Elevating the Human Factor in a Zero-Trust World
2025-10-31 10:40:36 Author: securityboulevard.com Views: 7

“Humans are the weakest link in the cybersecurity kill chain” has become something of a tired cliche in today’s security discourse. Of course, there’s a good measure of truth in every trope. Even the smartest among us is capable of clicking on the wrong link or accidentally breaking protocol in the name of getting work done. 

Recognizing that no perimeter could fully account for human error, the security community turned to zero-trust as a more adaptive, identity-centric model predicated on the idea that trust should never be assumed and always be verified. 


Zero-trust is often framed as a technical solution, a set of tools and policies designed to eliminate implicit trust in networks, devices and users. But this narrative overlooks an uncomfortable paradox: Zero-trust is only as strong as the judgment of the people who interpret its signals and define its guardrails. 

Consider this: A CEO logs into the corporate network from Tokyo just two hours after accessing it from Miami. Is this a compromised account or a legitimate business trip? Was there a travel notice? Is the CEO known to work across time zones? Technology can flag the anomaly, but it’s the trained human security expert who understands these nuances and can contextualize them into actionable insights.  

The challenge is only growing in complexity. Hybrid and remote work have blurred the lines of traditional network perimeters, expanding the potential attack surface in every direction. At the same time, threat actors are rapidly evolving, using generative AI to craft more convincing phishing lures, replicate login pages and manipulate behavioral signals in ways that can slip past technical controls.  

In this environment, zero-trust alone can’t promise security. Without human oversight, even the most advanced zero-trust implementations risk becoming overly reliant on automation, fostering a false sense of control, or worse, complacency.  

Which begs the question: If zero-trust isn’t enough on its own, what (or who) makes the difference? 

The Human Core of Zero-Trust 

Security leaders have long understood that the most devastating cyberattacks today don’t rely on technical exploits. Phishing, social engineering and credential theft account for more than 80% of breaches according to Verizon’s most recent Data Breach Investigations Report (DBIR). Attackers recognize what too many defenders tend to forget: Security starts and ends with people. 

In reality, zero-trust systems generate enormous volumes of risk signals, far too many for automation to handle alone. If you don’t have skilled security staff trained to analyze those signals, you’re just swapping one kind of noise for another. 

While a recent Gartner survey found that 63% of organizations worldwide have fully or partially implemented a zero-trust strategy, a significant number still struggle to operationalize it in a way that meaningfully reduces risk. The problem isn’t the framework itself. Rather, it’s the gap between signals and situational understanding. 

That’s one of the reasons why we find ourselves often repeating the mantra: ‘context matters more than credentials’. A user logging in with the right username and password is meaningless without knowing the where, when and why. An employee is accessing a sensitive financial database at 3 a.m. from a company-issued device. Is this a dedicated team member working late, or has their laptop been compromised? Without behavioral baselines and business context, it’s impossible to know. 
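The two scenarios above (the CEO who appears in Tokyo two hours after Miami, and the employee in a finance database at 3 a.m.) are exactly the kind of anomaly a tool flags but cannot resolve without business context. The following is an added example, not code from the article or from any product it mentions; it evaluates a sign-in against the previous one plus a small user-context record (usual hours, filed travel notices, whether the user routinely works across time zones), all of which are assumed inputs, and the sample logins, coordinates and thresholds are constructed for illustration.

```python
"""Context-aware evaluation of a sign-in event (added example, not from the article)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed threshold: faster than any commercial flight, so two logins that would
# require this speed cannot both be the same traveller unless context says otherwise.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass
class Login:
    user: str
    city: str
    lat: float
    lon: float
    at: datetime            # timezone-aware UTC timestamp
    device_managed: bool    # company-issued, enrolled device?


@dataclass
class UserContext:
    """Business context that the raw log line does not carry (assumed data source)."""
    usual_hours_utc: tuple                              # (start, end) hour window of normal activity
    travel_notices: set = field(default_factory=set)    # cities the user has declared travel to
    works_across_timezones: bool = False


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate_login(prev, cur, ctx):
    """Return (severity, explanation) findings for `cur`, given the previous login and user context."""
    findings = []
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    km = distance_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
        if cur.city in ctx.travel_notices:
            # Same raw anomaly, different answer: a filed travel notice changes the severity.
            findings.append(("low", f"{prev.city}->{cur.city} in {hours:.1f}h, "
                                    f"but a travel notice for {cur.city} is on file"))
        else:
            findings.append(("high", f"impossible travel {prev.city}->{cur.city}: "
                                     f"{km:.0f} km in {hours:.1f}h, no travel notice; human review"))
    start, end = ctx.usual_hours_utc
    if not (start <= cur.at.hour < end) and not ctx.works_across_timezones:
        # Off-hours access on a managed device is worth a look; on an unmanaged one, more so.
        sev = "medium" if cur.device_managed else "high"
        kind = "managed" if cur.device_managed else "unmanaged"
        findings.append((sev, f"access at {cur.at:%H:%M} UTC outside usual hours from {kind} device"))
    return findings


# Constructed sample events (not real data).
UTC = timezone.utc
MIAMI = Login("ceo", "Miami", 25.76, -80.19, datetime(2025, 10, 31, 13, 0, tzinfo=UTC), True)
TOKYO = Login("ceo", "Tokyo", 35.68, 139.69, datetime(2025, 10, 31, 15, 0, tzinfo=UTC), True)
CEO_CTX = UserContext(usual_hours_utc=(8, 18), works_across_timezones=True)
CEO_CTX_TRAVEL = UserContext(usual_hours_utc=(8, 18), travel_notices={"Tokyo"}, works_across_timezones=True)

ANALYST_DAY = Login("analyst", "Austin", 30.27, -97.74, datetime(2025, 10, 30, 21, 0, tzinfo=UTC), True)
ANALYST_3AM = Login("analyst", "Austin", 30.27, -97.74, datetime(2025, 10, 31, 8, 0, tzinfo=UTC), True)  # 03:00 local
ANALYST_CTX = UserContext(usual_hours_utc=(13, 23))   # 8 a.m. to 6 p.m. Central, expressed in UTC

if __name__ == "__main__":
    for label, args in [("CEO, no notice", (MIAMI, TOKYO, CEO_CTX)),
                        ("CEO, notice filed", (MIAMI, TOKYO, CEO_CTX_TRAVEL)),
                        ("analyst at 3 a.m.", (ANALYST_DAY, ANALYST_3AM, ANALYST_CTX))]:
        print(label, evaluate_login(*args))
```

The geometry is the easy part; the lines that matter are the context lookups. Both Tokyo logins produce the same speed, and only the travel-notice and working-pattern fields turn that into "page an analyst" versus "note it and move on", which is the article's point about context outweighing credentials.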

Too many organizations continue to believe that deploying a few tools checks the zero-trust box. Then they wonder why they’re still getting breached. 

Making Zero-Trust Work: 4 People-Driven Best Practices 

So how do we build a zero-trust architecture that actually delivers on its promise? It starts with a shift in mindset, from thinking about zero-trust as just a technical configuration to seeing it as a human-centered strategy. The real impact happens when policy design, access decisions and anomaly response are informed by the people who understand the business. Here are four principles we’ve found critical to making that shift successful: 

  1. Design policies around real-world behavior, not job descriptions. Most organizations write access policies based on what someone should need, not how they actually work. We’ve seen users with access to apps they haven’t touched in 90 days. Those unused permissions represent more than inefficiency; they create unnecessary risk. Effective zero-trust starts with mapping actual usage patterns, including cross-functional workflows, seasonal access needs and just-in-time privileges.
  2. Define clear thresholds for when automation stops and humans take over. Not every anomaly needs a red alert. Not every alert needs a human. The key is creating adaptive rules based on behavioral anomalies, access patterns and organizational risk tolerance: low-risk events trigger soft responses like re-authentication; medium-risk events may auto-quarantine; high-risk events require human review. That balance helps teams scale without burning out while ensuring meaningful threats still get the attention they deserve.
  3. Handle onboarding and offboarding with surgical precision. Privilege creep is one of the biggest risks in enterprise environments. In our network, we start new hires with minimum viable access – email and Slack – and nothing more until their manager requests it. For offboarding, we’ve automated workflows that shut off access to everything except final communications tools like Zoom or Teams. If you’re relying on spreadsheets to manage offboarding, you’re leaving doors wide open.
  4. Build a zero-trust culture through empathy, not enforcement. Too often, security teams treat zero-trust like something they do to employees, not with them. That creates unnecessary resistance and perpetuates a security culture built on fear rather than collaboration. Instead, be intentional about leading with business value: faster vendor onboarding, secure remote work and simplified SSO experiences. Explain the “why,” not just the “what.” And when possible, recruit internal security champions in each department to help normalize the change.
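Practices 1 through 3 above are concrete enough to write down as policy logic. What follows is an added example, not code from the article or from the authors' own environment: a tiered router that maps a set of named risk signals to the three responses in practice 2 (with a travel notice as the business context that downgrades a signal), a 90-day stale-entitlement review for practice 1, and minimum-access onboarding plus keep-only-final-comms offboarding for practice 3. The signal names, weights, thresholds, application names and usage records are all constructed for illustration and would be tuned to an organization's own risk tolerance.

```python
"""Tiered response thresholds, stale-entitlement review and least-privilege
on/offboarding (added example, not from the article)."""
from datetime import datetime, timedelta, timezone

# Assumed signal weights; an organization tunes these to its own risk tolerance.
SIGNAL_WEIGHTS = {
    "new_device": 20,
    "off_hours": 25,
    "unmanaged_device": 30,
    "sensitive_resource": 25,
    "impossible_travel": 60,
}
# Assumed score thresholds separating the three response tiers.
REAUTH_AT, QUARANTINE_AT, HUMAN_REVIEW_AT = 20, 50, 80


def risk_score(signals):
    """Additive score over the signal names present on an event."""
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)


def route(signals, travel_notice=False):
    """Pick the response tier for a set of signal names. Business context
    (a travel notice on file) removes the impossible-travel signal before scoring."""
    active = set(signals)
    if travel_notice:
        active.discard("impossible_travel")
    score = risk_score(active)
    if score >= HUMAN_REVIEW_AT:
        return "human_review"        # an analyst decides; automation only stages the evidence
    if score >= QUARANTINE_AT:
        return "auto_quarantine"     # session isolated pending review
    if score >= REAUTH_AT:
        return "step_up_reauth"      # soft response: prove it is you again
    return "allow"


def stale_entitlements(grants, last_used, now, max_idle_days=90):
    """Entitlements unused for more than max_idle_days, or never used at all.
    grants: {user: {app, ...}}; last_used: {(user, app): datetime}."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted((u, a) for u, apps in grants.items() for a in apps
                  if last_used.get((u, a)) is None or last_used[(u, a)] < cutoff)


def onboard(grants, user, baseline=("email", "chat")):
    """Minimum viable access for a new hire; anything more needs a manager request."""
    grants[user] = set(baseline)
    return grants[user]


def offboard(grants, user, keep=("video-meetings",)):
    """Revoke everything except final-communications tools; return what was revoked."""
    current = grants.get(user, set())
    revoked = current - set(keep)
    grants[user] = current & set(keep)
    return revoked


# Constructed sample data (not real).
NOW = datetime(2025, 10, 31, tzinfo=timezone.utc)
GRANTS = {
    "alice": {"email", "chat", "finance-db", "video-meetings"},
    "bob": {"email", "jira"},
}
LAST_USED = {
    ("alice", "email"): NOW,
    ("alice", "chat"): NOW - timedelta(days=3),
    ("alice", "finance-db"): NOW - timedelta(days=120),   # untouched for four months
    ("alice", "video-meetings"): NOW - timedelta(days=1),
    ("bob", "email"): NOW - timedelta(days=1),
    # ("bob", "jira") was granted but never used
}

if __name__ == "__main__":
    print(route({"impossible_travel", "sensitive_resource"}))                      # human_review
    print(route({"impossible_travel", "sensitive_resource"}, travel_notice=True))  # step_up_reauth
    print(stale_entitlements(GRANTS, LAST_USED, NOW))
    print(offboard(GRANTS, "alice"))
```

Two design points worth noting: the router never lets a high score bypass the human tier, so automation can contain but not close a high-risk case, and the stale-entitlement check treats "never used" the same as "idle past the cutoff", which is where most forgotten grants hide.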

Ultimately, the companies that succeed with zero-trust don’t compartmentalize it solely as a technical deployment. They view it as a cultural transformation. That means involving people at every stage – from policy creation and threat evaluation to access decisions and communication. Of course, automation will help us do more. And AI will undoubtedly continue to evolve and play an increasingly important role in its effectiveness. But at the center of it all, there will always be a human being making a judgment call.  


Source: https://securityboulevard.com/2025/10/elevating-the-human-factor-in-a-zero-trust-world/