63% of organisations have implemented zero trust — but only 1% meet the full definition. The $42 billion security market built on “never trust, always verify” creates MFA fatigue, identity provider concentration, and productivity friction that cascades across every dimension. Gartner predicted more than half of cyberattacks will target areas zero trust cannot cover. The security model that eliminates implicit trust creates explicit new attack surfaces.
Zero trust was coined by Forrester in 2010. By 2026, it has become the dominant security paradigm — a $42 billion market growing at 16% annually, adopted in some form by 63% of organisations worldwide. The premise is elegant: never trust, always verify. Every user, device, and application session is authenticated continuously. No implicit trust. No perimeter to breach.[1][2]
The paradox emerges from the gap between adoption and implementation. Gartner found that 63% of organisations have implemented zero trust either partially or fully. But PacketLabs reported that as of 2023, only 1% of companies met the full definition. Gartner’s own prediction was precise: by 2026, only 10% of large enterprises will have a mature and measurable zero trust programme in place, up from less than 1%. The security model is widely purchased but rarely completed.[1][3]
Never trust, always verify. Continuous authentication. Least privilege access. Microsegmentation. Every session validated.
MFA fatigue attacks up 300%+. Identity provider as single point of failure. 48% cite cost constraints. 22% face internal resistance. MGM breached by phone call.
The cascade is structural. Zero trust requires continuous verification, which creates friction. That friction generates MFA fatigue — attackers now spam push notifications until users accept, an attack vector that has increased over 300% since 2022. The model concentrates trust in identity providers — Okta, Microsoft Entra — creating a new single point of failure. When Okta itself was breached in 2023, the identity layer that enables zero trust became the attack surface. When MGM Resorts was breached via a social engineering call to its help desk, zero trust was defeated not by technology but by a human interaction the model was not designed to govern.[4]
MFA adoption in the workforce has reached 70% globally (Okta 2025). The identity layer is the most mature component of zero trust. But 30% of users still lack MFA, and phishing-resistant methods represent only 14% of authentications.[4]
49% of respondents cite complexity in maintaining consistent policies across multi-cloud environments as a major challenge. Microsegmentation — the network layer of zero trust — remains the most difficult and least completed component.[5]
48% point to cost and resource constraints as the primary barrier to zero trust implementation. The comprehensive programme requires identity orchestration, network segmentation, and automated policy engines. Capital intensity deters SMEs.[5]
22% of respondents reported resistance from internal teams. Zero trust treats every employee as a potential threat. The cultural cascade is measurable: friction reduces adoption, which reduces security, which increases the attack surface the model was designed to close.[5]
65% of organisations plan to replace VPN services within the year, a 23% jump from 2024. 56% reported VPN-exploited breaches. VPN CVEs grew 82.5% over five years. The migration away from perimeter security is accelerating — into an incomplete zero trust implementation.[6]
Gartner predicted that through 2026, more than half of cyberattacks will be aimed at areas that zero trust controls do not cover and cannot mitigate. The model addresses network and identity. It does not address social engineering, insider threats, or AI-native attack vectors.[3]
Many organisations established their infrastructure with implicit rather than explicit trust models to ease access and operations. Attackers abuse this implicit trust to establish malware and then move laterally to achieve their objectives.
— John Watts, VP Analyst, Gartner[3]
The cascade originates from Regulatory (D4) — the security model itself is the constraint. Zero trust is simultaneously a security framework and a regulatory response to executive orders, compliance mandates, and breach disclosure requirements. It flows through Operational (D6, implementation complexity), Employee (D2, friction and fatigue), Revenue (D3, cost burden), Quality (D5, partial deployment creating false confidence), and Customer (D1, access friction affecting user experience).
| Dimension | Cascade level | Score | Diagnostic Evidence | Theme |
|---|---|---|---|---|
| Regulatory (D4) | Origin | 68 | The security model IS the regulatory constraint. US Executive Order on cybersecurity codified zero trust requirements. EU NIS2 mandates continuous verification. Compliance frameworks increasingly require zero trust architecture. The 2021 US executive order and evolving European data-protection rules continue to codify zero trust as mandatory. The model is not optional — it is becoming regulation.[2][3] | Regulatory Mandate |
| Operational (D6) | L1 | 62 | 49% cite multi-cloud policy complexity as a major challenge. Microsegmentation, SASE, ZTNA — the operational tooling stack is fragmented. Only 28% use the same tools across cloud and on-premises environments. Average deployment takes 2–3 years. 35% encountered deployment failures. On-premises zero trust deployments hold 54% of spending, but cloud grows at 20% CAGR — creating hybrid complexity.[2][5] | Implementation Complexity |
| Employee (D2) | L1 | 58 | MFA fatigue attacks increased 300%+ since 2022. Continuous authentication means continuous friction. 22% report internal resistance. Employees treated as potential threats experience trust erosion. Push notification spam exploits the human desire to make the alert stop. Phishing-resistant methods (14% of authentications) are faster and better UX than traditional MFA, but adoption lags.[4][5] | Authentication Fatigue |
| Revenue (D3) | L1 | 52 | $42B market growing at 16% CAGR. 48% cite cost and resource constraints as the primary barrier. SMEs captured only 40% of spending despite faster adoption growth (18% CAGR). Insider threats cost financial institutions $16.2M per event on average. The cost of not implementing zero trust exceeds the cost of implementation — but the cost of partial implementation may exceed both.[2][5] | Cost Burden |
| Quality (D5) | L2 | 48 | Partial zero trust creates false confidence. 63% say they have adopted it; 1% meet the definition. The gap means organisations believe they are protected while the most difficult layers remain unaddressed. Zero trust covers up to 50% of an organisation’s environment and mitigates up to 25% of enterprise risk — leaving 75% of risk to other controls. Quality of security posture degrades when the model is assumed complete but isn’t.[1][3] | False Confidence |
| Customer (D1) | L2 | 42 | Access friction affects user experience. Customers of zero trust-protected services encounter additional authentication steps, session re-validation, and access denials. The security benefit is invisible to the user; the friction is not. When the identity provider itself fails (Okta breach), customer access is disrupted across all connected services simultaneously.[4] | Access Friction |
```
-- The Zero Trust Paradox: Cybersecurity Diagnostic
-- Sense -> Analyze -> Measure -> Decide -> Act
FORAGE zero_trust_implementation
WHERE adoption_rate_partial > 60
AND full_implementation_rate < 5
AND mfa_fatigue_attacks_increasing = true
AND identity_provider_concentration = true
AND cost_barrier_pct > 40
ACROSS D4, D6, D2, D3, D5, D1
DEPTH 3
SURFACE zero_trust_paradox
DIVE INTO adoption_implementation_gap
WHEN partial_adoption > 60 -- 63% say adopted
AND full_maturity < 10 -- <10% mature by 2026
AND attack_surface_shifting = true -- >50% attacks target uncovered areas
TRACE zero_trust_paradox -- D4 -> D6+D2+D3 -> D5+D1
EMIT security_model_cascade
DRIFT zero_trust_paradox
METHODOLOGY 85 -- NIST 800-207, Forrester ZTX, Gartner ZTNA — well-codified
PERFORMANCE 40 -- 63% partial, 1% complete, 48% cost-constrained
FETCH zero_trust_paradox
THRESHOLD 1000
ON EXECUTE CHIRP critical "6/6 dimensions, security model creates cascading friction"
SURFACE analysis AS json
```
Runtime: @stratiqx/cal-runtime · Spec: cal.cormorantforaging.dev · DOI: 10.5281/zenodo.18905193
63% adopted. 1% complete. The gap between purchase and implementation is not a timeline problem — it is a structural condition. Organisations stop at identity (MFA, SSO) because it is achievable, and leave network segmentation, data-level controls, and supply chain verification incomplete. Partial zero trust is a new attack surface: it creates confidence without coverage.
Continuous verification requires continuous prompts. Continuous prompts create fatigue. Fatigue creates a new attack vector: MFA fatigue attacks, where adversaries spam authentication requests until the user accepts. The security model designed to prevent credential abuse enables a new form of credential abuse. The fix — phishing-resistant, passwordless authentication — has reached only 14% adoption.
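The detection side of the MFA-fatigue problem, as an added example that is not code from this page, Okta, or any vendor named here: the script below flags push-bombing bursts (several denied or timed-out pushes followed by an approval) in a constructed authentication log. The log format, field names and the window and burst thresholds are assumptions.

```python
# Added example (not from the page or any vendor named on it): flag MFA
# push-fatigue bursts. Log format, field names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, MFA push result.
SAMPLE_LOG = """\
2025-03-01T08:00:02Z alice push_denied
2025-03-01T08:00:09Z alice push_denied
2025-03-01T08:00:15Z alice push_timeout
2025-03-01T08:00:21Z alice push_denied
2025-03-01T08:00:27Z alice push_denied
2025-03-01T08:00:40Z alice push_approved
2025-03-01T08:05:00Z bob push_approved
2025-03-01T09:30:00Z bob push_denied
2025-03-01T09:45:00Z bob push_approved
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window per user
MIN_UNAPPROVED = 3             # assumed burst size that marks fatigue


def parse_log(text):
    """Parse 'timestamp user result' lines into sorted (time, user, result)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_push_fatigue(text, window=WINDOW, min_unapproved=MIN_UNAPPROVED):
    """One alert per approval preceded by >= min_unapproved unapproved pushes
    inside `window`: the signature of approving to make the prompts stop."""
    recent = defaultdict(list)  # user -> times of unapproved pushes in window
    alerts = []
    for ts, user, result in parse_log(text):
        recent[user] = [t for t in recent[user] if ts - t <= window]  # expire old
        if result == "push_approved":
            if len(recent[user]) >= min_unapproved:
                alerts.append({"user": user, "approved_at": ts,
                               "unapproved_before": len(recent[user])})
            recent[user].clear()
        else:
            recent[user].append(ts)
    return alerts


if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```

A real deployment would read the identity provider's authentication events instead of the embedded sample and tune the window to the provider's push timeout.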
Zero trust eliminates the network perimeter. It replaces it with an identity perimeter — concentrated in Okta, Microsoft Entra, and a handful of providers. When Okta was breached, the identity layer that enables zero trust became the attack surface. The model moves the single point of failure. It does not eliminate it. The structural parallel to UC-103 (Silicon Moat) is precise: concentration risk at a different layer of the stack.
The MGM Resorts breach — zero trust architecture defeated by a social engineering call to the help desk — demonstrates the boundary of the model. Zero trust governs digital interactions. It does not govern human interactions. The attack surface that matters most is the one the security model was not designed to address. Gartner’s prediction that over half of cyberattacks will target areas zero trust cannot cover reflects this structural limitation.