The way I’d describe the original logic of network security is a crunchy outside and a soft middle.
The perimeter was the defense. Everything inside it was trusted by default – not because anyone made that decision explicitly, but because the model didn’t require them to. As long as the outside stayed hard, the inside could stay soft.
That logic held, until it didn’t.
SVP for International Business at FireMon.
Cloud environments, remote access, partner integrations, and the sheer sprawl of modern IT infrastructure dissolved the perimeter as a meaningful boundary. Zero Trust was the response, instigating a need to always verify, to define access by identity and context rather than by where something sits on the network.
The principle is sound. The problem is that principle and implementation are not the same thing. Most Zero Trust deployments work exactly as intended in a controlled environment. In production, in the real world, they encounter something the lab never prepared them for: the accumulated complexity of everything that came before.
The instinct, when implementations stall, is to reach for better visibility – more dashboards, more network monitoring, a clearer picture of what’s happening across the environment. That instinct isn’t wrong. But visibility doesn’t improve security in itself. It only gives you awareness of the problems. And without action, awareness changes nothing.
The complexity nobody planned for
Think about what an enterprise network security environment actually looks like. You started with one firewall. You understood it – you could hold the whole picture in your head; you knew what access was needed, and it was easy to make sensible, reasoned decisions along those lines. Then you added another layer. And another. But each time you added a layer, the complexity didn’t grow linearly. It grew exponentially.
You now have hundreds of firewalls, each with a policy consisting of thousands of rules, each rule containing multiple sources and destinations. You get to the point, and quickly, where you’re managing billions of access paths – more than anybody can hold in their head.
Making this manageable means recognizing what sits above all of it: policy. Every technology in the security stack – from the earliest access control lists through to next-generation firewalls and Zero Trust architectures – does one thing. It enforces the policy you define. Policy is the control plane. It doesn’t matter how sophisticated the enforcement technology becomes; if the policy is weak, the security is weak.
And in environments of this complexity, spanning data centers, cloud workloads, legacy infrastructure, and partner integrations, maintaining coherent policy across all of it is the challenge that everything else depends on.
What’s already in front of you
Walk into almost any organisation and do an honest assessment of their network security posture. What you find, reliably, is that the picture is worse than expected. Not because the engineers aren’t capable – they are, and they’re working hard under real pressure. But they’ve been set up to fail, because they’ve inherited complexity that was never fully understood to begin with.
There are rules that have been in place for years, even decades, and nobody knows exactly why. Nobody wants to touch them either, because if you do and something breaks, you own that. So they persist. The policy environment grows. The gaps and contradictions accumulate invisibly.
This is the policy surface problem. Just as the attack surface expands with every new device and workload, the policy surface expands with every new rule, every exception, every temporary access approval that becomes permanent.
Left unmanaged, it stops reflecting deliberate intent and starts reflecting accumulated history. And critically, that policy surface spans every environment the organisation operates in – firewalls, cloud controls, microsegmentation boundaries – each enforcing its own version of access, with no single coherent view across all of them.
A user gets denied at the network layer and permitted through at the application layer. Access that was approved for one purpose enables another. The controls are inconsistent because governance isn’t unified, and inconsistency is where exposure lives.
The limitations of Zero Trust
Zero Trust doesn’t solve this. In fact, it often creates new management challenges on top of existing ones, precisely because you’re not deploying into a clean environment.
And the environment keeps getting harder to govern. The policy surface expands with every new identity added to it: a new employee, a new contractor, a partner given access to a system. Each one represents a decision about what access is appropriate, what the minimum necessary permissions look like, and how that access gets reviewed and validated over time. That discipline is hard enough to maintain at human scale. Then came systems that act autonomously.
Agentic AI – systems that take action on behalf of users, make decisions, and interact with other systems without a person in the loop – introduces a new category of identity management into an already complex access environment.
Agents have identities. They require access to perform their function. They interact with other agents, call APIs, traverse infrastructure – and they do all of it at a speed and volume that no manual oversight process can match. More identities, more access paths, more need for continuous validation, accumulating faster than most governance processes were designed to handle.
The blast radius of a poorly scoped access decision is determined by the policies surrounding it. An agent that reaches systems or data it has no legitimate reason to touch – customer records, financial data, operational technology – doesn’t change that principle. It sharpens it. If the policies governing that access are coherent, current, and continuously validated, the radius is constrained.
If they’re the product of drift and unreviewed exceptions, the radius is unknowable. Agentic AI introduces new risk. Is your policy environment governed well enough to contain it?
From awareness to governance
So what does it actually mean to act on visibility, rather than just having visibility for its own sake? It starts with an honest account of what access currently exists – what rules are in place, what they permit, which are redundant, which contradict each other, which have never been reviewed.
That cleanup process is unglamorous but it’s also unavoidable. You can’t govern a policy environment you don’t understand, and most organizations, if they’re direct with themselves, don’t fully understand theirs. They certainly don’t have a unified view of it across firewalls, cloud, and microsegmentation controls simultaneously.
From there, the challenge becomes operational: every day brings new access requests, which must be managed by already stretched security teams. The pressure to say yes quickly, to not hold up the business, is real – and it’s exactly how policy drift accelerates.
The discipline that prevents this isn’t reactive. It’s the practice of validating intent before changes are deployed: ensuring that every new access request is assessed against defined policy, that what gets provisioned reflects a deliberate decision rather than an expedient one, and that the cumulative effect of individual changes doesn’t erode the coherence of the wider access environment.
Network Security Policy Management provides the governance layer needed to define, validate, and maintain policy intent across firewalls, cloud, and microsegmentation controls. This is what enables organizations to move from visibility to provable, operational security – the ability to say, with confidence, that every policy in place reflects a deliberate decision, and that when something new is introduced, access is defined by intent rather than inherited by default.
Policy is never going to go away
The underlying technologies will keep evolving. Firewalls have gone from access control lists to stateful inspection to application-aware next-generation architectures. The Zero Trust framework sits above all of that – a set of principles that those technologies are asked to enforce.
And that’s precisely the point: however sophisticated the enforcement technology becomes, it still does one thing. It enforces the policy you define. Policy is the control plane. If the policy is weak, the security is weak. The framework doesn’t change that equation. The technology doesn’t either.
What changes is whether organizations treat policy as a living discipline – something maintained, validated, and kept in constant alignment with actual intent – or as an artefact of past decisions that nobody has the time or confidence to revisit. And to realize the genuine promise of Zero Trust, those questions must be answered honestly.
Visibility is where it starts. Governance is what makes it matter.
We feature the best cloud firewall (WAF).
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
