In 2026, zero trust architecture is non-negotiable. Here’s how we help our customers get where they need to be.
By Miguel Quinn
Most IT leaders already know they need to move toward zero trust network access. But most don’t know where to start.
Ransomware attacks are omnipresent, remote work has erased the network perimeter for good, and AI is introducing a whole new set of risks. Still, the idea of untangling years of legacy infrastructure and rebuilding access from the ground up can feel nearly as daunting as defending against the threats themselves.
At Sanity, we’ve guided dozens of organizations through this transition. While every company’s journey looks different, we’ve broken the process down into a series of manageable, measurable steps.
Step 1: Assess the Environment—You can’t secure what you don’t understand. Within many organizations, network documentation is outdated, with ad hoc changes never even recorded. That’s why we start by auditing physical infrastructure, remote sites, and the flow of data between different systems. Often, we’ll see glaring weaknesses, such as SSL VPNs, which can grant attackers broad access across the network if they are compromised. Our initial assessment helps us understand an organization’s unique needs, and it lays a foundation for all of our subsequent recommendations.
Step 2: Inventory Users and Devices—The unofficial mantra of zero trust is “never trust, always verify,” meaning that no user or device is trusted inherently. Instead, users and devices require strict identity verification, least-privilege access, and continuous monitoring. It’s critical, then, for IT and cybersecurity leaders to know exactly which devices and users are on the network. This step almost always uncovers shadow IT, such as Raspberry Pis that an employee covertly connected to the network to make their own job easier. We also frequently discover “ghost” users: employees who left the company years ago, but who still have active credentials.
Step 3: Map Workflows—This is one of the most important—and most challenging—parts of planning out a zero trust strategy. We need to know how different teams work together, how and why they share data and documents, and what access is needed to power business-critical applications. The easiest way to secure resources, of course, is to make them inaccessible to everyone, but that’s obviously not practical. Organizations need to make data and systems available to users who need them—but, ideally, not to anyone else. By carefully mapping workflows, we can help IT and business leaders determine who needs access to which resources.
Step 4: Choose a ZTNA Model—A zero trust model can be agent-based, service-based, or a hybrid of both. In an agent-based model, a software client is installed on all managed endpoints, creating an authenticated, encrypted tunnel to a ZTNA broker. A service-based (or “agentless”) model is powered primarily by a cloud service or gateway that brokers access to apps without the use of endpoint software. A hybrid model combines these approaches—for instance, by requiring agents on corporate laptops while using cloud-based access for partners and personal devices. This decision will depend on how your workforce operates, where your applications live, and how much of your infrastructure is on-premises versus in the cloud.
Step 5: Select a Solution—When you follow the earlier steps, solution selection becomes the easy part. Instead of shopping based on brand recognition or slick sales pitches, you’re matching tools to your own environment and needs. Many deployments involve more than one vendor, because no single platform does everything equally well. The right solution depends on where your infrastructure lives, how your users work, and where sensitive data must be protected. Rather than pushing a particular product, we provide our customers with vendor-agnostic recommendations based on their unique situation. It’s the difference between buying a product off the shelf vs. designing a custom set of tools that match your business goals.
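The inventory in Step 2 comes down to reconciling exports against each other. The sketch below is an added example, not part of the original article or any vendor's tooling: it flags enabled directory accounts with no active owner in the HR roster ("ghost" users) and devices seen on the network that are missing from the asset inventory (shadow IT). The CSV column names, the 90-day staleness threshold, and all sample rows are assumptions constructed for illustration.

```python
import csv, io
from datetime import date, timedelta

# Constructed sample exports; column names are assumptions, not a product schema.
HR = "employee_id,status\n1001,active\n1002,terminated\n1003,active\n"
DIRECTORY = """username,employee_id,enabled,last_login
alice,1001,true,2026-01-10
bob,1002,true,2023-04-02
carol,1003,true,2024-11-30
svc-backup,,true,2026-01-12
dave,1004,false,2022-01-01
"""
ASSETS = "mac,owner\naa:bb:cc:00:00:01,alice\nAA-BB-CC-00-00-02,carol\n"
OBSERVED = """mac,ip
AA:BB:CC:00:00:01,10.0.0.5
aa:bb:cc:00:00:02,10.0.0.6
b8:27:eb:12:34:56,10.0.0.77
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def norm_mac(mac):
    # Exports disagree on case and separators; normalise before comparing.
    return mac.strip().lower().replace("-", ":")

def ghost_users(hr, directory, today, stale_days=90):
    """Map each enabled account that fails reconciliation to the reason."""
    status = {r["employee_id"]: r["status"] for r in rows(hr)}
    findings = {}
    for acct in rows(directory):
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing to revoke
        emp = acct["employee_id"]
        idle = today - date.fromisoformat(acct["last_login"])
        if not emp:
            findings[acct["username"]] = "no owner on record"
        elif status.get(emp) != "active":
            findings[acct["username"]] = "owner is not an active employee"
        elif idle > timedelta(days=stale_days):
            findings[acct["username"]] = f"no login for {idle.days} days"
    return findings

def unmanaged_devices(assets, observed):
    """Devices seen on the network that are missing from the asset inventory."""
    known = {norm_mac(r["mac"]) for r in rows(assets)}
    return sorted({norm_mac(r["mac"]) for r in rows(observed)} - known)

if __name__ == "__main__":
    print(ghost_users(HR, DIRECTORY, today=date(2026, 1, 15)))
    print(unmanaged_devices(ASSETS, OBSERVED))
```

Service accounts such as the constructed `svc-backup` surface as ownerless on purpose: they need a named owner before least-privilege policy can be written for them.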
Your road to zero trust doesn’t end with solution selection. Next comes the drafting of policies, the implementation and testing of new controls, and the continuous monitoring and maintenance of the environment as the organization and threat landscape change. The journey is never-ending, and many organizations need a partner to help them navigate it. In fact, the choice of a partner will often end up being the most important decision in this entire process. Anyone can sell a solution billed as zero trust. But only a partner that takes the time to understand your environment will be able to design and implement a strategy that holds up over time in the real world.