
Zero Trust in the Age of Regulatory Cyber Resilience

Raghu Nandakumara
Vice President, Industry Strategy

In 1999, Phil Park was on call with three pagers clipped to his belt, waiting for the world to break.

It was Y2K. Midnight was approaching, and critical systems were expected to fail. Entire industries had prepared for collapse.

And then — nothing happened.

For Phil, now a financial services cybersecurity leader at IBM, that moment proved that disciplined preparation prevents catastrophe.

Fast forward to 2026, and that lesson feels relevant again. When Phil and I sat down on The Segment podcast, we discussed how supervision has fundamentally shifted. Regulators no longer ask, “Are you protected?” but, “Can you operate through disruption?”

For decades, cyber programs revolved around controls and checklists. Now supervisors want proof that critical services stay available when systems fail, vendors go offline, or ransomware hits.

Prevention still matters, but containment and recovery under pressure matter more.

That is where Zero Trust comes in. In this new supervisory era, Zero Trust isn’t about stopping every attack but about designing your environment so that when something breaks, it doesn’t break everything.

From checklists to consequences

Phil explained that cyber and operational risk used to be evaluated through static frameworks. Now regulators are looking at real-world performance.

They care less about perfection and more about the quality of response:

  • How quickly can you isolate a problem?
  • Do you understand your service dependencies?
  • Can you escalate decisively?
  • Can you keep critical operations running?

This is where many organizations struggle. It’s one thing to show that a control exists but another to demonstrate, live, that it works.

The biggest gap Phil sees is that firms still rely on heat maps and documentation while supervisors demand action and outcomes.

That gap is exactly where Zero Trust lives.

Zero Trust as demonstrable resilience

Zero Trust was never just an access model. At its core, it’s a design philosophy for resilience.

Phil said that too many institutions still operate with flat networks. In a flat environment, lateral movement is easy for attackers, and isolating breaches becomes manual and chaotic.

Containment changes that.

When supervisors ask, “How would you isolate a major failure and keep critical services running?” your answer must be architectural.

Zero Trust provides the ability to:

  • Constrain lateral movement by design
  • Ringfence high-value services
  • Reduce dependency on manual intervention
  • Turn a breach into an incident instead of an existential crisis

Regulators now examine leadership judgment, cross-functional coordination, and communication clarity. This means Zero Trust must extend into operating models.

AI changes speed, not fundamentals

Of course, no 2026 conversation avoids AI.

Phil described AI as a double-edged sword. Productivity gains are real. But so are deepfake risks and agentic automation deployed without governance.

For Phil, the most important conversation around AI is about fundamentals.

That means security teams need to focus on:

  • Knowing exactly where their assets are
  • Tightly controlling privileged access
  • Continuously identifying and fixing vulnerabilities before they become entry points

In Phil’s words, blocking and tackling still matter.

AI amplifies both capability and fragility. If your foundations are weak, automation accelerates failure. Zero Trust discipline becomes even more critical in an environment filled with machine identities and autonomous agents.

Zero Trust is now a regulatory imperative

The world didn’t end in 1999 because organizations prepared seriously for failure.

Today’s disruption landscape is more complex, more interconnected, and more AI-driven than anything Y2K engineers imagined.

Regulators know that. And that’s why they’re looking beyond security controls. They want you to prove that you can isolate a breach, protect your critical services, and operate through disruption.

Zero Trust is the operating model that makes that proof possible.
