In this edition of the Copenhagen Compliance Newsletter, we examined two critical governance themes shaping modern organisations:
Human involvement in AI risk management ensures that artificial intelligence strengthens rather than replaces human judgment.
AI governance frameworks, emphasising oversight, accountability, and risk control, are being adopted as organisations take up increasingly powerful technologies.
A natural continuation of this conversation is cybersecurity architecture—specifically, the concept of Zero Trust.
In a world where AI systems, cloud platforms, and global data flows redefine how organisations operate, traditional security models are no longer sufficient.
What Is Zero Trust?
Zero Trust is often misunderstood as a product, a technology platform, or a single security tool.
It is none of these.
Zero Trust is a security philosophy and architecture model that prioritises data protection and policy-driven access control rather than relying on network location or infrastructure boundaries.
The core principle is simple:
“Never trust. Always verify.”
In a Zero Trust architecture:
- No user, system, or device is trusted automatically.
- Every access request must be verified.
- Access is granted based on policy, identity, and context, not network location.
This approach reflects a fundamental shift in cybersecurity thinking.
Traditional models focused on protecting networks.
Zero Trust focuses on protecting data.
Why Traditional Security Models Are Failing
For decades, cybersecurity relied on a perimeter-based model.
The assumption was straightforward:
- Threats originate outside the organisation.
- Systems inside the network are trusted.
- Security focuses on defending the boundary between inside and outside.
This is why cybersecurity terminology historically includes concepts such as:
- Firewalls
- Gateways
- Demilitarized zones (DMZ)
- Network perimeters
The model worked when organisations operated primarily within centralised data centres and controlled networks.
But modern digital environments no longer function this way.
Today:
- Applications run in cloud environments
- Employees work from remote locations
- Systems integrate through APIs and microservices
- Data moves constantly between partners, platforms, and services
In such an environment, the distinction between “inside” and “outside” has effectively disappeared.
The Hidden Weakness of Perimeter Security
Traditional network architectures rely heavily on logical security zones, such as:
- Virtual Local Area Networks (VLANs)
- Virtual Networks (VNETs)
- Security Groups
- Access Control Lists (ACLs)
These zones regulate which traffic may enter or leave a segment.
However, they also introduce a critical vulnerability.
Once an attacker successfully enters a network segment, all systems within that zone are often implicitly trusted.
This creates the conditions for lateral movement, also known as “East–West” attacks.
Instead of attacking critical systems directly, attackers typically:
- Compromise a weaker system.
- Establish a foothold inside the network.
- Move laterally to access more valuable assets.
The widely reported SolarWinds Supply Chain Attack illustrates this risk. Attackers compromised software updates, which were then distributed to thousands of organisations, giving them internal access without breaching traditional perimeter defences.
The Zero Trust Mindset
Zero Trust begins with a different assumption:
Attackers may already be inside the network.
Instead of focusing on how attackers enter, Zero Trust focuses on what they can access once inside.
The objective is simple:
Even if a breach occurs, attackers should gain access to nothing of value.
This philosophy aligns closely with the governance principles discussed in our previous AI risk articles:
- Assume systems can fail
- Assume data may be targeted
- Implement continuous verification and oversight
The Core Principles of Zero Trust
A mature Zero Trust architecture relies on several key principles.
1. Data-Centric Security
The primary asset to protect is data, not infrastructure.
Controls focus on:
- Who is accessing the data
- Why they need access
- Whether the access request matches policy
2. Deny by Default
Access is never assumed.
Instead:
- Every request is denied by default.
- Access must be explicitly authorised.
- Permissions are granted only when justified.
3. Continuous Verification
Access decisions are not one-time events.
Systems continuously evaluate factors such as:
- User identity
- Device security posture
- Behaviour patterns
- Location and context
4. Microsegmentation
Rather than trusting an entire network zone, Zero Trust divides systems into small, controlled segments.
This technique, known as microsegmentation, ensures that even if one component is compromised, attackers cannot easily move laterally.
Each system interaction must be explicitly authorised.
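The four principles above can be expressed as a single policy-decision function: a request is denied unless it passes an explicit segment allow-list (microsegmentation), an explicit permission grant (deny by default), a device posture check, and freshness and risk thresholds (continuous verification). This is an added illustration, not the newsletter's or any product's code; the subjects, segments, resource names and thresholds are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    subject: str            # verified identity of the user or workload
    source: str             # network segment the request originates from
    resource: str           # data set or system being accessed
    action: str             # e.g. "read" or "write"
    device_compliant: bool  # device security posture check passed
    mfa_age_seconds: int    # seconds since last strong authentication
    risk_score: int         # behaviour/context risk, 0 (low) to 100 (high)


@dataclass
class Policy:
    # (subject, resource) -> set of explicitly granted actions
    allowed_actions: dict = field(default_factory=dict)
    # (source_segment, resource) pairs permitted to interact
    segment_allow: set = field(default_factory=set)
    max_mfa_age: int = 3600   # re-verify identity after one hour
    max_risk: int = 50        # deny when contextual risk exceeds this


def evaluate(req: AccessRequest, policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason). Any request that does not explicitly
    satisfy every check falls through to deny."""
    # Microsegmentation: the source segment must be allowed to reach the resource
    if (req.source, req.resource) not in policy.segment_allow:
        return False, "segment not permitted to reach resource"
    # Deny by default: the action must be explicitly granted to this identity
    granted = policy.allowed_actions.get((req.subject, req.resource), set())
    if req.action not in granted:
        return False, "no explicit permission for action"
    # Device posture is part of the decision, not just identity
    if not req.device_compliant:
        return False, "device posture non-compliant"
    # Continuous verification: stale authentication or elevated risk denies
    if req.mfa_age_seconds > policy.max_mfa_age:
        return False, "re-authentication required"
    if req.risk_score > policy.max_risk:
        return False, "context risk above threshold"
    return True, "allowed"


# Constructed sample policy: only the HR application segment and the
# corporate VPN segment may reach the HR database, and only alice may read it.
POLICY = Policy(
    allowed_actions={("alice", "hr-db"): {"read"}},
    segment_allow={("corp-vpn", "hr-db"), ("hr-app", "hr-db")},
)
```

A request from a segment outside the allow-list is refused before identity is even considered, which is what stops an attacker who has compromised a weaker system from moving laterally under the same zone trust.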
Zero Trust and AI Governance: The Connection
The shift toward Zero Trust mirrors the governance principles discussed in our earlier articles on AI risk and human oversight.
Both approaches recognise that modern digital systems are:
- Highly interconnected
- Rapidly evolving
- Difficult to fully predict or control
Whether managing AI outputs or data access, organisations must adopt the same fundamental principle:
Trust cannot be assumed. It must be continuously validated.
In practice, this means:
- AI outputs require human verification
- Data access requires identity verification
- Systems require continuous monitoring
Governance frameworks and cybersecurity architecture are therefore becoming increasingly aligned.
A New Security Mantra for the AI Era
In a digital environment defined by AI systems, cloud computing, and global data exchange, organisations must rethink long-standing assumptions about security.
Perimeter defence alone is no longer sufficient.
Zero Trust offers a more resilient model built around three realities:
- Data is everywhere.
- Systems are interconnected.
- Breaches are inevitable.
The organisations that succeed in this environment will be those that combine:
- Strong governance frameworks
- Human oversight in AI systems
- Policy-driven Zero Trust security architectures
Together, these elements create the foundation for secure digital transformation in the AI era.