Zero Trust Pillar Paralysis? For True Maturity, Think Laterally — Not Vertically

If you’ve been told that Zero Trust starts (and ends) with identity, let me stop you there.

Yes, identity is important. Crucial, even. But reducing Zero Trust to just identity security is like saying you’ve got a great car because you filled the tank with premium fuel. That’s a start, but it won’t get you far if there’s no engine.

Zero Trust was never just about identity. If that’s where your focus begins and ends, you’re setting yourself up for risk, not resilience.

The problem with pillars

A lot of this confusion comes from the way we talk about Zero Trust in the industry. Take Zero Trust maturity models, like CISA’s. They lay out pillars of Zero Trust, including identity, device, network, application, data, and so on.  

They’re useful as a framework, but too many people treat them like a to-do list.

This means some teams say, “Great, let’s start with identity. That’s the first pillar, right?” And then they get stuck there. Months, sometimes years, go by trying to “finish” identity before moving on.

But security doesn’t work in neat little boxes. Attackers don’t go one pillar at a time, and neither should we.

Instead of thinking vertically — identity, then device, then network — we need to think horizontally. What protects your most critical assets right now? What stops attackers from moving laterally once they get in?

Identity security is important. But once you start from those questions about your organization’s specific needs, it is not always the right first step.
Start with what needs protecting

More than a decade ago, when John Kindervag, the creator of Zero Trust, wrote one of the foundational papers on the topic, he put segmentation at the core of the architecture.  

Excerpt from Forrester's Build Security Into Your Network’s DNA: The Zero Trust Network Architecture

John always recommends starting with your protect surface. This includes the data, applications, assets, and services (DAAS) that matter most to your organization. Once you define that, the rest follows.

Sometimes identity will be part of the answer. But often, it’s segmentation that gives you the control and containment you need to stop lateral movement. This is especially true when we’re dealing with hybrid environments, legacy infrastructure, or high-value workloads that can’t afford a breach.

Segmentation delivers Zero Trust

Think about what Zero Trust is supposed to do: limit access, minimize the blast radius, reduce dwell time, and contain threats. Identity helps you control who can access something. But segmentation controls where they can go once inside.

You can have the most sophisticated identity system in the world, but if an attacker gets in using stolen credentials (and they will), then what?

If you’re relying on identity alone, they’re already inside the network. And without segmentation in place, there’s no way to contain their spread. They’re free to roam the network uninterrupted.

With segmentation, you draw the lines in advance. You proactively define where access stops for users, devices, workloads, and even legitimate connections.  

It’s not just about granting or denying access. It’s about limiting attackers’ reach.
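To make the distinction in the preceding paragraphs concrete, here is an added example in Python (not code from the article or from any vendor product). It models an identity-only access decision next to the same decision combined with a default-deny segmentation policy, and computes the blast radius of a segment by walking the flows the policy allows. The segment names, ports, roles and the policy itself are constructed sample data.

```python
"""Identity-only access versus identity plus segmentation.

Added illustration, not part of the original article. Every segment,
port and role below is constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One allowed network path: source segment -> destination segment on a port."""
    src: str
    dst: str
    port: int


@dataclass
class SegmentationPolicy:
    """Default-deny allowlist between segments: the lines drawn in advance."""
    allowed: set = field(default_factory=set)

    def allow(self, src: str, dst: str, port: int) -> None:
        self.allowed.add(Flow(src, dst, port))

    def permits(self, flow: Flow) -> bool:
        # Anything not explicitly allowed is denied.
        return flow in self.allowed

    def direct_reach(self, segment: str) -> set:
        """Segments reachable in one hop from `segment`."""
        return {f.dst for f in self.allowed if f.src == segment}

    def blast_radius(self, segment: str) -> set:
        """Every segment reachable from `segment` by chaining allowed flows (BFS)."""
        seen, queue = set(), deque([segment])
        while queue:
            current = queue.popleft()
            for nxt in self.direct_reach(current):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


def identity_only_decision(user_roles: set, required_role: str) -> bool:
    """Identity answers 'who': the role is valid, so access is granted."""
    return required_role in user_roles


def zero_trust_decision(user_roles: set, required_role: str,
                        flow: Flow, policy: SegmentationPolicy) -> bool:
    """Identity plus segmentation: valid role AND an allowed path from where
    the request actually originates."""
    return identity_only_decision(user_roles, required_role) and policy.permits(flow)


def build_sample_policy() -> SegmentationPolicy:
    """Constructed policy around a protect surface of 'payments-db'."""
    policy = SegmentationPolicy()
    policy.allow("corp-users", "payments-app", 443)      # users reach the web tier only
    policy.allow("payments-app", "payments-db", 5432)    # app tier talks to the database
    policy.allow("jump-host", "payments-db", 5432)       # admin path for DBAs
    return policy


def stolen_credential_scenario() -> dict:
    """A valid DBA credential used from a compromised corporate workstation."""
    policy = build_sample_policy()
    roles = {"dba"}                                    # credential is genuine
    flow = Flow("corp-users", "payments-db", 5432)     # but the path is not allowed
    return {
        "identity_only": identity_only_decision(roles, "dba"),
        "with_segmentation": zero_trust_decision(roles, "dba", flow, policy),
        "blast_radius_from_corp": sorted(policy.blast_radius("corp-users")),
    }


if __name__ == "__main__":
    for key, value in stolen_credential_scenario().items():
        print(f"{key}: {value}")
```

With only the identity check, the stolen DBA credential is accepted from anywhere. With the segmentation policy, the same credential is accepted from the jump host and refused from the user segment, and the blast-radius walk shows that the user segment still reaches the database only through the application tier, which is the path a defender can watch and harden.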

Don’t take things too literally

One of the biggest traps in Zero Trust is being too literal with the language.  

Just because a maturity model lists identity first doesn’t mean it’s the most important. And just because a vendor puts “Zero Trust” on a product doesn’t mean it will get you there.

We need to be flexible, contextual, and above all, strategic.

Start by asking:

  • What do I need to protect?
  • What are the most likely paths an attacker would take to get there?
  • How can I break those paths, not reactively but proactively?

Identity might play a role. But if segmentation isn’t part of the answer, you probably haven’t asked the right questions.
Zero Trust is a strategy, not a checklist

Zero Trust is not a product. It’s not a pillar checklist. It’s a strategy that adapts to your environment, your risks, and your business goals. Like any good strategy, it needs a layered, realistic approach.

So yes, lock down identity. Yes, invest in visibility. But don’t leave segmentation out of the equation for too long. It’s the piece that gives Zero Trust teeth. It makes sure that when attackers do get into your network, they can’t cause a full-blown disaster.

Don’t stop at the login screen with identity security. Build security that assumes breaches will happen and can contain them.

Trevor Dearing

Director of Critical Infrastructure Solutions

Ready to learn more about Zero Trust Segmentation?