Company's 'Zero Trust' Architecture Trusts Dave From IT Because He Seemed Nice
Billion-dollar firm implements rigorous verification for all users except one guy who brought donuts during the migration

A Fortune 500 company that spent $23 million implementing a Zero Trust security architecture has granted broad administrative exceptions to a single IT support technician named Dave Willoughby, undermining the foundational principle of the entire framework because, according to three separate managers, "Dave is just really helpful."
Zero Trust, a security model that requires strict verification for every user and device attempting to access resources regardless of their position within or outside the network, was deployed across the company over eighteen months. Every employee, contractor, and executive was enrolled in continuous authentication, least-privilege access, and micro-segmentation.
Except Dave.
Dave, who has worked in the company's IT support department for eleven years, accumulated exceptions during the migration process because he was the person everyone called when the new system locked them out. Over the eighteen-month rollout, Dave was granted temporary elevated access 214 times. Of those, 197 were never revoked.
"Dave needed access to fix things," explained IT Director Sandra Perimeter. "Every time someone got locked out of a system during the transition, Dave was the one who fixed it. You can't make Dave go through fourteen verification steps when he's trying to help the CFO print a PDF."
Dave currently has administrative access to the identity provider, the endpoint management platform, the cloud infrastructure console, the HR database, and the building's HVAC system. He can access more systems than the CISO.
"Zero Trust means trust nothing, verify everything," said the company's CISO. "Dave is the exception. He brought donuts to the security team every Friday during the migration. He knows everyone's name. He helped my mother set up her iPad. You can't Zero Trust a man like that."
A penetration testing firm hired to assess the company's security posture described the architecture as "Zero Trust with one Dave-shaped hole in it." Their report recommended revoking Dave's exceptions. The recommendation was overruled by six department heads who described Dave as "essential."
AI-generated satirical fiction. Not real news.