Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Zero trust and user friction: what practitioners need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Zero Trust only works when it reflects how people actually use systems, according to Illumio’s conversation with former White House CIO Theresa Payton. The central challenge is that compliance-driven controls and user friction create workarounds, while AI expands the need for continuous verification and containment.

NHIMG editorial — based on content published by Illumio: Zero Trust must be designed for how people actually work

By the numbers:

Questions worth separating out

Q: How should security teams implement Zero Trust without breaking user workflows?

A: Start by observing how people actually complete work, then redesign access paths so the secure route is also the easiest route.

Q: Why do users and administrators create workarounds around security controls?

A: They create workarounds when controls are too slow, too rigid, or disconnected from operational reality.

Q: How do you know if Zero Trust is actually working?

A: Look for reduced lateral movement, narrower trust paths, and faster containment when an account or system is compromised.

Practitioner guidance

  • Measure friction before you tighten policy Identify where users create workarounds, shared accounts, or alternate paths because official controls slow delivery.
  • Build segmentation around real communication flows Map how systems, users, and service accounts actually communicate, then apply segmentation to those paths.
  • Put AI runtime identity under governance Require immutable logs, decision traceability, and scoped privileges for AI systems that can read data or trigger actions.

What's in the full article

Illumio's full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how user friction creates security workarounds in real environments.
  • Theresa Payton’s practical guidance on observing workflows in call centres and client sites.
  • Further discussion of AI as privileged access and why immutable logs matter for governance.
  • How segmentation and least privilege are used together to contain lateral movement in practice.

👉 Read Illumio’s analysis of Zero Trust, user behaviour, and AI risk →

Zero trust and user friction: what practitioners need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Compliance-led security creates a control illusion when it replaces operational design. The article is right to challenge checklist thinking because Zero Trust fails when controls satisfy auditors but not actual users. In IAM and PAM programmes, that means access policy must be measured against behaviour, not just policy text. The practical conclusion is that resilience starts where the user journey starts.

A question worth separating out:

Q: Who is accountable when AI systems operate with privileged access?

A: Accountability should sit with the team that owns the AI system’s runtime privileges, logging, and decision traceability. If an AI can access data or trigger actions, its identity must be governed like any other privileged system. The organisation remains accountable for what the system does in production.

👉 Read our full editorial: Zero trust for real work: why usability now drives resilience



   
ReplyQuote
Share: