Traditional security models were built around the idea of a trusted perimeter: everything inside it was assumed to be trustworthy, and the goal was to keep bad actors out. But that model no longer holds.
Now, users connect from anywhere, using a mix of corporate and personal devices, accessing data across multiple platforms. The perimeter has dissolved. And, with it, the illusion of internal safety.
It's something network architects are becoming acutely aware of. They need to make sure that the burgeoning number of users and devices can all connect to the network. This includes connecting unmanaged IoT devices, which -- due to their effective invisibility -- create a critical point of vulnerability when the network is 'protected' by a legacy tool like a VPN.
And this critical vulnerability is only growing, as we see leaps and bounds made in interconnected vehicles, smart buildings and the like. In fact, the global number of IoT devices is forecast1 to more than double from 19.8 billion this year to over 40.6 billion in the next decade.
The more pervasive IoT becomes, the greater the vulnerabilities in legacy networks will be. IoT introduces proprietary software that often lacks integration with legacy network and security tooling -- creating vulnerabilities in your defenses. What's more, IoT devices are increasing faster than employee counts, rapidly expanding the attack surface. With AI now being embedded into these devices, combined with the emergence of Agentic AI intent, the traditional castle-and-moat architecture is entirely inadequate.
These outdated architectures fail to correctly tailor permissions -- a critical flaw in a landscape where lateral movement remains one of the biggest threats. They simply aren't sophisticated enough to correctly tailor permissions. They give broad network access to users and devices with verified credentials. If those credentials are compromised, a hacker using them can bypass your 'trusted perimeter' and access any sensitive data hosted internally without going through any further checks.
Bottom line? Never trust, always verify, because there is no safe boundary around your network anymore.
The Urgent Need for a Psychological Reframe
It seems like a cynical principle: never trust, always verify. However, this foundational philosophy of the zero trust movement isn't about being paranoid -- it's about being prepared. It's a recognition that trust, while essential in human relationships, must be earned and continuously verified in digital systems.
Understanding this, we can safely say that zero trust isn't just a technical framework. It's a mindset shift. We must safeguard our digital environment from the threat of our own familiarity bias; we must turn the decision to trust into an objective action instead of a subjective one to gain assurance that security policies are consistently applied. By enforcing least-privilege access and carrying out continuous authentication, zero trust transforms security from a static barrier into a dynamic, adaptive system.
This approach aligns with today's 'when not if' cyberattack reality. It acknowledges that breaches are inevitable, and that internal actors (whether malicious or compromised) can be just as dangerous as external ones.
Email phishing, of course, isn't the only way a compromised internal actor can expose data. Employees using public-facing AI tools to speed up work tasks could unwittingly share private data. And, they are also less likely, considering the familiarity bias undercurrent, to spot AI-refined social engineering. Hackers are also turning to AI to automate their efforts, giving them greater scope and sophistication in less time with far less effort. This increases the likelihood that they'll hook a victim.
Clearly, AI is a pervasive threat and arguably will eventually erode trust to the point we trust nothing. But it's not all bad. We need to reframe how we view AI: it can be a powerful ally, used to objectively enforce security policies in a way that takes trust out of the equation.
From Paranoia to Prudence
For business decision-makers, the path forward is clear. The threats are evolving. The perimeter is gone. And the psychology of trust must evolve with it.
Zero trust offers a way to do just that -- not by rejecting trust, but by redefining it for a world where control through continuous verification is the new foundation of security.
For further information please visit: https://explore.zscaler.com/emea-financial-services/
PART OF A HIGHLY REGULATED INDUSTRY? For organizations in tightly regulated
sectors, particularly those in Financial Services, the need to embrace zero trust now is critical. If you're just starting your journey, view Zscaler's checklist of features to
consider ahead of investing in zero trust architecture. It'll give you an overview of what you need to embed the necessary control and resilience for navigating our complex world. Details in our Financial Services eBook
Statista, Number of Internet of Things (IoT) connections worldwide from 2022 to 2023, with forecasts from 2024 to 2034. June
2025. Available at: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/