All writing
Zero Trust

Zero Trust Is an Identity Problem

Strip away the marketing and Zero Trust reduces to a single discipline: making access decisions per-request, based on verified identity and context. Everything else is plumbing.

7 April 2026·3 min read·Aditi Shah

Zero Trust has been thoroughly diluted by vendors who attach the label to whatever they were already selling. But underneath the noise is a genuinely useful principle, and for those of us in identity it is unambiguous: Zero Trust is the practice of making every access decision explicitly, per-request, on the basis of verified identity and current context — never on the basis of network location. "Inside the firewall" stops meaning "trusted." Identity becomes the control plane.

Try it

Want to feel how a per-request decision actually works? Play with my Zero-Trust Decision Simulator — change the device, network, MFA and privilege and watch the verdict flip between allow, step-up and deny in real time.

The perimeter didn't disappear — it moved to identity

For decades, network position was a proxy for trust: get inside the corporate network and you were implicitly authorised. Cloud, SaaS, remote work, and supply-chain attacks demolished that assumption. The new perimeter is drawn around each identity and each resource, enforced at the point of access. This is why identity teams have quietly become the centre of gravity for Zero Trust programmes — we own the control plane everyone else now depends on.

The anatomy of a per-request decision

A Zero Trust access decision combines several signals at the moment of the request:

  • Who — a strongly authenticated identity, ideally with phishing-resistant MFA.
  • What — the specific resource and the sensitivity of the action.
  • Context — device posture, location, time, and behavioural risk signals.
  • Entitlement — does this identity actually have authorised, least-privilege access to this resource?

The decision is made by a policy engine and enforced at a policy enforcement point in front of the resource. Critically, it is re-evaluated continuously, not once at login. Trust is a state that can be revoked mid-session when context changes.

Practitioner's caution

Zero Trust is a destination, not a project with an end date. Anyone selling you "Zero Trust in a box" is selling you a component. The architecture is the integration of identity, device, network, and data controls around per-request decisions — and you assemble it incrementally.

Why least privilege is the prerequisite, not a nice-to-have

You cannot make a good per-request authorisation decision if everyone has access to everything. Zero Trust authentication on top of over-provisioned access just means attackers need a valid session to reach the same sprawling permissions. The unglamorous IGA work — least privilege, role hygiene, just-in-time elevation, ruthless de-provisioning — is what makes Zero Trust meaningful. Strong authentication guards the door; least privilege determines how much damage someone does once through it.

Start where the leverage is

Boiling the ocean fails. I start Zero Trust programmes at the intersection of highest value and highest exposure: privileged access to crown-jewel systems. Put those behind strong, contextual, continuously-evaluated, least-privilege access first. Prove the model, build the muscle, then extend the pattern outward to the broader application estate. The identity team that owns this well doesn't just enable Zero Trust — it becomes indispensable to it.

Zero TrustIdentityArchitectureAccess Control
Aditi Shah
Aditi Shah
Cybersecurity & IAM Specialist, Melbourne — 12+ years across regulated finance, government & telecom. About →

Looking for an IAM lead who thinks this way?

I help regulated enterprises govern identity at scale — from SailPoint to PAM to audit.

Get in touch