When former Forrester analyst John Kindervag first created the zero trust cybersecurity model in 2009, the core idea was simple: Don’t trust anything inside the firewall.
But nearly two decades later, the concept of zero trust has evolved as remote working and novel threats such as AI expand the surface for attack. It is with this in mind that the US National Security Agency (NSA) has released Phase One and Phase Two of its Zero Trust Implementation Guidelines.
The guidelines cover what’s needed to achieve the US Department of War’s (formerly Department of Defense) targets for zero trust maturity. This is mandatory for US-based organizations in critical sectors but in the face of modern threats, its principles apply to the UK and beyond too.
So, what do the guidelines say and how can firms ensure their own zero trust model is set up to mitigate today’s evolving threats?
A very modern security model
Nearly 80% of detections in CrowdStrike’s 2025 Global Threat Report were malware-free, demonstrating that attackers increasingly exploit stolen credentials, social engineering and privilege misuse, rather than perimeter vulnerabilities.
As hybrid, multi-cloud and AI-enabled infrastructures expand, every user, device and non-human account represents “a potential entry point”, says Darren Guccione, CEO and co-founder of Keeper Security.
Yet it is the non-human “users” that pose the most pressing threat, according to experts. “AI agents, automated workflows, and machine-to-machine API calls are becoming a significant share of network traffic, and these non-human entities need to be governed under zero trust principles as well,” says Tom Vazdar, professor of cybersecurity and AI at OPIT – Open Institute of Technology. “That is a dimension the original concept never anticipated, and it represents the next major frontier for the framework.”
The most important evolution in the zero trust mindset is happening “right now”, according to Vazdar. In 2026, there is a shift from verifying identity to verifying intent, he says. “Traditional zero trust asks, ‘can you prove who you are?’. That is necessary, but no longer sufficient. Credentials can be stolen, biometrics get deepfaked and devices get compromised.”
But user behavior cannot be easily counterfeited at scale, he says. For example, the way a legitimate user navigates an application, the rhythm of their keystrokes and their decision-making patterns. “Modern zero trust must incorporate continuous behavioural verification throughout entire sessions, rather than just a one-time check at the door.”
The NSA’s guidelines
The NSA’s Zero Trust Implementation guidelines reinforce a structured maturity model built around five pillars: Identity, devices, networks, applications and data. “The emphasis is on measurable progress, continuous monitoring and enforceable access controls,” says Guccione.
Identity governance is positioned as foundational. “Without consistent multi-factor authentication (MFA), strong privileged access management (PAM) and comprehensive audit logging, organizations cannot achieve meaningful zero-trust maturity,” Guccione explains.
The practical guidelines organize 152 distinct zero trust activities into five phases: AaDiscovery phase for establishing baseline visibility, followed by Phase One, consisting of 36 activities supporting 30 capabilities. Phase Two comprises 41 activities supporting 34 capabilities for reaching target-level maturity, while two future advanced phases are yet to be published.
To reach the target level maturity by the fiscal year 2027 deadline, organizations in the report’s scope must successfully shift from “a perimeter-based defense” to “a model of continuous, context-aware verification”, says Mike Driscoll, senior managing director in the cybersecurity practice at FTI Consulting.
This involves moving “beyond simple login checks” to “a state where every access request, whether for a user, device, or application, is authenticated and authorized in real-time, based on data-centric policies and automated threat analytics”, he says.
Zero trust challenges in 2026
While many firms have already moved to zero trust models, for some it may be a leap to reach the level of maturity outlined by the NSA.
The move can present several challenges. Legacy infrastructure is “the most persistent obstacle”, according to Vazdar. “Many critical business systems were designed for implicit trust. They lack modern authentication mechanisms or APIs that integrate with contemporary identity platforms. Retrofitting zero trust onto these systems without breaking operations requires careful phasing and compensating controls.”
Widespread skill gaps compound the problem. Implementing zero trust across the NSA’s seven pillars demands expertise in identity management, network architecture, data classification, application security and increasingly, AI and automation, says Vazdar.
At the same time, firms often underestimate the user friction they will face. “Zero trust inherently means more verification,” adds Vazdar. ”If this creates excessive friction, users find workarounds, which can actively undermine your security posture.”
There can also be logistical issues. Firms cannot simply “pause operations” to “rebuild their entire IT architecture around zero trust”, says Paulo Cardoso do Amaral, author of Business Warfare, strategist and expert in competitive intelligence. “Transformation must occur while systems remain in production. This creates tension between operational continuity and architectural change.”
Benefits to everyone
However, experts say the effort of moving to zero trust will benefit all businesses, regardless of size.
Every organization benefits from verifying explicitly, enforcing least-privilege access and assuming breach, says Vazdar. “These are sound security fundamentals that improve posture, regardless of size or sector.”
However, the implementation depth must match the context. A multinational bank will execute zero trust very differently from a 200-person manufacturer. “The NSA’s 152 activities across five phases are designed for defense and critical infrastructure, and not every organization needs that level of granularity,” Vazdar points out.
Larger organizations typically have the scale and risk exposure that justify full zero trust programs. Meanwhile, smaller organizations may not implement a complete architecture themselves, but can still benefit through cloud and managed service providers that embed zero trust principles into their platforms, says Cardoso do Amaral.
Over time, packaged and simplified solutions will continue to make zero trust more accessible to smaller firms, he predicts.
Evolving to modern zero trust
Moving to zero trust might seem complex, but there are a few steps you can take to ensure you get the best results from the approach.
The first priority is discovery, says Vazdar. “Before deploying any new technology, organizations need complete visibility into their environment: What data they hold, where it lives, who accesses it, what applications process it, and what devices connect to the network. The NSA formalised this as the mandatory first phase for good reason.”
The second priority is identity and access management, says Vazdar. “Compromised credentials remain the primary attack vector globally. Organizations should deploy phishing-resistant MFA across all critical systems, enforce least-privilege access rigorously, and start moving towards continuous authentication, with verification throughout the entire session.”
Firms must also ensure they are phasing their zero trust implementation around risk. “Attempting a comprehensive zero trust transformation overnight leads to implementation failure and user resistance,” says Vazdar. “Start with the crown jewels, the most critical data and systems, and expand outward.”
