Zero Trust is the security model nobody argues against, but one that many organizations leave unfinished. In this case, unfinished means adopted in principle, but not properly matured into a working architecture.
That split shows up clearly in the data. Almost every organization reached the starting line. In StrongDM’s State of Zero Trust Security in the Cloud survey of 600 security professionals, published in January 2025, 81% of organizations claimed to have implemented Zero Trust in full or in part. But far fewer reached maturity, with only 30% running a unified solution, rather than a patchwork of disconnected tools. This is the critical difference between adopting the idea and operating the architecture.
For years, organizations could live with that gap between intent and execution. AI is making it dangerous to leave open.
Adoption Is Not Maturity
The gaps aren’t only in the tooling. In the same survey by StrongDM, almost half of organizations struggled with fragmented policies across multi-cloud environments, and while 89% were applying or building Zero Trust for database security, only 43% had strong measures in place.
The gap is where teams encounter difficulties. Forrester, the firm that coined the term, is blunt that Zero Trust is a strategy, not a product, and that teams get stuck on a complex technology landscape and organizational alignment, rather than on the idea itself. CISA’s Zero Trust Maturity Model exists for the same reason. It maps a journey from Traditional through Initial and Advanced to Optimal, where automation and continuous verification only become real in the later stages.
Most organizations, in other words, have the strategy on paper. Far fewer have the architecture to back this up.
AI Raises The Cost Of Waiting
The widespread access to AI is what turns a gap into a risk. Organizations that were slow to move away from traditional firewall and VPN architectures are accelerating now, and it’s their own AI rollout forcing the move.
Yaroslav Rosomakho, Zscaler’s chief scientist, told Expert Insights in an interview at Zenith Live, featured on the Expert Insights podcast, that security leaders can see their AI being tricked, abused through prompt injection, or simply malfunctioning, and they want guardrails around it. “We see a massive acceleration of interest in zero trust driven by AI use cases,” he explained. AI is doing what a decade of best-practice advice could not. It is making Zero Trust hard to defer.
Why The Gap Is So Hard To Close
We all know that there is a gap, and we all know that something has to be done about it. But the difficultly really presents itself when organizations try to implement the changes. With sprawling estates of users, devices and workloads, implementation of Zero Trust has to be targeted, specific, and accurate. The introduction of AI in recent years only raises the stakes. The burden of doing all this lands with the CISO.
The hold-up isn’t convincing anyone. It’s doing the work, and the work runs into people and process, not just technology.
Speaking to Expert Insights in the same podcast conversation, Swamy Kocherlakota, Zscaler’s EVP of agentic AI security engineering, argues that principles like least privilege and role-based access control existed in enterprises for years, but were never truly enforceable. “Zero trust is the one where you can take a philosophy and a principle and actually turn it into an architecture and an implementation,” he told Expert Insights.
The hard part was never the concept. It was making the concept real across a sprawling estate of users, devices, and workloads. AI raises the stakes on getting that right, and it lands on the CISO at an awkward moment.
As Kocherlakota describes it, security leaders are squeezed between a board demanding AI-driven revenue and productivity, and employees who already use tools like ChatGPT and Perplexity in their personal lives, expecting to use them at work. The job shifts from gatekeeper to enabler. The CISO becomes, in Kocherlakota’s words, a protector of business growth, the person who lets AI be deployed while keeping it safe.
That reframing matters. There is no zero risk, only calculated risk supported by the right controls. Zero Trust is how you earn the right to say yes to AI without losing control of it.
The Constant Through Every Disruption
Zero Trust endures because it is an approach, a philosophy, that can be applied to any technological shifts, no matter their nature. It doesn’t matter what the new technology is doing, so long as Zero Trust demands that we don’t presume trust. This will keep users and organizations safe throughout technological advances. Authentication and authorization for every workflow, inspection, least privilege, a smaller attack surface.
“Time and again, following zero trust principles is what helps us, and will keep helping us,” Rosomakho told Expert Insights. The next wave is already visible, with Gartner predicting that by 2028, half of organizations will adopt zero-trust data governance as unverified AI-generated data floods their environments.
Zero Trust is now being applied in more contexts than ever before; to the data and identities that AI runs on, where continuous verification is becoming the baseline.
Done properly, Zero Trust won’t stop every attack, but it limits the damage when one gets through, and gives security leaders the confidence to keep saying yes to the technology their business depends on.