Zero Trust Architecture: A practical operating model for a more complex digital world 

By Matthew Osborne, Master Technologist, DXC Technology 

Zero Trust Architecture is no longer an emerging security concept. It is becoming a practical operating model for organisations navigating cloud adoption, hybrid work, digital supply chains, increasingly complex IT estates and the rise of AI. 

That matters because modern organisations no longer operate inside tidy, well-defined boundaries. Users work from anywhere. Applications are distributed across on-premises and cloud environments. Data moves across platforms, partners and services at speed. AI is adding another layer of complexity by increasing automation, expanding the use of APIs and introducing more non-human identities into enterprise environments. The result is simple: trust has become harder to manage and easier to exploit. 

This is why Zero Trust has moved up the agenda. At its core, it reflects a simple principle — trust should never be automatic, permanent or based solely on network location. Access should be governed by identity, context, policy and risk, then reassessed continuously. That is a more realistic approach for protecting how organisations operate and thwarting how attackers behave. 

Zero Trust is often misunderstood. It is not a single product, a one-off transformation project or a label that can be attached to an existing security stack. As an operating model, it changes how organisations manage identity, access, segmentation, workloads, devices, applications, data and monitoring. In other words, it is less about buying a thing and more about changing how trust is granted across the enterprise. For UK organisations managing a mix of legacy platforms, cloud services, outsourced capabilities, hybrid workforces and connected suppliers, this shift is particularly relevant.  Most of them are trying to modernise securely while keeping core services running, users productive and regulators reassured. In that environment, security based mainly on perimeter assumptions is no longer enough. Protection must follow the user, the device, the session, the workload and the data. 

Zero Trust becomes practical under these circumstances. Done properly, it reduces implicit trust, limits unnecessary privilege, makes lateral movement more difficult and improves containment when something goes wrong. It is built on the assumption that compromise is possible and that resilience depends on restricting what an attacker can do next. That may sound less optimistic than traditional perimeter thinking, but it is generally much more useful after the first phishing email has done its work. 

A practical Zero Trust model starts with visibility. Organisations need to know what assets they have, which identities can access them, what privileges exist, how those privileges are used and where policy is being enforced. Without that, Zero Trust risks remaining a strategic ambition supported largely by architecture diagrams and determined nodding in meetings. 

Identity is usually the starting point, and rightly so. Strong authentication, conditional access, privileged access management and identity governance provide the basis for more intelligent access control. But Zero Trust doesn’t stop there. Device posture matters. Application context matters. Segmentation matters. Data sensitivity matters. So do machine identities, service accounts and APIs, all of which are becoming more important as organisations automate more processes and embed AI into business operations. 

As organisations deploy AI assistants, copilots, agents and automated workflows, they create more paths to data, more interactions between systems and more forms of delegated access. Every one of those connections raises questions about identity, privilege, policy enforcement and monitoring. With AI increasing speed, scale and autonomy, Zero Trust provides the discipline to stop those qualities turning into risk with a chatbot attached. If AI is to be used safely at scale, it has to sit inside a security model that assumes trust must be earned, limited and continuously re-evaluated. 

With legacy technology in the mix, Zero Trust adoption has to be phased and pragmatic. Start with critical assets and privileged access paths. Reduce unnecessary permissions. Strengthen identity controls. Improve segmentation. Build better visibility. 

This is also where delivery partners have a role. Many organisations understand Zero Trust in principle but need help translating it into an operating model across large, mixed and often messy estates. DXC’s Cybersecurity services align to Zero Trust strategy, transformation and operational management across identity, devices, applications, workloads and data. Our scale is significant: we manage more than 450 million digital identities across employees, partners, customers, citizens, software bots, smart agents, automated scripts, IoT devices and APIs. We have also published examples of applying Zero Trust network access within our own global environment. Those foundations are becoming even more important as organisations modernise securely while introducing greater automation and AI-enabled services. 

The real question now is not whether an organisation “has Zero Trust,” but whether it is reducing implicit trust, governing access more intelligently and becoming more resilient as its environment becomes more distributed and automated. 

Learn more about DXC CyberSecurity and DXC Zero Trust solutions.