I’ve spent years driving Zero Trust initiatives across complex organisations: large, distributed, regulated, and constantly under threat. And if there’s one truth experience has made painfully clear, it’s this:
Zero Trust does not fail because of weak technology. It fails because humans are forced to operate inside systems that were never designed for them.
As security leaders, we’ve focused relentlessly on controls, policies, and enforcement. We’ve hardened perimeters, reduced implicit trust, and automated access decisions. All necessary. All overdue.
But somewhere along the way, we ignored the human cost.
Why Zero Trust Is Colliding with Employee Experience
From the outside, Zero Trust looks elegant. From the inside, many employees experience it as friction.
- Too many authentication prompts
- Confusing access workflows
- Delayed approvals
- Sudden access removals without explanation
The result? People stop engaging thoughtfully. They comply mechanically, or worse, they work around controls.
That’s not resistance. That’s fatigue.
And fatigue is now one of the most exploited vulnerabilities in modern security environments.
The Hard Truth Most Leaders Avoid
Here’s what I’ve learned the hard way:
- If employees don’t understand why access is restricted, they won’t protect it.
- If managers don’t see risk clearly, they’ll approve blindly.
- If systems penalise productivity, people will find ways to bypass them.
At that point, Zero Trust becomes performative: strong on paper, weak in reality. This is why employee experience has quietly become a security control.
Reframing the Role of IAM in a Zero Trust World
Identity and Access Management sits at the centre of this tension.
IAM isn’t just infrastructure anymore. It’s where security strategy meets human behaviour.
Forward-looking organisations are now redesigning IAM with three principles in mind:
1.) Reduce Cognitive Load
When approvals and reviews require interpretation instead of clarity, humans default to speed over judgment.
- Good IAM UX simplifies decisions.
- Great IAM UX prevents bad ones.
2.) Make Risk Visible, Not Abstract
- Risk buried in logs and dashboards doesn’t change behaviour.
- Risk shown clearly, at the moment of decision, does.
Visual cues outperform training decks every time.
3.) Replace Enforcement with Guidance
Zero Trust works best when systems guide users toward secure behaviour, instead of constantly blocking them.
Security that teaches is stronger than security that threatens.
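To make the second principle concrete, here is an added example (not code from the author or from any product the post describes) of what "risk at the moment of decision" can look like in an IAM approval flow. It takes an access request, derives a short list of plain-language risk signals, and renders them as a decision card for the approver; it also lists entitlements that have gone unused, which is where privilege creep accumulates. The request fields, privilege tiers, thresholds and sample data are all constructed assumptions for illustration.

```python
"""Surface risk at the moment of an access decision (illustrative, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed severity ordering used to summarise a set of signals.
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class AccessRequest:
    requester: str
    entitlement: str
    privilege_tier: str                 # assumed tiers: "standard", "elevated", "admin"
    peer_share: float                   # fraction of the requester's peer group already holding it
    days_since_last_use: Optional[int]  # None if the requester has never held the entitlement
    justification: str


def risk_signals(req: AccessRequest) -> list[tuple[str, str]]:
    """Translate raw attributes into the cues an approver needs, in plain language."""
    signals: list[tuple[str, str]] = []
    if req.privilege_tier == "admin":
        signals.append(("HIGH", "grants administrative privilege"))
    elif req.privilege_tier == "elevated":
        signals.append(("MEDIUM", "grants elevated privilege"))
    if req.peer_share < 0.10:  # assumed threshold: unusual for this role
        signals.append(("MEDIUM", f"only {req.peer_share:.0%} of the requester's peers hold this"))
    if req.days_since_last_use is not None and req.days_since_last_use > 90:
        signals.append(("MEDIUM", f"already held but unused for {req.days_since_last_use} days; "
                                  "removal may be the right decision"))
    if len(req.justification.split()) < 5:  # assumed minimum for a reviewable justification
        signals.append(("LOW", "justification is too short to assess"))
    return signals


def overall_risk(signals: list[tuple[str, str]]) -> str:
    """Summarise a signal list by its most severe entry (LOW when there are none)."""
    if not signals:
        return "LOW"
    return max(signals, key=lambda s: SEVERITY[s[0]])[0]


def decision_card(req: AccessRequest) -> str:
    """Render the cues an approver sees instead of a bare approve/deny button."""
    signals = risk_signals(req)
    lines = [
        f"Access request: {req.requester} -> {req.entitlement}",
        f"Overall risk: {overall_risk(signals)}",
    ]
    if signals:
        lines.append("Why this needs your judgement:")
        lines.extend(f"  [{level}] {reason}" for level, reason in signals)
    else:
        lines.append("No risk signals; routine approval.")
    return "\n".join(lines)


def stale_entitlements(holdings: dict[str, int], threshold_days: int = 90) -> list[str]:
    """Entitlements not used within the threshold: privilege-creep candidates for review."""
    return sorted(name for name, idle_days in holdings.items() if idle_days > threshold_days)


if __name__ == "__main__":
    # Constructed sample request: an admin entitlement almost no peer holds, with a thin justification.
    request = AccessRequest("a.jones", "prod-db-admin", "admin", 0.04, None, "need it")
    print(decision_card(request))
    # Constructed sample of one person's current holdings and days since each was last used.
    print(stale_entitlements({"vpn": 3, "finance-share": 210, "ci-admin": 95}))
```

The point of the card is that the approver reads the reasons, not a score: a single word like "HIGH" is still abstract, whereas "only 4% of the requester's peers hold this" is something a manager can act on without interpreting a dashboard.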
Why This Shift Matters Now
Threat actors have already adapted. They’re no longer just attacking systems; they’re exploiting:
- approval fatigue
- privilege creep
- human shortcuts
- process overload
The organisations that win won’t be the ones with the most controls. They’ll be the ones whose people make better access decisions under pressure.
That’s leadership. And that responsibility sits squarely with us.
Final Thought
Zero Trust was never meant to create distance between organisations and their people. It was meant to protect them.
As leaders, we don’t just defend systems; we shape behaviour. And in today’s environment, the human layer is the decisive layer. Design it wisely.