No Trust Podcast: Navigating the Zero Trust Landscape in 2026 with Chase Cunningham
John Spiegel
2/3/2026, 7 min read
No Trust Podcast: Zero Trust in 2026 — From Hype to Hard Truths
The first No Trust Podcast of 2026 set the tone for the year ahead: fewer buzzwords, fewer shortcuts, and far more accountability.
In this episode, Jaye and John welcome back Chase Cunningham for a wide-ranging, brutally honest conversation on where Zero Trust actually stands today — what worked, what stalled, and what still needs to change if organizations want real outcomes instead of better slide decks.
What follows isn’t a vendor pitch or a maturity-model checklist. It’s a reality check.
The Zero Trust Hype Cycle Is (Mostly) Over
Zero Trust has spent years riding a massive hype wave — conference buses, endless rebranding, and more “ZT-aligned” products than anyone could reasonably evaluate.
According to Chase, that phase is finally giving way to something more useful.
We’ve crossed the chasm.
That doesn’t mean Zero Trust is “done.” It means the conversation has shifted from marketing slogans to operational reality.
Internationally, that shift is becoming increasingly visible. Organizations across Japan, Europe, and Latin America aren’t asking what Zero Trust is anymore — they’re asking how far along they really are. And the answer, almost universally, is: earlier than they thought, but further than they feared.
Progress exists — especially around identity and access management — but progress doesn’t equal completion.
And that distinction matters.
The Myth of “We’ve Done Zero Trust”
One of the most common failure modes discussed in the episode is the idea that Zero Trust is a project you can finish.
Many organizations point to MFA rollouts, SSO adoption, or federated identity and confidently declare victory.
That’s not wrong — but it’s not sufficient.
Identity is a critical pillar, not the entire structure. Treating it as the finish line creates a dangerous illusion of completion that drains momentum just when the hard work should begin.
As John points out, this isn’t a project problem — it’s a leadership problem.
Projects end. Strategies don’t.
Zero Trust only works when leadership frames it as a continuous execution model, not a checkbox initiative with a celebratory close-out slide.
Why Momentum Dies (and How to Keep It Alive)
Organizations don’t usually fail at Zero Trust because they made bad early decisions.
They fail because they run out of steam.
Quick wins feel good. They create momentum. But when leadership oversells those wins as “mission accomplished,” teams lose the mandate — and the energy — to keep going.
Chase uses a simple analogy: physical health.
You don’t stop exercising because your last checkup looked good. You keep going because stopping reverses progress.
Zero Trust works the same way.
The uncomfortable truth is that real Zero Trust timelines are measured in years, not quarters. When leadership isn’t honest about that from day one, trust erodes internally long before it fails externally.
Incentives Are Broken — and That’s a Bigger Problem Than Technology
One of the strongest segments of the conversation focused on incentives — or more accurately, the lack of meaningful ones.
Right now, cybersecurity is still largely treated as a punitive cost center. Fines are small. Insurance absorbs pain. Breaches become budget line items.
That model doesn’t change behavior.
Chase argues that incentives — not punishment — are the lever that actually drives adoption. His proposed example is a cyber tax credit: reward organizations that fix known vulnerabilities instead of fining them after failure.
It’s the difference between carrots and sticks — and history shows carrots scale better.
Small and mid-sized businesses already understand this intuitively. For them, failure isn’t a fine — it’s existential. Large enterprises haven’t felt that pressure yet, which explains why progress is uneven.
Culture Isn’t the Answer (and Never Was)
One of the most provocative moments in the episode comes when the conversation turns to “security culture.”
Chase doesn’t mince words.
Security culture is often a distraction — and sometimes an excuse.
When security is designed properly, users shouldn’t feel it. They authenticate, they work, and the rest happens behind the scenes. Turning security into a cultural crusade usually just means more training, more friction, and more resentment.
People aren’t hired to “love security.” They’re hired to do their jobs.
Good security design reduces the need for culture change by removing unnecessary burden from users entirely.
Metrics That Actually Matter
Dashboards are everywhere. KPIs are endless. And yet boards still struggle to understand whether their organizations are safer than they were last year.
The episode makes a clear case for simplicity.
The only metric that truly matters is whether you can withstand a real attack — and recover.
Red team outcomes. Recovery time. Resilience under pressure.
Everything else is supporting data.
If your metrics don’t map back to survivability, they’re noise.
AI: Removing Excuses on Both Sides
AI shows up repeatedly in the discussion — not as a magic solution, but as an accountability accelerant.
For defenders, AI removes the last valid excuse for ignorance. Anyone can ask for explanations, models, or strategic framing in plain language. “I’m not technical” no longer holds.
For attackers, AI lowers the barrier to scale, automation, and experimentation.
The net effect is pressure — on executives, on boards, and on security leaders — to actually understand what they’re approving and funding.
In 2026, preparation matters more because ignorance is easier to detect.
Zero Trust Is Becoming the Default — Quietly
Whether organizations call it Zero Trust or not is increasingly irrelevant.
The strategy is becoming table stakes simply because the old perimeter model keeps failing.
Over time, larger enterprises will impose their security expectations on smaller partners. The market will enforce standards where regulation lags.
Zero Trust doesn’t need better branding. It needs consistent execution.
And as technical debt comes due, legacy environments will feel the pressure first.
One Piece of Advice for 2026
When asked for a single piece of advice, Chase keeps it simple:
If you’re not willing to operate this 24/7 — or let someone test you honestly — you’re not ready.
Zero Trust isn’t about perfection. It’s about commitment.
And commitment starts with leadership that’s willing to be uncomfortable long enough to get it right.
Final Thought
This episode doesn’t promise easy wins or overnight transformation.
What it offers instead is clarity.
Zero Trust in 2026 isn’t hype. It’s hard, it’s ongoing, and it’s necessary. And for organizations willing to treat it as a strategy instead of a slogan, the path forward is finally becoming visible.
Listen to the podcast here - https://on.soundcloud.com/lUbY3FyhS2qj9qMq5z
No Trust Podcast – Clean Transcript
Opening
Jaye:
Welcome to another episode of the No Trust Podcast. This is our first recording of 2026, and there’s no better way to start the year than welcoming back a friend of the show, Chase Cunningham. Today we’re talking about where Zero Trust really stands, what worked in 2025, and what the year ahead looks like.
Chase, before we dive in, how did 2025 look from your perspective?
2025: Global Adoption and Reality Checks
Chase:
2025 was eye-opening for me, particularly in terms of international adoption of Zero Trust strategy. I traveled to 14 countries last year — Germany, Japan, Taiwan, Colombia, Mexico — and what stood out was how seriously organizations are engaging with this now.
There’s a perception outside the US that America has “solved” Zero Trust. That’s not true. We’ve marketed it better, but we’re not fundamentally ahead. What we have done is make progress — especially around identity — and that’s encouraging globally.
Most organizations I spoke with are early in maturity, often focused on identity and access management. That’s good progress. Progress is progress. But no one has “finished” Zero Trust.
The Zero Trust Hype Cycle
John:
It feels like Zero Trust has been on a hype cycle for a long time. Where do you think we are now?
Chase:
We’ve crossed the chasm. The hype phase — the buses, the branding — that’s largely behind us. Now we’re in the practical phase.
What’s changed is the conversation. Organizations are asking, “Where are we actually?” instead of “What is Zero Trust?” That’s a big shift.
The Myth of “We’re Done”
Jaye:
A lot of organizations say, “We’ve done Zero Trust.” Where do you see that falling apart?
Chase:
Most of the time, they’ve done identity well — MFA, SSO, federated identity — and that’s important. But that’s one pillar.
The problem is psychological. People feel like they climbed the mountain, and then someone tells them there’s more climbing to do. That’s discouraging.
But Zero Trust isn’t a destination. It’s a method. Identity is a starting point, not the finish line.
Momentum, Leadership, and the “Project” Trap
Jaye:
We see a lot of organizations lose momentum after early wins. Is that something you see?
John:
Absolutely. It’s a leadership problem. Zero Trust isn’t a project — it’s a strategy. Projects end. Strategies don’t.
When leaders frame this as a project, teams run out of steam because they think there’s a finish line.
Chase:
I compare it to physical health. You don’t stop exercising because your doctor says you’re healthier now. You keep going, or you regress.
Zero Trust works the same way. And people need to be honest about timelines. If someone says they want to be “Zero Trust aligned” in nine months, that’s not realistic. Two to three years is a minimum.
Incentives Are Broken
Jaye:
Where do incentives work against Zero Trust?
Chase:
They’re misaligned. Security is still treated as punitive, but there’s no real punishment. Large companies budget for breaches and insurance absorbs the pain.
That doesn’t change behavior.
Incentives work better than fines. A cyber tax credit — rewarding organizations for fixing known vulnerabilities — would change behavior overnight.
Carrots scale. Sticks just numb people.
Culture vs. Design
Jaye:
Is Zero Trust more of a cultural challenge or a technology challenge?
Chase:
Honestly, I hate the “security culture” conversation. If security is designed correctly, users shouldn’t feel it.
Culture becomes a crutch when technology fails. We tell people to “care more” instead of designing systems that just work.
People aren’t hired to love security. They’re hired to do their jobs.
Metrics That Matter
Jaye:
What metrics actually demonstrate Zero Trust progress to a board?
Chase:
One metric: can you withstand an attack?
Red team outcomes. Recovery. Survivability.
Everything else is noise. Dashboards are for operators. Boards care about resilience.
AI Changes Accountability
John:
AI keeps coming up everywhere. How does it change Zero Trust?
Chase:
AI removes excuses. No one can say, “I don’t understand this” anymore. You can ask an AI to explain anything at any level.
That increases accountability — for executives, boards, and security leaders.
On the attacker side, it’s going to get worse. Automation, poisoning, and scale are coming fast.
But overall, AI makes Zero Trust more achievable — and more necessary.
Is Zero Trust Now Table Stakes?
Jaye:
Is Zero Trust becoming table stakes?
Chase:
Yes — whether people call it that or not.
The old perimeter model keeps failing. Organizations will move toward what works. Over time, larger enterprises will impose these expectations on partners.
Call it whatever you want. Just do the strategy correctly.
One Piece of Advice for 2026
Jaye:
If someone is starting Zero Trust in 2026, what’s your one piece of advice?
Chase:
Be honest. Are you willing to operate this 24/7? And are you willing to let someone attack you and see how you perform?
If the answer is no, you’re not ready.
John:
And it has to start with leadership. If you think this is a one-and-done project, step aside. It won’t work otherwise.
Closing
Jaye:
It’s clear we’re moving in the right direction — but progress requires commitment. Thanks again, Chase, for the honesty and insight. It’s always a great conversation.
End of Transcript
