Zero Trust Architecture: Practical Implementation Lessons from the Field
I’ve been involved in three zero trust implementations over the past four years. Two in enterprise environments, one mid-size. None went according to the original plan. All are in a better security position today than when they started. Those two facts aren’t contradictory — they’re the reality of any honest zero trust journey.
The concept is sound: never trust, always verify. Authenticate and authorise every request, every time, regardless of origin. In a world of cloud services, remote workers, and sophisticated threats, this makes sense.
The problem isn’t the concept. It’s the implementation.
You Can’t Rip and Replace
The biggest mistake is treating zero trust as a project with a start and end date. “We’ll migrate to zero trust by Q4.” That’s not how it works.
You have legacy systems that don’t support modern authentication. Applications that assume network-level trust. Third-party integrations that still need IP-based allowlisting because they were built in 2014.
Zero trust is a direction, not a destination. You’ll coexist with perimeter-based security for years. Possibly forever for some legacy workloads.
One organisation I worked with tried enforcing conditional access policies across the board on day one. They locked out half the finance department who used a legacy reporting tool that couldn’t handle modern authentication tokens. The rollback was messy and the project lost credibility for months.
Identity Is the Foundation, and It’s Probably a Mess
Zero trust depends on reliable identity. You need to know who is requesting access, from what device, in what context. Your identity infrastructure needs to be solid.
For most organisations, it isn’t. Active Directory is full of stale accounts. Service accounts have excessive privileges nobody’s reviewed in years. MFA adoption is patchy because some departments pushed back and got exceptions.
Before you buy a single zero trust product, audit your identity posture. Clean up your directory. Inventory service accounts. Close MFA gaps. Not glamorous work, but if your identity foundation is unreliable, everything built on it will be too.
At one company we spent four months doing nothing but identity hygiene. The security team wanted to deploy micro-segmentation. But we found 340 orphaned service accounts, 12 with domain admin privileges. You don’t build on that.
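To make the identity-hygiene audit concrete, here is an added Python example (not tooling from the article or from any directory vendor). It assumes a constructed export of directory accounts with a last-logon date, group membership, an MFA flag and an owner field, and it flags the four things the section calls out: stale accounts, orphaned service accounts, service accounts holding privileged group membership, and users without MFA. The 90-day staleness window, the privileged group names and the sample rows are assumptions.

```python
"""Identity-hygiene audit over a directory export.

Added example, not the article's tooling. Assumes a constructed CSV export
with one row per account; thresholds and group names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (in practice: an export from your directory).
SAMPLE_EXPORT = """\
sam,kind,last_logon,groups,mfa_enrolled,owner
alice,user,2024-05-30,Finance;Domain Users,true,alice
bob,user,2023-11-02,Domain Users,false,bob
svc_backup,service,2024-05-29,Domain Admins;Backup Operators,false,
svc_legacy_rpt,service,2022-01-15,Domain Users,false,
svc_ci,service,2024-05-31,Domain Users,false,platform-team
carol,user,2024-05-31,Domain Admins;Domain Users,true,carol
"""

# Assumptions: which groups count as privileged, and when an account is stale.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
STALE_AFTER = timedelta(days=90)
# Fixed "today" so the sample audit is reproducible.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_export(text):
    """Turn the CSV text into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["groups"] = set(filter(None, row["groups"].split(";")))
        row["last_logon"] = datetime.strptime(
            row["last_logon"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        row["mfa_enrolled"] = row["mfa_enrolled"].strip().lower() == "true"
        row["owner"] = row["owner"].strip()
        rows.append(row)
    return rows


def audit(rows, now):
    """Return lists of account names per finding category."""
    findings = {"stale": [], "orphaned_service": [],
                "privileged_service": [], "mfa_gap": []}
    for r in rows:
        if now - r["last_logon"] > STALE_AFTER:
            findings["stale"].append(r["sam"])
        if r["kind"] == "service" and not r["owner"]:
            findings["orphaned_service"].append(r["sam"])
        if r["kind"] == "service" and r["groups"] & PRIVILEGED_GROUPS:
            findings["privileged_service"].append(r["sam"])
        if r["kind"] == "user" and not r["mfa_enrolled"]:
            findings["mfa_gap"].append(r["sam"])
    return findings


def critical(findings):
    """Orphaned AND privileged service accounts: fix these first."""
    return sorted(set(findings["orphaned_service"])
                  & set(findings["privileged_service"]))


def run_sample():
    return audit(parse_export(SAMPLE_EXPORT), AS_OF)


if __name__ == "__main__":
    f = run_sample()
    for category, names in f.items():
        print(f"{category:20s} {names}")
    print("critical:", critical(f))
```

The point of the `critical` bucket is prioritisation: an orphaned service account in Domain Admins is the "you don’t build on that" case, and it should be removed or re-owned before any conditional access or segmentation work depends on the directory being trustworthy.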
Micro-Segmentation Is Harder Than It Sounds
Every zero trust framework talks about micro-segmentation. Segment workloads. Limit lateral movement. In principle, fantastic. In practice, it requires a complete, accurate map of how applications communicate.
You need to know that Application A talks to Database B on port 5432, that Service C calls API D over HTTPS. For every application. Including the ones nobody documented three years ago.
Discovery alone takes months. When you enforce segmentation rules, you’ll break things. A batch job running at 2 AM on the first Sunday of each month will fail because nobody mapped that traffic flow.
Start with critical applications. Accept that full micro-segmentation is a multi-year effort.
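The discovery-then-enforce problem described above, as an added Python example (not code from the article). It assumes constructed flow records of the shape a flow collector or host agent would export, builds a default-deny allowlist from a discovery window, flags rules seen only once as needing review, and then shows which later flows that allowlist would block. The application names, ports and dates are invented; the "batch-billing" job is the 2 AM monthly flow that never appeared during discovery.

```python
"""Derive a micro-segmentation allowlist from observed flows, then check
which later traffic it would block.

Added example, not the article's code. Flow records are constructed.
"""
from collections import Counter, defaultdict

# Constructed discovery-window flows:
# (timestamp, src_app, dst_app, dst_port, proto)
DISCOVERY_FLOWS = [
    ("2024-04-02T09:15", "web-frontend", "orders-api", 443, "tcp"),
    ("2024-04-02T09:15", "orders-api", "orders-db", 5432, "tcp"),
    ("2024-04-03T11:40", "web-frontend", "orders-api", 443, "tcp"),
    ("2024-04-03T11:41", "orders-api", "orders-db", 5432, "tcp"),
    ("2024-04-10T14:02", "reporting", "orders-db", 5432, "tcp"),
]

# Constructed traffic after enforcement. The monthly batch job's flows
# never showed up in the discovery window.
ENFORCEMENT_FLOWS = [
    ("2024-05-01T09:00", "web-frontend", "orders-api", 443, "tcp"),
    ("2024-05-05T02:00", "batch-billing", "orders-db", 5432, "tcp"),
    ("2024-05-05T02:01", "batch-billing", "sftp-gateway", 22, "tcp"),
    ("2024-05-06T10:00", "orders-api", "orders-db", 5432, "tcp"),
]


def build_policy(flows):
    """Map each observed (src, dst, port, proto) to how often it was seen."""
    return Counter((s, d, p, pr) for _, s, d, p, pr in flows)


def rare_rules(policy, min_count=2):
    """Rules observed fewer than min_count times: confirm with the app
    owner before baking them into the allowlist (assumed threshold)."""
    return sorted(rule for rule, n in policy.items() if n < min_count)


def simulate_enforcement(policy, flows):
    """Flows a default-deny policy built from discovery would block."""
    return [f for f in flows if (f[1], f[2], f[3], f[4]) not in policy]


def blocked_by_source(blocked):
    """Group blocked flows by source so each gap maps to one app owner."""
    out = defaultdict(list)
    for ts, s, d, p, pr in blocked:
        out[s].append(f"{ts} -> {d}:{p}/{pr}")
    return dict(out)


if __name__ == "__main__":
    policy = build_policy(DISCOVERY_FLOWS)
    print("allowlist:", dict(policy))
    print("review before enforcing:", rare_rules(policy))
    blocked = simulate_enforcement(policy, ENFORCEMENT_FLOWS)
    print("would be blocked:", blocked_by_source(blocked))
```

Running the simulation in monitor-only mode against live traffic for at least one full business cycle (month-end, quarter-end) before flipping to enforce is what catches the batch job; a three-week discovery window will not.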
The User Experience Battle Is Real
Security that makes people’s jobs harder doesn’t last. Users find workarounds. Managers demand exceptions. Executives override policies.
Zero trust, poorly implemented, can be deeply annoying. Constant re-authentication. “Access denied” errors. Apps loading slowly because every request hits an additional policy check.
The successful implementations invested in user experience. Risk-based authentication that only challenged users when something looked unusual. Broad SSO deployment. Clear communication before changes hit.
One company created a “zero trust champion” role in each business unit — someone technical enough to understand the changes and trusted enough to explain them to colleagues. Smartest move I’ve seen in any security programme.
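The risk-based authentication idea above, as an added Python example (not the article's policy or any vendor's engine). It assumes a per-user baseline of known devices and usual countries, and a small set of sign-in signals: new device, unusual country, impossible travel, and resource sensitivity. The weights and the allow / step-up / deny thresholds are assumptions chosen to illustrate the principle: a routine sign-in from a known context gets no challenge, one unusual signal gets MFA, and several stacked signals fail closed.

```python
"""Risk-based step-up decision for a sign-in.

Added example, not the article's or a vendor's logic. Baselines, signal
weights and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class UserBaseline:
    known_devices: set
    usual_countries: set


@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    km_from_last_signin: float
    hours_since_last_signin: float
    resource_sensitivity: str  # "low" or "high"


# Assumed weights and thresholds.
W_UNKNOWN_DEVICE, W_UNUSUAL_COUNTRY, W_IMPOSSIBLE_TRAVEL, W_SENSITIVE = 30, 30, 50, 10
STEP_UP_AT, DENY_AT = 30, 70
MAX_PLAUSIBLE_KMH = 900  # roughly airline speed


def risk_score(baseline, s):
    """Sum the signals that make this sign-in look unusual."""
    score, reasons = 0, []
    if s.device_id not in baseline.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if s.country not in baseline.usual_countries:
        score += W_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if (s.hours_since_last_signin > 0
            and s.km_from_last_signin / s.hours_since_last_signin > MAX_PLAUSIBLE_KMH):
        score += W_IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel")
    if s.resource_sensitivity == "high":
        score += W_SENSITIVE
        reasons.append("sensitive resource")
    return score, reasons


def decide(baseline, s):
    """Return ("allow" | "step_up_mfa" | "deny", reasons)."""
    score, reasons = risk_score(baseline, s)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up_mfa", reasons
    return "allow", reasons


# Constructed baseline and sign-ins for one user.
ALICE = UserBaseline(known_devices={"laptop-01"}, usual_countries={"GB"})
SAMPLE_SIGNINS = {
    "routine": SignIn("alice", "laptop-01", "GB", 5, 2, "low"),
    "routine_sensitive": SignIn("alice", "laptop-01", "GB", 5, 2, "high"),
    "new_device": SignIn("alice", "phone-07", "GB", 5, 2, "low"),
    "new_country_fast": SignIn("alice", "laptop-01", "US", 5500, 3, "low"),
}


def sample_decisions():
    return {name: decide(ALICE, s)[0] for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, s in SAMPLE_SIGNINS.items():
        print(f"{name:18s} {decide(ALICE, s)}")
```

Note what the "routine_sensitive" case shows: sensitivity alone does not trigger a challenge from a known device in a usual location, which is exactly the behaviour that keeps users from being prompted ten times a day. The weights are the part to tune against your own sign-in data, not something to copy.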
Vendor Claims Need Scrutiny
The zero trust market is crowded and the marketing is aggressive. Every identity vendor, network vendor, and endpoint vendor claims to be a zero trust solution. Most address one piece and pretend the rest doesn’t exist.
No single product delivers zero trust. You need identity management, device trust, network segmentation, application-level controls, and continuous monitoring. Be cautious of anyone proposing to replace your entire security stack at once.
The Honest Timeline
For a mid-size organisation, expect three to five years for a mature zero trust posture. Year one: identity hygiene, conditional access, MFA everywhere, device trust basics. Year two: critical application segmentation, endpoint controls. Years three through five: broadening coverage, refining policies, handling the long tail of legacy systems.
That’s not a failure of planning. That’s transforming security architecture while the business keeps running. Anyone promising faster is either working with a simpler environment than yours, or not being honest about what “done” looks like.
Zero trust is worth it. Just go in with your eyes open.