Thursday, March 19, 2026

The Security Playbook Everyone Follows Until Tuesday — and Abandons by Thursday


David Bellini

David Bellini is a co-founder and the Chief Executive Officer of CyberFOX. Serving as Chief Operating Officer and working with his brother Arnie Bellini, he helped spin the ConnectWise software company out of their Tampa-based IT service provider more than four decades ago.

Zero trust sounds perfect in theory. By Thursday, the admin rights are quietly back. Here is why the gap between security policy and reality is the real vulnerability.

The security community has spent two decades preaching least privilege and zero trust. Both principles are technically sound. Both are operationally out of reach for most organizations.

I don’t say that to be cynical. I say it after 40 years of managing IT infrastructure across thousands of endpoints. I’ve watched capable IT teams try to follow the playbook of ‘locking down machines’, only to quietly abandon it three months later because their users couldn’t do their jobs.

We need a new framework. I’m calling it pragmatic trust.

The Gap Between Theory and Tuesday Morning

Here’s what zero trust looks like in theory: Each access request would have to be authenticated, each session would be monitored, and users would receive the minimum permissions possible. Beautiful when shown on a whiteboard.

When you apply zero trust to a 200-employee manufacturing organization on a Tuesday morning, the bookkeeper cannot update QuickBooks. Engineering’s CAD application will not open, and no one can update the print drivers for the new printer installed on Monday. The help desk receives 47 service requests before lunch from people who simply need to do their jobs. By Wednesday, a member of management contacts IT and says, “Fix this”. By Thursday, admin rights are quietly reinstated for the few users we think are least risky.

This cycle generates a real credibility issue for security teams. Security teams present policies in training that everyone knows won’t survive contact with production. IT staff nod along, then make exceptions because work needs to get done. In my experience, the gap between what we prescribe and what organizations actually sustain is the single biggest security risk most companies face.

What Pragmatic Trust Actually Looks Like

Pragmatic trust starts with a practical question: What is the largest practical improvement I can make that will actually be maintained? Not the one that meets every compliance requirement on the day it is implemented. The one that lasts.

For many organizations, this means moving from all-or-nothing privilege decisions to risk- and duration-based decisions. Your bookkeeper updating QuickBooks on a Saturday is a different risk profile than a developer accessing production databases at 2 a.m. Both need admin-level access sometimes. The controls should match the actual risk, not a theoretical ideal.

Instead of refusing to remove administrator privileges because you cannot do it perfectly, start by granting just-in-time administrative access to specific applications. Instead of a manual ticket system that creates so much friction that it goes unused, establish pre-approved rules for known-good applications. Rather than recording every session that no one reviews, monitor the high-risk activities where it matters most.
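As an added illustration of the risk- and duration-based model described above (example code written for this page, not from the article or from any CyberFOX product; the application names, groups, users and rule values are constructed), here is a small Python policy evaluator. Known-good applications get pre-approved, time-boxed elevation; a high-risk application always routes to a human; anything not covered by a rule is denied; and every decision, denials included, is written to an audit trail.

```python
# Added example: a toy policy evaluator for time-boxed, per-application admin
# elevation. Rules, application names, groups and users below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple

class Decision(Enum):
    AUTO_APPROVE = "auto_approve"      # matched a pre-approved rule: elevate now
    NEEDS_APPROVAL = "needs_approval"  # a person signs off (the ticket path)
    DENY = "deny"                      # nothing covers it; never elevate silently

@dataclass(frozen=True)
class Rule:
    app: str                # application the rule covers (constructed name)
    groups: FrozenSet[str]  # user groups the rule applies to
    max_minutes: int        # longest elevation granted without a human
    risk: str               # "low" or "high"; high always needs a human

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    app: str
    minutes: int            # how long the user is asking for
    at: datetime

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    expires: datetime       # every grant ends; there is no standing admin right

    def active(self, now: datetime) -> bool:
        return now < self.expires

@dataclass
class Evaluator:
    rules: Dict[str, Rule]
    audit: List[dict] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[Decision, Optional[Grant]]:
        rule = self.rules.get(req.app)
        if rule is None:
            decision, reason = Decision.DENY, "no approved rule for application"
        elif not (req.groups & rule.groups):
            decision, reason = Decision.DENY, "user not in a group the rule allows"
        elif rule.risk == "high":
            decision, reason = Decision.NEEDS_APPROVAL, "high-risk application"
        elif req.minutes > rule.max_minutes:
            decision, reason = Decision.NEEDS_APPROVAL, "requested duration exceeds rule"
        else:
            decision, reason = Decision.AUTO_APPROVE, "matches approved rule"

        grant = None
        if decision is Decision.AUTO_APPROVE:
            grant = Grant(req.user, req.app, req.at + timedelta(minutes=req.minutes))

        # Every outcome, denials included, goes into the audit trail, so the
        # exceptions that used to be invisible become records someone can review.
        self.audit.append({
            "at": req.at.isoformat(),
            "user": req.user,
            "app": req.app,
            "minutes": req.minutes,
            "decision": decision.value,
            "reason": reason,
            "expires": grant.expires.isoformat() if grant else None,
        })
        return decision, grant

# Constructed rule set for a small shop: known-good installers are pre-approved
# for short windows; the production database console always needs a person.
RULES: Dict[str, Rule] = {r.app: r for r in (
    Rule("quickbooks-updater", frozenset({"finance"}), 30, "low"),
    Rule("cad-installer", frozenset({"engineering"}), 60, "low"),
    Rule("printer-driver-install", frozenset({"staff"}), 15, "low"),
    Rule("prod-db-console", frozenset({"developers"}), 0, "high"),
)}

def demo() -> dict:
    # Run a constructed Tuesday-morning batch of requests through the rules.
    ev = Evaluator(RULES)
    t0 = datetime(2026, 3, 17, 9, 0, tzinfo=timezone.utc)  # a Tuesday, 09:00 UTC
    reqs = [
        Request("bookkeeper", frozenset({"finance", "staff"}), "quickbooks-updater", 20, t0),
        Request("dev1", frozenset({"developers", "staff"}), "prod-db-console", 30, t0),
        Request("intern", frozenset({"staff"}), "unknown-tool", 5, t0),
        Request("bookkeeper", frozenset({"finance", "staff"}), "quickbooks-updater", 45, t0),
    ]
    grants = [ev.evaluate(r)[1] for r in reqs]
    first = grants[0]  # the only auto-approved grant in this batch
    return {
        "audit": ev.audit,
        # The 20-minute grant is still live at 09:19 and gone at 09:20.
        "active_at_0919": first.active(t0 + timedelta(minutes=19)),
        "active_at_0920": first.active(t0 + timedelta(minutes=20)),
    }
```

The `expires` field is the point: nothing the evaluator grants turns into the standing admin right that used to be quietly reinstated by Thursday, and a periodic job that drops any grant for which `active(now)` is false closes the loop. The audit list is the artifact that an insurer or assessor can actually be shown, including the requests that were refused.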

In essence, the concept is: Make the greatest enhancement you can sustainably achieve, and then make another.

But Doesn’t This Water Down Security?

I hear this objection a lot, and I get it. Anything short of zero trust feels like a concession.

But here’s what critics miss: Organizations are currently doing this type of “compromise” every day. They simply do so in a way that is invisible, uncontrolled, undocumented and without any auditing capability. Each time an IT admin grants local admin rights back to an end user to stop the deluge of helpdesk requests, that is a security-related decision made during a stressful time, with no oversight or control over what was done.

Pragmatic trust doesn’t lower the bar. It makes the decisions that are already happening explicit, manageable, and auditable. That’s a significant upgrade from the status quo at most mid-sized organizations.

Tiered Risk, Not One-Size-Fits-All

Part of what makes this work is accepting that not all privilege is equal. A county school district and an investment bank have almost nothing in common when it comes to their threat models, their resources, or their tolerance for complexity. Treating them the same has never made sense.

Pragmatic trust builds in tiers. You match your controls to your actual risk and your actual capacity. A small municipality running legacy software that requires admin rights doesn’t need the same vault-and-session-recording infrastructure as a Fortune 500 firm. They need their applications to work, their users to stay productive, and their attack surface to be reduced enough to deter opportunistic threats. That’s not giving up on security. That’s meeting organizations where they are.

What Is Coming

Ransomware actors are scrutinizing privileged access more closely because it lets them move throughout the network. Cyber insurance carriers are asking tougher questions about privileged access as part of the renewal process. Each year, compliance frameworks get more specific.

Privilege management will continue to come under pressure, but the current operational reality is that most organizations are still running software that was created over 20 years ago and expects every user to be an administrator.

We have been saying for decades that we should remove administrative rights from employees; we now need to provide those same organizations with a framework that makes it possible. One sustained improvement at a time.
