Zero Trust is not a product

Zero Trust has become one of the most overused terms in cybersecurity. Every vendor claims to deliver it. Few organisations have actually implemented it — especially for privileged access.

Zero Trust is an architecture model, not a product. Applied to privileged access, it means:

  • Never assume trust based on network location, device ownership, or role membership alone
  • Verify explicitly every time a privileged action is requested
  • Enforce least privilege across all administrative roles and sessions
  • Assume breach and design controls that limit blast radius

Where most organisations fall short

Many organisations apply Zero Trust thinking to end-user access but revert to implicit trust for admin access:

  • Admins access cloud portals from devices used for email and browsing
  • Conditional Access policies have admin exclusions “for break glass”
  • PIM is deployed, but no device compliance is enforced during activation
  • Network segmentation exists for servers but not for admin traffic
  • Admin accounts bypass security controls because “they need to fix things when they break”

This is not Zero Trust. This is Zero Trust for users and implicit trust for admins.

What Zero Trust for privileged access looks like

Verify explicitly

  • Enforce phishing-resistant MFA for all privileged access
  • Require a compliant or managed device for access to admin portals
  • Use Conditional Access authentication context for sensitive roles
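As an added example that is not part of the original post, the check below audits a Microsoft Entra Conditional Access policy in its Graph API JSON form against the verify-explicitly bar above and against the shortfalls listed earlier (admin exclusions, plain MFA, no device compliance); the two sample policies are constructed, and the break-glass group ID is a placeholder.

```python
import json

# Real Microsoft Entra identifiers: the Global Administrator role template ID and the
# built-in "Phishing-resistant MFA" authentication strength ID used by the Graph API.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

def audit_admin_policy(policy: dict) -> list[str]:
    """Return the ways a Conditional Access policy falls short of 'verify explicitly' (empty = passes)."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (report-only or disabled)")
    if GLOBAL_ADMIN_ROLE not in users.get("includeRoles", []):
        findings.append("Global Administrator role is not in scope")
    excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    if excluded:
        findings.append(f"{len(excluded)} admin exclusion(s) present; each is implicit trust to justify")
    if (grant.get("authenticationStrength") or {}).get("id") != PHISHING_RESISTANT_MFA:
        findings.append("phishing-resistant MFA not required")
    if "compliantDevice" not in grant.get("builtInControls", []):
        findings.append("compliant (managed) device not required")
    elif grant.get("operator") != "AND":
        findings.append("controls joined with OR: one control alone satisfies the policy")
    return findings

# Constructed sample: the shortfall pattern (break-glass exclusion, plain MFA, no device check).
WEAK_POLICY = json.loads("""{
  "displayName": "Admins - MFA", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                           "excludeGroups": ["<placeholder-breakglass-group-id>"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
}""")

# Constructed sample: the hardened form (phishing-resistant MFA AND compliant device, no exclusions).
HARDENED_POLICY = {
    "displayName": "Admins - phishing-resistant MFA + compliant device", "state": "enabled",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]}},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                      "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
}

if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(policy["displayName"], "->", audit_admin_policy(policy) or ["OK"])
```

Run it against policies exported with `Get-MgIdentityConditionalAccessPolicy` (or the Graph endpoint) to find the admin policies that still carry exclusions or stop at plain MFA.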

Least privilege

  • Use PIM with time-limited, approved role activations
  • Define granular roles instead of relying on Global Admin
  • Scope access to specific resources wherever possible

Assume breach

  • Deploy PAWs so that privileged sessions are isolated from user workloads
  • Segment admin network traffic
  • Monitor for anomalous privileged activity
  • Test break glass procedures regularly
  • Design for the scenario where an admin account or device is compromised

The framework connection

Zero Trust for privileged access maps directly to the Privileged Path Framework:

  • Foundation — clean identity and governance
  • Control — explicit verification and least privilege
  • Isolation — assume breach and enforce boundaries
  • Operations — secure processes that maintain trust
  • Validation — continuous verification that controls are working

Zero Trust is not something you buy. It’s something you build, maintain, and prove.