Zero Trust Architecture: A practical operating model for security in a complex digital world

Zero Trust Architecture (ZTA) is no longer an emerging security concept. It is becoming a practical operating model for organizations navigating cloud adoption, hybrid work, digital supply chains, increasingly complex IT estates and the rise of AI.

That matters because modern organizations no longer operate inside tidy, well-defined boundaries. Users work from anywhere. Applications are distributed across on-premises and cloud environments. Data moves across platforms, partners and services at speed. AI is adding another layer of complexity by increasing automation, expanding the use of APIs and introducing more non-human identities into enterprise environments. Without Zero Trust in the age of AI, the result is simple for organizations relying on traditional security models: trust is harder to manage and easier to exploit.

This is why implementing a Zero Trust Architecture has moved up the agenda. At its core, the Zero Trust Architecture definition reflects a simple principle — trust should never be automatic, permanent or based solely on network location. Access should be governed by identity, context, policy and risk, then reassessed continuously. That is a more realistic approach for protecting how organizations operate and thwarting how attackers behave.

Zero Trust security architecture is often misunderstood. It is not a single product, a one-off transformation project or a label that can be attached to an existing security stack. As an operating model, it changes how organizations manage identity, access, segmentation, workloads, devices, applications, data and monitoring. In other words, it is less about buying a thing and more about changing how trust is granted across the enterprise. 

For enterprises managing a mix of legacy platforms, cloud services, outsourced capabilities, hybrid workforces and connected suppliers, this shift is particularly relevant. Most of them are trying to modernize securely while keeping core services running, users productive and regulators reassured. In that environment, security based mainly on perimeter assumptions is no longer enough. Protection must follow the user, the device, the session, the workload and the data.

Zero Trust becomes practical under these circumstances. Done properly, it reduces implicit trust, limits unnecessary privilege, makes lateral movement more difficult and improves containment when something goes wrong. It is built on the assumption that compromise is possible and that resilience depends on restricting what an attacker can do next. That may sound less optimistic than traditional perimeter thinking, but it is generally much more useful after the first phishing email has done its work. 

A practical Zero Trust Architecture model starts with visibility. Enhanced security requires that organizations' security teams know what assets they have, which identities can access them, what privileges exist, how those privileges are used and where policy is being enforced. Without that, Zero Trust risks remaining a strategic ambition supported largely by architecture diagrams and determined nodding in meetings.

Identity is usually the starting point, and rightly so. Strong authentication, conditional access, privileged access management and identity governance provide the basis for more intelligent and strict access control. But Zero Trust doesn’t stop there. Device posture matters. Application context matters. Segmentation matters. Data sensitivity matters. So do machine identities, service accounts and APIs, all of which are becoming more important as organizations automate more processes and embed AI into business operations.

As organizations deploy AI assistants, copilots, agents and automated workflows, they create more paths to data, more interactions between systems and more forms of delegated access. Every one of those connections raises questions about identity, privilege, policy enforcement and monitoring. With AI increasing speed, scale and autonomy, Zero Trust Architecture benefites include providing the discipline to stop those qualities turning into risk with a chatbot attached. If AI is to be used safely at scale, it has to sit inside a security model that assumes trust must be earned, limited and continuously re-evaluated.

With legacy technology in the mix, Zero Trust adoption has to be phased and pragmatic. Start improving your security posture with critical assets and privileged access paths. Reduce unnecessary permissions. Strengthen identity controls. Improve segmentation. Build better visibility.

This is also where Zero Trust delivery partners have a role.

Many organizations understand Zero Trust in principle but need help translating it into an operating model across large, mixed and often messy estates. DXC’s Cybersecurity services align to Zero Trust strategy, transformation and operational management across user identity, devices, applications, workloads and data. Our scale is significant: we manage more than 450 million digital identities across employees, partners, customers, citizens, software bots, smart agents, automated scripts, IoT devices and APIs. We’ve also published examples of applying Zero Trust network access within our own global environment. Those foundations are becoming even more important as organizations modernize securely while introducing greater automation and AI-enabled services.

The real question now is not whether an organization “has Zero Trust,” but whether it is reducing implicit trust, governing access more intelligently and becoming more resilient as its environment becomes more distributed and automated.