With many cybersecurity conversations focusing on the role of artificial intelligence (AI) in automating security processes and improving defenses, organizations are still investing in proven methods to secure their infrastructure. Zero trust remains one of those core principles, and its relevance continues to grow.
For more than a decade, the concept of zero trust has gained traction among technology and cybersecurity professionals, even as attention shifts toward AI. A recent Zscaler ThreatLabz survey of 600 IT and security professionals found that 96 percent of organizations support a zero trust approach, and 81 percent plan to implement zero trust strategies within the next 12 months.
Cyber professionals looking to advance their careers need to build their skill sets around zero trust—a concept that emphasizes least privilege and defense-in-depth—especially as organizations face increasingly advanced threats, including those aided by AI.
At the same time, older security technologies are no longer adequate for protecting infrastructure and networks, particularly as more data moves to the cloud.
“Zero trust isn’t dead; it’s more relevant than ever. As a cybersecurity professional, if you’re not building your skills around it, you’re falling behind,” Heath Renfrow, CISO and co-founder of security firm Fenix24, recently told Dice.
To help cyber and tech professionals develop zero trust skills and deepen their knowledge, the National Institute of Standards and Technology (NIST) updated its guidelines on building and expanding Zero Trust Architectures (ZTA) in June.
The new guidance—SP 1800-35—includes 19 real-world examples of how to construct zero trust architectures using commercially available, off-the-shelf technologies. This update supplements NIST’s 2020 publication, Zero Trust Architecture (SP 800-207).
“Switching from traditional protection to zero trust requires a lot of changes. You have to understand who’s accessing what resources and why,” said Alper Kerman, a NIST computer scientist and co-author of the publication. “Also, everyone’s network environments are different, so every ZTA is a custom build. It’s not always easy to find ZTA experts who can get you there.”
Experts note that the updated NIST guidelines come at a critical time. Security teams are evaluating AI’s potential while still needing effective ways to safeguard infrastructure in an increasingly hostile cyber environment. Skilled workers who understand zero trust are essential.
“The new NIST guidance stresses that there’s no one-size-fits-all model. Each implementation is unique, and security teams must be adept at tailoring principles to their environment,” Chad Cragle, CISO at Deepwatch, told Dice. “AI can assist in spotting issues like identity sprawl or poor device posture, and even initiate fixes when paired with suitable automation tools. However, without a strong zero trust foundation, those fixes lack context, guardrails and resilience.”
Zero Trust in the AI Age
Since former Forrester analyst John Kindervag coined the term "zero trust," cybersecurity professionals have used the concept to ensure that no user or identity is fully trusted, and that access requests are continually verified. This approach limits breaches and reduces attackers’ lateral movement if they gain initial access.
Zero trust also relies on tools and techniques such as multifactor authentication, micro-segmentation and network access management. These are essential as data increasingly resides in cloud infrastructures and remote access becomes the norm, making identity verification more complex.
NIST’s continued focus on zero trust through its updated guidelines reinforces the importance of core cybersecurity principles that professionals should not overlook—even as organizations explore generative AI, said Shane Barney, CISO at Keeper Security.
“The rapid adoption of AI makes zero trust even more important, as AI-driven systems must operate within secure, continuously verified environments to avoid introducing new risks or bypassing established access controls,” Barney told Dice.
By using the updated NIST guidelines, cyber professionals can better protect their organizations. Proper implementation of a zero trust architecture can:
Support user access to resources regardless of location or device
Protect sensitive information and business assets whether on-premises or cloud-based
Limit breaches by restricting attacker movement and addressing insider threats
Enable continuous, real-time monitoring, logging and risk-based policy enforcement
Since zero trust focuses on verifying identities, Barney noted that the updated NIST guidance underscores the evolving responsibilities of cybersecurity professionals.
“Zero trust requires continuous evaluation of identity, access and context—not just at the perimeter, but across every interaction. That shift calls for cross-functional expertise in identity management, automation and policy enforcement,” Barney added. “Cybersecurity is no longer just about securing infrastructure. It’s about architecting trust. Professionals who can translate these principles into scalable, real-world defenses will be in high demand for years to come.”
What Zero Trust Offers Cyber Pros
The NIST SP 800-207 guidance outlines several key assumptions that cybersecurity professionals must understand about zero trust architecture:
Enterprises migrating to ZTA may need to integrate it with legacy and cloud systems.
Organizations should inventory and prioritize resources that require protection based on risk, and define access policies based on subject and resource attributes.
A risk-based approach should be used to set and prioritize milestones for gradual ZTA adoption.
There is no universal approach for migrating to ZTA.
ZTA is a set of principles, not technical specifications, and the objective is continuous improvement in access control processes.
The updated guide is a major step forward, offering practical ways to implement security architectures tailored to each organization’s unique setup, said Stephen Kowski, field CTO at SlashNext.
“The most important part is making sure every user and device is checked—every time—no matter where they are or what they’re using,” Kowski told Dice. “Tools that spot threats in messages, links and attachments help keep bad actors from sneaking in, even if someone’s already inside the network. Staying sharp with these skills means you’re ready for whatever comes next, whether it’s a new device, a remote worker or a sneaky phishing attack.”
This approach, even amid AI advancements, highlights that each organization has distinct security needs. A flexible but proven framework like zero trust helps better secure infrastructure and data, Renfrow added.
“Attackers thrive in environments where access is broad, monitoring is shallow and assumptions go unchecked,” Renfrow said. “What makes SP 1800-35 so valuable is its practicality. It doesn’t just define zero trust; it shows how to build it using real-world tools. That’s essential, because zero trust isn’t a theory or a trend; it’s a tactical response to the reality that compromise is inevitable.”