Zero Trust Is Not a Product. It’s an Operating Model
Jaye Tillson
1/23/2026, 4 min read
If you spend enough time talking about Zero Trust, as we do, you will start to see a pattern emerge.
It does not matter whether you are in a boardroom talking to executives, talking to people in a SOC, standing on a factory floor, or recording a podcast. The same frustrations come up again and again. Organizations want Zero Trust to be something they can buy, deploy, and move on from. Vendors are often happy to encourage that idea. Practitioners know it never works out that way.
This is something we talk about constantly at the Zero Trust Forum and on the No Trust podcast. The gap between how Zero Trust is marketed and how it actually shows up in the real world is still wide. That is why Gartner’s latest research, “How to build a Zero Trust Architecture”, resonates so strongly (the link is here, and yes, it is behind their paywall: https://www.gartner.com/document-reader/document/6060163). It validates what many of us have been seeing and hearing for years.
Zero Trust is not a product. It is not even a single architecture. It is an operating model for how access decisions are made, enforced, monitored, and adjusted over time.
Or, to borrow Gartner’s simplest explanation, it is about securely connecting subjects to objects. Everything else flows from that.
What people in the field are really struggling with
Across the Zero Trust Forum community and through conversations on the No Trust podcast, a consistent theme comes up again and again. Most organizations did not fail at Zero Trust because they chose the wrong tools. They failed because they never agreed on what problem they were trying to solve.
Many started with remote access. Some started with micro segmentation. Others started with identity. Very few stepped back and asked how trust decisions should work across the organization as a whole.
Gartner calls this out directly. Deploying controls without defining a clear Zero Trust strategy almost always leads to complexity, friction, and disappointment. This mirrors what we hear from practitioners who are a year or two into their journey and already exhausted by exceptions, workarounds, and user complaints.
Zero Trust only works when it is aligned with business outcomes and deployed iteratively. That line could have come straight from one of our podcast episodes.
Identity is where the theory meets reality
One of the most frequent topics on the No Trust podcast is identity. Not identity as a technology, but identity as an operating discipline.
Gartner’s research reinforces this point. Most organizations still do not have a clear understanding of who should have access to what. Roles are loosely defined. Entitlements accumulate over time. Privileged access quietly spreads.
When guests talk about Zero Trust stalling, identity is almost always at the root of the problem.
Continuous Adaptive Trust is a concept Gartner uses to describe what many practitioners are already trying to do. Reduce friction for low-risk access. Increase assurance for high-risk access. Adjust dynamically as context changes.
This aligns perfectly with what we hear from security teams trying to balance user experience with risk reduction. Zero Trust should not feel like security saying no more often. It should feel like security saying yes with confidence.
Applications first, not networks
Another strong alignment between Gartner’s guidance and real-world experience is the emphasis on applications.
Some of the most productive discussions happen when teams stop talking about networks and start talking about applications. What data does this app hold? Who really needs access? What happens if it is compromised?
Gartner’s insistence on building an application catalog may sound unglamorous, but it is foundational. Many organizations only discover the true scale of their application sprawl when they try to apply Zero Trust principles. Shadow SaaS, legacy systems, user-built tools, all suddenly matter.
This is echoed repeatedly by podcast guests who describe Zero Trust as a forcing function for visibility. You cannot protect what you cannot see. You cannot apply least privilege to something you do not know exists.
Once applications are understood, Zero Trust stops being abstract. Access policies become tangible. Logging becomes purposeful. Encryption decisions are tied to data value rather than blanket rules.
ZTNA is important, but it is not the destination
ZTNA comes up in almost every Zero Trust conversation, and for good reason. It is one of the clearest examples of Zero Trust principles applied in practice.
However, we often hear people challenge the idea that ZTNA equals Zero Trust. Gartner is very clear here. ZTNA is a policy enforcement mechanism, not the strategy itself.
Used well, ZTNA reduces attack surface, limits lateral movement, and replaces broad network access with precise application access. Used poorly, it becomes a VPN with a new badge.
What is encouraging is Gartner’s view that ZTNA is evolving beyond remote access. Universal ZTNA, where access decisions are consistent whether users are on-prem or remote, aligns strongly with what we hear from organizations trying to simplify their operating model.
Segmentation and the assumption of failure
One of the most grounded parts of Gartner’s research is its treatment of segmentation. This is an area where theory often collides with operational reality.
The Titanic analogy resonates because it reflects how experienced practitioners think. Breaches will happen. The goal is not perfection. It is containment.
Macro segmentation first. Micro segmentation, where it makes business sense. Protect what matters most. This mirrors the advice shared by many Zero Trust Forum guests who have learned the hard way that trying to segment everything at once rarely succeeds.
Zero Trust is not about eliminating risk. It is about limiting the blast radius.
Monitoring, analytics, and why Zero Trust never ends
A recurring theme on the No Trust podcast is that Zero Trust does not end at access. Gartner reinforces this strongly.
Assume you are breachable. Monitor continuously. Detect anomalies. Remove threat actors when they appear. This is where UEBA, NDR, and threat intelligence move from buzzwords to essential capabilities.
Several podcast guests have described Zero Trust as a feedback loop. Context informs access. Behavior informs trust. Trust decisions change as conditions change.
Automation is what makes this sustainable. Without it, Zero Trust becomes operationally overwhelming. With it, Zero Trust becomes part of how the organization functions rather than a special project run by a small team.
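To make the Continuous Adaptive Trust idea from the identity section and the feedback loop described just above concrete, here is a small policy decision point written for this article. It is an added illustration, not code from Gartner or from the Zero Trust Forum: the signal weights, the per-tier trust thresholds, the application catalog entries, and the anomaly scores are all constructed values chosen to show the mechanics. Trust is scored from context (MFA, device posture, location), compared with the assurance the application's data sensitivity demands, and discounted by an anomaly score that monitoring pushes back into the engine, so the same subject gets allow, step-up, or deny depending on the object and on what behavior analytics has reported since the last decision.

```python
"""Adaptive access decision point: illustrative example, not the article's code."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # low friction: let the request through
    STEP_UP = "step_up"    # raise assurance: require MFA or re-authentication
    DENY = "deny"          # context cannot reach the assurance this object needs


@dataclass(frozen=True)
class Application:
    """One entry of the application catalog (the object in subject-to-object access)."""
    name: str
    sensitivity: int  # constructed tiers: 1 = low, 2 = internal, 3 = regulated/high


@dataclass(frozen=True)
class Context:
    """Signals about the subject at decision time; every field is a constructed sample."""
    subject: str
    mfa_used: bool
    device_managed: bool
    device_compliant: bool
    known_location: bool


class AdaptiveTrustEngine:
    """Scores trust from context, compares it with what the application demands,
    and lets behavioral analytics (UEBA/NDR) feed back into later decisions."""

    # Trust required per sensitivity tier; thresholds are illustrative assumptions.
    REQUIRED = {1: 0.30, 2: 0.60, 3: 0.85}
    MFA_WEIGHT = 0.35  # how much a successful step-up would add

    def __init__(self) -> None:
        # Per-subject anomaly score from monitoring: 0.0 = normal, 1.0 = hostile.
        self._anomaly: dict[str, float] = {}

    def _discount(self, subject: str) -> float:
        return 1.0 - self._anomaly.get(subject, 0.0)

    def trust_score(self, ctx: Context) -> float:
        """Static context signals, then 'behavior informs trust' as a discount."""
        score = 0.0
        score += self.MFA_WEIGHT if ctx.mfa_used else 0.0
        score += 0.25 if ctx.device_managed else 0.0
        score += 0.20 if ctx.device_compliant else 0.0
        score += 0.20 if ctx.known_location else 0.0
        return round(score * self._discount(ctx.subject), 3)

    def decide(self, ctx: Context, app: Application) -> Decision:
        need = self.REQUIRED[app.sensitivity]
        have = self.trust_score(ctx)
        if have >= need:
            return Decision.ALLOW
        # Step-up is only offered when stronger authentication can close the gap.
        if not ctx.mfa_used and have + self.MFA_WEIGHT * self._discount(ctx.subject) >= need:
            return Decision.STEP_UP
        return Decision.DENY

    def report_anomaly(self, subject: str, score: float) -> None:
        """Feedback loop: analytics pushes a 0..1 anomaly score for a subject."""
        self._anomaly[subject] = max(0.0, min(1.0, score))


def demo() -> dict[str, str]:
    """Runs constructed scenarios and returns the decisions keyed by scenario name."""
    engine = AdaptiveTrustEngine()
    hr_system = Application("hr-payroll", sensitivity=3)
    wiki = Application("internal-wiki", sensitivity=2)
    alice = Context("alice", mfa_used=True, device_managed=True,
                    device_compliant=True, known_location=True)
    bob = Context("bob", mfa_used=False, device_managed=True,
                  device_compliant=True, known_location=True)
    results = {
        "alice_hr": engine.decide(alice, hr_system).value,   # strong context: allow
        "bob_hr": engine.decide(bob, hr_system).value,       # no MFA yet: step up
        "bob_wiki": engine.decide(bob, wiki).value,          # lower tier: allow
    }
    # Monitoring reports unusual behavior for alice; the next decision reflects it.
    engine.report_anomaly("alice", 0.5)
    results["alice_hr_after_anomaly"] = engine.decide(alice, hr_system).value
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The point the example makes is the one the article keeps returning to: the decision is not "is this user on the network" but "does this subject's current context, adjusted for what we have observed since, justify this object". Swapping the weights or thresholds is a policy change, not an architecture change, which is what makes the model sustainable once the inputs are automated.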
Why this matters
What stands out about Gartner’s paper is how closely it mirrors what practitioners are already saying when given space to be honest.
Zero Trust is hard. It takes time. It requires cultural change. It creates tension around access and privilege. None of that is a failure. It is the work.
At the Zero Trust Forum and on the No Trust podcast, the most successful stories are not about perfect architectures. They are about progress. Clear intent. Better decisions. Reduced blast radius. Fewer blind assumptions.
Zero Trust is not about trusting nothing. It is about understanding trust, measuring it continuously, and granting it deliberately.
That is not a product. It is an operating model.
