Zero Trust and Identity Becoming the Core of Modern Security in 2026

For more than a decade, Zero Trust has been the cybersecurity philosophy that everyone endorsed but few truly implemented. It promised a world where no user, device, or workload was trusted by default; where access was continuously verified; where privileges were tightly controlled; and where lateral movement was contained before it could cause harm. Yet for many organisations, Zero Trust remained a conceptual ambition rather than a functioning architecture. It lived in strategy decks and conference keynotes, not in day-to-day operations.

In 2026, that gap is finally narrowing. Not because the concept has changed, but because the threat landscape has forced a reckoning. Attackers no longer rely on breaking in. They simply log in. Stolen credentials, misused privileges, and ungoverned identities have become the primary pathways into critical systems. In a region like the Middle East and Africa, where digital transformation, cloud migration, and AI adoption are accelerating at unprecedented speed, this shift is particularly stark. Identity has become the new perimeter—and the new battleground.

Across the Middle East, Africa, and Türkiye, security leaders describe the same pattern: organisations are not short of tools, but they are short of clarity. They try to implement Zero Trust as a big-bang transformation, only to discover that complexity becomes the enemy of progress. The ones that move forward are those that start with fundamentals: visibility into what exists, identity as the control plane, and privilege as the line between resilience and catastrophe.

Visibility: The Step Everyone Talks About and Few Execute Well
Meriam ElOuazzani, Vice President for Middle East, Turkey, and Africa at Censys, sees the same story play out across the region. Boards and CISOs talk confidently about Zero Trust, but when you look under the hood, the basics are missing. “Most organisations plan to implement Zero Trust, but very few have a mature program,” she explains. “The problem is trying to do everything at once. Zero Trust is more than securing identity and access; focusing only on protecting known assets misses a larger category of threats targeting shadow IT or Shadow AI assets that security does not manage.”

For her, the first discipline of Zero Trust is not policy—it is visibility. You cannot remove implicit trust from what you don’t even know exists. “At Censys, we provide that starting baseline,” she says. “You cannot protect what you cannot see.” In a world of cloud sprawl, unmanaged SaaS, and experimental AI projects, that statement is less cliché and more survival rule.

Mohammed AlMoneer, Senior Director, Turkey, France, Africa and Middle East at Infoblox

Mohammed Al-Moneer, Senior Regional Director at Infoblox, takes that idea and grounds it in the fabric of the network. He argues that Zero Trust collapses without foundational controls that see everything, and DNS is one of the few layers that truly does. “Stop treating Zero Trust as a PowerPoint project and start with your basics,” he says. “Map every identity and asset, lock down DNS as an enforcement point that sees everything, and automate deny-by-default policies from that context.”

For Al-Moneer, DNS is not just plumbing; it is a strategic enforcement point that reveals how identities behave, where assets communicate, and where trust is being assumed without verification. When DNS, identity, and asset visibility align, Zero Trust stops being a slogan and becomes a set of enforceable controls.

Ismael Valenzuela, Senior Instructor at SANS, sees the same problem from an architectural lens. He spends his time teaching defenders how to build defensible security architectures, and Zero Trust is a recurring theme. “The biggest mistake I see is treating Zero Trust as a product you buy rather than an architecture you build,” he says. He insists that organisations must start with data flow mapping: understanding how data moves, who touches it, and where trust is implicitly granted. “You cannot enforce Zero Trust policies if you don’t know how data moves through your environment,” he warns.

For Valenzuela, Zero Trust is not about buying a ZTNA solution or an identity platform and declaring victory. It is about doing the architectural homework first—identifying crown jewels, mapping dependencies, and then building controls outward from what truly matters.

Identity: The New Perimeter, the New Control Plane, and the New Attack Surface
Once visibility is in place, the conversation inevitably shifts to identity. Identity is now the control plane that touches everything: users, devices, workloads, APIs, and increasingly, AI agents. It is also the primary attack vector.

Biju Unni, Vice President at Cloud Box Technologies, sees identity as the natural starting point for Zero Trust in real deployments. “It begins with a structured, identity-first strategy,” he explains. “Companies should map users, devices, applications, and data flows to understand the boundaries of trust. It is very important to have proper identity and access management with continuous verification.”

For Unni, Zero Trust is not a single product or a one-time project. It is a phased deployment approach that prioritises measurable outcomes while minimising disruption to business processes. Cloud-native security platforms and SASE frameworks, he notes, are helping organisations extend Zero Trust into hybrid environments without adding operational complexity. The key is to make identity the lens through which access decisions are made, everywhere.

Mortada Ayad, VP of Sales for META at Delinea, shares a similar view but emphasises the reality check that comes when organisations actually map access. “The organisations that move the fastest resist the urge to start with shiny new infrastructure and instead begin with identity,” he says. “When you sit down with customers and really map out who — or what — has access to what, especially privileged and machine identities, there are often a few uncomfortable surprises.”

Over-privileged accounts, forgotten service identities, and machine-to-machine access that no one owns are common findings. Once those are surfaced, applying least-privilege and just-in-time access becomes far more practical and far less disruptive than people fear. “The key is progress over perfection,” Ayad adds. “Integrate identity controls into the tools you already have and focus on small, meaningful wins rather than trying to flip everything to Zero Trust overnight.”

Jay Reddy, Head of Growth at ManageEngine, pushes the identity conversation into the future that is already arriving. He points to AI agents and automated workflows as the fastest-growing identity layer—and the least governed.

“In the GCC, where AI adoption is accelerating under Vision 2030, organisations must extend least privilege and continuous verification to every identity, as ungoverned agentic identities are where identity entropy begins.” For Reddy, Zero Trust that only covers human users is already outdated. Machine identities, service accounts, and AI agents must be treated as first-class citizens in identity governance and access control.

Ezzeldin Hussein, Regional Senior Director at SentinelOne, frames identity as a security pillar in its own right. “Companies should really start considering identity security as a new security pillar,” he says. “They should use proper identity governance, MFA, and least-privilege access. It is always important to keep an eye on identity behavior.” For Hussein, identity is not just about who can log in; it is about how identities behave over time. Integrating identity signals with XDR allows defenders to detect compromised credentials, lateral movement, and privilege escalation far earlier than endpoint telemetry alone.

Harish Chib, Vice President, Emerging Markets, Middle East & Africa, Sophos

Harish Chib, Vice President for Emerging Markets at Sophos, adds the operational dimension: identity cannot be separated from device health and network posture. “At Sophos, we advise organisations to adopt Zero Trust by implementing network microsegmentation, continuously verifying identities and device health, and enforcing policies via Sophos ZTNA within Workspace Protection,” he explains.

For Chib, Zero Trust works when identity, device posture, and network segmentation operate as a unified system. “Integrated visibility ensures consistent policy enforcement across hybrid environments, preventing lateral attacks and granting access only to trusted, compliant users and devices.” Identity is the decision point, but it must be informed by context.

MFA Fatigue: When the Front Door Becomes a Social Engineering Channel
As identity becomes the new perimeter, authentication becomes the new choke point—and attackers have learned to exploit it. MFA fatigue, push bombing, token theft, and session hijacking have become mainstream attack techniques, turning what was once a strong control into a new social engineering channel.

Ezzeldin Hussein, Regional Senior Director, Solution Engineering – META, SentinelOne, thinks that identity threat detection and response (ITDR) is becoming a critical layer. By correlating identity signals with endpoint and network telemetry, organisations can detect authentication anomalies before privilege escalation occurs. Chib reinforces this by focusing on contextual access: Sophos uses adaptive MFA and continuous monitoring to reduce unnecessary prompts while ensuring that only verified, low-risk sessions are allowed to proceed.

ElOuazzani captures the shift in a single line: “Attackers are not breaking in. They are logging in.” Most intrusions today use stolen credentials rather than custom malware. MFA helps, but adversaries have adapted by stealing tokens, push-bombing, and session hijacking. The answer, she argues, is phishing-resistant MFA, continuous credential monitoring, and session-level detection. Authentication can no longer be treated as a one-time gate; it must be part of a continuous verification loop.

Unni sees organisations moving toward adaptive authentication—analysing user behaviour, device health, and location to determine when MFA is truly necessary. Passwordless authentication and biometrics are gaining traction, while AI-driven identity threat detection helps identify anomalous login attempts. The goal is to reduce friction for legitimate users while increasing friction for attackers.

Ayad believes MFA fatigue is often a sign that MFA has been deployed too bluntly. “If the user behaviour looks normal, the device is healthy and the context makes sense, you don’t need to constantly ask the users for MFA,” he says. Risk-based enforcement reduces fatigue while strengthening security. When something feels off—an unusual location, elevated privileges, or odd behaviour—that is when MFA should be applied.

Valenzuela is blunt: push-based MFA is a known exploitable control. “If your organisation is still on SMS or basic push, you are running with a known exploitable control,” he warns. He points to recent breaches in which attackers bombarded users with push notifications until they tapped “approve.” Phishing-resistant MFA, conditional access, and continuous session evaluation are now table stakes. He also stresses the importance of security awareness: if employees do not recognise MFA bombing as an attack, even the best controls can be undone by a single tap.

Privilege: Where Breaches Escalate or Die
If identity is the new perimeter, privilege is the new blast radius. Across all interviews, one theme stands out: privileged access determines whether a breach becomes an incident or a catastrophe.

Muhammad Zubair, Presales Consultant for Cybersecurity at Omnix International, sees PAM as the single most decisive control in modern cyber defence. He believes the region’s rapid digital transformation has created an environment where privileged credentials are proliferating faster than organisations can govern them. “Forrester estimates 80% of security breaches involve privileged credentials — that number should keep every CISO up at night,” he says.

Zubair argues that PAM is not merely a compliance requirement but a strategic safeguard that determines whether attackers can escalate, persist, and cause real damage. “A solid PAM strategy enforces least privilege, vaults credentials, enables just-in-time access, and records privileged sessions for forensics,” he explains. He emphasises that PAM is also a resilience mechanism: when a breach does occur, PAM limits its reach by reducing both blast radius and attacker persistence. In his view, organisations that fail to modernise PAM are effectively handing attackers the master key and hoping they never use it.

Ali AlJuneidi, Regional Sales and Business Development Manager at ESET Middle East, believes PAM is the anchor that stabilises Zero Trust in real-world environments. He sees privileged access as the point where identity, device posture, and network controls converge—and where attackers focus their efforts. “Privileged Access Management (PAM) is critical in preventing breaches by controlling and monitoring access to sensitive accounts,” he says.

For AlJuneidi, PAM is not just about restricting access; it is about ensuring that every privileged action is intentional, authorised, and observable. “By enforcing least-privilege policies, session monitoring, and credential rotation, organisations reduce the risk of insider threats and compromised accounts,” he explains. He also highlights the importance of integrating PAM with endpoint, cloud, and application security to ensure consistent enforcement across hybrid environments. In his view, PAM is the control that transforms Zero Trust from a conceptual model into a measurable, enforceable security posture that auditors, regulators, and boards can actually understand.

Jay Reddy highlights the risk of third-party and contractor identities, especially in large infrastructure projects. Just-in-time access and zero standing privileges, he argues, dramatically shrink the attack surface. Organisations that rely on permanent privileged accounts are creating unnecessary risk, particularly when those accounts are shared, poorly monitored, or tied to external vendors.

Ezzeldin Hussein notes that combining PAM with endpoint telemetry helps detect privilege abuse and prevent attackers from gaining full control of critical systems. Privileged activity must be monitored continuously, not periodically. Suspicious commands, unusual access times, and atypical resource usage are all signals that something is wrong.

Ismael Valenzuela adds a final warning: nonhuman identities—service accounts, API keys, machine identities, and AI agents—are increasingly the privileged identities attackers target, as they are often excluded entirely from PAM programmes. Zero Trust, he argues, must treat every privileged identity as high-risk, regardless of whether it belongs to a human or a machine.

Tidiane Lo, Vice President Westcon, MEA at Westcon-Comstor

Tidiane Lo, Vice President for Westcon-Comstor MEA, brings the channel perspective into sharp focus. He believes the region is entering a new phase of Zero Trust adoption—one where organisations are prioritising operational simplicity and rapid deployment. “Privileged access management is foundational to Zero Trust, limiting standing privileges and enforcing least-privilege access across hybrid environments,” he explains.

Lo sees a growing shift toward cloud-delivered PAM solutions that are easier to deploy, integrate, and scale. “Through the channel, organisations are increasingly adopting modern, cloud-delivered PAM solutions that are faster to deploy and easier to operationalise at scale,” he says. He emphasises that channel partners play a critical role in helping organisations move from proof of value to full operationalisation, ensuring that PAM becomes a living control rather than a one-time project. For Lo, the future of PAM lies in automation, cloud-native architectures, and integrated identity ecosystems that reduce complexity while strengthening security.

Zero Trust in 2026: Less Slogan, More Structure
Across all these perspectives, a clear picture emerges. Zero Trust in 2026 is not defined by tools, but by discipline. It is built on identity as the new perimeter, visibility as the foundation, and privilege as the decisive control. It recognises that MFA alone is no longer enough, that machine identities are the next frontier, and that Zero Trust is not a product but an architecture.

The organisations making real progress are not those with the biggest budgets, but those that start with fundamentals: mapping identities, understanding data flows, eliminating standing privileges, and enforcing continuous verification. They are the ones that treat Zero Trust as a journey rather than a destination, and identity as a living system rather than a static directory.

In a world where attackers log in rather than break in, Zero Trust is no longer optional. It is the architecture of modern defence—and identity, in all its human and machine forms, is its foundation.