Is Zero Trust failing, or just misunderstood?

Overview

Has zero trust lost its momentum—or are businesses just doing it wrong? In this episode of Today in Tech, host Keith Shaw sits down with Morey Haber, Chief Security Advisor at BeyondTrust and author of several cybersecurity books, to unpack the truth behind zero trust adoption challenges. From overhyped vendor claims to the role of identity, lateral movement, AI agents, and compliance frameworks like HIPAA and PCI, Haber offers a practical, no-fluff perspective on how zero trust should be implemented — and why it’s more relevant than ever in the age of AI.

The full video is embedded below, and a complete transcript is included to follow along or quote from.


Transcript

Keith Shaw: For a while, zero trust architecture was the hot commodity in the security space. But now, it feels like nobody's talking about it or even trying to deploy it. Has the technology lost its mojo?

We're going to discuss whether zero trust is struggling — and why — on this episode of Today in Tech. Hi, everyone. Welcome to Today in Tech. I'm Keith Shaw.

Joining me today is Morey Haber, Chief Security Advisor at BeyondTrust and a well-known expert in the world of identity management. Welcome to the show, Morey.

Morey Haber: Thank you so much for having me today, Keith.

Keith: We also recently had you on an episode of DEMO, where you showcased the BeyondTrust platform and how cool it is. So if you're interested in that, go check out that episode. But today, we’re going a bit higher level — right, Morey?

Morey: I hope so. But we can go as deep as you want, so let’s dig in.

Keith: In your past writings, you’ve covered attack vectors related to privileged identity, assets, and the cloud. From your perspective, which of these are the most critical entry points that zero trust must address?

Morey: Certainly.

Let me frame it a bit. I'm an author, in addition to being Chief Security Advisor, and I now have five titles under my name — eight books in total, with some in multiple editions.

To answer your question, zero trust is really a combination of two key areas: asset attack vectors, which cover vulnerability management, and identity attack vectors, which focus on the different ways to compromise an identity — on-premises, in the cloud, or at the asset level.

So, when we think about zero trust, we need to address it in two parts. First, traditional vulnerabilities — patching, misconfigurations, and those basic things we often take for granted. Second, identity: verifying who you are, proving it, and ensuring you're doing the right things with that access.

It's all about confidence in identity and appropriate behavior.

Keith: A lot of surveys show that most enterprises say they’re “starting” a zero trust journey, but very few have reached maturity. From your advisor role and what you're seeing in the market, what’s driving that gap between intention and execution?

Morey: That gap is massive. It doesn’t matter what you read or which framework you follow — the core issue is we have a concept with principles and tenets, but not enough guidance on how to implement it.

Then you have vendors claiming to sell “zero trust” products — which is misleading. There’s no such thing as a zero trust product. Products implement security controls, but they don’t embody zero trust principles by themselves.

NIST provides architecture guidance — control planes, data planes, enclave models, agent models — but most organizations don’t know how to translate that into actual implementation. To succeed, you have to apply zero trust to specific use cases: remote workers, vendor access, client access, etc.

You design around that workflow and then layer in the appropriate controls: MFA, least privilege, behavioral monitoring — maybe 152 different DoD-recommended controls. Then, and only then, do you choose the products: this one for access, that one for identity, another for behavior analytics.

That’s how a use case becomes a zero trust implementation. But most organizations are stuck between principles and execution. They’re not sure how to make it real.

Keith: Is there also resistance from the business side? Maybe security teams say, “We need this,” but business leaders push back — maybe due to access limitations or cost?

Morey: It’s a combination: a lack of understanding of how to architect it, and then how to fund it. Take VPNs. A wide access point, maybe a remote agent — definitely not a zero trust architecture.

Some vendors now say they offer a “zero trust VPN,” but often that’s just marketing. Even if they put something in the control plane and try to analyze behavior, encrypted traffic limits their insight.

If your architecture allows lateral movement, lacks enclave segmentation, or still relies on shared accounts, you’ll need to re-architect — which costs money. And then comes the question: can we adapt existing tools, or do we need to license all-new ones? So from principle to practice, it’s complex.

You may need to revamp identity governance, remove shared admin accounts, enforce least privilege, and layer in additional controls. It’s a non-trivial task — even if everyone agrees it should be done.

Keith: Is it fair to blame vendors for slapping “zero trust” on everything and muddying the waters?

Morey: I had a colleague once say, “Never confuse marketing with actual product solutions.” I think they were right. I don’t blame vendors outright. They probably understood what they were doing — but it’s opportunistic. It’s about revenue and market share. Maybe they’re working toward those controls, maybe not.

If a vendor says, “This remote access solution achieves zero trust principles,” that’s great — but I’ve yet to see one that truly delivers more than 10–15% of the required controls. So yeah, marketing is fluff. Don’t confuse it with what you're actually buying.

Keith: You’ve also argued that identity should be the foundation of modern cybersecurity. How do identity and privilege management fit into zero trust?

Morey: Identity is a foundational component. It’s about confidence, least privilege, continuous verification — core zero trust principles. And identity is the next perimeter. It’s easier today to log in with stolen credentials than to hack in via vulnerabilities. Worms and viruses aren’t spreading like in the early 2000s.

If an attacker can steal credentials — whether from the dark web, via phishing, or by spoofing MFA — they gain persistent access that’s hard to detect and patch. So yes, we still need to patch and manage misconfigurations, but we must protect identities first.

Keith: Even that big MGM casino hack a few summers ago — same thing. Social engineering, resetting identities, and then running wild with too much access, right?

Morey: Exactly.

Least privilege was ignored. Social engineering remains king. If a help desk resets a password or disables MFA without verifying identity, it’s game over. They’re the gatekeepers — and they must say “no” when needed. Then comes lateral movement. If someone gains privileged access, what systems can they touch? One? Or all of them? If virtual infrastructure is compromised — say, your hypervisor gets hit — you could lose DNS, AD, PAM, NTP. Total collapse. That’s a bigger disaster than any exploit.

Keith: Lateral movement is a phrase I’m hearing more often. Seems like attackers are moving away from just targeting endpoints to going after infrastructure — VPNs, appliances, servers. Are you hearing the same?

Morey: Yes, lateral movement is everywhere now. But it’s more than just “my credentials work on another system.” It’s also about exploiting unpatched systems to move laterally — maybe I log in, then find a vulnerability in an adjacent system and exploit that. That’s lateral movement too.

And according to recent reports, 97% of breaches last year involved an identity component. So lateral movement is often a combo of identity and vulnerability exploitation.

Keith: So it’s both — identity plus patch management. What are the biggest mistakes companies make when trying to deploy zero trust? Technical, cultural, organizational?

Morey: Two main issues. First: buzzword bingo. People hear “zero trust,” “future proof,” “just use the framework,” and get confused. There is nothing that is future proof. Second: education. The mission isn’t just X, Y, or Z — it’s understanding the principles. Don’t use admin for email.

Don’t check your bank account from a coffee shop. Education is foundational. Successful zero trust initiatives over-communicate. Explain the why. “We’re moving to a bastion host. We’ll record sessions — not because we don’t trust you, but to protect you.” Education reframes the conversation from punitive to protective.

Keith: At Black Hat, so much attention was on AI. Zero trust doesn’t feel as “sexy” anymore. Is it losing its appeal?

Morey: Good observation.

Let’s break it down. We all agree: zero trust is necessary. But it’s been hard to implement. Now enters AI — generative, agentic, middleware AI. It connects everything. Take a calendaring agent: it has access to your calendar, your boss’s calendar, maybe others’. That’s privileged.

But most AI agents today are overprivileged. We've already seen breaches where overprovisioned AI contexts were compromised. So, zero trust is perfect for managing AI agents. They need least privilege, behavioral monitoring, lateral movement protection — just like users.

Zero trust could have a huge resurgence as the governance model for AI agents.

Keith: Why are AI agents so overprivileged? Is it convenience — "just let the agent do its job without asking me every two seconds"?

Morey: Exactly.

Secure by design is often an afterthought. The goal is: get it working, then secure it — after the first breach. That’s the case with many AI agents today. To function, calendaring agents need read/write access to calendars — even ones the user doesn’t have access to.

That means granting them higher privileges from the start. Admin rights, shared tokens — it’s easier, but riskier. It’s a classic case of overprivileging for convenience, with security lagging behind.

Keith: So, if a company builds toward zero trust, does it help AI agents? Or does it get in their way?

Morey: It helps — if done right. Zero trust brings structure: least privilege, ephemeral access, just-in-time connections, no persistent tokens. On endpoints, it means sandboxing, privilege restrictions, and tighter software controls. Whether the agent is in the cloud or on a laptop, it needs guardrails. Zero trust provides that.

Keith: What about compliance standards like HIPAA — do they help or hinder zero trust adoption?

Morey: Let’s be honest: most organizations follow HIPAA because they have to — not because they want to. That said, many compliance frameworks do align with zero trust. PCI, for example: segmented networks, bastion hosts, separate environments. That’s an enclave model — core to zero trust.

The issue is people don’t always make that connection. But compliance can absolutely reinforce zero trust principles — whether they realize it or not.

Keith: You do it because you have to.

Morey: Exactly.

And sometimes you're already doing zero trust — you just don't know it.

Keith: When we did the DEMO episode, you mentioned MFA often gets overlooked — even though companies think they've deployed it.

Morey: Right.

If you're claiming zero trust but don’t have MFA everywhere — you’ve failed. You need to evaluate each workflow. Remote employees? Contractors? Are they covered? Do an audit — most companies find gaps, often in privileged access. That’s where it matters most.

Keith: If you were advising a Fortune 1000 client, what practical first steps should they take toward zero trust?

Morey: Step one: identify your risks. Your GRC team already has them. Ask: What workflows carry the most risk? Then change behavior around those — remote access, vendor onboarding, whatever it is. From there, map zero trust architecture and controls to mitigate that risk. Don’t start with tools.

Start with risk.

Keith: Last question: If I made you the “Emperor of IT Security,” what would you mandate?

Morey: Get rid of admin rights. Throw away the keys. After you create your AWS account, it tells you to delete the root. Same principle should apply everywhere. You don’t need dozens of domain admins. Enforce separation, least privilege, passwordless, just-in-time access. That’s the only way forward.

Keith: Do people push back? “But I need my admin rights!”

Morey: Absolutely.

Ego gets involved. But the truth is, with modern tooling, you can still do your job — just with better guardrails. We have too many shared accounts, IoT devices, and legacy systems that complicate things. But shrink the number of admins, and you shrink your attack surface dramatically.

Keith: Will we still be talking about zero trust in five years?

Morey: We’re already in the maturity phase of the hype cycle. It’s no longer “new,” but it’s being baked into new architectures from day one. That’s where it belongs — not bolted on afterward. AI may reignite zero trust in a new way.

But we might just call it something else.

Keith: Any 2026 predictions? Will we still be talking about AI and zero trust?

Morey: I think we’ll be talking about supply chain attacks. We didn’t touch on it much today, but it’s going to be huge. Whether it's open source, compiled code, or vendor dependencies — supply chain is the next big attack vector. Zero trust fits there, too.

Identity confidence, source validation, code assurance — those concepts apply, and we’ll need them badly.

Keith: Morey, thanks again for being on the show. Always great talking with you.

Morey: Thanks for having me, Keith. Have a great afternoon.

Keith: That’s it for this week’s show. Be sure to like the video, subscribe to the channel, and drop your thoughts in the comments. Join us every week for new episodes of Today in Tech. I’m Keith Shaw — thanks for watching.