Top zero-trust use cases in the enterprise

When applied correctly, zero trust can minimize an organization's attack surface. Experts weigh in on the best use cases where zero trust can deliver results.

Most organizations have embraced zero trust, but many are early in their adoption journey. Yet with the rising volume, velocity and sophistication of attacks, security teams are under pressure to accelerate those journeys.

"We're definitely seeing higher rates of adoption today than one or two years ago," said Jimmy Nilsson, vice president of professional services at Kyndryl, a security consulting firm.

Zscaler's ThreatLabz 2026 VPN Risk Report found that 84% of surveyed organizations had implemented or were planning to implement zero trust, up from 81% the prior year and 78% the year before that.

Those figures, however, tell only part of the story. Researchers, security advisers and others in the field say enterprise security teams have just begun to take advantage of what zero trust can do to counter the many threats they face.

Let's examine what zero trust is capable of and the specific use cases where it can be put to work.

Zero trust's capabilities

Cybersecurity professionals view zero trust as an approach, a framework, a philosophy and a security model. Mike Monday, managing director of security and privacy at global business consulting firm Protiviti, called it an "engineering strategy."

Zero trust is built on the idea that no user, device, system, workload or network segment -- even if it sits within an enterprise perimeter -- should be inherently trusted. Instead, the zero-trust security model requires entities to be authenticated and verified before they can access resources. Every access request must be authenticated, authorized and continuously validated based on identity, device health, context and risk signals.

"That whole authentication has to happen through that end-to-end process," Monday explained.

By removing inherent trust and adding authentication requirements and continuous validation, zero trust helps ensure that only authorized, authenticated entities are permitted access to an organization's IT environment and the data it holds. It also helps contain entities that do gain access, such as threat actors, by preventing unauthorized entities from moving freely throughout the environment.

John Kindervag introduced the zero-trust security model in 2010 while he was an analyst at Forrester Research. He and other early advocates championed zero trust as a necessary replacement for the traditional castle-and-moat security model, which by default extends trust to anything within the corporate environment. Such a hard-perimeter, soft-interior model relies on firewalls. In an era when cloud computing and other technologies were quickly eliminating the perimeter, this approach provided inadequate protection against threat actors.

A zero-trust environment requires a combination of security technologies and IT architecture patterns and principles. These technologies include identity and access management, MFA, zero-trust network access (ZTNA) and endpoint detection and response tools. Key enabling IT architecture patterns include microsegmentation and microperimeters.

"Zero trust is a journey. It's a way of leveraging various technologies to address a specific problem, which is securing networks and securing data," said Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group.

Key use cases for zero trust

An organization can apply zero-trust principles in a variety of ways. Key use cases include the following:

  • Employees working on-site. Zero trust ensures on-site workers access only the systems and data necessary to perform their jobs at the time they need that access. This limits the risks posed by insider threats.
  • Remote workers. With zero trust, remote workers access only the systems and data they are authorized to access when that access is required. They do so from devices and networks that are secure through contextual security enabled by ZTNA and other measures.
  • Third parties. Zero trust can be applied to third parties outside the organization, such as contractors, partners and customers. Strictly controlled access for them reduces the risk of unwanted, unintended exposure and third party-related data breaches.
  • System-to-system or machine-to-machine access. These require continuous authentication for every request, and zero trust adds protection through the use of microsegmentation. This zero-trust use case helps prevent lateral movement by entities and ensures that if one service or device is compromised, attackers cannot automatically access other parts of the environment.
  • Endpoints and remote devices. In this use case, which includes operational and IoT technologies, zero trust requires that devices be authenticated and validated before they are permitted to access networks, systems and data.
  • Access to APIs. Zero trust can be used for strict, continuous authentication and authorization for every API request, regardless of origin. This design is meant to permit legitimate access while preventing lateral movement by unauthorized entities. The result is a minimized blast radius in the event of an unauthorized entry somewhere in the environment.
  • Data. Zero trust can help protect data in the era of generative AI and large language models by authenticating and verifying AI identities and roles before granting them access to data they are authorized to use. Gartner has predicted that 50% of organizations will implement a zero-trust posture for data governance by 2028. This is increasingly relevant as unverified AI-generated data proliferates.
  • AI agents. Organizations that apply zero trust to AI agents deny trust by default. Instead, agents are assigned individual identities, which enables each to be tracked. Zero trust prevents agents from sharing credentials, and agents are subject to continuous authentication and task-based permissions, as well as behavioral and semantic analysis.
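As an added example (not from the article or the experts quoted in it), here is the per-request evaluation described in the capabilities section and in the use-case list, written as a small policy decision function: deny by default, identity plus device health plus risk signals on every request, a microsegmentation allowlist for service-to-service calls, and task-scoped permissions for an AI agent with its own identity. The principals, resources, allowlist and risk thresholds are constructed for illustration.

```python
"""Per-request zero-trust policy decision (constructed example)."""
from dataclasses import dataclass, field

# Constructed allowlist: (principal, resource, action). Anything not listed
# is unreachable, which is the deny-by-default posture the article describes.
ALLOW = {
    ("alice", "hr-db", "read"),               # on-site employee, least privilege
    ("svc-orders", "svc-payments", "call"),   # microsegment: only this hop is permitted
    ("agent-7", "ticket-api", "read"),        # AI agent with an individual identity
}


@dataclass
class Request:
    principal: str
    resource: str
    action: str
    authenticated: bool          # identity verified for THIS request, not a session
    mfa: bool                    # strong factor present on this request
    device_healthy: bool         # EDR / posture attestation signal
    risk_score: int              # 0 (low) .. 100 (high) from a risk engine
    task_scope: set = field(default_factory=set)  # task-based permissions for agents


def evaluate(req: Request) -> tuple:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step-up'.

    Every request is evaluated from scratch: location on the network,
    an earlier successful login or a prior allow carries no weight here.
    """
    if not req.authenticated:
        return ("deny", "unauthenticated")            # no implicit trust from the network
    if not req.device_healthy:
        return ("deny", "device-unhealthy")           # unhealthy device reaches nothing
    if (req.principal, req.resource, req.action) not in ALLOW:
        return ("deny", "not-in-allowlist")           # least privilege, blocks lateral moves
    if req.principal.startswith("agent-") and req.action not in req.task_scope:
        return ("deny", "outside-task-scope")         # agent may only act within its task
    if req.risk_score >= 70:
        return ("deny", "high-risk")
    if req.risk_score >= 40 and not req.mfa:
        return ("step-up", "elevated-risk")           # continuous validation: re-challenge
    return ("allow", "policy-match")
```

Logging the reason alongside the decision gives the SOC a per-request audit trail, which is what makes the "continuous validation" promise observable rather than assumed.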

Zero-trust implementation strategies and challenges

To implement or advance their use of zero trust, experts advise organizations to develop a new mindset, yet many struggle to do this, Nilsson said.

"Many organizations aren't successful because they're too focused on cybersecurity technology. They end up with siloed cybersecurity technologies, which is no different than how security organizations focused on cybersecurity two decades ago," Nilsson said. "Zero trust requires a new operating model. It's a change in how organizations approach security architecture."

Nilsson and others cautioned organizations against implementing zero trust in every area of their digital environment all at once.

"Zero trust can protect the entire ecosystem, but realistically, the number of tools you'd have to deploy to protect all those elements is onerous," Jean-Louis said.

Experts also noted that organizations might struggle to implement zero-trust principles in legacy systems and to balance user experience with zero-trust requirements.

Jean-Louis said he advises organizations to identify their protect surface -- that is, the portion of the larger attack surface they deem most necessary to protect. Consider how to apply zero trust to identities, devices, applications, data and the network using tools and technologies that can work across as many of those five areas as possible.

Nilsson recommended a similar strategy, saying organizations should be as specific as they can in how they define their use cases. Build a zero-trust strategy for a specific use case, he said, and then use that as a blueprint for the next use cases.

"Always think about what you are trying to secure, understand the asset you're trying to secure, how it is used by the business, how it collaborates with other systems in the business, and then build the security around that," Nilsson said.

Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.
