By Michael Henry, CEO, Accelerynt
Ask around and many people will say Zero Trust fails at the enforcement stage. In practice, most programs struggle much earlier. The underlying issue is that the foundational work never fully took hold.
The Real-World Friction We See
This is the pattern we hear from security teams again and again. There is pressure to move quickly on Zero Trust, but when implementation begins, progress slows. The reason is usually straightforward. You cannot secure what you do not clearly understand. Without a reliable view of users, devices, applications, and data flows, security decisions are based on assumptions rather than facts.
Those assumptions show up later as exceptions, fragile policies, and workarounds that quietly erode confidence.
The Core Issue: Treating Discovery as a Milestone Instead of a Discipline
Recent guidance from the NSA reinforces something experienced operators already know. Zero Trust needs to start with Discovery. Not as a one-time exercise and not as a box to check, but as a continuous practice.
Discovery does not need to be perfect before progress begins. Waiting for completeness often leads to inertia. What matters is establishing an initial, credible baseline and then improving it deliberately over time.
The mistake is thinking Discovery is something you finish. In reality, it is something you maintain, refine, and revisit as the environment changes.
Why This Matters Now
Security leaders are under sustained pressure to demonstrate progress. Boards want clarity. Budgets are scrutinized. Automation is expected to reduce friction, not introduce more of it.
When Discovery is treated as a one-time effort, automation tends to amplify gaps rather than close them. When Discovery is continuous, automation compounds improvement. Each cycle tightens visibility, sharpens policy decisions, and reduces operational noise.
Small, consistent improvements in understanding create outsized gains in control.
A Subtle but Important Distinction
Many partners approach Zero Trust by emphasizing specific technical components. Asset management, tooling, and perimeter controls are often the focus. Those elements matter, but they are not sufficient on their own.
What makes the difference is how those elements are fed. At Accelerynt, Discovery has never been a gate to pass through. It has been a steady, iterative process that informs every other decision. The NSA’s recent guidance aligns closely with that mindset. It confirms that durable Zero Trust outcomes come from continuously improving understanding, not from reaching an artificial endpoint.
The Bottom Line
Zero Trust does not require complete Discovery before you begin. It does require honest Discovery that continues after you start.
Organizations that treat Discovery as a living process are able to adapt, automate, and respond with confidence as conditions change. Those that treat it as a one-time phase often find themselves rebuilding foundations later, at greater cost and with less trust.
Zero Trust starts with understanding. It succeeds through continuous improvement.