by Cybersecurity Editorial Team on May 7, 2026

The foundational philosophy of zero trust can sound deceptively simple: Verify everyone, trust no one and keep attackers from moving freely. In practice, though, it’s not that neat. Businesses change, employees need access to new tools, cloud environments expand and attackers keep finding fresh ways to test old assumptions. New users, new systems, new attack vectors: The environment that zero trust is meant to protect keeps changing, which means it’s time to move beyond philosophies and frameworks and implement realistic, forward-thinking architectures.

The essential question is whether an organization can clearly see what’s happening across its systems, contain damage when something goes wrong, and keep operations running without forcing people to work around security controls to get their jobs done. The answer lies in shifting focus from implementation milestones to measurable outcomes: protecting the most critical assets, supporting the way people actually work, and measuring progress through outcomes rather than activity. 

The goal of zero trust isn’t to prove that every possible risk has been eliminated. It’s to show that an organization is becoming harder to compromise, faster to respond and easier to operate securely. Members of the Senior Executive Cybersecurity Think Tank have years of experience and deep expertise in enterprise cybersecurity strategies, threat detection, risk management and zero trust architecture. Below, five of them discuss how to define “good enough” in practical terms when assessing zero trust and the real-world signals that tell leaders they’re reducing risk, not just adding friction.

Shift Your Thinking From Perimeter to Asset and Identity

David Etue, Chief Strategy Officer at Cyberbit, is a Senior Fellow at the National Security Institute’s Cyber and Technology Center and has spent his career helping organizations build more resilient security programs. He starts with a simple truth: Cybersecurity—and therefore zero trust—is a journey, not an end state.

“Since adversaries innovate daily, we must manage risk through continuous improvement,” Etue says. “You achieve ‘good enough’ zero trust when security shifts from ‘perimeter’ to ‘asset’ and ‘identity.’” 

He outlines three required pillars: an identity control plane, blast radius containment and robust telemetry. 

“An identity control plane entails automated provisioning and deprovisioning for users and identities, including multifactor authentication,” Etue explains. “Containing the blast radius means that systems don’t inherently trust each other. By reducing system and network-level trust, we ensure one compromised system or identity cannot compromise everything. Finally, robust telemetry demands near-real-time visibility of identity, application and system activity that’s fed into a SIEM platform to automate detection of incidents.”

Let Outcomes Do the Talking

As Cybersecurity Risk Management Leader, Financial Services, at Ernst & Young US LLP, Bhavya Bhandari works in one of the most heavily regulated and targeted industries in the world. His perspective on zero trust is grounded in practical accountability: It only matters if it actually reduces risk.

“‘Good enough’ is not about checking a box but ensuring the most important systems and data are protected and security measures don’t force people to work around them,” Bhandari says.

That last point is critical. A zero trust implementation that creates so much friction that employees route around it doesn’t make an organization safer—it leads to new shadow workflows and new vulnerabilities. Bhandari is clear about what leaders should be watching instead.

“The signals leaders should look for should be outcome-based: a smaller attack surface, improved time to respond and fewer standing privileges, to name a few,” he says. “If security teams are spending more time managing friction than reducing impact, zero trust has missed the mark.”

Focus on Visibility—and Brace for Agentic AI

Anand Salodkar, Co-Founder and COO of CompFly AI, views zero trust through a precision lens and has a distinctly pragmatic definition of when an organization has gotten it right.

“‘Good enough’ in zero trust is when you have reduced the chances of the wrong person or system doing the wrong thing at the wrong time—without slowing the business to a crawl,” Salodkar says. 

In practice, he explains, success shows up in measurable operational changes: fewer standing privileges, better control over sensitive actions, and faster detection and mitigation when something looks off.

But Salodkar also flags a concern that many security leaders haven’t yet fully grappled with: today’s agentic AI environment, in which autonomous systems make decisions, chain tools together and behave in ways that static policies simply can’t anticipate. 

“Traditional zero trust breaks in an agentic world,” he warns. “Static rules and one-time access checks were built for predictable users and systems, not autonomous agents that can make decisions, chain tools and act in ways that change from moment to moment.”

Salodkar’s bottom line? Visibility trumps volume. 

“The real signal is not how many policies you write,” he says. “It is whether you can clearly see who or what took an action, why it was allowed, and whether risky actions are stopped before they turn into incidents.”

Make Zero Trust Work for Both Security Teams and End Users

Leonard Kleinman brings more than 35 years of IT and cybersecurity experience to his role as Chief Strategy and Technology Officer at FedCyber, which provides outcomes-based, strategic advisory services for the government and critical industries in Australia. He reframes the question around what a strong zero trust strategy actually looks like.

“Zero trust is dynamic, not static, and therefore needs to continuously evolve,” Kleinman says. “Rather than settling for ‘good enough,’ look for measures that are reflective of a good implementation.”

He recommends starting with identity as the main control point through modern authentication, with MFA, conditional access, single sign-on and least privilege all operational. 

“Ensure that only compliant devices access needed resources and that network micro-segmentation prevents lateral movement (east-west traffic),” Kleinman says.

A key goal in Kleinman’s zero trust strategy is minimizing friction for both security teams and end users. He shares both a how-to guide and a stress-reducing ROI.

“Ensure your data is properly classified and monitored,” he advises. “Security telemetry should be unified and enriched with context, with automated responses in place to help teams take quick, appropriate action. This will manifest in overall risk reduction while your users experience secure, low‑friction access.”

Strive for Ongoing Clarity and Resilience

Scott Alldridge, President and CEO of IP Services, has a talent for cutting through security jargon to help business leaders understand what actually matters. On zero trust, he’s unambiguous: It’s not a destination.

“Zero trust isn’t a finish line—it’s a risk-reduction discipline,” Alldridge says. “‘Good enough’ is reached when your most critical assets are known, access is intentionally limited, and failures are contained instead of cascading.”

The evidence of an effective zero trust strategy he points to is similarly concrete—and notably, it’s not about tools or controls. 

“The goal is fewer blast-radius incidents, faster detection and recovery, and simpler operations under pressure,” he says. “If teams can clearly explain who can access what and why as well as what happens when something breaks, you’re reducing real risk.”

For Alldridge, the ultimate measure of success for zero trust comes down to what teams see more—and less—of. 

“When zero trust increases clarity and resilience—not friction—you’re doing it right.”

From Theory to Practice: A Zero Trust Roadmap

  • Anchor zero trust in identity, not perimeter. Automated provisioning and deprovisioning, multifactor authentication, and least-privilege access aren’t nice-to-haves; they’re the foundation that prevents one compromised account from becoming an organizational crisis.
  • Contain the blast radius before an incident occurs. Systems shouldn’t inherently trust each other; reducing network-level trust means a single breach stays isolated rather than cascading across the environment.
  • Measure progress through outcomes, not activity. A smaller attack surface, faster response times and fewer standing privileges are the real indicators of zero trust maturity, not the number of policies written or tools deployed.
  • Watch for the friction signal. If employees are working around security controls or teams are spending more time managing complexity than reducing risk, the implementation needs recalibration, not more controls.
  • Plan now for agentic AI. Static rules and one-time access checks weren’t built for autonomous systems that chain tools and make real-time decisions. Organizations need visibility not just into who accessed what, but also why it was allowed and whether risky actions were stopped in time.
  • Unify telemetry and automate response. Security data siloed across systems slows detection and response; unified, context-enriched telemetry with automated triggers helps teams act quickly and appropriately—without burning out.
  • If your teams can explain it, you’re doing it right. The clearest sign of a mature zero trust posture is operational simplicity under pressure: teams that can clearly articulate who can access what and why, as well as what happens when something breaks.
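The outcome signals the roadmap names (fewer standing privileges, faster containment, a bounded blast radius, a falling friction rate) can be tracked as a small scorecard rather than as a count of policies. The Python below is an added example, not code from the article or from any of the Think Tank members; the records and their field names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not from the article); field names are assumptions.
# One record per privileged assignment; "standing" means always-on rather than just-in-time.
PRIVILEGES = [
    {"identity": "alice", "role": "prod-admin", "standing": True, "mfa": True},
    {"identity": "bob", "role": "prod-admin", "standing": False, "mfa": True},
    {"identity": "svc-backup", "role": "db-reader", "standing": True, "mfa": False},
    {"identity": "carol", "role": "billing-admin", "standing": False, "mfa": True},
]
# One record per incident: detection time, containment time, systems the attacker reached.
INCIDENTS = [
    {"id": "INC-1", "detected": "2026-04-01T10:00:00", "contained": "2026-04-01T10:45:00", "hosts_reached": 1},
    {"id": "INC-2", "detected": "2026-04-09T14:00:00", "contained": "2026-04-09T17:00:00", "hosts_reached": 4},
]
# Access requests in the period and how many needed an exception or bypass.
ACCESS_REQUESTS = {"total": 100, "exceptions": 12}

def standing_privilege_ratio(privs):
    """Share of privileged assignments that are standing rather than just-in-time (lower is better)."""
    return sum(1 for p in privs if p["standing"]) / len(privs) if privs else 0.0

def standing_without_mfa(privs):
    """Standing privileges with no MFA: the identities to fix first."""
    return [p["identity"] for p in privs if p["standing"] and not p["mfa"]]

def mean_time_to_contain_minutes(incidents):
    """Average minutes from detection to containment (faster is better); 0.0 when there are none."""
    if not incidents:
        return 0.0
    mins = [(datetime.fromisoformat(i["contained"]) - datetime.fromisoformat(i["detected"])).total_seconds() / 60
            for i in incidents]
    return sum(mins) / len(mins)

def blast_radius_incidents(incidents, max_hosts=1):
    """Incidents that spread beyond max_hosts systems, i.e. where containment failed."""
    return [i["id"] for i in incidents if i["hosts_reached"] > max_hosts]

def friction_rate(requests):
    """Share of access requests that needed an exception; a rising value is the friction signal."""
    return requests["exceptions"] / requests["total"] if requests["total"] else 0.0

def scorecard(privs, incidents, requests):
    """One outcome number per signal named in the roadmap, instead of counting policies or tools."""
    return {
        "standing_privilege_ratio": standing_privilege_ratio(privs),
        "standing_without_mfa": standing_without_mfa(privs),
        "mean_time_to_contain_min": mean_time_to_contain_minutes(incidents),
        "blast_radius_incidents": blast_radius_incidents(incidents),
        "friction_rate": friction_rate(requests),
    }
```

Run the scorecard on each reporting period and compare the numbers over time: progress is the ratios and minutes falling, not the number of controls rising.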

Keep Moving: Zero Trust as a Long Game

Zero trust is only effective when it’s treated as a living discipline rather than a completed project. Getting it right doesn’t mean deploying the most tools or writing the most policies—it’s building ongoing visibility, containing exposure and making secure access the path of least resistance for the people doing the actual work.

The rules of the game keep changing. As agentic AI expands the definition of “who” is accessing systems and as attack surfaces continue to evolve, the zero trust frameworks of today will need to adapt accordingly. Leaders who build cultures of continuous improvement now—measuring outcomes, reducing friction and staying focused on real risk reduction—will be far better positioned to meet whatever threats come next.

Category: Cybersecurity

Copied to clipboard.