
Zero Trust Starts With Knowing Who — Not What You Verify

Gustav Poola
Tags: zero-trust, identity-first-security, authentication, identity-proofing, cybersecurity, digital-identity

96% of organisations favour Zero Trust. 84% had identity breaches anyway. The problem: 'never trust, always verify' fails when you can't verify who someone is.


Rob Ainscough, chief identity security advisor at Silverfort, put it as plainly as anyone has: "Zero trust is not possible without an identity-first approach — they are fundamentally interconnected. Trust cannot be verified if the identity itself cannot be verified."

That was published in SecurityWeek's Cyber Insights 2026 report, alongside a more uncomfortable observation from Ariel Parnes, former IDF 8200 colonel and COO at Mitiga: "The biggest security incidents in 2026 will stem from compromised identities within supposedly zero trust environments."

Both are right. And the tension between these two statements — zero trust requires identity, but identity keeps getting compromised — reveals the structural flaw in how most organisations are implementing zero trust today.

The Numbers That Should Worry Zero Trust Advocates

Zero trust adoption is not the problem. According to a 2026 survey by CertEmpire, 96% of organisations favour a zero trust approach and 81% plan to implement within the next 12 months. The framework has won the argument.

The results, however, tell a different story. Seceon's comprehensive 2026 analysis compiled the data that should be on every CISO's desk: 84% of organisations experienced identity-related breaches in 2025. 72% of breaches involved exploitation of privileged credentials. Breach costs averaged $5.2 million — with costs 38% higher for organisations without zero trust. And perhaps most telling: credential-based attacks had a 95% success rate against organisations lacking zero trust controls.

The pattern is clear. Organisations are adopting zero trust. Breaches keep happening through identity. The framework is not failing — but something inside it is.

"Never Trust, Always Verify" — But Verify What, Exactly?

Zero trust rests on a principle so simple it fits on a t-shirt: never trust, always verify. The question that most implementations skip is: verify what?

In practice, here is what most zero trust deployments actually verify. They verify the device: is it managed, patched, compliant? They verify the network context: where is the request coming from? They verify the session: is the MFA token valid, has the session expired? They verify the application: is this request within the user's role and permissions?

What they rarely verify at a foundational level is the human. Not the account. Not the credential. Not the device. The actual person. Under NIS2 Article 21, that is exactly the gap supervisors now examine in essential and important entities.

As BleepingComputer reported in a March 2026 analysis: while authentication verifies who a user is, it does not determine whether their access should be trusted at that specific moment. Verizon's 2025 Data Breach Investigations Report identified compromised credentials as the top initial access vector for breaches — present in roughly one in five incidents overall and implicated in about 88% of basic web application attacks. These attackers had valid credentials — the system implicitly trusted them.

This is the gap. Zero trust says "never trust." But when an attacker presents a valid credential, the system does trust — because it cannot tell the difference between a legitimate user with a valid token and an attacker with a stolen one.

The Identity Stack Has Three Layers — Most Deployments Have Two

The identity foundation for zero trust has three distinct layers. Understanding which are present and which are missing explains why implementations fail.

[Figure: the Zero Trust identity stack as three layers. Layer 3: Authorization and Context. Layer 2: Authentication. Layer 1: Identity Proofing, at the foundation. Most organisations invest in layers 2 and 3 but skip the identity proofing foundation.]

Layer 1: Identity proofing. Establishing who someone is in the real world. This happens once — at onboarding, at account creation, at the moment a person is first connected to a credential. The strength of everything that follows depends on the strength of this step.

Layer 2: Authentication. Confirming that the person presenting a credential is the same person who was proofed. Passkeys, MFA, biometrics — all operate here. This is what most organisations mean when they say "identity verification."

Layer 3: Authorization and context. Determining what the authenticated person is allowed to do, based on role, risk signals, device posture, and behavioural context. This is where policy engines, RBAC, conditional access, and analytics operate.

Most zero trust deployments invest heavily in layers 2 and 3. They implement strong authentication. They build sophisticated authorization policies. They deploy behavioural analytics.

But layer 1 — the foundation that everything else rests on — is often a username and an email address. Or a self-asserted identity verified by an HR department during onboarding. Or, increasingly, nothing at all — as AI agents inherit credentials from human accounts without anyone verifying the human behind them.

Dan Schiappa, president of technology and services at Arctic Wolf, described the trajectory in SecurityWeek: "In 2026, zero trust won't just be a security model, it will be a corporate lifestyle and a defining principle of digital leadership."

If the lifestyle rests on a foundation of unverified identities, the lifestyle has a structural problem.

Why Cross-Border Makes the Problem Visible

Within a single enterprise, in a single country, identity proofing may seem adequate. The HR department checked the passport. The IT team issued a credential. The person is "known."

The problem becomes visible when you cross borders. A contractor in Turkey. A supplier in India. A logistics partner in Ukraine. A customer in Nigeria. A developer in Brazil. Each of these people needs access to your systems, your data, your workflows — and your zero trust architecture needs to verify them.

The EUDI wallet will cover 27 EU member states. That leaves 152 countries with biometric passports but no European digital identity infrastructure. National eID systems are fragmented, incompatible, and largely unavailable to non-citizens.

For organisations operating across borders — which, in 2026, means most organisations — the identity proofing layer of zero trust has a structural gap. The authentication is strong (passkeys work everywhere). The authorization is sophisticated (policy engines are platform-agnostic). But the question "who is this person?" has no consistent answer across jurisdictions.

The AI Agent Amplifier

The rise of AI agents acting autonomously magnifies the identity proofing gap. When a human delegates authority to an AI agent, the agent inherits access. The delegation chain is only as trustworthy as the identity at its root.

The Cloud Security Alliance found that only 23% of organisations have a formal, enterprise-wide strategy for managing AI agent identities — and that more than two-thirds cannot clearly distinguish AI agent activity from human activity. Teams share human credentials with agents. Agents spawn sub-agents that inherit permissions. The zero trust architecture verifies the agent's token — but who verified the human who delegated the token?

Keith McCammon, co-founder at Red Canary, captured the operational pressure in SecurityWeek: "In 2026, zero trust principles and implementation will shift from ambition to necessity. Security budgets are tightening, SOC teams aren't growing, and identity-based threats are multiplying."

When AI agents multiply the number of identities in an organisation by 17x or more, the necessity becomes urgent. You cannot verify 17 machine identities per human if you have not verified the human.

What "Identity-First Zero Trust" Actually Requires

The phrase "identity-first security" has become a Gartner-tier buzzword. But the practical requirements are specific — and most vendor implementations stop short.

Cryptographic identity proofing at onboarding. Not a username and an email. Not a scanned ID card reviewed by a human. A cryptographic proof of identity that cannot be deepfaked, social-engineered, or fabricated — verified automatically, at scale, across borders.

Re-proofing at high-risk moments. Account recovery (the weakest link in passkey deployments). Privilege escalation. New device enrollment. AI agent delegation. Each of these moments should re-verify the human, not just re-authenticate the credential.

Continuous assurance that links credential to human. The session is valid — but is the same proofed human still behind it? Behavioural biometrics, device attestation, and contextual signals provide ongoing confidence between explicit verification events.

The biometric passport provides the strongest available foundation for the first requirement. The NFC chip contains government-issued, cryptographically signed identity data under ICAO 9303 standards, available in roughly 180 countries. It cannot be cloned (Active Authentication), tampered with (Passive Authentication), or read without physical possession (access control protocols).
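Passive Authentication, the check that catches tampered chip data, works by having the issuing state sign a Security Object (SOD) that lists a hash of every data group; a verifier recomputes the hashes from what it read and checks the signature. The following Go program is an added illustration of that mechanism and is not code from the original post or from IdentiGate. It is a deliberate simplification: real ICAO 9303 documents carry the SOD as CMS SignedData and chain the document signer certificate to the state's CSCA, whereas here a single ed25519 document-signer key stands in for that certificate chain, and the data group contents are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// DataGroups models the LDS data groups read from the chip, keyed by number
// (DG1 holds the MRZ, DG2 the facial image). Contents used below are constructed.
type DataGroups map[int][]byte

// SecurityObject models the SOD: the issuer's signature over the hash of every
// data group. Assumption for this example: one ed25519 document-signer key
// replaces the CMS SignedData structure and CSCA certificate chain of ICAO 9303.
type SecurityObject struct {
	Hashes    map[int][32]byte
	Signature []byte
}

// encodeHashes serialises the hash list in a fixed order so that issuer and
// verifier sign and verify exactly the same bytes.
func encodeHashes(h map[int][32]byte) []byte {
	ids := make([]int, 0, len(h))
	for id := range h {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	var out []byte
	for _, id := range ids {
		digest := h[id]
		out = append(out, byte(id>>8), byte(id)) // 2-byte data group number
		out = append(out, digest[:]...)
	}
	return out
}

// IssueSecurityObject is the issuing state's step at personalisation time:
// hash every data group and sign the list with the document signer key.
func IssueSecurityObject(dgs DataGroups, docSigner ed25519.PrivateKey) SecurityObject {
	hashes := make(map[int][32]byte, len(dgs))
	for id, content := range dgs {
		hashes[id] = sha256.Sum256(content)
	}
	return SecurityObject{Hashes: hashes, Signature: ed25519.Sign(docSigner, encodeHashes(hashes))}
}

// PassiveAuthenticate is the verifier's step after reading the chip: check the
// SOD signature against the trusted signer, then check every data group read
// from the chip against the hash the issuer signed.
func PassiveAuthenticate(dgs DataGroups, sod SecurityObject, trustedSigner ed25519.PublicKey) error {
	if !ed25519.Verify(trustedSigner, encodeHashes(sod.Hashes), sod.Signature) {
		return errors.New("SOD signature invalid: security object not issued by the trusted document signer")
	}
	for id, content := range dgs {
		want, ok := sod.Hashes[id]
		if !ok {
			return fmt.Errorf("DG%d present on chip but not covered by the SOD", id)
		}
		if sha256.Sum256(content) != want {
			return fmt.Errorf("DG%d hash mismatch: data group altered after signing", id)
		}
	}
	return nil
}

func main() {
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed chip contents: a sample MRZ line and placeholder image bytes.
	chip := DataGroups{
		1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"),
		2: []byte("<constructed facial image bytes>"),
	}
	sod := IssueSecurityObject(chip, signerPriv)
	fmt.Println("genuine chip :", PassiveAuthenticate(chip, sod, signerPub))

	// An altered MRZ no longer matches the hash the issuer signed.
	tampered := DataGroups{1: []byte("P<UTOERIKSSON<<ANNA<MARIE<<<<<<<<<<<<<<<<<<<"), 2: chip[2]}
	fmt.Println("tampered DG1 :", PassiveAuthenticate(tampered, sod, signerPub))
}
```

The two failure modes are distinct on purpose: a bad SOD signature means the security object itself was not produced by a signer you trust, while a hash mismatch means the signature is genuine but a data group was changed after issuance. Active Authentication (proving the chip holds the private key) and the access control protocols are separate steps not shown here.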

At IdentiGate, we build identity proofing on this foundation. A person scans their biometric passport via NFC, completes liveness verification, and receives a cryptographically anchored digital identity in 90 seconds. That identity becomes the root of trust for zero trust — the verified human that credentials, passkeys, and AI agent delegations all trace back to.

A Practical Sequence for Security Leaders

Based on the data, the expert analysis, and the operational reality of 2026, here is what identity-first zero trust looks like in practice.

Audit your identity proofing layer. For every category of user — employees, contractors, partners, customers, AI agents — ask: how was their identity originally established? If the answer is "they filled out a form" or "HR checked their documents manually," you have a layer 1 gap that layers 2 and 3 cannot compensate for.

Implement cryptographic identity proofing for high-risk onboarding. Not every user needs passport-chip-level verification. But privileged users, cross-border contractors, AI agent delegators, and anyone with access to sensitive systems should be proofed at the highest available assurance level. For OT environments, the NERC CIP-003-9, NIS2 Article 21(2)(i), and IEC 62443-2-4 convergence in 2026 has moved this requirement from optional to mandatory — every vendor remote session must bind to a verifiable named individual.

Close the recovery gap. When a credential is lost or compromised, the recovery process should re-proof the identity, not fall back to email codes and security questions. This is the moment attackers target most — and the moment where identity proofing matters most.

Extend the model to non-human identities. Every AI agent and automated workflow should trace back to a verified human through a delegation chain that is logged, auditable, and cryptographically anchored. If you cannot point to the human behind an action, you do not have zero trust — you have zero accountability.
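To make the last two requirements concrete, the "re-proofing at high-risk moments" list and the delegation chain for non-human identities, here is an added Go example that is not code from the original post or from IdentiGate. It models a proofing record (the layer-1 root, signed by a proofing service after passport and liveness checks), a chain of signed delegations from the human to an agent and a sub-agent, and a verifier that walks the chain back to the accountable human while enforcing a per-moment policy. The moment names, the maximum proofing ages, the hop limits, the principal names and the scope strings are all constructed assumptions for illustration; a production record would also carry the assurance level and be signed with the service's certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ProofingRecord is the layer-1 root of trust: the proofing service attests that
// a subject's signing key was bound to a passport-verified human at ProofedAt.
type ProofingRecord struct {
	Subject    string
	SubjectKey ed25519.PublicKey
	ProofedAt  time.Time
	Signature  []byte // by the proofing service over proofingBytes(...)
}

// Delegation is one link in the chain: Delegator grants Scopes to Delegate and
// signs the grant with its own key, so every hop is attributable and auditable.
type Delegation struct {
	Delegator   string
	Delegate    string
	DelegateKey ed25519.PublicKey
	Scopes      []string
	Signature   []byte
}

// Policy states what a given high-risk moment demands of the chain.
type Policy struct {
	MaxProofAge time.Duration // how recently the root human must have been proofed
	MaxDepth    int           // how many delegation hops are tolerated
}

// PolicyFor maps the moments named in the text to constructed example thresholds.
var PolicyFor = map[string]Policy{
	"routine":              {MaxProofAge: 365 * 24 * time.Hour, MaxDepth: 3},
	"agent_delegation":     {MaxProofAge: 30 * 24 * time.Hour, MaxDepth: 2},
	"privilege_escalation": {MaxProofAge: 24 * time.Hour, MaxDepth: 1},
	"account_recovery":     {MaxProofAge: 5 * time.Minute, MaxDepth: 0}, // re-proof now, no delegates
}

func proofingBytes(subject string, key ed25519.PublicKey, at time.Time) []byte {
	return []byte(fmt.Sprintf("proof|%s|%x|%d", subject, key, at.Unix()))
}

func delegationBytes(d Delegation) []byte {
	return []byte(fmt.Sprintf("delegate|%s|%s|%x|%s", d.Delegator, d.Delegate, d.DelegateKey, strings.Join(d.Scopes, ",")))
}

// Proof is what the proofing service issues after passport and liveness checks.
func Proof(service ed25519.PrivateKey, subject string, key ed25519.PublicKey, at time.Time) ProofingRecord {
	return ProofingRecord{subject, key, at, ed25519.Sign(service, proofingBytes(subject, key, at))}
}

// Delegate hands a subset of a principal's authority to an agent, signed by the delegator.
func Delegate(delegatorKey ed25519.PrivateKey, delegator, delegate string, delegateKey ed25519.PublicKey, scopes []string) Delegation {
	d := Delegation{Delegator: delegator, Delegate: delegate, DelegateKey: delegateKey, Scopes: scopes}
	d.Signature = ed25519.Sign(delegatorKey, delegationBytes(d))
	return d
}

// subset reports whether every scope in child was also granted to parent.
func subset(child, parent []string) bool {
	allowed := map[string]bool{}
	for _, s := range parent {
		allowed[s] = true
	}
	for _, s := range child {
		if !allowed[s] {
			return false
		}
	}
	return true
}

// VerifyChain walks from the proofed human to the acting principal and returns
// the accountable human's subject, or an error naming the first broken link.
func VerifyChain(root ProofingRecord, chain []Delegation, servicePub ed25519.PublicKey, moment string, now time.Time) (string, error) {
	pol, ok := PolicyFor[moment]
	if !ok {
		return "", fmt.Errorf("unknown moment %q", moment)
	}
	if !ed25519.Verify(servicePub, proofingBytes(root.Subject, root.SubjectKey, root.ProofedAt), root.Signature) {
		return "", errors.New("root identity was never proofed by a trusted service")
	}
	if age := now.Sub(root.ProofedAt); age > pol.MaxProofAge {
		return "", fmt.Errorf("%s requires re-proofing: last proofing is %s old", moment, age.Round(time.Hour))
	}
	if len(chain) > pol.MaxDepth {
		return "", fmt.Errorf("%s allows at most %d delegation hops, chain has %d", moment, pol.MaxDepth, len(chain))
	}
	signer, key, scopes := root.Subject, root.SubjectKey, []string(nil)
	for i, link := range chain {
		if link.Delegator != signer {
			return "", fmt.Errorf("hop %d: delegator %q is not the previous principal %q", i, link.Delegator, signer)
		}
		if !ed25519.Verify(key, delegationBytes(link), link.Signature) {
			return "", fmt.Errorf("hop %d: grant was not signed with %q's key", i, signer)
		}
		if i > 0 && !subset(link.Scopes, scopes) { // the human holds all scopes; sub-agents may only narrow
			return "", fmt.Errorf("hop %d: %q widens the scope it was delegated", i, link.Delegate)
		}
		signer, key, scopes = link.Delegate, link.DelegateKey, link.Scopes
	}
	return root.Subject, nil
}

func main() {
	now := time.Date(2026, 3, 1, 12, 0, 0, 0, time.UTC)
	servicePub, servicePriv, _ := ed25519.GenerateKey(rand.Reader)
	annaPub, annaPriv, _ := ed25519.GenerateKey(rand.Reader)
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, _, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed scenario: Anna was proofed ten days ago and delegated to a bot, which delegated to a helper.
	root := Proof(servicePriv, "human:anna", annaPub, now.Add(-10*24*time.Hour))
	chain := []Delegation{
		Delegate(annaPriv, "human:anna", "agent:invoice-bot", agentPub, []string{"read:invoices"}),
		Delegate(agentPriv, "agent:invoice-bot", "agent:ocr-helper", subPub, []string{"read:invoices"}),
	}
	for _, moment := range []string{"agent_delegation", "privilege_escalation", "account_recovery"} {
		who, err := VerifyChain(root, chain, servicePub, moment, now)
		fmt.Printf("%-20s accountable=%q err=%v\n", moment, who, err)
	}
	// A sub-agent that tries to widen its scope is rejected whatever the moment.
	widened := []Delegation{chain[0], Delegate(agentPriv, "agent:invoice-bot", "agent:ocr-helper", subPub, []string{"read:invoices", "write:payments"})}
	_, err := VerifyChain(root, widened, servicePub, "agent_delegation", now)
	fmt.Println("widened scope:", err)
}
```

Three properties of the verifier carry the post's argument: the chain is only accepted if its root carries a valid proofing signature (no proofed human, no trust), the freshness of that proofing is judged against the moment rather than the session (privilege escalation and recovery demand a recent re-proof even when the token is valid), and each hop can only narrow what it inherited, so spawned sub-agents cannot accumulate permissions their delegator never had.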

Ainscough at Silverfort was right: trust cannot be verified if the identity cannot be verified. The organisations that take this seriously — that invest in identity proofing with the same rigour they invest in authentication and authorization — will be the ones where zero trust actually works.

The rest will have the framework, the budget, and the vendor contracts. They will also have the breaches.


IdentiGate provides the identity proofing layer that Zero Trust requires — cryptographic human verification from biometric passports in roughly 180 countries. The root of trust for credentials, passkeys, and AI agent delegation chains. Learn more at identigate.com

About the author

Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.
