#1744863: What Part of Zero Trust Does Your Exception Not Understand?

Description: Organizations spend millions implementing zero trust architecture. But any time a business-critical tool needs an exemption from those policies, we all know who is going to win. So, how do we implement zero trust that works for the way business works?

Identity built for one person at a time
Most identity access frameworks still assume a person can only be in one place at a time. Agents break that rule by design, which exposes a foundation that was already cracking. But the points where agentic AI strains identity programs the hardest, ownership, scope, lifecycle, and monitoring, aren't anything new, noted Tomás Maldonado, CISO of the National Football League (NFL). They're the same gaps organizations never fully closed for service accounts, now running unsupervised at scale. Before spending energy on how to govern AI agents, it might be worth checking whether identity programs were working before agents ever showed up. Baselining normal behavior becomes much harder when an agent's entire premise is to operate outside human limits.

Patching can't outrun the exploit timeline
The median time between a vulnerability going public and someone weaponizing it dropped from 771 days in 2018 to about four hours in 2024. Ouch. That's the finding from a zero day clock breakdown by Chris H. of Resilient Cyber. Meanwhile, organizations still remediate only about 10 percent of new vulnerabilities each month. Closing it through patching speed alone would require something close to a 9x jump in remediation pace. And if you believe that's possible, I have a bridge in Brooklyn you might be interested in. The math points to a harder question: whether resilience and fast recovery should replace patching as the primary goal.

The exception hiding inside zero trust
Plenty of organizations that spent heavily on zero trust still maintain extensive whitelists of vendors, executives, and outside counsel who bypass email security controls. Alan LeFort of StrongestLayer points out that each entry on that list is a permanent hole in a strategy built to have none. This is a tradeoff the business will always force cybersecurity to make. A whitelist is outdated castle-and-moat thinking living inside a modern security stack. If zero trust is really the principle guiding the program, it's worth asking why email keeps getting a pass that everything else doesn't.

A revenue question nobody's answered yet
Cybersecurity has a technology surplus and an outcome deficit. Joe Head of Molto. found that out after extensive conversations with founders, hearing the same patterns each time. He saw tool sprawl promising identical outcomes, products designed for the CISO instead of the people using them, and an SMB market everyone ignores while chasing Fortune 500 logos. And the ROI question? Good luck. Security leaders still can't show how their work drives revenue, and no vendor has built that layer yet. If the market isn't short on technology, the real shortage might be a straightforward answer to whether any of it helps the business sell more of whatever it sells.
More info: https://www.linkedin.com/pulse/what-part-zero-trust-does-your-exception-understand-cisoseries-updtc/

Date added July 8, 2026, 1:57 a.m.
Source Linkedin
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI - CISO and Higher Level
  • Zero-Trust / Zero Trust Security / Zero Trust Models / Zero Trust Network Access / ZTNA