A recent report revealed a widespread gap between the application of zero trust policies and how they are being used or circumvented in the workplace, with 83% of engineers admitting to bypassing security controls to get work done, and 68% still having access from previous employers.

Traditional cybersecurity models that relied on a secure perimeter as the defining barrier to entry are increasingly viewed as no longer effective. With cloud adoption, remote work and increasingly sophisticated cyber attacks, businesses can’t afford to “trust by default.” Zero trust has emerged as a key priority because of its potential to protect against modern threats by assuming every user, device and connection could be compromised.

Reducing risk and damage through continuous verification, least-privilege access and limiting attacker movement can strengthen business resilience and trust by safeguarding sensitive data and operations in hybrid and cloud environments. However, as with other security measures that place barriers for entry in front of legitimate users as well as illegitimate ones, it can be a source for non-cooperation and circumvention.

As highlighted in Tailscale’s 2025 State of Zero Trust Report, which surveyed a thousand engineering, security, development and IT professionals in the U.S. and Canada, there are persistent issues with both the implementation and use of zero trust policies and supporting technologies.

Zero Trust is Dead. Long Live Zero Trust

Respondents suggested that only 29% of organizations use identity-based access as their main approach to zero trust. Further, 22% of respondents said they use IP-based access, while the remaining 48% use a combination of the two. The key risk lies with those who rely solely on IP-based trust: an attacker who makes it through the perimeter of the network has the potential to jump within the internal infrastructure without the need for any kind of further authentication.
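As an added illustration (not code from the report or from Tailscale) of why purely IP-based trust fails against lateral movement, the constructed policy checks below evaluate the same two requests under a perimeter model and under an identity-based model; the network ranges, user names and group names are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: contrasts perimeter (IP-based) trust with
# identity-based access for one internal resource. Ranges and names are assumed.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # the "trusted" LAN

@dataclass
class Request:
    src_ip: str
    user: Optional[str] = None        # verified identity; None if unauthenticated
    groups: frozenset = frozenset()
    mfa_passed: bool = False
    device_managed: bool = False

@dataclass
class Policy:
    resource: str
    allowed_groups: frozenset

def authorize_ip_based(req: Request, policy: Policy) -> Tuple[bool, str]:
    """Perimeter model: anything inside the internal network is trusted."""
    if ipaddress.ip_address(req.src_ip) in INTERNAL_NET:
        return True, "source address is inside the perimeter"
    return False, "source address is outside the perimeter"

def authorize_identity_based(req: Request, policy: Policy) -> Tuple[bool, str]:
    """Zero trust model: identity, MFA, device state and group membership
    are checked on every request; network location is not a factor."""
    if req.user is None:
        return False, "no verified identity"
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if not req.device_managed:
        return False, "device is not managed"
    if not (req.groups & policy.allowed_groups):
        return False, f"{req.user} is not in an allowed group for {policy.resource}"
    return True, f"{req.user} authorized for {policy.resource}"

DB_POLICY = Policy("prod-db", frozenset({"dba"}))

# Constructed requests: an unauthenticated connection from a host that is
# already inside the perimeter, and a DBA working remotely from a managed laptop.
INSIDE_NO_IDENTITY = Request(src_ip="10.4.2.17")
DBA_REMOTE = Request(src_ip="203.0.113.9", user="alice",
                     groups=frozenset({"dba"}), mfa_passed=True, device_managed=True)
```

Under the perimeter model the unauthenticated internal connection is allowed and the remote DBA is refused; under the identity-based model the decisions are reversed, which is the gap the report's 22% are exposed to.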

Next, 68% – over two thirds – of those answering the survey said that access provisioning to their networks is a manual task. Of the rest, most (22%) use automated provisioning whilst the remainder have a self-serve approach with an approval process wrapped around it. The issue with manual provisioning in a zero trust environment is that as the number of systems, applications and devices grows, the complexity of any manual provisioning tasks grows geometrically – that is, adding a few new items can create a disproportionately large workload to manage access to them and between them.

The third key statistic the report reveals is that the vast majority of respondents use a wide variety of security tools. According to the findings, fewer than 10% use a single, integrated network security platform. Two-thirds use two or three and, at the extreme end, 8% use five or more different systems. The danger, of course, is that so many disparate security applications raise the risk that they will not work well together, which adds to the complexity of managing security, particularly where that management task is largely manual, as discussed in the previous paragraph.

Zero Trust Risks

No surprise, then, that significant numbers of organizations have risks in their zero trust implementations. Risk in itself is not a bad thing: we all have to identify and assess our risks and put controls in place to mitigate them so they operate within what we – IT, cybersecurity, senior management and the board – deem acceptable. The unnerving element of the report, though, is that large subsets of the people who took part in the survey have seen unwanted, and potentially dangerous, behaviors taking place because people have exploited the gaps in the defenses.

Circumventing Zero Trust

The least common transgression, with just under a quarter of survey respondents admitting to it, is credential sharing. The only time this is permissible is when it is technically impossible to avoid (for example, if a system has only one super-user credential), and in such cases the mitigation is to wrap an access management package around the system to manage the usage of such shared, generic credentials. Sharing passwords insecurely is a little more common: it is far too easy for an engineer simply to email a password to a user without thinking of the risks. Next, we have exposed public endpoints: any internet-facing asset brings elevated risk, and additional controls are essential to deal with that extra risk.

Moving on, we have 25% of organizations whose engineers bypass multi-factor authentication (MFA), an absolutely unforgivable action, particularly where privileged access is concerned. Unapproved scripts have also affected a quarter of respondents, along with access controls being bypassed and, in a slightly larger proportion, poorly executed storage of credentials. The use of unapproved software has been experienced by 28%, the risk, of course, being that it has not been properly evaluated for security concerns. At the top of the league table, though, with 32% reporting it, is people using their personal devices: devices which are invariably not controlled, managed or defended against threats by corporate systems.

The vast majority (83%) of respondents said that their organizations have had instances where at least one of the above workarounds had been used or attempted. The motivation is clear, of course: if done badly and without proper engagement among everyone in the company (which includes the IT team) security becomes perceived as a blocker, not an enabler. Security measures – being an intentional obstacle – are arguably an inconvenience and side-stepping helps the IT teams work more quickly without anything bad happening security-wise. The problem comes in the 1% of the time where a workaround is used and something goes wrong or a workaround is exploited by a bad actor.

An Important Inconvenience

Zero trust, when executed properly, makes it difficult to bypass protections. As cybersecurity professionals we, and particularly the users we serve, need to reinforce that security is a necessity and that zero trust is an excellent approach to implementing effective, reliable security.

It cannot be denied, of course, that zero trust has some downsides regarding usability and convenience. It can become a chore to respond to authenticator pop-ups on smartphones several times each day; to be able only to access a particular server or network device via a jump server; to wrap a password manager around privileged access and particularly shared or generic credentials. It is, however, rather better than the unpalatable alternative that none of us wants to experience.
